First, you need to remove inheritance on the object, which you can do by running: icacls file.txt /inheritance:d (where file.txt is the file you want to change).

This will remove inheritance, but copy the inherited ACLs to file.txt. If you're sure you don't need any of the ACLs which are inherited, you can just use: icacls file.txt /inheritance:r, but be careful you don't accidentally remove your own permissions when doing this.

Then, you can remove a user or group from the ACLs on an object by using: icacls file.txt /remove:g NTDOMAIN\sAMAccountName, or you can specify the user/group using the UPN (for example, bob.smith@activedirectory.example.com).
When you come to add users/groups to the ACLs, you need to think about which permissions you want them to have. Full control is represented by F. Modify is represented by M. Read and Execute is represented by the letters RX.

The command to add a user/group to the ACLs is: icacls file.txt /grant NTDOMAIN\sAMAccountName:(M) - which would grant modify permissions (M) to whichever account/group we specify.
You might want to add explicit users/groups to the ACLs before you remove inheritance on the file, rather than "remove all the groups from ACL list of the file, then assign different groups", because that might end up removing you from the ACL and locking you out of it.
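As an added example (not part of the answer above), here is the safe ordering the answer recommends scripted in PowerShell: grant the explicit entries first, then disable inheritance, then remove the unwanted group, and check that the caller still has an entry. The file path and the two group names are placeholders.

```powershell
# Added example, not from the original answer. $Path, $Grant and $Drop are placeholders.
param(
    [string]$Path  = 'C:\data\file.txt',        # placeholder: file whose ACL is being changed
    [string]$Grant = 'NTDOMAIN\AppWriters',     # placeholder: group to add with Modify (M)
    [string]$Drop  = 'NTDOMAIN\LegacyReaders'   # placeholder: group to remove from the ACL
)

# The account running the script gets an explicit ACE first, so that
# disabling inheritance can never remove its access.
$me = "$env:USERDOMAIN\$env:USERNAME"

function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Add explicit ACEs while the inherited ones are still in place.
Invoke-Icacls @($Path, '/grant', "${me}:(F)")
Invoke-Icacls @($Path, '/grant', "${Grant}:(M)")

# 2. Disable inheritance; /inheritance:d copies the inherited ACEs as explicit ones.
Invoke-Icacls @($Path, '/inheritance:d')

# 3. Remove the group that is no longer wanted.
Invoke-Icacls @($Path, '/remove:g', $Drop)

# 4. Verify: the caller must still hold an ACE, and the dropped group must be gone.
#    -contains / -notcontains compare case-insensitively, so domain casing does not matter.
$acl    = Get-Acl -Path $Path
$idents = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
if ($idents -notcontains $me) { throw "Lockout check failed: $me has no ACE on $Path" }
if ($idents -contains $Drop)  { throw "$Drop is still present on $Path" }

# Show the resulting ACL, as the answer does with a bare icacls call.
icacls.exe $Path
```

Run it from an account that already has Full control on the file (or as an administrator); otherwise the first /grant fails and the script stops before touching inheritance.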