
Icacls with /grant:r will replace any previously granted explicit permissions with new ones specified. But there is no :r switch for /deny. So if one wants to completely replace an existing ACL with an explicit DENY, he should first remove single occurrences of existing SIDs and then apply an explicit DENY.

Is there a way of directly overwriting an existing ACL with a DENY ACL entry?

shkdd

1 Answer


This is probably by design because denies override grants. However, you can deny and remove as separate steps:

icacls yourdirectory /deny user:r (or whatever)
icacls yourdirectory /remove:g user

Katherine Villyard
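
An added example, not part of the answer above: in PowerShell, Get-Acl and Set-Acl can do the replacement as a single ACL write, by purging the identity's explicit ACEs in memory, adding one Deny ACE, and writing the result back. The function name, path and account are hypothetical placeholders, and inherited ACEs are left as they are.

```powershell
# Added example: replace every explicit ACE for one identity with one explicit Deny ACE.
# Set-ExplicitDenyOnly, the path and the account below are hypothetical placeholders.
function Set-ExplicitDenyOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )

    # Resolve the name to a SID first; this throws if the account does not exist.
    $sid = ([System.Security.Principal.NTAccount] $Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -LiteralPath $Path

    # Drop all explicit Allow and Deny ACEs for this identity (inherited ACEs are not affected).
    $acl.PurgeAccessRules($sid)

    # On a directory, let the Deny apply to children as well; a file takes no inheritance flags.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
        [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }

    $deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)

    if ($PSCmdlet.ShouldProcess($Path, "Replace explicit ACEs for $Identity with Deny $Rights")) {
        Set-Acl -LiteralPath $Path -AclObject $acl   # single write of the modified ACL
    }

    # Return the explicit ACEs now present for the identity so the result can be checked.
    (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }
}

Set-ExplicitDenyOnly -Path 'C:\Data\yourdirectory' -Identity 'CONTOSO\user' -Rights Read -WhatIf
```

Run it without -WhatIf to apply the change; the returned rules should then contain exactly one entry for the identity, with AccessControlType Deny.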