Windows Equivalent to "chmod -R a-w"

Question

What is the Windows equivalent to "chmod -R a-w" to recursively remove write permissions of a directory? The tricky part is to leave the rest of the permissions the same (e.g. if subfolderA is only readable by groupA, do NOT open the folder permissions to Everyone).

Answer 1

I would say there is no "equivalent" way as the design of access control on Windows is quite different from that on Linux.

Anyway, you may achieve something similar with the icacls command, PowerShell script, VBScript, etc.

For each file there can be grant rules and deny rules attached to users or groups. And deny rules overrides grant rules. So you may have different ways depending on existing ACL configurations on the files. E.g.:

1. Users inherit both read and write permission: add a rule to deny write
2. Users inherit read permission and a rule that allow write is already exist on the file: just remove the allow write rule

Here is an example for case 1 to add a rule that deny a bunch of write permissions using icacls:

icacls C:\myFolder /deny UserOrGroup:(WD,AD,WDAC,WO,WEA,WA,DE,DC) /T

To add the rules for multiple users/groups, you will need to wrap it with a loop in batch script.

Since you have tagged powershell in you question, a PowerShell script similar to the above icacls example is:

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("UserOrGroup", "DeleteSubdirectoriesAndFiles, Write, Delete, ChangePermissions, TakeOwnership", "Deny")

Get-ChildItem 'C:\myFolder' -Recurse | ForEach-Object {
    $acl = Get-Acl $_.FullName
    $acl.AddAccessRule($rule)
    Set-Acl $_.FullName $acl
}

PowerShell is more complicated but provides more flexibility. E.g. you can get user/group from existing rules on the file/folder and add the deny rule dynamically.

Note: You can probably find even more relevant question and examples in serverfalult, superuser or stackoverflow with keywords like "windows chmod", "powershell acl", "icacls", etc.