2

I'm running this command on a folder structure in order for all files and folders to recursively inherit the SYSTEM account with full control (and correct inheritance):

icacls V:\path\*.* /T /C /Q /grant SYSTEM:(OI)(CI)F

This appears to work as expected, but when I go into the advanced permissions settings, there are two permission entries for SYSTEM: One is inherited (as I'd expect), but then there is an additional entry which says "not inherited"..

Is it possible to add a flag so that only the inherited permission entry gets applied? I'm confused as to why two entries need to be added to each file and folder.

I've thoroughly read the icacls /? documentation and attempted many different combinations to no avail.

Many thanks for any suggestions.

BSUK
  • 692
  • 1
  • 12
  • 28

1 Answers1

1

If you inherit permissions from parent and add specific permissions for an account that is already inherited, you will always have 2 (or more) entries for that account. If you want just the 1 entry, you'll have to either remove the account from parent, or stop inheriting from parent and specifically set permissions.

Bobtb
  • 26
  • 3
  • 2
    Thanks. I'm looking into ways of running a subsequent ICACLS command to remove the explicit "non-inherited" entry on folders and subfolders to no avail.. I appreciate your explanation, though when we're talking about several terabytes and a large and complexed permissions structure, manually adding this permission entry isn't an option. – BSUK Jan 10 '14 at 17:13