Script to change file permissions on Windows devices

Windows devices can be configured with a set of files or folder permissions for each user. This set of permissions restricts unauthorized access to the specified files and folders. This document includes customized scripts to change file, folder, or directory permissions on a remote Windows device. These scripts can be deployed using the Execute Custom Script action.

Configure folder permissions

The icacls command, a command-line tool, is used to modify a file or folder’s permissions on a Windows device. The following scripts can be executed in both PowerShell and Batch file formats.

Restrict access to a folder or file

Deny a user permission to access a file or folder using the /deny parameter.

For example, to deny John the permission to access the folder DeviceLogs in the “C:” directory, execute the following command.

icacls C:\DeviceLogs /deny John:F

Grant access to a folder or file

Use the /grant parameter to grant a user access to a specific file or folder. The /t parameter recursively updates the permission on all specified files in the current directory and its subdirectories. The /c parameter ensures a continued operation despite any errors.

Remove permission of a user

The /remove parameter can be used to remove the configured permissions for a user on a file or folder. To remove the deny permission set on a file or folder replace <action> with d. Replace d with g to remove the grant permission.

Display permissions on the folder or file

Execute the above command after replacing <path> with file or folder path to display the permissions of different users on the folder and the subfolders/files within the folder.

Reset permissions to defaults

Reset the permissions of the file or folder to the default setting using the /reset parameter.