24 November 2025

Windows ICACLS and Permission Inheritance

When NTFS permissions get out of sync, one common culprit is broken inheritance. A folder (or file) has been set to “stop inheriting permissions” and now behaves differently from the rest of the tree. Last week I had to reset the inheritance on a folder and realized that it would be the perfect topic to write an article about. So, in this post, you’ll learn how to use the Windows icacls command to re‑enable inheritance on a single file, a single folder, or recursively on an entire folder tree, and the difference between ACLs and ACEs.

Understanding Windows ICACLS and Permission Inheritance

The Windows icacls command is a powerful tool to view, modify, and manage permissions (aka Access Control Lists – ACL) on files and folders. One common scenario in permission management is controlling inheritance — whether an object inherits permissions from its parent folder or maintains its own explicit permissions.

Inheritance ensures that permissions applied on a parent folder can automatically propagate to its child files and subfolders, simplifying administration. Sometimes, inheritance is disabled and needs to be re-enabled. In order to change the object’s inheritance you will need to run the commands below as an administrator, or with full ownership of the folders. Running the commands as a normal user may cause “Access is denied” errors, even if the commands are correct.

This table shows the icacls commands that are most commonly used. I highly encourage you to read the entire article to better understand what the commands are actually doing and see examples of how they are used. Remember, I am not responsible for the changes you make!

Command                          | Effect on inheritance                                               | Effect on inherited ACEs
icacls "Path"                    | Displays permissions as they currently exist                        | Displays permissions as they currently exist
icacls "Path" /save "SavePath"   | Saves permissions as they currently exist                           | Saves permissions as they currently exist
icacls "Path" /inheritance:e     | Enable inheritance on a file or folder                              | Starts inheriting from parent again
icacls "Path" /inheritance:e /t  | Enable inheritance recursively on folders and subfolders with files | Starts inheriting from parent again
icacls "Path" /inheritance:d     | Disable inheritance but keep current permissions explicitly         | Converts inherited ACEs into explicit ones
icacls "Path" /inheritance:r     | Disable inheritance and remove inherited permissions                | Removes inherited ACEs entirely

Viewing Current Permissions and Inheritance

Before changing anything, show the current ACL to confirm whether inheritance is disabled.

icacls "C:\ExampleFolder"

In the output:

  • Entries marked with (I) are inherited from a parent.
  • If you only see explicit entries and no (I) flags, inheritance is likely disabled on that object.

Example snippet you might see when inheritance is working:

C:\ExampleFolder  NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Administrators:(I)(F)
                  CONTOSO\Domain Users:(I)(M)

If those (I) indicators are missing at this level while present higher up the tree, someone has broken inheritance on this folder or file.


Backup ACLs Before You Touch Anything

Use “icacls /save” to capture your ACLs for rollback:

icacls "C:\ExampleFolder\Project" /save "C:\Temp\Project.acl" /t

That way, if anything goes wrong, you can restore the ACLs:

icacls "C:\ExampleFolder" /restore "C:\Temp\Project.acl"

Note that if you saved the ACLs of a subfolder, you restore the backup onto the base folder that matches the stored paths (here the backup was taken from “C:\ExampleFolder\Project”, so it is restored against “C:\ExampleFolder”). The name of the actual .acl file can be anything you want or that makes sense for your environment.

With things backed up, now we’re ready to go make changes!


How to Re-enable Inheritance Using ICACLS

The icacls command supports three /inheritance switches, plus /reset:

  • Enable inheritance (re-enable permission inheritance from the parent) — /inheritance:e
  • Disable inheritance and copy existing inherited permissions explicitly — /inheritance:d
  • Disable inheritance and remove only inherited permissions — /inheritance:r
  • Reset inheritance to permissions from its parent directory — /reset

To re-enable inheritance on a file or folder, you use:

icacls "FullPathToFileOrFolder" /inheritance:e

Replace “FullPathToFileOrFolder” with the actual path of the file or folder you are working with.


Examples for Different Scopes


Enable Inheritance on a Single Folder or File

To re-enable inheritance only on a specific folder:

icacls "C:\ExampleFolder" /inheritance:e

Use this when you only want to fix one folder and leave its children unchanged. Existing explicit permissions remain in place; the inheritable ACEs from the parent are simply added alongside them (and explicit entries are evaluated before inherited ones).

To re-enable inheritance only on a specific file:

icacls "C:\ExampleFolder\File.txt" /inheritance:e

This makes “File.txt” inherit permissions again from “C:\ExampleFolder” (and ultimately from higher levels). The file will pick up any ACEs that are configured to flow down to files (container/object inherit flags). You can re-run icacls against just the file to look for “(I)” entries to confirm inheritance is active again.


Enable Inheritance on a Folder and All Its Subfolders and Files

This is the “fix the entire tree” scenario, and is useful when someone clicked “Disable inheritance” on a top‑level folder and has created a real mess. To recursively enable inheritance on a folder, all its subfolders, and files, use the “/t” (traverse) and “/c” (continue on errors) flags:

icacls "C:\ExampleFolder" /inheritance:e /t /c

This command makes sure inheritance is restored on the folder, all contained subfolders, and files, even if some files generate errors during processing. On large folder trees this can take some time, so you can combine “/c” with “/q” to quiet the output:

icacls "C:\ExampleFolder" /inheritance:e /t /c /q
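
The viewing, backup and re-enable steps above, as one PowerShell script (an added example, not part of the original post): it first lists every object under a root whose DACL is protected (the programmatic equivalent of “no (I) entries”), and only with -Fix backs the tree up with icacls /save and re-enables inheritance on exactly those objects. The paths are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# $Root and $Backup are assumed paths; adjust for your environment.
param(
    [string]$Root   = "C:\ExampleFolder",
    [string]$Backup = "C:\Temp\ExampleFolder.acl",
    [switch]$Fix    # without -Fix the script only reports
)

# Returns every file/folder under $Path whose DACL is "protected",
# i.e. where inheritance from the parent has been disabled.
function Get-InheritanceBroken {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        # AreAccessRulesProtected is true exactly when inheritance is disabled.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                Path        = $item.FullName
                Owner       = $acl.Owner
                ExplicitAce = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
            }
        }
    }
}

$broken = @(Get-InheritanceBroken -Path $Root)
Write-Host "Objects with inheritance disabled under ${Root}: $($broken.Count)"
$broken | Format-Table -AutoSize

if ($Fix -and $broken.Count -gt 0) {
    # 1. Backup first so the change can be rolled back. Because the tree was
    #    saved from $Root, the stored paths are relative to its parent:
    #    icacls "<parent of $Root>" /restore "$Backup"
    icacls $Root /save $Backup /t /c /q
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed ($LASTEXITCODE); aborting" }
    Write-Host "ACLs saved to $Backup (restore base: $(Split-Path -Parent $Root))"

    # 2. Re-enable inheritance only on the objects that actually need it,
    #    rather than rewriting every ACL in the tree.
    foreach ($entry in $broken) {
        icacls $entry.Path /inheritance:e /c
    }

    # 3. Verify: the list should now be empty.
    $after = @(Get-InheritanceBroken -Path $Root)
    Write-Host "Remaining after fix: $($after.Count)"
    $after | Format-Table -AutoSize
}
```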


When to Use “/inheritance:d” vs “/inheritance:r”

It’s worth briefly discussing the other switches so we know when and how to use them, even if they are used less commonly.

  • /inheritance:d
    • Disables inheritance on the object.
    • Copies currently inherited ACEs as explicit entries, preserving the effective permissions at that moment.
  • /inheritance:r
    • Disables inheritance.
    • Removes all inherited ACEs from the ACL, potentially locking users out if you rely on parent permissions.

Reset Inheritance

Completely resetting inheritance restores the default security settings on files and folders by replacing their explicit ACLs with the values inherited from the parent folder. This means any manually configured permissions will be removed, and the file/folder will inherit its permissions as if it were newly created in that location. It is commonly used to fix corrupted or undesired permissions by restoring the default inheritance and access settings.

icacls "C:\ExampleFolder" /reset /t /c /l

A couple of things to know about using “/reset”: you may need to take ownership first before resetting permissions, especially if access is denied:

takeown /R /F "C:\ExampleFolder"

Also, resetting inheritance removes explicit permissions and can temporarily restrict access until inheritance applies and you verify everything is correct. Depending on the size of your folder tree, this could take some time, so it’s better to perform this during off hours.


What are ACE and ACL?

An ACE (Access Control Entry) is an individual rule that defines the permissions granted or denied to a specific user or group (called a trustee) on a securable object like a file or folder. Each ACE contains crucial information such as a security identifier (SID) that identifies the trustee, an access mask specifying the allowed or denied rights (e.g., read, write, execute), and flags indicating whether the ACE applies to child objects through inheritance. ACEs control or audit access by specifying who can do what on an object and are the building blocks of ACLs.

An ACL (Access Control List) is a collection of ACEs associated with a securable object. It acts as an ordered list of these individual ACEs that collectively define the overall security policy for that object. For example, an ACL on a file might have several ACEs granting different users read or write permissions while denying others. There are two common types of ACLs:

  • Discretionary ACL (DACL), which explicitly allows or denies access
  • System ACL (SACL), which specifies audit rules for tracking access attempts

In short, the ACL is the overall list of permission entries, and each ACE within it is a discrete permission rule for a trustee on that object.

This relationship is fundamental in Windows NTFS security and is managed by tools like icacls, which modify the ACLs by adding, removing, or changing individual ACEs on files or folders.


Additional Notes

  • Be sure to run the Command Prompt as Administrator to have sufficient privileges.
  • The “/t” flag is essential for recursive application across all subfolders and files.
  • Use “/c” to prevent the command from stopping on errors, which is useful for large directories.
  • When inheritance is enabled, permissions from the parent folder’s ACL are applied automatically to children, marked with an “(I)” for inherited in permission listings.

Common Gotchas and Tips

  • Inherited vs explicit permissions: Even after turning inheritance back on, explicit ACEs can still override or add to inherited permissions, so the ACL may not look perfectly “clean.”
  • File‑only vs folder‑only inheritance: Flags like “(OI)” (object inherit) and “(CI)” (container inherit) control whether permissions flow to files, folders, or both, which explains why some files still differ.
  • Locked or in‑use files: Using “/c” ensures the command continues even if a file is locked; errors will still be reported in the console.
  • Combine with “takeown”: If a different owner prevents changes, scripts often pair “takeown” followed by “icacls /reset” or “/inheritance:e” to normalize problem trees.

I hope this guide and examples help you to understand how to use icacls to manage ACL inheritance on Windows systems effectively.

19 November 2022

Using a personalized domain with O365 Family

I want to start this post with the mention that Microsoft is going to be sunsetting this feature at the end of November 2023. So if this is something you are interested in… Hurry up as the opportunity is going away very soon. As per the Microsoft Support page (link):

“Starting November 30, 2023, Microsoft 365 Personal or Microsoft 365 Family subscribers will no longer be able to create a new personalized email address associated with their Outlook.com inbox,”

Associating and using a personal domain with my O365 Family plan to allow personalized email addresses is something that has really appealed to me, being that I live and work in the tech realm. However, to my disappointment, this feature is only officially supported by Microsoft through GoDaddy.

I personally do not want to have to switch registrars though. I’m quite happy with the folks that host my name servers and I will not budge on that. GoDaddy might be “ok” at best for a tech newb with zero experience. I personally have had bad experiences with them, and I find their constant attempts at upselling you at every click extremely annoying. So I was left trying to figure out how to still use my domain without switching registrars. Thankfully, thanks to the Internet, I was able to discover that someone had already solved my problem. I found a post on Reddit by u/khatarian that explained what I needed to do.

Reminder: While this does work, it is not officially supported.

1) Open Outlook.com in your browser, open ‘Settings’ and go to the ‘Premium’ settings.
Click the “Get started” button under ‘Personalized email address’.

2) Click the button “Get a domain”. A new window will open.

3) Copy the URL of the new window that opens, it will appear like: https://domainconnect.godaddy.com/v2/domainTemplates/providers/outlook.com/services/personalizedoutlookemail/apply?mxRecordValue=XXXXXXXXX&state=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.

The part that is needed is “mxRecordValue=XXXXXXXXX”. The XXXXXXXXX is a unique ID that Microsoft will check for during DNS verification. Save that in Notepad for later.

4) Go to your own personal site’s DNS settings and add the following values, replacing XXXXXXXXX with the value you retrieved in step 3.
Note: Your DNS manager may use different syntax for its entries. Please adapt these entries accordingly. The dot at the end is not a typo!

Name            | TTL    | Type  | Value
@               | 1 hour | MX    | 0 XXXXXXXXX.pamx1.hotmail.com.
@               | 1 hour | TXT   | v=spf1 include:outlook.com -all
autodiscover    | 1 hour | CNAME | autodiscover.outlook.com.
_dmarc          | 1 hour | TXT   | v=DMARC1; p=none;
_domainconnect  | 1 hour | CNAME | _domainconnect.gd.domaincontrol.com.
_outlook        | 1 hour | TXT   | XXXXXXXXX

FWIW – This is what the settings look like at NameCheap.com.

5) Return to your ‘Premium Settings’ in Outlook.com

6) Select and click the option “I already own a GoDaddy domain”.

7) Enter the personalized domain name that you used above and have configured the DNS entries for.

8) Click the “Sign in” button and then close the page it opens.

9) Woo-Hoo! You did it. It should now say that you are connected to the domain.

I’ve confirmed that it works for one of the domains I own. I couldn’t be happier. Now it’s time for you to do it before the end of November 2023!
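
Before going back to Outlook.com in step 5, you can check that all six records from the table resolve the way Microsoft expects. This is an added example, not part of the original post; $Domain and $MxToken are placeholders for your domain and the mxRecordValue copied in step 3.

```powershell
# Added example (not from the original post): verify the DNS records from
# the table above with Resolve-DnsName. $Domain and $MxToken are placeholders.
param(
    [string]$Domain  = "example.com",
    [string]$MxToken = "XXXXXXXXX"
)

function Test-OutlookDomainRecords {
    param([string]$Domain, [string]$MxToken)
    # One entry per row of the table; Prop is the Resolve-DnsName property
    # that carries the value for that record type.
    $checks = @(
        @{ Name = $Domain;                  Type = 'MX';    Prop = 'NameExchange'; Expect = "$MxToken.pamx1.hotmail.com" }
        @{ Name = $Domain;                  Type = 'TXT';   Prop = 'Strings';      Expect = 'v=spf1 include:outlook.com -all' }
        @{ Name = "autodiscover.$Domain";   Type = 'CNAME'; Prop = 'NameHost';     Expect = 'autodiscover.outlook.com' }
        @{ Name = "_dmarc.$Domain";         Type = 'TXT';   Prop = 'Strings';      Expect = 'v=DMARC1; p=none;' }
        @{ Name = "_domainconnect.$Domain"; Type = 'CNAME'; Prop = 'NameHost';     Expect = '_domainconnect.gd.domaincontrol.com' }
        @{ Name = "_outlook.$Domain";       Type = 'TXT';   Prop = 'Strings';      Expect = $MxToken }
    )
    foreach ($c in $checks) {
        # -DnsOnly skips the local cache so a freshly published record is seen.
        $answers = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq $c.Type }
        $values = @($answers | ForEach-Object { $_.($c.Prop) })
        [pscustomobject]@{
            Record   = "$($c.Type) $($c.Name)"
            Expected = $c.Expect
            Found    = ($values -join '; ')
            # Trailing dot is stripped so "host." and "host" compare equal.
            OK       = [bool]($values | Where-Object { $_ -and $_.TrimEnd('.') -ieq $c.Expect })
        }
    }
}

Test-OutlookDomainRecords -Domain $Domain -MxToken $MxToken | Format-Table -AutoSize
```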

26 September 2022

Microsoft | Learn

I decided to write a little bit about the Microsoft Learn portal. We all know that Microsoft is one (if not the) standard for many business applications and cloud offerings. They also offer certifications on their products from basic fundamentals all the way up to the expert level. But how do you learn, practice, and eventually master the skills/knowledge needed to either professionally use or become certified in any of the Microsoft family of technologies? Well, the answer is Microsoft Learn.

The Microsoft Learn portal can really meet all of your learning needs. It can provide you the documentation for any of their current product offerings. It can walk you through any of the Microsoft exams, and the skills they cover. Microsoft has put together self-paced training modules that you can use. And best of all, they basically offer some sort of module for everything they offer. If you are interested in learning anything Microsoft-related, then it really behooves you to start looking at the Microsoft Learn site to begin or supplement your learning materials.

There is so much knowledge that is just sitting there, waiting for you. If it’s a Microsoft product, and you’re interested in it, then Microsoft Learn is where you need to go!

30 May 2022

Enable/Disable Multiple RDP Sessions

So the caveat to this article is that this is specifically for Windows Servers. If you’re trying to enable multiple RDP sessions on Windows 10 or 11, you’ll need to do some further googling to find out how to do that – as this alone won’t be enough.

Enable Multiple RDP Sessions

  1. Log into the server you are trying to enable multiple Remote Desktop sessions on.
  2. Click on the start menu button, type “gpedit.msc” and open it.
  3. Navigate to ‘Computer Configuration’ -> ‘Administrative Templates’ -> ‘Windows Components’ -> ‘Remote Desktop Services’ -> ‘Remote Desktop Session Host’ -> ‘Connections’.
  4. Set “Restrict Remote Desktop Services users to a single Remote Desktop Services session” to ‘Disabled’.
  5. Double-click on “Limit number of connections” and set the value of the RD Maximum Connections allowed to ‘999999’.

Disable Multiple RDP Sessions

  1. Log into the server that allows multiple Remote Desktop sessions.
  2. Click on the start menu button, type “gpedit.msc” and open it.
  3. Navigate to ‘Computer Configuration’ -> ‘Administrative Templates’ -> ‘Windows Components’ -> ‘Remote Desktop Services’ -> ‘Remote Desktop Session Host’ -> ‘Connections’.
  4. Set “Restrict Remote Desktop Services users to a single Remote Desktop Services session” to ‘Enabled’.
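
To confirm what a server is actually configured for without opening the GPO editor, the two settings above can be read back from the Terminal Services policy key they are written to (fSingleSessionPerUser and MaxInstanceCount). This is an added example, not part of the original post; run it after a gpupdate.

```powershell
# Added example (not from the original post): report the state of the two
# policies set in the gpedit steps above. Values are read from the policy
# registry key, so "Not Configured" means the GPO does not set them.
function Get-RdpSessionPolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # fSingleSessionPerUser: 1 = policy Enabled (one session per user),
    # 0 = policy Disabled (multiple sessions allowed).
    $single = if ($null -ne $props.fSingleSessionPerUser) { [int]$props.fSingleSessionPerUser } else { 'Not Configured' }
    # MaxInstanceCount: the "Limit number of connections" value.
    $max    = if ($null -ne $props.MaxInstanceCount) { [int]$props.MaxInstanceCount } else { 'Not Configured' }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SingleSessionPerUser = $single
        MaxConnections       = $max
        MultipleSessions     = ($single -eq 0)
    }
}

Get-RdpSessionPolicy | Format-List
```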

26 May 2022

Disable IP autoconfiguration

I ran into this last week when I was helping someone “fix” their server. They couldn’t reach, or ping, their host, and when running an “ipconfig /all” command it was returning that the machine’s IP was ‘duplicate’.

Worth noting: sometimes when a server reports that its IP is a ‘duplicate’ it can be a DHCP mishap. It can happen when a server is assigned a static IP that is within a DHCP pool, and because there was no reservation, DHCP hands the IP out to some other machine. Thus two machines are trying to use the same, duplicate, IP address. When that happens you’ll need to resolve it by creating an IP reservation for the “correct” machine, and then releasing the IP from the machine that “incorrectly” took the IP from the pool so it can be assigned a new IP.

The machine I was fixing lived in a subnet that did not use DHCP and only had machines that were statically assigned their IPs. So the possible resolution mentioned above did not fit my scenario. So, what could it be? Well, if you have a static IP set and the DHCP Client service is enabled, Windows likes to give you an address on the 169.x.x.x network, which just breaks the IP traffic on your server. Here’s how to fix it…

Step 1. Open a command prompt.

Step 2. Enter

ipconfig /all

Find what your system’s preferred IP is and if autoconfiguration is enabled, and the name of the interface that they are on. You will need this for the next step.

Step 3. Enter

netsh interface ipv4 show interface

Find the index number that is assigned to the interface you identified in the step above, you will need it in the next step.

Step 4.

Run the command below, but replace ’69’ with the index number that you identified in the step above.

netsh interface ipv4 set interface 69 dadtransmits=0 store=persistent

Step 5. Enter

services.msc

Disable the DHCP Client service. If you ever revert from a static IP back to a DHCP IP, you will need to re-enable this service and set it back to automatic.

Step 6.

Restart your computer.
After your system reboots, its static IP should now be the correct IP you had configured on it, and your IP traffic to/from it should be back to normal.

Congratulations, autoconfiguration has been disabled.
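
Steps 2 to 5 above as one PowerShell script (an added example, not part of the original post): it looks the interface index up by adapter name instead of reading it off the netsh table, and shows the IPv4 address state before and after so you can see the ‘duplicate’ condition clear. “Ethernet” is an assumed adapter name; run it from an elevated prompt.

```powershell
# Added example (not from the original post). "Ethernet" is an assumed
# adapter name; run from an elevated prompt.
param([string]$AdapterName = "Ethernet")

function Show-Ipv4State {
    param([int]$IfIndex)
    # AddressState reports Duplicate/Tentative/Preferred. PrefixOrigin Manual
    # is your static address; WellKnown with SuffixOrigin Link is an
    # autoconfigured 169.x.x.x one.
    Get-NetIPAddress -InterfaceIndex $IfIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object IPAddress, PrefixOrigin, SuffixOrigin, AddressState
    Get-NetIPInterface -InterfaceIndex $IfIndex -AddressFamily IPv4 |
        Select-Object InterfaceAlias, Dhcp, DadTransmits
}

# Step 3: the index netsh wants, looked up by adapter name.
$ifIndex = (Get-NetAdapter -Name $AdapterName).ifIndex
"Before (interface index $ifIndex):"
Show-Ipv4State -IfIndex $ifIndex

# Step 4: the same netsh command as above, with the index filled in.
netsh interface ipv4 set interface $ifIndex dadtransmits=0 store=persistent
if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE)" }

# Step 5: disable the DHCP Client service. Re-enable it with
# Set-Service -Name Dhcp -StartupType Automatic if the box goes back to DHCP.
Set-Service -Name Dhcp -StartupType Disabled

"After (the address state is re-evaluated on the reboot in step 6):"
Show-Ipv4State -IfIndex $ifIndex
```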

8 May 2022

Was the file downloaded?

If you’re ever tracking down where a suspicious file came from, it can be hard to determine if it was downloaded off of the “dirty” internet, or if someone actually created the file locally on the machine. Well, if you know how to check the file’s alternate data stream, it actually becomes pretty easy to determine if it was in fact downloaded. You don’t know what the alternate data stream is, or how to check? We can fix that.

First a little background. The “Zone.Identifier alternate data stream” is often referred to as the Mark-of-the-Web (MOTW). The MOTW was actually a security feature first introduced by Internet Explorer for determining how to run saved HTML webpages. It has since been extended to many other file types. Whenever a file is downloaded, your browser implements MOTW by utilizing a feature of the NTFS file system called the alternate data stream (ADS) to associate a data stream with that file. The browser creates an ADS called “Zone.Identifier” and then adds the ZoneId to the stream to specify where the file came from. The ADS will be <file>:Zone.Identifier.

The ZoneId can have the following values:

  • 0. Local Computer
  • 1. Local Intranet
  • 2. Trusted Sites
  • 3. Internet
  • 4. Restricted Sites

Enough of the background… Let us get back to the hands-on part.

To check the file’s ADS and ZoneId from a command prompt, use the following syntax. The file we’re going to check is named file.ext:

notepad file.ext:Zone.Identifier

Alternatively, to check the file with PowerShell, use either of the following cmdlets.

Get-Item .\file.ext -Stream *
Get-Content .\file.ext -Stream Zone.Identifier
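
The same check run over a whole folder, as an added example that is not part of the original post: it reads each file’s Zone.Identifier stream (skipping files that have none), parses the ZoneId and maps it to the names listed above, so files that came from the Internet zone stand out. $Folder is an assumption.

```powershell
# Added example (not from the original post): list files under $Folder that
# carry a Zone.Identifier ADS and decode the ZoneId. $Folder is an assumption.
param([string]$Folder = ".")

# ZoneId values as listed above.
$ZoneNames = @{ 0 = "Local Computer"; 1 = "Local Intranet"; 2 = "Trusted Sites";
                3 = "Internet";       4 = "Restricted Sites" }

function Get-MarkOfTheWeb {
    param([string]$Path)
    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse -Force) {
        # Get-Item -Stream errors when the stream is absent; treat that as "no MOTW".
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $stream) { continue }

        # The stream is INI-style text: a [ZoneTransfer] section with ZoneId=N
        # (browsers may also write ReferrerUrl= and HostUrl= lines).
        $text   = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
        $fields = @{}
        foreach ($line in ($text -split "`r?`n")) {
            if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        $zoneId = $fields['ZoneId'] -as [int]   # $null if missing or malformed

        [pscustomobject]@{
            File    = $file.FullName
            ZoneId  = $zoneId
            Zone    = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { "Unknown" }
            HostUrl = $fields['HostUrl']
        }
    }
}

Get-MarkOfTheWeb -Path $Folder | Sort-Object ZoneId -Descending | Format-Table -AutoSize
```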

2 May 2022

Search GPO Settings

So if you know anything about managing Windows systems then you know about GPOs. In my honest opinion, GPOs are one of the greatest tools available in Windows. GPOs let you administratively manage all aspects of your computers. You can literally set about 99.9999% of any settings you ever wanted to configure on a computer.

One of the things that makes GPOs so great is that they are expandable: you can add new administrative templates as you add new software to the workstations in your domain. So not only can you manage just about any Microsoft or Windows setting, but you can also add in templates for third-party software from most of the big software vendors and enterprise applications, as well as add new templates when Microsoft releases new OSes and software.

The biggest downside of GPOs is that they can feel like a daunting wall when you first get started implementing them simply because there are sooo many settings that you can potentially configure – where to begin!?! And how do you figure out where to set some of those really odd settings. Well don’t worry, I don’t know anyone that remembers exactly where each setting is. For me, there are two resources that I regularly use to help me find the settings that I want to configure.

1 – https://gpsearch.azurewebsites.net/

This is an official Microsoft tool that lets you search all of the various settings that are available to you in all Microsoft products. It’s a great resource to find where things are set just by using a keyword. Think of it as “Bing” (or “Google”) for GPOs. Out of these two links, this site is the easiest to navigate when looking specifically for Microsoft and Windows settings.

2 – https://admx.help/

This site includes all of the Microsoft settings, but where it really shines is all of the third-party software settings it has indexed for you. If you need to figure out where to set something in Chrome or Adobe or any other software, this site has you covered.

3 – https://reg2ps.azurewebsites.net/

So this last site is just a bonus as it is not exactly a GPO site, but it comes in handy. It’s a way to convert registry settings into PowerShell commands that you can run. Paste your reg key into it and it will spit out the corresponding PS command for it.

24 February 2022

Changing Your Password from an RDP Session

So here’s the scenario: you’ve RDP-ed into a server and you want to change your password. You try to hit CTRL+ALT+DEL but instead of it getting sent to the remote computer, it opens on your local machine. Blah! That is not what we want… How do we get to a place where we can change the password for the account that was used in the RDP session?

One way to send it within the RDP session is to launch the on-screen keyboard. To launch it, simply click on the ‘Start Menu’ and type “osk”, then click on the result to open the keyboard. With the OSK on screen, press and hold “CTRL+ALT” on your physical keyboard, and click “DEL” on the virtual keyboard button.

The easiest way to bring up the menu from where you can change your password is to press CTRL+ALT+END in the RDP window. Now if you are RDP-ed from a Mac, you’ll need to press CTRL+ALT+Fn+Backspace or CTRL+ALT+Fn+Right-Arrow to bring up the menu.

5 January 2022

Reset password on locked-out Domain Admin

Sometimes things happen and a password gets forgotten or lost, or in the worst case it wasn’t updated in your password management tool after it was changed. We’ve likely all had to bug another admin to reset our password for one system or another. It happens. But what happens if you are the lone Domain Admin and lock yourself out? Luckily, there is a way to get back in if you do get locked out.

  • Download the Windows Server 2016 ISO.
  • Attach the ISO to your DC virtual machine.
  • Reboot the VM into the ISO
  • Select: Repair your Computer -> Troubleshoot -> Command Prompt
  • At the command prompt, run the following commands:
cd c:\Windows\System32
ren osk.exe osk.old
copy c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe osk.exe
  • Reboot the Server.
  • Launch the on-screen keyboard; PowerShell will open instead.
  • At the PowerShell prompt, run the following command, replacing <PASSWORD> with the password of your choice:
Net user Administrator <PASSWORD>
  • Revert file changes in your System32 folder, renaming ‘osk.old’ back to ‘osk.exe’.

And there you have it folks, you are now able to log back in with your Domain Admin account. This works because while the DC does not have a local Administrator account, it somehow realizes that and resets the Domain Admin. Yes it is a little bit of black magic fuckery in that regard… But it worked and got you back in, so who are we to complain.

30 December 2021

Open and Extract .tar files on Windows

What I’m about to say might be a surprise to you… But you don’t need to install any sort of 3rd party software (like 7zip or WinZip) to extract tarball files on Windows. Windows 10 actually has the functionality built-in. I know, I was just as surprised to learn about it as you are. From the command line, you can use the “tar” command to easily extract .tar, .gz, or .tar.gz files.


For folks out there that don’t know:

  • A tarball file, ‘.tar’, is just a type of archive file: basically a collection of files that have been merged into one single file.
  • Gzip files, ‘.gz’, are a type of compressed file, used to save on the amount of space a file takes up on the hard drive.
  • If you’re following along, you’ll already have realized that a ‘.tar.gz’ file is just a compressed archive file.

Here’s how to extract your tarball file in Windows 10.

Open the ‘Start Menu’ and search for “cmd”. Right-click on “Command Prompt” and select “Run as administrator”.

Enter the following command inside the window.

tar -xvzf "Path to file" -C "Path to destination"

Example:

tar -xvzf C:\Source\file.tar.gz -C C:\Destination\

This example will extract the contents of the ‘file.tar.gz’ file from the “C:\Source\” folder to the “C:\Destination\” folder.
Note: Make sure the ‘-C’ parameter before the destination path is uppercase.

The parameters explained:

  • x — instructs tar to extract the archived content.
  • v — verbose mode. This is optional and displays the extraction progress. Otherwise, you will only see a blinking cursor until the process is complete.
  • z — instructs tar to uncompress the content with gzip.
  • f — gives tar the name of the file you’re about to extract.
  • C — uppercase and with a hyphen, this tells tar to change to the specified folder before extracting.
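
One thing worth doing with an archive from a source you do not control is to list its members with the same built-in tar before extracting, because a member named with an absolute path or “..” would be written outside the destination folder. This is an added example, not part of the original post; $Archive and the destination are assumptions.

```powershell
# Added example (not from the original post): list the archive with the
# built-in tar and refuse to extract if any member would escape the
# destination. $Archive and the destination path are assumptions.
param([string]$Archive = "C:\Source\file.tar.gz")

function Get-UnsafeTarEntries {
    param([string]$Path)
    # -t lists the members without extracting them; -z handles the gzip layer.
    $entries = & tar -tzf $Path 2>$null
    if ($LASTEXITCODE -ne 0) { throw "tar could not read $Path" }
    foreach ($e in $entries) {
        $norm = $e -replace '\\', '/'
        # Absolute paths ("/x" or "C:/x") and any ".." path component are unsafe.
        $unsafe = ($norm -match '^(/|[A-Za-z]:)') -or (($norm -split '/') -contains '..')
        if ($unsafe) { $e }
    }
}

$bad = @(Get-UnsafeTarEntries -Path $Archive)
if ($bad.Count -gt 0) {
    Write-Warning "Not extracting; $($bad.Count) member(s) would land outside the destination:"
    $bad | ForEach-Object { Write-Warning "  $_" }
} else {
    # Same command as the example above, run only after the listing checked out.
    tar -xvzf $Archive -C "C:\Destination\"
}
```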