Windows Permissions

author: Nathan Acks
date: 2022-04-22

Windows access is default-deny.

Windows folder permissions:

Windows file permissions:

The biggest differences between Windows and UNIX permissions:

As much as it pains me to say it, in many ways the Windows permission mode is much better than the (pre-ACL) Linux model.

Checking Permissions

Use icacls or Get-Acl $PATH | Format-List in PowerShell to check permissions at the command line. The icacls tool can also be used to update Windows ACLs.

Both of these tools produce output that is somewhat different than that of the “Security” tab in the file or folder properties:

Note that the Windows File Explorer only displays the first ACL for a particular user or group, but that Windows allows multiple ACLs to be applied! This means that the File Explorer does not always show you the actual permissions a user/group will have - you really do need to use icacls or Get-Acl.

In the case of multiple ACLs, or when a user is part of two groups with different groups, keep in mind that allow permissions only override inherited deny permissions. Explicitly set deny permissions cannot be overridden.

Common User Types

Note that non-admin domain users may still be local admins.