How to use icacls and takeown to troubleshoot permissions issues in Windows

Last update: 26/06/2025
Author Isaac
  • Control of permissions and ownership in Windows is key to security and access to files and folders.
  • The icacls and takeown commands allow you to recover, reset, and modify permissions of affected files in bulk and securely.
  • Proper use of these utilities prevents loss of access and avoids the need for reinstallations or external tools.

Many Windows users have at some point encountered the dreaded "access denied" message when trying to open, modify, or delete files and folders on their systems. Permissions issues can become real headaches, especially when they affect folders with thousands of files, external drives, or after reinstallations and ownership changes. Fortunately, tools like icacls and takeown offer powerful solutions to regain control without resorting to third-party programs and avoiding unnecessary reinstallations.

This article comprehensively and practically covers how to use these commands to fix file permissions and ownership in all types of scenarios. We include warnings, detailed examples, recommended combinations, and behavioral differences across Windows versions, all clearly explained so you can resolve any such problem yourself.

Why do permissions fail in Windows?

On Windows systems, security is based on permissions and ownership of files and folders. If accidental changes, file copies between users, or lockouts after using encryption like BitLocker leave some of your information inaccessible, you'll see error messages when trying to access it, even as an administrator.

These problems usually arise because the current user is not the owner of the files, or because the NTFS permissions (NTFS being the standard secure Windows file system) have become misaligned or contain corrupted entries.

Tools to repair permissions: main commands

Windows includes two main utilities to deal with these scenarios:

  • takeown: Allows you to change the ownership of files and folders to the current user or the Administrators group, a prerequisite for changing permissions (especially when you can't access the folder even as an administrator). You can learn more in this guide on managing NTFS permissions.
  • icacls: This is the most advanced and flexible command for resetting, modifying, exporting, and importing NTFS permissions on files and folders. It can be run in bulk and recursively.

Warnings before modifying permissions

Before you start changing file ownership or permissions, you should be very clear about what you're changing. Never use these commands on operating system folders or files (for example, the Windows or Program Files folder), as this could render your system unusable or create serious vulnerabilities.

Also, whenever possible, back up your most important files, and if you're dealing with servers or shared drives, consider exporting existing ACLs (access control lists) using icacls first so you can restore them later in case of problems.

How to take ownership of files and folders with takeown

The first step in the event of an access error is usually to assign ownership of the affected resource. This is done with the takeown command, which should always be run in a command prompt window opened as administrator.

The basic syntax is:

takeown /f "folder_or_file_path" /r /d S

This takes ownership of the given folder; with the /r /d S options it does so recursively (including subfolders and files) and suppresses the confirmation prompts.

For example, for a folder named “locked_folder” in the root of the C drive:

takeown /f "C:\locked_folder" /r /d S

If you want ownership to be assigned to the Administrators group instead of the current user, use the /a parameter:

takeown /a /r /d S /f D:\SYSADMIT

Remember that if your system is in English, the confirmation option will be '/d Y'.

Restore and modify NTFS permissions with icacls

Once the correct user or group owns the folder, you can reset or assign the correct permissions using icacls. This command is extremely powerful and offers a multitude of options for modifying access rights, reviewing, exporting, or restoring previous configurations.

To reset all permissions to their default state on a folder (and everything in it), use:

icacls "C:\locked_folder" /T /Q /C /RESET

Where:

  • /T executes the change on all files and subfolders.
  • /Q suppresses success messages.
  • /C continues on errors without interruption.
  • /RESET resets access control lists (ACLs) to the inherited defaults.

This process may take several minutes if there are many files and folders inside. Don't worry if the command window doesn't appear to be progressing; the command is still working in the background.

Restoring Permissions Safely: Best Practices

It's recommended to apply the commands first as a test, or start with small folders before working on entire volumes or external drives. If you have an affected external hard drive after removing encryption or copying files from another system, you can proceed as follows:

  1. Open the command prompt as administrator (search for “cmd”, right-click, Run as administrator).
  2. Take ownership of the root of the affected disk, for example if it is drive G:
     takeown /f G:\* /r /d S
  3. Change to the drive in the console (type G: and press Enter).
  4. Reset permissions on all files and folders:
     icacls * /T /Q /C /RESET

After the command completes, you should be able to access, move, and delete files normally.

Customizing permissions with icacls

icacls allows for much more than just resetting. You can grant or deny specific permissions to users or groups, modify owners, disable inheritance of permissions, and save or restore complete configurations.

  • Assign full control to administrators on a folder:
    icacls "D:\my_folder" /grant administrators:F /T
  • Assign read-only or execute permissions to specific users:
    icacls "D:\my_folder" /grant pepito:RX /T
  • Remove inheritance and assign new permissions:
    icacls "C:\test" /inheritance:r /grant:r DOM\All:(OI)(CI)(F)
  • See what permissions a folder has:
    icacls "C:\test"

The /grant argument assigns permissions, /deny explicitly denies them, and multiple assignments can be combined for different users or groups.

For example, to give Full control to administrators and only Modify to one user:

icacls "C:\test" /grant:r DOM\Administrators:(OI)(CI)F /grant:r DOM\pepe:(OI)(CI)M /T

Export and import access control lists (ACLs)

Before making massive changes, it is highly recommended to save the current state of the permissions. You can export the ACLs of a folder and its subfolders like this:

icacls "C:\test\*" /save "C:\acl-backup\ACL_backup.txt" /T

And later, if any problems arise or you need to restore the original permission settings:

icacls "C:\test" /restore "C:\acl-backup\ACL_backup.txt"

This is especially useful on file servers, where misconfigured permissions can disrupt access for dozens or hundreds of users.
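The warnings, the takeown and icacls /RESET steps, and the ACL export described above can be combined into one guarded routine. This is an added example, not code from the original article: the function names `Test-ProtectedPath` and `Reset-FolderAcl` and the `-Answer` parameter are hypothetical, and the sample paths are the ones the article uses.

```powershell
#Requires -RunAsAdministrator
# Added example. Test-ProtectedPath and Reset-FolderAcl are hypothetical helper names.

function Test-ProtectedPath([string]$Full) {
    # True when the target is inside, or is a parent of, a system folder.
    $t   = $Full.TrimEnd('\') + '\'
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($p in $env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if (-not $p) { continue }
        $p = $p.TrimEnd('\') + '\'
        if ($t.StartsWith($p, $cmp) -or $p.StartsWith($t, $cmp)) { return $true }
    }
    return $false
}

function Reset-FolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,        # absolute path, e.g. C:\locked_folder
        [Parameter(Mandatory)][string]$BackupFile,  # e.g. C:\acl-backup\ACL_backup.txt
        [string]$Answer = 'Y'                       # value for takeown /d; the article's system uses S
    )
    $full = [System.IO.Path]::GetFullPath($Path)
    # Drop a trailing backslash (except on a drive root) so quoting cannot break the argument.
    if ($full.Length -gt 3) { $full = $full.TrimEnd('\') }
    if (Test-ProtectedPath $full) { throw "Refusing to touch system location: $full" }
    if (-not $PSCmdlet.ShouldProcess($full, 'take ownership, save ACLs, reset ACLs')) { return }

    # 1. Ownership first: an owner implicitly holds the right to read and change permissions.
    & takeown.exe /f $full /r /d $Answer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # 2. Export the current ACLs before they are overwritten.
    & icacls.exe ($full.TrimEnd('\') + '\*') /save $BackupFile /T /C /Q
    if ($LASTEXITCODE -ne 0) { throw 'ACL export failed; nothing was reset' }

    # 3. Only now reset to the inherited defaults.
    & icacls.exe $full /T /Q /C /RESET
    if ($LASTEXITCODE -ne 0) { Write-Warning 'icacls /RESET reported errors' }
}

# Dry run: reports what would be done without changing anything.
Reset-FolderAcl -Path 'C:\locked_folder' -BackupFile 'C:\acl-backup\ACL_backup.txt' -WhatIf
```

Remove `-WhatIf` to apply the changes; the saved file can then be fed back with `icacls "C:\locked_folder" /restore` as shown above.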

Understanding NTFS Permissions and Masks

When assigning permissions with icacls, you can specify both simple permissions (F, M, RX, R, W, D) and advanced combinations (DE, RC, WDAC, WO, S, AS, MA, etc.). For example:

  • N – No access
  • F – Full control
  • M – Modify
  • RX – Read and Execute
  • R – Read only
  • W – Write Only
  • D – Delete

Additionally, there are inheritance options to define how inheritance is applied to folders, files, or both: (OI) for objects, (CI) for containers, (IO) for inheritance only, (NP) for no inheritance propagation, etc. A combined example:

icacls "C:\documents" /grant "users:(OI)(CI)M" /T
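To read what `icacls "C:\test"` prints in terms of the codes and inheritance flags above, the following added example (not part of the original article) parses each access control entry and states which objects it applies to. The function name `ConvertFrom-IcaclsOutput` is hypothetical and the sample output is constructed, not captured from a real system.

```powershell
# Added example: decode ACEs as printed by icacls for a folder.
$Rights = @{ N='No access'; F='Full control'; M='Modify'; RX='Read and execute'
             R='Read-only'; W='Write-only'; D='Delete' }   # simple rights from the list above
$Flags  = 'OI', 'CI', 'IO', 'NP', 'I'                       # inheritance markers; (I) = inherited

function ConvertFrom-IcaclsOutput {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string[]]$Line)
    foreach ($l in $Line) {
        # The first output line starts with the path; the rest are indented ACEs.
        if ($l.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) {
            $l = $l.Substring($Path.Length)
        }
        # principal:(flag)...(rights); rights may also be bare, as in /grant syntax.
        if ($l.Trim() -notmatch '^(?<who>[^:]+):(?<par>(\([^()]+\))*)(?<bare>[A-Za-z,]+)?$') { continue }
        $who    = $Matches['who']
        $tokens = @([regex]::Matches($Matches['par'], '\(([^()]+)\)') |
                    ForEach-Object { $_.Groups[1].Value })
        if ($Matches['bare']) { $tokens += $Matches['bare'] }
        $set   = @($tokens | Where-Object { $Flags -contains $_ })
        $codes = @($tokens | Where-Object { $Flags -notcontains $_ -and $_ -ne 'DENY' })
        # (IO) removes the object itself; (CI) adds subfolders; (OI) adds files.
        $scope = @()
        if ($set -notcontains 'IO') { $scope += 'this object' }
        if ($set -contains 'CI')    { $scope += 'subfolders' }
        if ($set -contains 'OI')    { $scope += 'files' }
        if ($set -contains 'NP')    { $scope += 'direct children only' }
        [pscustomobject]@{
            Principal = $who
            Type      = if ($tokens -contains 'DENY') { 'Deny' } else { 'Allow' }
            Inherited = $set -contains 'I'
            AppliesTo = $scope -join ', '
            Rights    = (($codes -join ',') -split ',' | ForEach-Object {
                            if ($Rights.ContainsKey($_)) { $Rights[$_] } else { $_ } }) -join ', '
        }
    }
}

$sample = @(   # constructed sample output
    'C:\test BUILTIN\Administrators:(OI)(CI)(F)'
    '        DOM\pepe:(OI)(CI)(M)'
    '        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)'
    '        BUILTIN\Users:(I)(CI)(IO)(RX)'
)
ConvertFrom-IcaclsOutput -Path 'C:\test' -Line $sample | Format-Table -AutoSize
```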

Troubleshooting locked system files

Sometimes the problem isn't just NTFS permissions, but system files that are corrupted or protected by Windows. In these cases, it's recommended to first run sfc /scannow:

sfc /scannow

This command checks and attempts to repair essential Windows files. If you find messages about files that weren't fixed, you can check the generated log:

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log > "%userprofile%\Desktop\sfcdetails.txt"

If you need to replace damaged files that couldn't be repaired automatically, you'll need to take ownership and grant permissions to the specific file using the takeown and icacls commands, respectively, before you can replace them with healthy copies from another system.

Advanced options: SID substitution, verification, and inheritance

icacls allows advanced features such as replacing old SIDs with new ones (useful in domain migrations), checking the status of ACLs (/verify), search for references to specific SIDs (/findsid) and control inheritance (/inheritance:e|d|r).

For example, to remove inheritance and set only the permissions you assign to be effective:

icacls "C:\test" /inheritance:r /grant:r Administrators:(OI)(CI)F /T

Practical example: recovering access to an external drive after removing BitLocker

Suppose that after decrypting an external drive, you continually see the message "You currently don't have permission to access this folder." The solution would be:

  1. Open cmd as administrator.
  2. Run takeown /f X:\* /r /d S (where X is the drive letter).
  3. Change drive in the console (type X:).
  4. Run icacls * /T /Q /C /RESET within the drive.

Once finished, you'll have full access again and be able to open the files without errors.

When you shouldn't use takeown or icacls

If the permissions issue affects a system folder or files protected by Windows, you should be very careful, as forcing changes can break the system or leave it vulnerable. On production servers, always make backups beforehand and, if possible, make changes first in a test environment.

Mastering takeown and icacls can save you many hours of frustration and manual work, especially on volumes with thousands of files. Always remember to use them with caution, fully understand the permissions structure, and avoid making massive changes to the operating system unless absolutely necessary and you know what you're doing. If you follow these steps and recommendations, you can regain control over locked files and folders, optimizing the security and functionality of your Windows system.