Using Icacls to Show Which Files Users or Groups Can Access

Q: How can I get a report of all the files on a server that a given user or group has access to?

A: You can get such a report by using the Icacls tool in Windows Vista and Windows Server 2003 SP2. Icacls is the new enhanced version of Cacls, which is now deprecated. Run the command

Icacls c:\*.* /findsid acme\salesreps /T /C

which tells Icacls to search the ACL of each file starting at the root of the C drive and report any access control entries (ACEs) in which acme\salesreps is the subject. The /T switch tells Icacls to recurse from the root down so that the entire volume is analyzed. The /C switch tells Icacls to keep searching if it encounters any errors on files that you don't have Read access to. For more information about Icacls, see Toolbox, "Icacls," May 2007,

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.