Why can't I remove a group from a file if it is being denied read permission even though I have read permission from my account, am part of the Administrators group, and I'm running icacls from an elevated command prompt?
This will remove the "Users" group just fine:
copy a b
icacls b /inheritance:d
icacls b /remove:g "Users"
Result: The file no longer has the "Users" group.
But if I remove read access then the group cannot be removed by icacls:
copy a b
icacls b /inheritance:d
icacls b /deny "Users":r
icacls b /remove:g "Users"
Result: The file still has the "Users" group.
To work around this I have to grant a group "full" permission first and then use /remove to guarantee that the group will be removed. But this feels like a vulnerability as a particular group will, briefly, have full access.
Best Answer
You're using the wrong switch. You need to use
/remove:d
When a group has been denied permissions, there are no rights for the
/remove:g
switch to remove. Alternately, to remove any permissions assigned to the group, whether they are grant or deny, use:
/remove
Summary
/remove:g removes rights that are (G)ranted
/remove:d removes rights that are (D)enied
/remove removes all rights
More information about Icacls switches can be found on TechNet.
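As an added example (not part of the question or the answer), this PowerShell script reproduces the sequence from an elevated session and inspects the remaining ACEs with Get-Acl, so the deny entry is cleared with /remove:d (or /remove) and verified, without the temporary full-control grant. The file paths are constructed, and the group lookup assumes an English Windows where the group resolves to BUILTIN\Users.

```powershell
# Added example: reproduce the deny/remove behaviour and verify the ACL afterwards.
# Assumes an elevated PowerShell session and an English Windows (group = BUILTIN\Users).
$src = "$env:TEMP\icacls-demo-a.txt"   # constructed paths
$dst = "$env:TEMP\icacls-demo-b.txt"
Set-Content -Path $src -Value 'demo'
Copy-Item -Path $src -Destination $dst -Force

function Get-UsersAces {
    param([string]$Path)
    # Return the explicit ACEs on $Path whose trustee is the Users group.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights
}

# Break inheritance so the file carries only explicit ACEs.
icacls $dst /inheritance:d | Out-Null
# Add an explicit Deny-read ACE for Users (the situation in the question).
icacls $dst /deny "Users:R" | Out-Null
"Before removal:"; Get-UsersAces $dst

# /remove:g strips only Allow (grant) ACEs, so the Deny ACE survives this call.
icacls $dst /remove:g "Users" | Out-Null
"After /remove:g (deny ACE still present):"; Get-UsersAces $dst

# /remove:d strips Deny ACEs; plain /remove would strip both kinds at once.
icacls $dst /remove:d "Users" | Out-Null
"After /remove:d:"; Get-UsersAces $dst

# Confirm nothing for Users remains before treating the change as complete.
if (Get-UsersAces $dst) {
    Write-Warning "Users still has an ACE on $dst"
} else {
    "No ACE for Users remains on $dst"
}

Remove-Item $src, $dst -Force
```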