Master Windows File Permissions with icacls: From Basics to SSH Key Fixes

Learn how to use the Windows icacls command-line tool to view, modify, and batch-process file and folder permissions, including fixing insecure SSH private key permissions, disabling inheritance, granting or removing rights, and automating permission changes via scripts.

Ops Development & AI Practice

On Windows, file and directory permissions can be managed via the graphical interface, but scripting and bulk changes require a command‑line tool. icacls provides scriptable control over Access Control Lists (ACLs).

Why use icacls

icacls is the successor to the older cacls utility. It supports batch permission changes, precise ACL manipulation, and full command‑line operation, making it suitable for automation and complex scenarios.

Basic usage

View permissions

icacls <file_or_folder_path>

Example:

icacls D:\id_rsa

Modify permissions

Grant permission: /grant user:perm
Remove permission: /remove user_or_group
Disable inheritance: /inheritance:r
Enable inheritance: /inheritance:e

Common permission flags:

F – Full control
M – Modify
RX – Read & execute
R – Read
W – Write

Grant read permission to the current user:

icacls D:\id_rsa /grant %USERNAME%:R

Remove the Administrators group:

icacls D:\id_rsa /remove "BUILTIN\Administrators"

Fixing SSH private‑key permission warnings

When an SSH private key (e.g., id_rsa) is too permissive, SSH aborts with a warning similar to:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for '.\id_rsa' are too open.
This private key will be ignored.
Load key ".\id_rsa": bad permissions

Use icacls to restrict the file so that only the current user can read it.

Steps

Open PowerShell or Command Prompt.

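Run the following commands (replace D:\id_rsa with the actual key path). They are written in PowerShell syntax ($path, $env:USERNAME); in Command Prompt, substitute the literal path and %USERNAME%: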

$path = "D:\id_rsa"
icacls $path /inheritance:r               # disable inheritance
icacls $path /grant:r "$($env:USERNAME):(R)"  # grant read to current user
icacls $path /remove "NT AUTHORITY\SYSTEM"    # optional: remove SYSTEM
icacls $path /remove "BUILTIN\Administrators" # optional: remove admins

Retry the SSH connection; the warning should disappear.

Batch processing

icacls supports recursive operations with the /T switch, allowing bulk permission changes across a directory tree.

icacls <folder_path> /grant <username>:<perm> /T

Example: grant read permission to all files under D:\keys for the current user.

icacls D:\keys /grant "%USERNAME%:R" /T
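The SSH key steps and the batch example above, combined as an added example that is not part of the original article: a recursive /grant only adds an entry for the user and leaves existing entries in place, so this applies the full lockdown to each key file and reports what remains. The function name Repair-KeyAcl, the id_* filter and the D:\keys folder are assumptions.

```powershell
# Added example, not from the original article. Repair-KeyAcl is a hypothetical name.
function Repair-KeyAcl {
    param(
        [Parameter(Mandatory)][string]$Folder,  # assumed: folder holding private keys
        [string]$Filter = 'id_*'                # assumed naming pattern for key files
    )
    # DOMAIN\user form avoids ambiguity between local and domain accounts.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    Get-ChildItem -LiteralPath $Folder -File -Filter $Filter |
        Where-Object Extension -ne '.pub' |     # public keys need no lockdown
        ForEach-Object {
            $file = $_.FullName
            # Same sequence as the steps above: drop inherited entries, then
            # replace any explicit grant for the current user with read-only.
            icacls $file /inheritance:r | Out-Null
            icacls $file /grant:r "${me}:(R)" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $file"; return }

            # Remove every remaining entry that is not the current user. The article
            # treats SYSTEM and Administrators as optional; this removes them too.
            foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
                $who = $ace.IdentityReference.Value
                if ($who -eq $me) { continue }
                if ($who -like 'S-1-*') { $who = "*$who" }  # icacls wants *SID for raw SIDs
                icacls $file /remove "$who" | Out-Null
            }

            # Verify by re-reading the ACL so a failed removal is visible.
            $left = (Get-Acl -LiteralPath $file).Access |
                Where-Object { $_.IdentityReference.Value -ne $me }
            [pscustomobject]@{
                File      = $file
                Locked    = -not $left
                Remaining = ($left.IdentityReference.Value -join ', ')
            }
        }
}

Repair-KeyAcl -Folder 'D:\keys'
```

Any file reported with Locked = False still has entries for other principals, which usually means the current user is not the file's owner and could not change the ACL.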

Summary

icacls is a powerful command‑line utility for precise, scriptable file‑system permission management on Windows. It is especially useful for fixing insecure SSH key permissions, performing bulk updates, and any scenario where the GUI lacks the required granularity.
