Reputation: 6490
I am trying to amend the ACL on a file using icacls. I want this file to be owned by Administrator and be accessible to Administrator only. I found out how to make administrator the owner of the files, and I know how to remove a group from the security list but I don't know how to remove all groups but the administrator group if I don't know the name of the other groups.
I am looking for a way to tell Windows that I only want to let Administrator access the file and remove any other user/group if there is any.
I tried using the wildcard character but it doesn't work.
Here's my script:
$domain = [Environment]::UserDomainName
$user = [Environment]::UserName
# Make the current user the owner of this script file
icacls $myinvocation.mycommand.path /setowner "$domain\$user" /T
# /grant needs a permission spec after the principal; ":F" is full control.
# The backtick stops PowerShell from reading "$user:" as a scope prefix.
icacls $myinvocation.mycommand.path /grant "$domain\$user`:F"
# Show the resulting ACL
icacls $myinvocation.mycommand.path
Upvotes: 2
Views: 12170
Reputation: 37202
In theory, you can use :r after grant (see Docs). However, in practice I couldn't make this work. I think :r means "Replace permissions only for the specified user".
I've tested the following solution in PowerShell and it works fine though.
# The principal to grant, using the same variables as in the question
$domain = [Environment]::UserDomainName
$user = [Environment]::UserName
# Reset the folder to just its inherited permissions
icacls c:\temp\test /reset
# Then, disable inheritance and remove all inherited permissions
icacls c:\temp\test /inheritance:r
# Note the :r after grant. It's not now needed, but I've left it in anyway.
# Permissions replace previously granted explicit permissions.
# Also note the :F, where : is escaped with `. This grants FULL CONTROL.
# You can replace F with whatever level of control is required for you.
icacls c:\temp\test /grant:r $domain\$user`:F
Upvotes: 5
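The same three steps (reset, strip inheritance, grant one principal) as a stand-alone script that also checks the result, so a stray ACE does not go unnoticed. This is an added example, not code from the question or the answer; the sample file path, the Invoke-Icacls helper and the default principal (the current user) are assumptions of the example.

```powershell
# Added example: restrict a file to a single principal with icacls, then verify the
# ACL with Get-Acl. Not from the question or the answer; the path is a constructed sample.
param(
    [string]$Path = (Join-Path $env:TEMP 'icacls-lockdown-sample.txt'),
    [string]$Principal = "$([Environment]::UserDomainName)\$([Environment]::UserName)"
)

# icacls reports failures through its exit code, so wrap it to fail fast.
function Invoke-Icacls {
    param([string[]]$Arguments)
    icacls @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Constructed sample file so the script runs on its own.
Set-Content -Path $Path -Value 'sample content'

# 1. Reset the file to its inherited permissions only, dropping explicit ACEs.
Invoke-Icacls @($Path, '/reset')
# 2. Disable inheritance and remove the inherited ACEs (:r = remove).
Invoke-Icacls @($Path, '/inheritance:r')
# 3. Take ownership, then grant the one principal full control.
#    ${Principal} keeps PowerShell from parsing "$Principal:" as a scope prefix.
Invoke-Icacls @($Path, '/setowner', $Principal)
Invoke-Icacls @($Path, '/grant:r', "${Principal}:F")

# Verify: after the steps above, every remaining ACE must belong to $Principal.
$acl = Get-Acl -Path $Path
$foreign = @($acl.Access | Where-Object { $_.IdentityReference.Value -ne $Principal })
if ($foreign.Count -gt 0) {
    Write-Warning "Unexpected entries remain on $Path :"
    $foreign | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    exit 1
}
Write-Output "$Path is owned by $($acl.Owner) and accessible only to $Principal"
```

Two things to keep in mind when using it: /setowner to a principal other than yourself requires an elevated session, and Get-Acl reports identities in canonical form (for example BUILTIN\Administrators), so pass the principal in that form or the verification will flag it as foreign.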