There are many GUI and command line tools kicking around that can be used to list, export, change permissions on Windows file systems. Here are my three favourites with some useful command line examples used to view windows permissions.
DumpACL Export Directory Security using a simple but flexible GUI in a concise format suitable for Wxcel (only non-inherited permissions listed in readable (group names, not SID) format.
SetACL Probably the most flexible and well documented tool for listing and changing ACLs. Useful in migrating data from one domain to another. Lots of options. Easy to use once oriented.
setacl -on C:\MyFolder -ot file -actn list -lst “f:tab;w:d;i:n;s:n” -display permissions (non-inherited, human friendly group names)
setacl -on C:\MyFolder -ot file -actn list -lst “f:tab;w:d;i:n;s:y” -display permissions (non-inherited actual SIDs)
The setacl command is made up of three parts or four if you require recursion.
-on (Object Name) – can be the path to a folder
-ot (Object Type) -can be file, reg, printer or other objects
-actn (Action) -can be one or more actions to apply such as list, clear, setowner, setgroup, domain and many others such as delorphanedsids to delete orphaned sids.
-rec (Recursive) is a fourth option used to carry on for specific container object children. As such it can take values of cont, obj or cont_obj to specify folder, files or both respectively.
Some actions come with their own additional options. E.g. the -lst part after the list action -actn list is optional, but it provides the greatest control over the output format of the list actions functionality.
f: (Format) – can be sddl, csv or tab
w: (What) – can be d s o or g (dacl, sacl, owner or group)
i: (Inherited) – can be y or n (yes or no to display inherited perms or not)
s: (SID) -can be y or n (yes for SIDs, no for Group Names, or b for both)
A recoverable backup of security dacls can be performed using the -bckp function (not -log), but the format must be sddl (sids only).
icacls Windows Command Line Built-in. simple and easy to use.
icacls C:\MyFolder -displays permissions of folder. Doesn’t require command line to be run as administrator unlike its deprecated predecessor cacls and is quicker and easier than equivalent SetAcl command (above) to provide a quick list of permissions from the command line.