Problem: Windows won't let you remove folders or files because of permission rights


Cannot delete folder. Access is denied

You need permission to perform this action. You require permission from COMPUTER\USER to make changes to this folder

You will need to provide administrator permission to change these attributes

Example: You installed a program that sets special permissions to its directory, and after formatting or reinstalling Windows, that folder now belongs to another user (your old account) which you do not have access to. Windows will block your attempt to rename, move, or delete the files or folders.

Cause: Lost user permission (mismatch SID) from previous Windows installation.
Solution: As an administrator, give yourself or everyone permission to the entire directory.
Use the Unlocker program for other access related problems.

Foreword: In the following instructions, the word "target" means the locked file or folder that you want to reclaim. Bolded all-caps words in the code should be replaced with your own input. Move your mouse over the underdotted words for tooltips. All steps will be done inside the Command Prompt, not Windows Explorer. If you are experienced with the Command Prompt, skip to Step 3.

Step 1: Directory

Start button -> enter cmd in the search box -> Command Prompt should be opened
Go to the folder where the target is stored. If your target is in a different hard drive, type: cd /d DRIVELETTER: Example: if the target is in "D:\Program Files", type cd /d D:\Program Files
Type cd DIRECTORY to change directory. Type dir to see the current directory's contents. Type cd .. to go one directory up.

Step 2: Ownership

If you do not have ownership to the target, type: takeown /f TARGET /r Example: if you are in "Program Files" and you want to give yourself permission to the child folder "cygwin", type takeown /f cygwin /r

Step 3: Permission

Assuming you want to delete the target later, the following code gives all permissions to everyone: icacls TARGET /grant Everyone:(OI)(CI)(F) /t If you want to give only yourself permissions, type: icacls TARGET /grant COMPUTER\USER:(OI)(CI)(F) /t To find out your computer name, type systeminfo. Your user name is same as the Windows login.
You may also set permissions in Windows Explorer by right clicking a file -> Properties option -> Security tab Example: icacls TARGET /grant Everyone:(DE) /t will make that target deleteable.

Step 4: Deletion

You should now be able to do anything with the target from Windows Explorer. If you rather use the Command Prompt for deletion, type rmdir TARGET /s /q for a directory, or del TARGET /f for a file.

Command Prompt: icacls /?

Read this help message for more specific permission settings.
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    stores the DACLs for the files and folders that match the name
    into aclfile for later use with /restore. Note that SACLs,
    owner, or integrity labels are not saved.

ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
                 [/C] [/L] [/Q]
    applies the stored DACLs to files in directory.

ICACLS name /setowner user [/T] [/C] [/L] [/Q]
    changes the owner of all matching names. This option does not
    force a change of ownership; use the takeown.exe utility for
    that purpose.

ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
    finds all matching names that contain an ACL
    explicitly mentioning Sid.

ICACLS name /verify [/T] [/C] [/L] [/Q]
    finds all files whose ACL is not in canonical form or whose
    lengths are inconsistent with ACE counts.

ICACLS name /reset [/T] [/C] [/L] [/Q]
    replaces ACLs with default inherited ACLs for all matching files.

ICACLS name [/grant[:r] Sid:perm[...]]
       [/deny Sid:perm [...]]
       [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
       [/setintegritylevel Level:policy[...]]

    /grant[:r] Sid:perm grants the specified user access rights. With :r,
        the permissions replace any previouly granted explicit permissions.
        Without :r, the permissions are added to any previously granted
        explicit permissions.

    /deny Sid:perm explicitly denies the specified user access rights.
        An explicit deny ACE is added for the stated permissions and
        the same permissions in any explicit grant are removed.

    /remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With
        :g, it removes all occurrences of granted rights to that Sid. With
        :d, it removes all occurrences of denied rights to that Sid.

    /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
        ACE to all matching files.  The level is to be specified as one
        Inheritance options for the integrity ACE may precede the level
        and are applied only to directories.

        e - enables inheritance
        d - disables inheritance and copy the ACEs
        r - remove all inherited ACEs

    Sids may be in either numerical or friendly name form. If a numerical
    form is given, affix a * to the start of the SID.

    /T indicates that this operation is performed on all matching
        files/directories below the directories specified in the name.

    /C indicates that this operation will continue on all file errors.
        Error messages will still be displayed.

    /L indicates that this operation is performed on a symbolic link
       itself versus its target.

    /Q indicates that icacls should supress success messages.

    ICACLS preserves the canonical ordering of ACE entries:
            Explicit denials
            Explicit grants
            Inherited denials
            Inherited grants

    perm is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
                N - no access
                F - full access
                M - modify access
                RX - read and execute access
                R - read-only access
                W - write-only access
                D - delete access
        a comma-separated list in parentheses of specific rights:
                DE - delete
                RC - read control
                WDAC - write DAC
                WO - write owner
                S - synchronize
                AS - access system security
                MA - maximum allowed
                GR - generic read
                GW - generic write
                GE - generic execute
                GA - generic all
                RD - read data/list directory
                WD - write data/add file
                AD - append data/add subdirectory
                REA - read extended attributes
                WEA - write extended attributes
                X - execute/traverse
                DC - delete child
                RA - read attributes
                WA - write attributes
        inheritance rights may precede either form and are applied
        only to directories:
                (OI) - object inherit
                (CI) - container inherit
                (IO) - inherit only
                (NP) - don't propagate inherit
                (I) - permission inherited from parent container


        icacls c:\windows\* /save AclFile /T
        - Will save the ACLs for all files under c:\windows
          and its subdirectories to AclFile.

        icacls c:\windows\ /restore AclFile
        - Will restore the Acls for every file within
          AclFile that exists in c:\windows and its subdirectories.

        icacls file /grant Administrator:(D,WDAC)
        - Will grant the user Administrator Delete and Write DAC
          permissions to file.

        icacls file /grant *S-1-1-0:(D,WDAC)
        - Will grant the user defined by sid S-1-1-0 Delete and
          Write DAC permissions to file.
Keywords: Windows 7, Windows Vista, UAC, User Account Control, cacls, cygwin folder, cygwin directory