Regardless of Windows language, how can I make the ICACLS command set a folder to have full access to everyone?
Background
Say I have this command
icacls C:\FullyAccessibleFolder /grant Users:(OI)(CI)F
This works fine in English versions of Windows, but does not seem to work in French versions, giving the following error, presumably due to Users being different in French. Everyone gets translated as Tout le monde in Windows, so that's not a solution either.
Users: Le mappage entre les noms de compte et les ID de sécurité n'a pas été effectué.
Which Google translates as
Users: The mapping between account names and security IDs was not performed.
Question
Is there a command I can use to set a folder and recursively all of its contents to have full permissions for all users in a way that would work across different language versions of Windows?
Content from around the web
This page with a largely similar problem talks about how Everyone becomes Jeder in German and Tout le monde in French.
Solution 1:
Does not work in French versions, presumably due to Users being different
You have three options, detailed below:
- Use the Language Portal to get the translated name
- Retrieve the localised name from the Users SID
- Use the Users SID with icacls
Option 1: Use the Language Portal (canonical resource for Microsoft Terminology)
A search for Users returns:
Translations in Localized Microsoft Products
| English | Translation | Product |
|---|---|---|
| Users | Utilisateurs | Windows 7 |
| Users | des utilisateurs | Windows 7 |
| Users | Utilisateurs | Windows 8 Modern Voice |
| Users | Utilisateurs | Windows 8 |
| Users | Utilisateurs | Windows 8.1 |
| USERS | UTILISATEURS | Windows 8.1 |
| Users | Utilisateurs | Windows 10 |
| Users | des utilisateurs | Windows 10 |
| Users | Utilisateurs | Windows 10 Anniversary Update |
| users | utilisateurs | Windows 10 Anniversary Update |
This suggests the following command may work:
icacls C:\FullyAccessibleFolder /grant Utilisateurs:(OI)(CI)F
Option 2: Retrieve the localised name from the Users SID (S-1-5-32-545)
SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
Source Well-known security identifiers in Windows operating systems
To retrieve the localised Users group name:
This simple script will give you actual name of 'Users' (S-1-5-32-545) group on a given PC:
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set objAccount = objWMIService.Get ("Win32_SID.SID='S-1-5-32-545'")
Wscript.Echo objAccount.AccountName
Put it into a file with vbs extension (Let's assume usersName.vbs).
Now run:
echo Y|for /f "delims=" %i in ('cscript -Nologo usersName.vbs') do cacls foldername /G "%i":F
Source Cacls, Windows 7, full permissions, local names by wmz
Option 3: Use the Users SID with icacls
Use the following command:
icacls C:\FullyAccessibleFolder /grant *S-1-5-32-545:(OI)(CI)F
Source comment by Harry Johnston
Solution 2:
You need to specify the AD-group not by its name, but by the SID number.
For standard groups like "EveryOne", "Domain Users", etc. there are standardized SID numbers, which can be found on the MSDN page Well-known security identifiers (SIDs).
The following are the most common relative identifiers.
The structure of a SID is described as the following:
The components of a SID are easier to visualize when SIDs are converted from binary to string format by using standard notation:
S-R-X-Y1-Y2-Y(n-1)-Yn

| Component | Definition |
|---|---|
| S | Indicates that the string is a SID |
| R | Revision level |
| X | Identifier authority value |
| Y | A series of subauthority values, where n is the number of values |
For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
S-1-5-32-544
This SID has four components:
A revision level (1)
An identifier authority value (5, NT Authority)
A domain identifier (32, Builtin)
A relative identifier (544, Administrators)
How Security Identifiers Work
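The binary-to-string conversion described in the answer above, as an added example that is not part of the original answer. The function name ConvertFrom-SidBinary is hypothetical, and the sample bytes are constructed by hand for S-1-5-32-544.

```powershell
# Added example: decode a binary SID into the S-R-X-Y1-...-Yn components.
function ConvertFrom-SidBinary {
    param([Parameter(Mandatory)] [byte[]] $Bytes)

    if ($Bytes.Length -lt 8) { throw 'A binary SID is at least 8 bytes long.' }
    $revision = [int] $Bytes[0]      # R: revision level
    $count    = [int] $Bytes[1]      # n: number of subauthority values
    if ($count -gt 15 -or $Bytes.Length -ne 8 + 4 * $count) {
        throw 'Length does not match the subauthority count.'
    }

    # X: identifier authority, 6 bytes, most significant byte first.
    [long] $authority = 0
    for ($i = 2; $i -lt 8; $i++) { $authority = $authority * 256 + $Bytes[$i] }

    # Y1..Yn: 32-bit values, least significant byte first.
    $subs = @(for ($i = 0; $i -lt $count; $i++) {
        [System.BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    })

    # The last subauthority is the relative identifier (RID).
    $rid = $null
    if ($count -gt 0) { $rid = $subs[-1] }

    [pscustomobject]@{
        Revision       = $revision
        Authority      = $authority
        SubAuthorities = $subs
        Rid            = $rid
        Text           = (@('S', $revision, $authority) + $subs) -join '-'
    }
}

# Constructed sample: the 16 bytes of the built-in Administrators SID.
$sample = [byte[]] (0x01, 0x02, 0, 0, 0, 0, 0, 0x05,   # revision 1, 2 subauthorities, authority 5
                    0x20, 0, 0, 0,                     # 32  (Builtin)
                    0x20, 0x02, 0, 0)                  # 544 (Administrators)
ConvertFrom-SidBinary $sample
```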
Solution 3:
If you like PowerShell scripts but have trouble remembering numbers for SIDs:
$acl = Get-Acl .\myfolder
$sid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($sid, 'FullControl', 'ObjectInherit,ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl .\myfolder $acl
I know that looks like a ton of typing, but these long identifiers are tab-completed:
- System.Security.Principal.SecurityIdentifier from securityi
- System.Security.Principal.WellKnownSidType from wellknownsi
- System.Security.AccessControl.FileSystemAccessRule from filesystem
All these strings are .NET identifiers, so they don't get localized.
If you want the Everyone SID instead, use WorldSid in place of BuiltinUsersSid. To get the list of all WellKnownSidType options, see MSDN or run this command:
[System.Security.Principal.WellKnownSidType].DeclaredFields | select Name
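To check the result of any of the commands above on a machine of any display language, the ACL can be read back by SID rather than by name. This is an added example, not code from the answers. The function name Get-BroadGrant and the choice of three broad groups are assumptions, and the final call assumes the folder from the question exists.

```powershell
# Added example: report Allow entries on a folder that are held by broad
# well-known groups, matched by SID so the check is language-independent.
function Get-BroadGrant {
    param([Parameter(Mandatory)] [string] $Path)

    # Broad groups, named by .NET enum members (these are never localized).
    $broad = @{}
    foreach ($name in 'BuiltinUsersSid', 'WorldSid', 'AuthenticatedUserSid') {
        $type = [System.Security.Principal.WellKnownSidType] $name
        $sid  = New-Object System.Security.Principal.SecurityIdentifier ($type, $null)
        $broad[$sid.Value] = $name
    }

    $acl = Get-Acl -LiteralPath $Path
    # Request the rules keyed by SID instead of by translated account name.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $value = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broad.ContainsKey($value)) {
            [pscustomobject]@{
                Sid       = $value
                WellKnown = $broad[$value]
                # Localized display name, e.g. the French or German group name.
                LocalName = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                Rights    = $rule.FileSystemRights
                Inherit   = $rule.InheritanceFlags
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Folder name taken from the question.
Get-BroadGrant -Path 'C:\FullyAccessibleFolder'
```

The LocalName column shows the same localized name that Option 2 in Solution 1 retrieves through WMI.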