First, what you are trying to do is probably a bad idea. You should not let
low-privileged users write data that is consumed by high-privileged users.

Second, MA stands for Maximum Allowed. It is not a flag you can use when
specifying permissions. It is a flag you use when you try to open an object
and you do not care what permissions you get to the object, nor about
security. In that case, as long as you have any permissions at all you get a
valid handle back with whatever permissions you have. It is virtually always
a bad idea to use MA in any call.

Now, the syntax you want is this:
icacls object /grant user

/t traverses the directory. I presume you have a brand new directory or that
you at least created everything so it inherits permissions from parents? In
that case /t is unnecessary. /c indicates that the command should continue on
file error, such as that the file is locked. More than likely you don't need
that flag either.

The folder specification you state is invalid. C:\ProgramData\MyApp*.* will
set permissions on all objects in C:\ProgramData called MyApp*.*, such as
MyAppFoo.Bar. It will not work if you have a folder called

Assuming that folder was just created and all you want to do is add a
permission to it, this command would suffice:

icacls c:\programdata\myapp /grant Users

There is lots more on icacls in the book referenced below.
Your question may already be answered in Windows Vista Security:
> Sorry to be cluttering this thread. I've been working on this for quite some
> time, and carefully reading anything I can find on the web on icacls, so
> it's not that I haven't at least tried to do my homework.
> Below is a command that I *think* should do what I want. I'm having trouble
> with the OI and CI parameter syntax.
> Any help?
> iacls "C:\ProgramData\MyApp*.*" /T /C (OI) (CI) /Grant Users:F
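
The syntax points raised in this thread (name the folder itself, put the OI and CI flags inside the permission spec, rely on inheritance instead of /T), shown as an added PowerShell example that is not part of the original posts. The scratch folder under %TEMP%, the choice of Modify rather than Full control, and the variable names are assumptions made for the example.

```powershell
# Added example. $dir is a scratch folder under %TEMP% (assumed path), not the poster's folder.
$dir = Join-Path $env:TEMP 'MyAppAclDemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Name the folder itself; a wildcard such as MyApp*.* matches sibling objects instead.
# (OI) = object inherit (files), (CI) = container inherit (subfolders); both are
# written inside the permission spec, directly before the right.
# Assumption: M (Modify) rather than F, so Users cannot change the ACL or take ownership.
# *S-1-5-32-545 is the well-known SID of BUILTIN\Users, independent of OS language.
$usersSid = 'S-1-5-32-545'
icacls $dir /grant "*${usersSid}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Objects created after the grant inherit the ACE, so /T is not needed.
$sub = Join-Path $dir 'sub'
New-Item -ItemType Directory -Path $sub -Force | Out-Null
Set-Content -Path (Join-Path $sub 'data.txt') -Value 'constructed sample'

# Verify: report every BUILTIN\Users ACE on the folder and everything below it.
$sidType = [System.Security.Principal.SecurityIdentifier]
$paths = @($dir) + @((Get-ChildItem -Path $dir -Recurse -Force).FullName)
$report = foreach ($p in $paths) {
    (Get-Acl -Path $p).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $p
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
                Flags     = $_.InheritanceFlags
            }
        }
}
$report | Format-Table -AutoSize

# Clean up the scratch folder.
Remove-Item -Path $dir -Recurse -Force
```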