Reset NTFS ACLs

From PerformIQ Knowledgebase

Windows ACL Issues

NTFS ACLs are much more fine-grained than Unix mode bits, and correspondingly easier to mangle.

The following commands take ownership of a directory tree and reset every ACL in it to the entries inherited from its parent. Run them from an elevated (Administrator) prompt.

Assuming the tree is rooted at C:\xxx:

Make the local Administrators group the owner of everything in the tree.

takeown /F C:\xxx /R /A /D Y

where

/F C:\xxx - the file or directory to take ownership of
/R        - recurse into all subdirectories and files
/A        - give ownership to the Administrators group instead of the current user
/D Y      - default answer "Y" for directories the current user has no "list folder" permission on

Reset every ACL in the tree to the entries inherited from its parent. This discards all explicit ACEs, so snapshot them first with icacls /save if you may need them back.

icacls C:\xxx /reset /T /C /L /Q
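The whole procedure above, wrapped in one PowerShell function as an added example (not from the original page): it snapshots the ACLs with icacls /save, runs the page's takeown and icacls /reset commands, runs icacls /verify, and reports what is left on the root. Reset-NtfsTree, $Root and $Backup are names chosen for this example; it assumes an elevated session and uses C:\xxx only as the page's placeholder path.

```powershell
# Added example, not from the original page: snapshot, take ownership, reset,
# verify an NTFS subtree using only documented takeown/icacls switches.
# Assumes an elevated PowerShell session; $Root/$Backup are this example's names.
function Reset-NtfsTree {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Backup = (Join-Path $env:TEMP 'acl-backup.txt')
    )

    if (-not [System.IO.Path]::IsPathRooted($Root)) {
        throw "'$Root' must be an absolute path"
    }

    # 1. Snapshot every ACL in the tree so the reset can be undone with /restore.
    #    /C continues past access-denied objects, so the snapshot may be partial.
    icacls $Root /save $Backup /T /C /L /Q
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls /save hit errors; snapshot in $Backup may be incomplete"
    }

    # 2. Make the local Administrators group (/A) owner of every object (/R).
    #    /D Y answers "yes" for directories the current user cannot even list.
    takeown /F $Root /R /A /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # 3. Replace each object's ACL with the ACEs it inherits from its parent.
    #    /L acts on symbolic links themselves rather than on their targets.
    icacls $Root /reset /T /C /L /Q
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls /reset hit errors (exit code $LASTEXITCODE)"
    }

    # 4. Check that every ACL in the tree is now in canonical form.
    icacls $Root /verify /T /C /L /Q

    # 5. Report what /reset left on the root: inheritance on, no explicit ACEs,
    #    owner BUILTIN\Administrators.
    $acl = Get-Acl -LiteralPath $Root
    [pscustomobject]@{
        Root        = $Root
        Owner       = $acl.Owner
        Inheriting  = -not $acl.AreAccessRulesProtected
        ExplicitAce = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        Backup      = $Backup
    }
}

# Usage (constructed):
#   Reset-NtfsTree -Root 'C:\xxx'
```

To undo, run icacls /restore against the parent of the saved path, because icacls /save records entry names relative to that parent: `icacls C:\ /restore $env:TEMP\acl-backup.txt`. Expect ExplicitAce to be 0 and Inheriting to be True on a successful run; a non-zero ExplicitAce means /reset could not write some ACLs (check the /C error lines).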

Note: if the permissions on the drive root itself (C:\ here) are mangled, /reset on the subtree simply inherits the mangled entries, so fix the root's ACL first.

Also see:


TAKEOWN


ICACLS


Examples:

icacls "dir\*" /q /c /t /reset

where

/reset - Replaces ACLs with default inherited ACLs for all matching files.
/t     - Performs the operation on all specified files in the current directory and its subdirectories.

Syntax

      ICACLS Name [/grant[:r] User:Permission[...]]
         [/deny User:Permission[...]]
            [/remove[:g|:d]] User[...]]
               [/inheritance:e|d|r ]
                  [/t] [/c] [/l] [/q]
                     [/setintegritylevel Level[...]]

   Store ACLs for one or more directories matching name into aclfile for later use with /restore
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    
   Restore ACLs to all files in directory :
      ICACLS directory [/substitute SidOld SidNew [...]]
          /restore aclfile [/C] [/L] [/Q]

   Change Owner:
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]

   Find items with an ACL that mentions a specific SID:
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

   Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
      ICACLS name /verify [/T] [/C] [/L] [/Q]
 
   Replace ACL with default inherited acls for all matching files:
      ICACLS name /reset [/T] [/C] [/L] [/Q]

Key
   name  The File(s) or folder(s) the permissions will apply to.

   /T  Traverse all subfolders to match files/directories. 
   
   /C  Continue on file errors (access denied)  Error messages are still displayed.
  
   /L  Perform the operation on a symbolic link itself, not its target.

   /Q  Quiet - suppress success messages.
	
   /grant :r user:permission
       Grant access rights, with :r, the permissions
       will replace any previously granted explicit permissions.
       Otherwise the permissions are added.

   /deny user:permission
       Explicitly deny the specified user access rights.
       This will also remove any explicit grant of the 
       same permissions to the same user.

   /remove[:[g|d]] User 
       Remove all occurrences of User from the acl. 
	    :g remove all granted rights to that User/Sid.
	    :d remove all denied rights to that User/Sid.

    /setintegritylevel [(CI)(OI)]Level 
       Add an integrity ACE to all matching files. 
       level is one of L,M,H (Low Medium or High)
	   
       A Directory Inheritance option for the integrity ACE can precede the level
       and is applied only to directories: (OI) object inherit, (CI) container inherit.

    /inheritance:e|d|r
             e - enable inheritance
             d - disable inheritance and copy the ACEs 
             r - remove all inherited ACEs

   user   A user account, Group or a SID

   /restore  Apply the acls stored in ACLfile to the files in directory

   permission is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
                D - Delete access
                F - Full access
                N - No access
                M - Modify access
                RX - Read and eXecute access
                R - Read-only access
                W - Write-only access
        a comma-separated list in parenthesis of specific rights:
                DE - Delete
                RC - read control
                WDAC - write DAC
                WO - write owner
                S - synchronize
                AS - access system security
                MA - maximum allowed
                GR - generic read
                GW - generic write
                GE - generic execute
                GA - generic all
                RD - read data/list directory
                WD - write data/add file
                AD - append data/add subdirectory
                REA - read extended attributes
                WEA - write extended attributes
                X - execute/traverse
                DC - delete child
                RA - read attributes
                WA - write attributes
        inheritance rights can precede either form and are applied
        only to directories:
                (OI) - object inherit
                (CI) - container inherit
                (IO) - inherit only
                (NP) - don’t propagate inherit
                (I)  - Permission inherited from parent container

Using PowerShell

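The same reset done natively with the .NET security classes behind Get-Acl/Set-Acl, as an added example that is not from the original page: inheritance is re-enabled, explicit ACEs are dropped and the owner is set to Administrators for every object, which is what icacls /reset plus takeown /A leave behind. Reset-NtfsAclNative and $Root are names chosen for this example; it assumes an elevated session.

```powershell
# Added example, not from the original page: icacls /reset + takeown /A done
# through Get-Acl/Set-Acl. Assumes an elevated session; names are this example's.
function Reset-NtfsAclNative {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Root)

    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

    # Root first, then everything beneath it. Unlike icacls /L, Get-ChildItem on
    # Windows PowerShell 5.1 may descend into junction targets; check for
    # reparse points first if the tree contains junctions.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    $failed = [System.Collections.Generic.List[string]]::new()

    foreach ($item in $items) {
        try {
            # Get-Acl needs READ_CONTROL on the object; if even that is denied,
            # run takeown first and retry the paths returned by this function.
            $acl = Get-Acl -LiteralPath $item.FullName
            $acl.SetOwner($admins)
            # Turn inheritance back on (first $false) without copying the
            # inherited entries into explicit ones (second $false) ...
            $acl.SetAccessRuleProtection($false, $false)
            # ... then drop every remaining explicit ACE so only inherited
            # entries survive, the state icacls /reset produces.
            foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
                [void]$acl.RemoveAccessRule($rule)
            }
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        } catch {
            $failed.Add($item.FullName)
            Write-Warning "$($item.FullName): $($_.Exception.Message)"
        }
    }

    # Paths that could not be reset, so the caller can takeown and retry.
    ,$failed.ToArray()
}

# Usage (constructed):
#   $left = Reset-NtfsAclNative -Root 'C:\xxx'
#   if ($left.Count) { $left }
```

This avoids parsing icacls output, but it is slower on large trees and, because it reads each ACL before writing it, it cannot recover an object whose DACL denies READ_CONTROL; the takeown step on the page handles that case.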

Tools


ATTRIB

File attributes are separate from the ACL (icacls /reset does not clear the read-only bit), so a tree can still be unwritable after a reset. Clear the attribute with the ATTRIB command, for example:

attrib -r c:\folder\*.* /s

where:

-r                is the flag for removing read-only attributes
c:\folder\*.*     is the filesystem location to use as the root, plus wildcards for all files
/s                processes matching files in the folder and all its subdirectories (add /d to include the directories themselves)
