Difference between revisions of "Reset NTFS ACLs"
Jump to navigation
Jump to search
PeterHarding (talk | contribs) (Created page with " NTFS is a much more fine-grained than Unix. The following commands take ownership and reset the ACLs to default. Also, if the drive permissions themselves are mangled,...") |
PeterHarding (talk | contribs) (→ATTRIB) |
||
| (19 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=Windows ACL Issues= | |||
NTFS is a much more fine-grained than Unix. | NTFS is a much more fine-grained than Unix. | ||
The following commands take ownership and reset the ACLs to default | The following commands can be used to take ownership and reset the ACLs to default. | ||
Assuming the tree is rooted at C:\xxx: | Assuming the tree is rooted at C:\xxx: | ||
| Line 18: | Line 14: | ||
icacls C:\xxx /reset /T /C /L /Q | icacls C:\xxx /reset /T /C /L /Q | ||
Also see: | |||
* http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/ | |||
Note, if the drive permissions themselves are mangled, you will need to fix those as well. | |||
=TAKEOWN= | |||
* https://technet.microsoft.com/en-us/library/cc753024.aspx | |||
=ICACLS= | |||
See: | |||
* https://technet.microsoft.com/en-us/library/cc753525.aspx | |||
* http://ss64.com/nt/icacls.html | |||
Examples: | |||
icacls "dir\*" /q /c /t /reset | |||
where | |||
/reset - Replaces ACLs with default inherited ACLs for all matching files. | |||
/t - Performs the operation on all specified files in the current directory and its subdirectories. | |||
==Syntax== | |||
<pre> | |||
Syntax | |||
ICACLS Name [/grant[:r] User:Permission[...]] | |||
[/deny User:Permission[...]] | |||
[/remove[:g|:d]] User[...]] | |||
[/inheritance:e|d|r ] | |||
[/t] [/c] [/l] [/q] | |||
[/setintegritylevel Level[...]] | |||
Store ACLs for one or more directories matching name into aclfile for later use with /restore | |||
ICACLS name /save aclfile [/T] [/C] [/L] [/Q] | |||
Restore ACLs to all files in directory : | |||
ICACLS directory [/substitute SidOld SidNew [...]] | |||
/restore aclfile [/C] [/L] [/Q] | |||
Change Owner: | |||
ICACLS name /setowner user [/T] [/C] [/L] [/Q] | |||
Find items with an ACL that mentions a specific SID: | |||
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q] | |||
Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count: | |||
ICACLS name /verify [/T] [/C] [/L] [/Q] | |||
Replace ACL with default inherited acls for all matching files: | |||
ICACLS name /reset [/T] [/C] [/L] [/Q] | |||
Key | |||
name The File(s) or folder(s) the permissions will apply to. | |||
/T Traverse all subfolders to match files/directories. | |||
/C Continue on file errors (access denied) Error messages are still displayed. | |||
/L Perform the operation on a symbolic link itself, not its target. | |||
/Q Quiet - supress success messages. | |||
/grant :r user:permission | |||
Grant access rights, with :r, the permissions | |||
will replace any previouly granted explicit permissions. | |||
Otherwise the permissions are added. | |||
/deny user:permission | |||
Explicitly deny the specified user access rights. | |||
This will also remove any explicit grant of the | |||
same permissions to the same user. | |||
/remove[:[g|d]] User | |||
Remove all occurrences of User from the acl. | |||
:g remove all granted rights to that User/Sid. | |||
:d remove all denied rights to that User/Sid. | |||
/setintegritylevel [(CI)(OI)]Level | |||
Add an integrity ACE to all matching files. | |||
level is one of L,M,H (Low Medium or High) | |||
A Directory Inheritance option for the integrity ACE can precede the level | |||
and is applied only to directories: | |||
/inheritance:e|d|r | |||
e - enable inheritance | |||
d - disable inheritance and copy the ACEs | |||
r - remove all inherited ACEs | |||
user A user account, Group or a SID | |||
/restore Apply the acls stored in ACLfile to the files in directory | |||
permission is a permission mask and can be specified in one of two forms: | |||
a sequence of simple rights: | |||
D - Delete access | |||
F - Full access | |||
N - No access | |||
M - Modify access | |||
RX - Read and eXecute access | |||
R - Read-only access | |||
W - Write-only access | |||
a comma-separated list in parenthesis of specific rights: | |||
DE - Delete | |||
RC - read control | |||
WDAC - write DAC | |||
WO - write owner | |||
S - synchronize | |||
AS - access system security | |||
MA - maximum allowed | |||
GR - generic read | |||
GW - generic write | |||
GE - generic execute | |||
GA - generic all | |||
RD - read data/list directory | |||
WD - write data/add file | |||
AD - append data/add subdirectory | |||
REA - read extended attributes | |||
WEA - write extended attributes | |||
X - execute/traverse | |||
DC - delete child | |||
RA - read attributes | |||
WA - write attributes | |||
inheritance rights can precede either form and are applied | |||
only to directories: | |||
(OI) - object inherit | |||
(CI) - container inherit | |||
(IO) - inherit only | |||
(NP) - don’t propagate inherit | |||
(I) - Permission inherited from parent container | |||
</pre> | |||
==Using PowerShell== | |||
See: | |||
* http://www.definit.co.uk/2012/02/powershell-recursively-taking-ownership-of-files-and-folders-and-adding-permissions-without-removing-existing-permissions/ | |||
==Tools== | |||
* http://lallouslab.net/2013/08/26/resetting-ntfs-files-permission-in-windows-graphical-utility/ | |||
=ATTRIB= | |||
Using the ATTRIB command, for example: | |||
attrib -r c:\folder\*.* /s | |||
where: | |||
-r is the flag for removing read-only attributes | |||
c:\folder\*.* is the filesystem location to use as the root, plus wildcards for all files | |||
/s is the flag for doing all sub directories and files | |||
Some links: | |||
* https://technet.microsoft.com/en-us/library/bb490868.aspx | |||
* https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/attrib.mspx?mfr=true | |||
[[Category:Windows]] | [[Category:Windows]] | ||
[[Category: | [[Category:Systems Admin]] | ||
Latest revision as of 12:12, 3 June 2016
Windows ACL Issues
NTFS is a much more fine-grained than Unix.
The following commands can be used to take ownership and reset the ACLs to default.
Assuming the tree is rooted at C:\xxx:
Make local administrators group owner.
takeown /F C:\xxx /R /A /D Y
Reset ACLs to defaults.
icacls C:\xxx /reset /T /C /L /Q
Also see:
Note, if the drive permissions themselves are mangled, you will need to fix those as well.
TAKEOWN
ICACLS
See:
Examples:
icacls "dir\*" /q /c /t /reset
where
/reset - Replaces ACLs with default inherited ACLs for all matching files. /t - Performs the operation on all specified files in the current directory and its subdirectories.
Syntax
Syntax
ICACLS Name [/grant[:r] User:Permission[...]]
[/deny User:Permission[...]]
[/remove[:g|:d]] User[...]]
[/inheritance:e|d|r ]
[/t] [/c] [/l] [/q]
[/setintegritylevel Level[...]]
Store ACLs for one or more directories matching name into aclfile for later use with /restore
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
Restore ACLs to all files in directory :
ICACLS directory [/substitute SidOld SidNew [...]]
/restore aclfile [/C] [/L] [/Q]
Change Owner:
ICACLS name /setowner user [/T] [/C] [/L] [/Q]
Find items with an ACL that mentions a specific SID:
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
ICACLS name /verify [/T] [/C] [/L] [/Q]
Replace ACL with default inherited acls for all matching files:
ICACLS name /reset [/T] [/C] [/L] [/Q]
Key
name The File(s) or folder(s) the permissions will apply to.
/T Traverse all subfolders to match files/directories.
/C Continue on file errors (access denied) Error messages are still displayed.
/L Perform the operation on a symbolic link itself, not its target.
/Q Quiet - supress success messages.
/grant :r user:permission
Grant access rights, with :r, the permissions
will replace any previouly granted explicit permissions.
Otherwise the permissions are added.
/deny user:permission
Explicitly deny the specified user access rights.
This will also remove any explicit grant of the
same permissions to the same user.
/remove[:[g|d]] User
Remove all occurrences of User from the acl.
:g remove all granted rights to that User/Sid.
:d remove all denied rights to that User/Sid.
/setintegritylevel [(CI)(OI)]Level
Add an integrity ACE to all matching files.
level is one of L,M,H (Low Medium or High)
A Directory Inheritance option for the integrity ACE can precede the level
and is applied only to directories:
/inheritance:e|d|r
e - enable inheritance
d - disable inheritance and copy the ACEs
r - remove all inherited ACEs
user A user account, Group or a SID
/restore Apply the acls stored in ACLfile to the files in directory
permission is a permission mask and can be specified in one of two forms:
a sequence of simple rights:
D - Delete access
F - Full access
N - No access
M - Modify access
RX - Read and eXecute access
R - Read-only access
W - Write-only access
a comma-separated list in parenthesis of specific rights:
DE - Delete
RC - read control
WDAC - write DAC
WO - write owner
S - synchronize
AS - access system security
MA - maximum allowed
GR - generic read
GW - generic write
GE - generic execute
GA - generic all
RD - read data/list directory
WD - write data/add file
AD - append data/add subdirectory
REA - read extended attributes
WEA - write extended attributes
X - execute/traverse
DC - delete child
RA - read attributes
WA - write attributes
inheritance rights can precede either form and are applied
only to directories:
(OI) - object inherit
(CI) - container inherit
(IO) - inherit only
(NP) - don’t propagate inherit
(I) - Permission inherited from parent container
Using PowerShell
See:
Tools
ATTRIB
Using the ATTRIB command, for example:
attrib -r c:\folder\*.* /s
where:
-r is the flag for removing read-only attributes c:\folder\*.* is the filesystem location to use as the root, plus wildcards for all files /s is the flag for doing all sub directories and files
Some links: