Difference between revisions of "Reset NTFS ACLs"

From PeformIQ Upgrade
Jump to navigation Jump to search
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
=Windows ACL Issues=
 
 


NTFS is a much more fine-grained than Unix.
NTFS is a much more fine-grained than Unix.


The following commands take ownership and reset the ACLs to default.
The following commands can be used to take ownership and reset the ACLs to default.  
 
Also, if the drive permissions themselves are mangled, you will need to fix those as well.


Assuming the tree is rooted at C:\xxx:
Assuming the tree is rooted at C:\xxx:
Line 19: Line 15:
  icacls C:\xxx /reset /T /C /L /Q
  icacls C:\xxx /reset /T /C /L /Q


https://technet.microsoft.com/en-us/library/cc753525.aspx
Also see:
 
* http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/
 
Note, if the drive permissions themselves are mangled, you will need to fix those as well.
 
 
=TAKEOWN=
 
* https://technet.microsoft.com/en-us/library/cc753024.aspx
 
 
=ICACLS=
 
See:
 
* https://technet.microsoft.com/en-us/library/cc753525.aspx
* http://ss64.com/nt/icacls.html
 
Examples:
 
icacls "dir\*" /q /c /t /reset
 
where
 
/reset - Replaces ACLs with default inherited ACLs for all matching files.
/t    - Performs the operation on all specified files in the current directory and its subdirectories.
 
==Syntax==
 
<pre>
Syntax
      ICACLS Name [/grant[:r] User:Permission[...]]
        [/deny User:Permission[...]]
            [/remove[:g|:d]] User[...]]
              [/inheritance:e|d|r ]
                  [/t] [/c] [/l] [/q]
                    [/setintegritylevel Level[...]]
 
  Store ACLs for one or more directories matching name into aclfile for later use with /restore
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
   
  Restore ACLs to all files in directory :
      ICACLS directory [/substitute SidOld SidNew [...]]
          /restore aclfile [/C] [/L] [/Q]
 
  Change Owner:
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]
 
  Find items with an ACL that mentions a specific SID:
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
 
  Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
      ICACLS name /verify [/T] [/C] [/L] [/Q]
  Replace ACL with default inherited acls for all matching files:
      ICACLS name /reset [/T] [/C] [/L] [/Q]
 
Key
  name  The File(s) or folder(s) the permissions will apply to.
 
  /T  Traverse all subfolders to match files/directories.
 
  /C  Continue on file errors (access denied)  Error messages are still displayed.
 
  /L  Perform the operation on a symbolic link itself, not its target.
 
  /Q  Quiet - supress success messages.
  /grant :r user:permission
      Grant access rights, with :r, the permissions
      will replace any previouly granted explicit permissions.
      Otherwise the permissions are added.
 
  /deny user:permission
      Explicitly deny the specified user access rights.
      This will also remove any explicit grant of the
      same permissions to the same user.
 
  /remove[:[g|d]] User
      Remove all occurrences of User from the acl.
    :g remove all granted rights to that User/Sid.
    :d remove all denied rights to that User/Sid.
 
    /setintegritylevel [(CI)(OI)]Level
      Add an integrity ACE to all matching files.
      level is one of L,M,H (Low Medium or High)
 
      A Directory Inheritance option for the integrity ACE can precede the level
      and is applied only to directories:
 
    /inheritance:e|d|r
            e - enable inheritance
            d - disable inheritance and copy the ACEs
            r - remove all inherited ACEs
 
  user  A user account, Group or a SID
 
  /restore  Apply the acls stored in ACLfile to the files in directory
 
  permission is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
                D - Delete access
                F - Full access
                N - No access
                M - Modify access
                RX - Read and eXecute access
                R - Read-only access
                W - Write-only access
        a comma-separated list in parenthesis of specific rights:
                DE - Delete
                RC - read control
                WDAC - write DAC
                WO - write owner
                S - synchronize
                AS - access system security
                MA - maximum allowed
                GR - generic read
                GW - generic write
                GE - generic execute
                GA - generic all
                RD - read data/list directory
                WD - write data/add file
                AD - append data/add subdirectory
                REA - read extended attributes
                WEA - write extended attributes
                X - execute/traverse
                DC - delete child
                RA - read attributes
                WA - write attributes
        inheritance rights can precede either form and are applied
        only to directories:
                (OI) - object inherit
                (CI) - container inherit
                (IO) - inherit only
                (NP) - don’t propagate inherit
                (I)  - Permission inherited from parent container
</pre>
 
==Using PowerShell==
 
See:
 
* http://www.definit.co.uk/2012/02/powershell-recursively-taking-ownership-of-files-and-folders-and-adding-permissions-without-removing-existing-permissions/
 
==Tools==
 
* http://lallouslab.net/2013/08/26/resetting-ntfs-files-permission-in-windows-graphical-utility/
 
 
=ATTRIB=
 
Using the ATTRIB command, for example:
 
attrib -r c:\folder\*.* /s
 
where:
 
-r                is the flag for removing read-only attributes
c:\folder\*.*    is the filesystem location to use as the root, plus wildcards for all files
/s                is the flag for doing all sub directories and files
 
Some links:


* https://technet.microsoft.com/en-us/library/bb490868.aspx
* https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/attrib.mspx?mfr=true


[[Category:Windows]]
[[Category:Windows]]
[[Category:Systems Admin]]
[[Category:Systems Admin]]

Latest revision as of 12:12, 3 June 2016

Windows ACL Issues

NTFS is a much more fine-grained than Unix.

The following commands can be used to take ownership and reset the ACLs to default.

Assuming the tree is rooted at C:\xxx:

Make local administrators group owner.

takeown /F C:\xxx /R /A /D Y

Reset ACLs to defaults.

icacls C:\xxx /reset /T /C /L /Q

Also see:

Note, if the drive permissions themselves are mangled, you will need to fix those as well.


TAKEOWN


ICACLS

See:

Examples:

icacls "dir\*" /q /c /t /reset

where

/reset - Replaces ACLs with default inherited ACLs for all matching files.
/t     - Performs the operation on all specified files in the current directory and its subdirectories.

Syntax

Syntax
      ICACLS Name [/grant[:r] User:Permission[...]]
         [/deny User:Permission[...]]
            [/remove[:g|:d]] User[...]]
               [/inheritance:e|d|r ]
                  [/t] [/c] [/l] [/q]
                     [/setintegritylevel Level[...]]

   Store ACLs for one or more directories matching name into aclfile for later use with /restore
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
    
   Restore ACLs to all files in directory :
      ICACLS directory [/substitute SidOld SidNew [...]]
          /restore aclfile [/C] [/L] [/Q]

   Change Owner:
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]

   Find items with an ACL that mentions a specific SID:
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

   Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
      ICACLS name /verify [/T] [/C] [/L] [/Q]
 
   Replace ACL with default inherited acls for all matching files:
      ICACLS name /reset [/T] [/C] [/L] [/Q]

Key
   name  The File(s) or folder(s) the permissions will apply to.

   /T  Traverse all subfolders to match files/directories. 
   
   /C  Continue on file errors (access denied)  Error messages are still displayed.
  
   /L  Perform the operation on a symbolic link itself, not its target.

   /Q  Quiet - supress success messages.
	
   /grant :r user:permission
       Grant access rights, with :r, the permissions
       will replace any previouly granted explicit permissions.
       Otherwise the permissions are added.

   /deny user:permission
       Explicitly deny the specified user access rights.
       This will also remove any explicit grant of the 
       same permissions to the same user.

   /remove[:[g|d]] User 
       Remove all occurrences of User from the acl. 
	    :g remove all granted rights to that User/Sid.
	    :d remove all denied rights to that User/Sid.

    /setintegritylevel [(CI)(OI)]Level 
       Add an integrity ACE to all matching files. 
       level is one of L,M,H (Low Medium or High)
	   
       A Directory Inheritance option for the integrity ACE can precede the level
       and is applied only to directories:

    /inheritance:e|d|r
             e - enable inheritance
             d - disable inheritance and copy the ACEs 
             r - remove all inherited ACEs

   user   A user account, Group or a SID

   /restore  Apply the acls stored in ACLfile to the files in directory

   permission is a permission mask and can be specified in one of two forms:
        a sequence of simple rights:
                D - Delete access
                F - Full access
                N - No access
                M - Modify access
                RX - Read and eXecute access
                R - Read-only access
                W - Write-only access
        a comma-separated list in parenthesis of specific rights:
                DE - Delete
                RC - read control
                WDAC - write DAC
                WO - write owner
                S - synchronize
                AS - access system security
                MA - maximum allowed
                GR - generic read
                GW - generic write
                GE - generic execute
                GA - generic all
                RD - read data/list directory
                WD - write data/add file
                AD - append data/add subdirectory
                REA - read extended attributes
                WEA - write extended attributes
                X - execute/traverse
                DC - delete child
                RA - read attributes
                WA - write attributes
        inheritance rights can precede either form and are applied
        only to directories:
                (OI) - object inherit
                (CI) - container inherit
                (IO) - inherit only
                (NP) - don’t propagate inherit
                (I)  - Permission inherited from parent container

Using PowerShell

See:

Tools


ATTRIB

Using the ATTRIB command, for example:

attrib -r c:\folder\*.* /s

where:

-r                is the flag for removing read-only attributes
c:\folder\*.*     is the filesystem location to use as the root, plus wildcards for all files
/s                is the flag for doing all sub directories and files

Some links: