Difference between revisions of "Reset NTFS ACLs"
Latest revision as of 12:12, 3 June 2016
Windows ACL Issues
NTFS permissions are much more fine-grained than Unix permissions.
The following commands can be used to take ownership and reset the ACLs to default.
Assuming the tree is rooted at C:\xxx:
Make local administrators group owner.
takeown /F C:\xxx /R /A /D Y
Reset ACLs to defaults.
icacls C:\xxx /reset /T /C /L /Q
Also see:
* http://www.techrepublic.com/article/use-caclsexe-to-view-and-manage-windows-acls/
Note, if the drive permissions themselves are mangled, you will need to fix those as well.
TAKEOWN
* https://technet.microsoft.com/en-us/library/cc753024.aspx
ICACLS
See:
Examples:
icacls "dir\*" /q /c /t /reset
where
/reset - Replaces ACLs with default inherited ACLs for all matching files.
/t - Performs the operation on all specified files in the current directory and its subdirectories.
Syntax
Syntax
      ICACLS Name
         [/grant[:r] User:Permission[...]]
         [/deny User:Permission[...]]
         [/remove[:g|:d] User[...]]
         [/inheritance:e|d|r]
         [/t] [/c] [/l] [/q]
         [/setintegritylevel Level[...]]

   Store ACLs for one or more directories matching name into aclfile for later use with /restore:
      ICACLS name /save aclfile [/T] [/C] [/L] [/Q]

   Restore ACLs to all files in directory:
      ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q]

   Change Owner:
      ICACLS name /setowner user [/T] [/C] [/L] [/Q]

   Find items with an ACL that mentions a specific SID:
      ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

   Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
      ICACLS name /verify [/T] [/C] [/L] [/Q]

   Replace ACL with default inherited ACLs for all matching files:
      ICACLS name /reset [/T] [/C] [/L] [/Q]

Key
   name  The file(s) or folder(s) the permissions will apply to.

   /T    Traverse all subfolders to match files/directories.

   /C    Continue on file errors (access denied). Error messages are still displayed.

   /L    Perform the operation on a symbolic link itself, not its target.

   /Q    Quiet - suppress success messages.

   /grant :r user:permission
         Grant access rights. With :r, the permissions will replace any previously granted explicit permissions.
         Otherwise the permissions are added.

   /deny user:permission
         Explicitly deny the specified user access rights.
         This will also remove any explicit grant of the same permissions to the same user.

   /remove[:[g|d]] User
         Remove all occurrences of User from the ACL.
         :g remove all granted rights to that User/Sid.
         :d remove all denied rights to that User/Sid.

   /setintegritylevel [(CI)(OI)]Level
         Add an integrity ACE to all matching files.
         level is one of L,M,H (Low, Medium or High)

         A Directory Inheritance option for the integrity ACE can precede the level
         and is applied only to directories:

   /inheritance:e|d|r
         e - enable inheritance
         d - disable inheritance and copy the ACEs
         r - remove all inherited ACEs

   user  A user account, Group or a SID

   /restore
         Apply the ACLs stored in ACLfile to the files in directory

   permission is a permission mask and can be specified in one of two forms:

      a sequence of simple rights:
         D  - Delete access
         F  - Full access
         N  - No access
         M  - Modify access
         RX - Read and eXecute access
         R  - Read-only access
         W  - Write-only access

      a comma-separated list in parentheses of specific rights:
         DE   - Delete
         RC   - read control
         WDAC - write DAC
         WO   - write owner
         S    - synchronize
         AS   - access system security
         MA   - maximum allowed
         GR   - generic read
         GW   - generic write
         GE   - generic execute
         GA   - generic all
         RD   - read data/list directory
         WD   - write data/add file
         AD   - append data/add subdirectory
         REA  - read extended attributes
         WEA  - write extended attributes
         X    - execute/traverse
         DC   - delete child
         RA   - read attributes
         WA   - write attributes

      inheritance rights can precede either form and are applied only to directories:
         (OI) - object inherit
         (CI) - container inherit
         (IO) - inherit only
         (NP) - don’t propagate inherit
         (I)  - Permission inherited from parent container
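An added example (not part of the original wiki page) that wraps the takeown and icacls /reset commands from the top of the page with the /save and /verify forms from the syntax listing, so the explicit ACEs that a reset discards are recorded first. C:\xxx is the page's placeholder tree; the backup file location and the helper name Invoke-Native are assumptions, and Get-Acl is the standard PowerShell cmdlet.

```powershell
# Added example. $Root is the page's placeholder tree; $Backup is an assumed location.
# Run from an elevated PowerShell prompt.
$Root   = 'C:\xxx'
$Backup = Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))

# Hypothetical helper: run a native tool and stop on a non-zero exit code.
function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

if (-not (Test-Path -LiteralPath $Root)) { throw "$Root does not exist" }

# 1. Take ownership first: the owner is implicitly allowed to read and change the DACL.
Invoke-Native takeown @('/F', $Root, '/R', '/A', '/D', 'Y')

# 2. Record every explicit (non-inherited) ACE; these are what /reset discards.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$explicit = foreach ($item in $items) {
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $item.FullName } },
                      IdentityReference, AccessControlType, FileSystemRights
}
$explicit | Format-Table -AutoSize

# 3. Save the current ACLs so the reset can be undone with /restore.
Invoke-Native icacls @($Root, '/save', $Backup, '/T', '/C', '/L', '/Q')

# 4. Reset to default inherited ACLs, then check the result is well-formed.
Invoke-Native icacls @($Root, '/reset', '/T', '/C', '/L', '/Q')
Invoke-Native icacls @($Root, '/verify', '/T', '/C', '/L', '/Q')

# Saved paths are relative to the parent of $Root, so /restore targets the parent.
"Undo with: icacls $(Split-Path -Path $Root -Parent) /restore $Backup /C /L /Q"
```

Because /C continues past per-file errors, a non-zero exit code from any step means some items were skipped; review the error output before moving on to the reset.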
Using PowerShell
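See:
* http://www.definit.co.uk/2012/02/powershell-recursively-taking-ownership-of-files-and-folders-and-adding-permissions-without-removing-existing-permissions/
Tools
* http://lallouslab.net/2013/08/26/resetting-ntfs-files-permission-in-windows-graphical-utility/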
ATTRIB
Using the ATTRIB command, for example:
attrib -r c:\folder\*.* /s
where:
-r is the flag for removing read-only attributes
c:\folder\*.* is the filesystem location to use as the root, plus wildcards for all files
/s is the flag for doing all sub directories and files
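Some links:
* https://technet.microsoft.com/en-us/library/bb490868.aspx
* https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/attrib.mspx?mfr=true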