Reset NTFS ACLs
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Windows ACL Issues
NTFS is a much more fine-grained than Unix.
The following commands can be used to take ownership and reset the ACLs to default.
Assuming the tree is rooted at C:\xxx:
Make local administrators group owner.
takeown /F C:\xxx /R /A /D Y
Reset ACLs to defaults.
icacls C:\xxx /reset /T /C /L /Q
Also see:
Note, if the drive permissions themselves are mangled, you will need to fix those as well.
TAKEOWN
ICACLS
See:
Examples:
icacls "dir\*" /q /c /t /reset
where
/reset - Replaces ACLs with default inherited ACLs for all matching files. /t - Performs the operation on all specified files in the current directory and its subdirectories.
Syntax
Syntax ICACLS Name [/grant[:r] User:Permission[...]] [/deny User:Permission[...]] [/remove[:g|:d]] User[...]] [/inheritance:e|d|r ] [/t] [/c] [/l] [/q] [/setintegritylevel Level[...]] Store ACLs for one or more directories matching name into aclfile for later use with /restore ICACLS name /save aclfile [/T] [/C] [/L] [/Q] Restore ACLs to all files in directory : ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q] Change Owner: ICACLS name /setowner user [/T] [/C] [/L] [/Q] Find items with an ACL that mentions a specific SID: ICACLS name /findsid Sid [/T] [/C] [/L] [/Q] Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count: ICACLS name /verify [/T] [/C] [/L] [/Q] Replace ACL with default inherited acls for all matching files: ICACLS name /reset [/T] [/C] [/L] [/Q] Key name The File(s) or folder(s) the permissions will apply to. /T Traverse all subfolders to match files/directories. /C Continue on file errors (access denied) Error messages are still displayed. /L Perform the operation on a symbolic link itself, not its target. /Q Quiet - supress success messages. /grant :r user:permission Grant access rights, with :r, the permissions will replace any previouly granted explicit permissions. Otherwise the permissions are added. /deny user:permission Explicitly deny the specified user access rights. This will also remove any explicit grant of the same permissions to the same user. /remove[:[g|d]] User Remove all occurrences of User from the acl. :g remove all granted rights to that User/Sid. :d remove all denied rights to that User/Sid. /setintegritylevel [(CI)(OI)]Level Add an integrity ACE to all matching files. level is one of L,M,H (Low Medium or High) A Directory Inheritance option for the integrity ACE can precede the level and is applied only to directories: /inheritance:e|d|r e - enable inheritance d - disable inheritance and copy the ACEs r - remove all inherited ACEs user A user account, Group or a SID /restore Apply the acls stored in ACLfile to the files in directory permission is a permission mask and can be specified in one of two forms: a sequence of simple rights: D - Delete access F - Full access N - No access M - Modify access RX - Read and eXecute access R - Read-only access W - Write-only access a comma-separated list in parenthesis of specific rights: DE - Delete RC - read control WDAC - write DAC WO - write owner S - synchronize AS - access system security MA - maximum allowed GR - generic read GW - generic write GE - generic execute GA - generic all RD - read data/list directory WD - write data/add file AD - append data/add subdirectory REA - read extended attributes WEA - write extended attributes X - execute/traverse DC - delete child RA - read attributes WA - write attributes inheritance rights can precede either form and are applied only to directories: (OI) - object inherit (CI) - container inherit (IO) - inherit only (NP) - don’t propagate inherit (I) - Permission inherited from parent container
Using PowerShell
See:
Tools
ATTRIB
Using the ATTRIB command, for example:
attrib -r c:\folder\*.* /s
where:
-r is the flag for removing read-only attributes c:\folder\*.* is the filesystem location to use as the root, plus wildcards for all files /s is the flag for doing all sub directories and files
Some links: