Managing NTFS permissions on file server folders may be quite tiresome. Inaccurate changes to the top (root) level of the directory may lead to unexpected results when individual permissions on lower-level files and directories are forcefully changed. Prior to significant change of permissions (moving, ACL update, resource migration) on an NTFS folder (Shared Folder), it is recommended to back up earlier permissions that will allow you to return to the original settings or at least see the previous access permissions to the specific file or folder.
To export/import current NTFS directory permissions, you can use built in utility icacls. This tool enables to get and change access control lists (ACLs) of file system objects.
To get all ACLs for a specific folder including its subfolders and files and save them as plain text, run the following command:
icacls g:\veteran /save veteran_ntfs_perms.txt /t /c
The file containing access permissions is saved by default to the current user folder.
Depending on the number of files and folders, the export of permissions can take quite a long time. After the command has been executed, the statistics on the number of successful or failed processing of files will be displayed.
Successfully processed 3001 files; Failed processing 0 files
Open the file veteran_ntfs_perms.txt using any text editor. As you can see, it contains the full list of files and folders in a directory, and each item has the current permissions specified in SDDL (Security Descriptor Definition Language) format.
For example, the current NTFS permissions for the root directory are as follows:
D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2340243621-32346796122-2349433313-23777994)(A;OICI;0x1301bf;;;S-1-5-21-2340243621-32346796122-2349433313-23777993)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2340243621-32346796122-2349433313-24109193)S:AI
This string describes the access for some groups or users. We won’t consider SDDL syntax in detail (if necessary, you can find help on MSDN). Let’s dwell on a small extract of SDDL by choosing only one object:
(A;OICI;FA;;;S-1-5-21-2340243621-32346796122-2349433313-24109193)
A – access type (Allow)
OICI – inherit flag (OBJECT INHERIT+ CONTAINER INHERIT)
FA – permission type (SDDL_FILE_ALL – all allowed)
S-1-5-21-2340243621-32346796122-2349433313-24109193 – SID of the account or domain group that has these permissions. To convert SID to the account or group name, use the following command:
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-2340243621-32346796122-2349433313-24109193")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value
Or use one of the commands:
Get-ADUser -Identity SID
or
Get-ADGroup -Identity SID
Thus, you have found that the user corp\dtrump had Full Control permissions on this directory.
To restore NTFS permissions on the objects of this folder automatically according to the values from the backup file, run this command:
icacls g:\ /restore veteran_ntfs_perms.txt /t /c
After all permissions have been recovered, the statistics on the number of the processed files will also be displayed.
3 comments
This is very helpful. If I make a duplicate of the g:\veteran onto a new drive, say e:\veteran, and mess up my permissions on the e:\veteran version, is it possible to use the g:\veteran backup to restore on e:\veteran? Do I need to do something to change the ACL file to point to the new location and restore permissions there?
Yes you can. You need to manually edit the file veteran_ntfs_perms.txt in any text editor find and replace the path g:\ to e:\.
How could I manage the SACL “System access control list” with ICACLS?