Posted on October 19, 2017 · Posted in Tools, Windows Server 2012 R2

How to Backup and Restore NTFS Permissions Using ICACLS

Managing NTFS permissions on file server folders can be quite tedious. An inaccurate change at the top (root) level of a directory tree may lead to unexpected results when the individual permissions on lower-level files and directories are forcibly replaced. Before any significant change of permissions on an NTFS folder (shared folder), such as moving it, updating its ACL or migrating the resource, it is recommended to back up the existing permissions, so that you can return to the original settings or at least see what access a specific file or folder had previously.

To export/import the current NTFS permissions of a directory, you can use the built-in icacls utility. This tool lets you view and change the access control lists (ACLs) of file system objects.

To get all ACLs for a specific folder including its subfolders and files and save them as plain text, run the following command:

icacls g:\veteran /save veteran_ntfs_perms.txt /t /c

By default, the file containing the access permissions is saved to the current user's folder.

Note. The /t switch collects the ACLs of all subdirectories and files, and /c makes icacls continue past access errors. Adding the /q switch suppresses the messages about successfully processed file system objects.


Depending on the number of files and folders, exporting the permissions can take quite a long time. When the command has finished, it displays statistics on the number of files processed successfully and the number that failed:

Successfully processed 3001 files; Failed processing 0 files

Open veteran_ntfs_perms.txt in any text editor. It contains the full list of files and folders in the directory, and for each item the current permissions in SDDL (Security Descriptor Definition Language) format.


For example, the current NTFS permissions for the root directory are as follows:

D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2340243621-32346796122-2349433313-23777994)(A;OICI;0x1301bf;;;S-1-5-21-2340243621-32346796122-2349433313-23777993)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2340243621-32346796122-2349433313-24109193)S:AI

This string describes the access granted to several groups and users. We won't cover the SDDL syntax in detail (if necessary, see the reference on MSDN). Let's look at a small extract of the SDDL string, a single ACE:

(A;OICI;FA;;;S-1-5-21-2340243621-32346796122-2349433313-24109193)

A – access type (Allow)

OICI – inheritance flags (OBJECT INHERIT + CONTAINER INHERIT)

FA – access rights (SDDL_FILE_ALL, i.e. Full Control)

S-1-5-21-2340243621-32346796122-2349433313-24109193 – SID of the account or domain group that has these permissions. To convert the SID to an account or group name, run the following PowerShell commands:

# Build a SecurityIdentifier object from the SID string
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-2340243621-32346796122-2349433313-24109193")
# Translate it to a DOMAIN\name account and print the result
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value


Or use one of the Active Directory module cmdlets (replace SID with the actual value):
Get-ADUser -Identity SID
or
Get-ADGroup -Identity SID

Thus, you have found that the user corp\dtrump had Full Control permissions on this directory.
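To review a backup like the one above without reading raw SDDL, the following added example (not part of the original article) parses the /save file into decoded ACEs and compares two backups taken before and after a permission change, so that an unintended grant such as Everyone: Full Control on a subfolder shows up as an added ACE. It assumes the file layout icacls produces (a relative path line followed by its SDDL line) and embeds a constructed sample built from the article's root entry plus a hypothetical child folder.

```python
import re
from typing import NamedTuple

# One SDDL ACE from an icacls /save file: (type;flags;rights;objguid;inhguid;sid)
ACE_RE = re.compile(r"\(([^)]*)\)")
ACE_TYPES = {"A": "Allow", "D": "Deny"}
# Well-known SDDL SID abbreviations (subset); other SIDs are kept verbatim
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
               "CO": "CREATOR OWNER", "AU": "Authenticated Users", "WD": "Everyone"}
# Rights: SDDL mnemonics plus the NTFS access masks icacls writes in hex
RIGHTS = {"FA": "Full Control", "0x1f01ff": "Full Control", "0x1301bf": "Modify",
          "0x1200a9": "Read & Execute", "FR": "Read", "0x120089": "Read", "FW": "Write"}

class Ace(NamedTuple):
    ace_type: str
    flags: str    # e.g. OICI = object+container inherit, ID = inherited
    rights: str
    trustee: str

def parse_ace(token: str) -> Ace:
    ace_type, flags, rights, _obj, _inh, sid = token.split(";")
    key = rights.lower() if rights.lower().startswith("0x") else rights
    return Ace(ACE_TYPES.get(ace_type, ace_type), flags,
               RIGHTS.get(key, rights), SID_ALIASES.get(sid, sid))

def parse_save_file(text: str) -> dict:
    """Backup file = pairs of lines: relative path, then its SDDL string.
    A real file is UTF-16: read it with open(name, encoding="utf-16")."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = {}
    for path, sddl in zip(lines[0::2], lines[1::2]):
        dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # DACL part only
        entries[path] = [parse_ace(m.group(1)) for m in ACE_RE.finditer(dacl)]
    return entries

def diff_backups(before: dict, after: dict) -> dict:
    """Per path whose ACL changed: (ACEs added, ACEs removed)."""
    changes = {}
    for path in sorted(before.keys() | after.keys()):
        old, new = set(before.get(path, [])), set(after.get(path, []))
        if old != new:
            changes[path] = (sorted(new - old), sorted(old - new))
    return changes

# Constructed sample: the article's root entry (shortened) plus one child
# folder; in the second backup Everyone has been granted Full Control on it.
GROUP = "S-1-5-21-2340243621-32346796122-2349433313-23777994"
ROOT = f"veteran\nD:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;{GROUP})(A;OICI;FA;;;SY)S:AI\n"
BEFORE = ROOT + f"veteran\\reports\nD:AI(A;ID;FA;;;BA)(A;ID;0x1200a9;;;{GROUP})\n"
AFTER = ROOT + f"veteran\\reports\nD:AI(A;ID;FA;;;BA)(A;OICI;FA;;;WD)(A;ID;0x1200a9;;;{GROUP})\n"
```

Running diff_backups(parse_save_file(BEFORE), parse_save_file(AFTER)) reports the child folder with one added ACE (Allow, OICI, Full Control, Everyone) and nothing removed.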

To restore NTFS permissions on the objects of this folder automatically according to the values from the backup file, run this command:

icacls g:\ /restore veteran_ntfs_perms.txt /t /c

Note. When importing permissions from the file, specify the path to the parent directory rather than the folder itself, because icacls stores the paths in the backup file relative to the parent of the directory given in the /save command.

After all permissions have been restored, statistics on the number of processed files are displayed as well.
