Resetting NTFS Permissions Disk Wide


Solution 1

If you're talking about a disk that doesn't contain a Windows installation, just use the "TAKEOWN" and "ICACLS" utilities:

TAKEOWN /f "X:\" /r /d y
ICACLS "X:\" /reset /T

Then you can reset the ACLs to whatever you want.

If it's a disk with a Windows 2000, XP, or Server 2003 operating system installed (don't know about Vista on this one) you could try re-applying the default security template:

secedit /configure /db secedit.sdb /cfg %SystemRoot%\defltwk.inf /overwrite /verbose

(On a Windows Server install, substitute "defltsv.inf" for "defltwk.inf".)

Solution 2

As an alternative to takeown and *cacls you can use SetACL to first take ownership of every file and directory on the drive and then set the desired permissions.

Setting the owner of an entire tree to administrators and enabling inheritance on the child objects:

SetACL.exe -on "C:\" -ot file -actn setprot -op "dacl:np;sacl:nc" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y"

Adding full permissions for administrators:

SetACL.exe -on "C:\" -ot file -actn ace -ace "n:S-1-5-32-544;s:y;p:full"
Author by

Andrew Moore


Updated on September 17, 2022

Comments

  • Andrew Moore
    Andrew Moore almost 2 years

    Someone messed up majorly in setting permissions on an NTFS drive and I'm looking at a way to reset all permissions to default. The OS will be reinstalled but I'm trying to salvage data from their user directories.

    None of the data is encrypted at an FS level.

    Any recommendation on how to achieve that?

  • Spence
    Spence almost 15 years
    While I would agree that you can't restore any custom security settings, you can re-apply the default security template and get back to OS-default security.
  • user1364702
    user1364702 almost 15 years
    Wouldn't using that potentially cause issues if he had custom security through applications? For some reason I shy away from it because it could cause unexpected behavior down the road...or did this improve?
  • Spence
    Spence almost 15 years
    If you've modified the security from default to accommodate some software you'll have to modify it again after you revert back to defaults. To my mind that should be "expected" behaviour. If you change something from default, and then change it back to default, it's back to default again.
  • mivk
    mivk over 11 years
    In Win7 x64, I got errors when quoting the drive. And for icacls, I could not specify the drive directly. So I had to use takeown /F X:\ /R /D Y and icacls X:\* /reset /T.
  • mirh
    mirh over 4 years
    Microsoft actually seems to have changed their minds on secedit's utility (and safety) at least for this task. The method is actually very light on touching anything at all AFAICT (a good deal of registry keys, but little system folders, Windows main one maybe). So at the end of the day the only reliable way I know is comparing ACLs with another trusted system.
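
One way to carry out the comparison against a trusted system mentioned in the last comment, as an added PowerShell example that is not code from any poster on this page. Both root paths are assumptions (the baseline share name is hypothetical), and the function name Get-AclMap is introduced here for illustration.

```powershell
# Added example: report objects whose security descriptor differs from a trusted baseline.
# Assumptions: $BaselineRoot is the same folder on a known-good install of the same
# Windows version (hypothetical path), and the shell is elevated so Get-Acl can read it.
param(
    [string]$BaselineRoot = '\\TRUSTED-PC\C$\Program Files',  # hypothetical trusted system
    [string]$TargetRoot   = 'C:\Program Files'                # tree being checked
)

function Get-AclMap {
    # Hypothetical helper: maps each path (relative to $Root) to its SDDL string.
    param([string]$Root)
    $map      = @{}
    $rootItem = Get-Item -LiteralPath $Root -Force
    $prefix   = $rootItem.FullName.TrimEnd('\').Length
    $items    = @($rootItem) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $rel = $item.FullName.Substring($prefix)
        try {
            # Sddl carries owner, group and DACL in one comparable string.
            $map[$rel] = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Sddl
        } catch {
            # Keep unreadable objects visible instead of silently skipping them.
            $map[$rel] = "UNREADABLE: $($_.Exception.Message)"
        }
    }
    return $map
}

$baseline = Get-AclMap -Root $BaselineRoot
$target   = Get-AclMap -Root $TargetRoot

$report = foreach ($rel in $target.Keys) {
    # Only objects present on both systems can be compared.
    if (-not $baseline.ContainsKey($rel)) { continue }
    if ($baseline[$rel] -ne $target[$rel]) {
        [pscustomobject]@{
            Path     = $rel
            Baseline = $baseline[$rel]
            Target   = $target[$rel]
        }
    }
}

$report | Sort-Object Path | Format-List
```

ACEs for local accounts carry machine-specific SIDs, so those entries show up as differences even when the intended permissions match; well-known SIDs such as S-1-5-32-544 compare cleanly.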