Understanding how to use Icals & Takeown to make changes and reset in Windows 10

• Take ownership of a windows folder and its contents
• Make Changes
• Return ownership to original
• Understand the process
• Use Icacls and takedown in a windows 10 environment

Before using takeown and icacls commands because of the sensitive nature of windows folders, I would like to know and understand what changes to permissions will take place, so that they can be reset to their original position. As one article I read said “Be careful, taking the ownership of system folders you may break your operating systems.” Though I don’t think I will in this case, as I plan to use this on more than one computer, it would be good to know what is going on, so that the correct commands are used.

This is my current potential script:

takeown /f C:\Windows\Web
takeown /f C:\Windows\Web\*.* /R
…changes to default image cache here…
icacls C:\Windows\Web\*.* /reset /T /C
icacls c:\Windows\Web\*.* /setowner " Web NT SERVICE\TrustedInstaller" /T /C"
icacls c:\Windows\Web /setowner " Web NT SERVICE\TrustedInstaller" /T /C"

Current Understanding:

A)  takeown /f C:\Windows\Web  (Take ownership of directory) 
A)  takeown /f C:\Windows\Web\*.* /R 
    (Take ownership of all files and subdirectories)
    [[B is an alternative for A]]
B)  takeown /f C:\Windows\Web  /R /d Y  
    (?? recursively take ownership of all files and folders)
C)  icacls C:\Windows\Web\*.* /T /C /reset  
    (?? this resets security permissions to default for all the folders, 
    files and subfolders)
D)  icacls c:\Windows\Web\*.* /setowner " Web NT SERVICE\TrustedInstaller" /T /C"
    (This resets the owner of the folder contents see last script box)
E)  icacls c:\Windows\Web /setowner " Web NT SERVICE\TrustedInstaller" /T /C"
    Set owner of folder back to original

Current Folder Permissions are:

COMMAND PROMPT - ADMINISTRATOR 
C:\Windows>icacls "C:\Windows\Web"
C:\Windows\Web NT SERVICE\TrustedInstaller:(F)
               NT SERVICE\TrustedInstaller:(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(M)
               NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
               BUILTIN\Administrators:(M)
               BUILTIN\Administrators:(OI)(CI)(IO)(F)
               BUILTIN\Users:(RX)
               BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
               CREATOR OWNER:(OI)(CI)(IO)(F)
               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(RX)
               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(OI)(CI)(IO)(GR,GE)

Reading:

• SU - Is there a way in which I can use takeown to apply ownership to every directory on the drive?
• SU - Takeown grant permission
• SO - Change owner and permissions on folder
• SF - icacls equivalents of explorer basic permissions
• Microsoft - Takeown
• Microsoft - Icacls
• Microsoft - Quick way to reset all security permissions to default?
• SS46 - Takeown
• SS64 - Icacls
• TheSolving - How to reset NTFS permissions with ICACLS

Sure, I assumed your "Web NT SERVICE\TrustedInstaller" was a typo. It is "NT SERVICE\TrustedInstaller". If you save your ACLs with icacls you can look at the file generated in Notepad (it is text format). The first line is the name of the directory it wants to apply to. The second line is the permissions. You can see confirmation here if it isn't clear. blogs.technet.microsoft.com/askds/2008/11/24/…