We help IT Professionals succeed at work.

Restoring Windows 7 ACLs on C:\

Scurfy
Scurfy asked
on
Long story, I'll make it short(er). I inadvertently changed ACLs on C:\ (ie, the root directory of the C: drive) and want to get them set back to how they were when the OS was installed.  Tried lots of things. Lastest is to use icacls /save to save the ACLs from another machine I know is correct, and then icacls /restore to restore, on the target machine, those ACLs from the previously saved file.  (i.e., save to file icacls.ssp, copy icacls.ssp to target machine,
restore on target machine).

I:\>icacls C:\ /restore icacls.ssp
C:\D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:(ML;OINPIO;NW;;;HI): The filename, directory name, or volume label syntax is incorrect.
Successfully processed 0 files; Failed processing 1 files

Hmm...

Not sure if there's a problem with my command line, or the ACL file from the other system, so as a test I /saved and then tried to immediately /restore, BOTH SAVE AND RESTORE ON THE TARGET SYSTEM, just to see if it would work.  It didn't:

I:\>icacls C:\ /save icacls.jmb
processed file: C:\
Successfully processed 1 files; Failed processing 0 files

I:\>icacls C:\ /restore icacls.jmb
C:\D:PAI(A;OICI;FA;;;WD)(A;OICI;0x1301bf;;;AU)(A;OICIIO;FA;;;SY)(A;;0x1201ff;;;SY)(A;OICI;FA;;;S-1-5-21-1718308051-1053876602-292602114-1000)(A;OICI;FA;;;BA)S:(ML;OINPIO;NW;;;HI):
The filename, directory name, or volume label syntax is incorrect.
Successfully processed 0 files; Failed processing 1 files

All of the above was done from the Command Prompt running as Administrator.

I would like to understand what's up with icalcs; but even more I'd like to get my ACLs  reset the way I want.  I've tried to do this using the GUI, with different problems:

Start -> Computer -> right click OS (C:) -> Properties -> Security -> Advanced -> Change Permissions  -> Add/Edit/Remove etc., but when I try to set permissions for a particular
user or group, and I specify  "Apply to: " "This folder only", it STILL tries to propagate
the setting to sub-folders!

I just want a simple, clean, reliable way to get my ACLs reset.
Comment
Watch Question

Top Expert 2012

Commented:
Have you tried to initiate a Windows 7 System Restore to a point prior to the change?

How to Do a System Restore in Windows 7
Commented:
Nope, but I thought about it.  In the research I did, I couldn't find any indication that permissions are saved when creating restore points, or that they would be restored.  So I opted not to go there.  As an update, I've recently had some success with using icacls in a different way than in my initial question.  For example, this works to correctly set permissions for Authenticated users:

icacls C:\ /grant "Authenticated Users":(OI)(CI)(IO)(DE,GE,GW,GR)

I'd attempted this earlier but hadn't gotten the syntax quite right in specifying inheritance rights.

Looks like I'll be able use this application of icacls to accomplish what I want.  Sure would be nice to know why icacls /save & /restore wasn't doing what I expected, and why setting permissions from the GUI was causing propagation even when I explicitly specified "This folder only".
Top Expert 2012

Commented:
"So I opted not to go there."

In the future, keep in mind that you don't lose or overwrite any user data files when you execute a System Restore.  It is a very low-risk procedure, and it may resolve the problem at hand.
LeeTutorretired
Top Expert 2009

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.