none
ICACLS Syntax issues with backup / restore

    Question

  • I am doing some testing with Windows Server 2008 R2 with NTFS permissions.  I have a d: (multiple folders and sub-folders) drive with an existing ntfs permissions.  I want to make a backup of the settings using icacls so I can restore when needed.

    So, here is what I am doing and the issue:

    1.  Open an elevated cmd prompt.

    2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

    3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes and I get the following:

    d:\D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1229272821-2
    025429265-725345543-3701)(A;CI;0x1200a9;;;BU)S:AI: The filename, directory name,
     or volume label syntax is incorrect.
    Successfully processed 0 files; Failed processing 1 files

    Any assistance is appreciated.

     

    Friday, October 15, 2010 8:35 PM

All replies

  • Never used icacls to do this.  I like FILEACL better for this type of thing.

    http://www.gbordier.com/gbtools/fileacl.asp

    Use one of the following options

    /BATCH

    Generate a batch file for reapplying the same permissions, use with /SUB

    /BATCHREAL

    Batch mode including inhirted right from the top level

    Saturday, October 16, 2010 8:28 PM
  • Hi Gunner999,

      Thank you for response and the workaround.  I don't mind using another tool, however, icacls.exe is a native tool and it should work as advertised.  I will test the freeware you suggested to get around the issue I am having with icacls.exe but would really like to know the answer to my question.

    thanks,

    Monday, October 18, 2010 8:14 PM
  • Hi,

    Here is an article which mentioned the same information you need. See:

    How to Back Up and Restore NTFS and Share Permissions

    http://blogs.technet.com/b/askds/archive/2008/11/24/how-to-back-up-and-restore-ntfs-and-share-permissions.aspx


    Shaon Shan| TechNet Subscriber Support in forum| If you have any feedback on our support, please contact tngfb@microsoft.com
    Wednesday, October 20, 2010 9:12 AM
  • Hi Shaon,

      The link above does not answer my question.  I want to capture everything from the root of d:\ and not just a sub-folder on the d:\.  If you execute these steps, does it work for you?

    1.  Open an elevated cmd prompt.

    2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

    3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes.

    Let me know and thanks,

    Raffi

    Wednesday, October 27, 2010 9:26 PM
  • ColorJet3,

    Did you ever find an answer to your question?  I made some progress by excluding the drive letter and just using the "\" as the "root"; for example;

    to restore all the files within root of "D:\" along with its folders and subfolders, try the following;

    icacls \ /restore ICACL_FileName

    Hope this helps...

    Regards,

    Doug

    Tuesday, December 14, 2010 3:08 AM
  • I've been trying to find an answer to this conundrum for some time now, albeit for the SystemDrive, the security-state of which I'd like to capture.  Even specifying just root on a Windows 2003 (x64) Ent Server, along the lines of what djyeater suggested, only up to the first (alphabetically) sorted directory is reported -- "Documents and Settings" as well root's files (excepting in-use files) -- on the system drive.  Here's the command executed by a local admin in a command prompt window focused on root (C:\):

    C:\WINDOWS\system32\icacls.exe \* /save C:\temp\HarvestedAcls.txt /t /c

    Like Colorjet3, I tend to rely on native capabilities where practicable, and am therefore really interested in learning why the utility can not be trusted to perform as advertised.  BTW.  The version of icacls.exe I'm explicitly using is 5.2.3790.3959 and 49.5 KB in size.  Note also that the x32 version (in SysWOW64) has the same version number, but is only 39 KB in size, and reports the exact same results.

    What's up with icacls.exe?  Is this an undocumented feature, or am I doing something wrong?

    Tuesday, December 14, 2010 10:27 AM
  • I may be a little late to the party here but I think I've found out what your problem is:

    1.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

    2.  Run "icacls d:\ /restore ntfsDdrive.txt"

    Like you believe, your second step is where the failure occurs. The icacls script does NOT run from the directory you wish to restore. I've been trying to figure out all morning why the file path is specified is invalid as I had mine replicated "C:\test directory\test directory". I later edited the ACL file by removing the folder name on the first line, which evidently gave me "C:\test directory\ is not a valid filepath"

    I then progressed further by created a destination C:\Test Directory\Test and saving the ACL file with the /T switch active. After altering the permissions, I ran a restore for C:\Test Directory\Test from the C:\Test Directory folder. This completed successfully and permissions were replaced as they were before, without affecting the parent "Test Directory".

    1. run "icacls C:\test directory\test /save TestACL.txt"

    2. run "icacls C:\test directory /restore TestACL.txt"

    I'm not sure how you'd be able to run a permission replacement of the entire D:\ as it cannot go any higher up. I recommend taking ACL files of all sub-directories of D:\ and running them all from D:\ when the time comes. I hope this helps you guys out, it only took me two and a half hours to figure out -.-



    Thursday, June 02, 2011 11:39 AM
  • i know it's realy late but for those who need to fix that , it could be usefull.

    to save and restore a entire drive, do it like this

    icacls.exe d:\* /save  ntfspermitssion.txt /t /c

    icacls.exe d:\ /restore ntfspermission.txt /t /c

    it did the trick for me.

    Hope this help someone.

    • Proposed as answer by Mouchy Friday, October 12, 2012 9:12 AM
    Thursday, October 11, 2012 10:34 AM
  • i know it's realy late but for those who need to fix that , it could be usefull.

    to save and restore a entire drive, do it like this

    icacls.exe d:\* /save  ntfspermitssion.txt /t /c

    icacls.exe d:\ /restore ntfspermission.txt /t /c

    it did the trick for me.

    Hope this help someone.


    The "icacls.exe d:\* /save  ntfspermitssion.txt /t /c" command will not save the FTFS permissions from the D: root itself though.  I'm having the same problem trying to find a way to save the security settings from the root file down, and then being able to restore from that.  The save works, but the restore does not (as mentioned above). 
    Monday, December 10, 2012 6:44 PM
  • Hi JadedPuppy.

    This could be a long shot, but if you're trying to restore an entire drive, have you tried setting up a manually mapped drive with a shortcut in it to the drive you want to restore?
    I haven't tried this (As I've had no intention of restoring an entire drive), and I'd have little faith that such a thing would work.

    Another alternative could be to open the ACL File as a text file and remove the specified directory from the file. Now, I'm no expert on ICACLS or ACL Files and my initial thoughts on this would be the file would become corrupt... however, if you want to try it on a blank drive with just test folders and test documents to see what actually happens, it's another way of potentially finding out how to restore an entire drive.

    The only way I know you can restore an entire drive (excluding files within the root of the drive) is to create an ACL File for all sub-folders of the root.

    Sorry if this doesn't help much!


    HP WinTel Server Support

    Tuesday, December 11, 2012 9:18 AM
  • Long reply on this, so apologies.  After much work on this, it turns out that the format of the save command simply doesn't allow a restore on a root folder level.  It's a limitation of the the command.  I have found workarounds for it, such as mapping drives, but it is less than perfect.  Oh well. Thanks for the help everybody.  (I didn't mark an answer, as there really wasn't a solution).

    Wednesday, January 09, 2013 3:23 PM
  • I know that this is a really old thread, but I'm hoping that the solution will help others that may still be having this problem.

    The issue that the original poster had is because icacls puts a blank line at the beginning of the file if you run the backup from the root of a drive. That changes the line positioning so that the restore interprets the permissions line as the filename line for each subsequent pair.

    Filename
    ACL
    Filename
    ACL

    Just use a text editor to remove that blank line and the restore will work just fine.


    John Benfield

    Friday, August 15, 2014 3:09 PM