How to Back Up and Restore NTFS and Share Permissions

This topic was originally posted to the AskDS blog and has been added to the wiki to allow for community editing.

From time to time we are asked how to back up and restore NTFS file system permissions as well as network share permissions. KB article 125996 talks about the network share piece of it, but it does not talk about NTFS permissions.

One thing that has made the NTFS permissions piece of this simpler is the Icacls tool. Icacls was developed for Windows Vista as a replacement for tools such as Cacls, Xcacls, and Xcacls.vbs. It was also included in Service Pack 2 for Windows Server 2003 and Windows Server 2008.

Backup and Restore of Share Permissions

To back up share permissions, export the Shares registry key.

  1. Open Regedit to the following location:

    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
  2. Right-click the Shares registry key and select Export. Give it a file name such as shareperms.reg.

When you want to restore the permissions, double-click shareperms.reg to import it back into the registry.

Use the Reg tool to back up the registry key from the command line:

reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares shareperms.reg

If you need to restore it at some point, just run:

reg import shareperms.reg

Backup and Restore of NTFS Permissions

Use this command to back up NTFS permissions:

icacls d:\data /save ntfsperms.txt /t /c

The /T switch allows it to get subfolder permissions too. The /C switch allows it to continue even if errors are encountered (although errors will still be displayed).

Use this command to restore them:

icacls d:\ /restore ntfsperms.txt

Note that in the command to save the permissions, I specified the target folder D:\Data, but when I restored them, I specified just D:\ as the target. Icacls is a little funky like that, and here’s why.

If you open the text file with the exported permissions (ntfsperms.txt in the above example), you’ll see that Icacls uses relative paths (the data, data\folder1 and data\folder2 lines below). Underneath each relative path are the permissions for that folder in Security Descriptor Definition Language (SDDL) format.

data
D:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
data\folder1
D:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
data\folder2
D:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)

Had I specified D:\Data in the command to restore the permissions, it would have failed looking for a D:\Data\Data folder:

D:\>icacls d:\data /restore perms.txt
d:\data\data: The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

You might think specifying D:\ as the target in the restore command may somehow mess up the permissions on other folders at that level, but as you can see from the ntfsperms.txt output file, it only has information about the Data folder and subfolders, so that is all it will change.
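
Added example (not part of the original post): Python that reads a listing like the one above, checks that it consists of relative-path/SDDL pairs, and works out which folder to pass to /restore and which paths that restore will touch. The function names and the trimmed sample listing are constructed for illustration, and the check assumes each descriptor is a plain DACL string as in the listing above.

```python
import ntpath
import re

# Constructed sample: the listing above with the SDDL strings trimmed.
SAMPLE = "\n".join([
    "data",
    "D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)",
    "data\\folder1",
    "D:AI(A;ID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)",
    "data\\folder2",
    "D:AI(A;ID;FA;;;BA)(A;ID;0x1301bf;;;AU)",
])

def parse_acl_backup(text):
    """Split an icacls /save listing into (relative_path, sddl) pairs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd line count: a path or SDDL line is missing")
    entries = []
    for path, sddl in zip(lines[0::2], lines[1::2]):
        if ntpath.splitdrive(path)[0] or path.startswith("\\"):
            raise ValueError(f"expected a relative path, got {path!r}")
        # Assumption: every descriptor is a plain DACL, as in the listing above.
        if not re.fullmatch(r"D:[A-Z]*(\([^()]*\))*", sddl):
            raise ValueError(f"entry for {path!r} is not a plain DACL string")
        entries.append((path, sddl))
    return entries

def restore_target(saved_target, entries):
    """Return the folder to give icacls /restore: the saved folder's parent."""
    saved = ntpath.normpath(saved_target)
    leaf = ntpath.basename(saved).lower()
    tops = {ntpath.normpath(p).split("\\")[0].lower() for p, _ in entries}
    if tops != {leaf}:
        raise ValueError(f"listing is rooted at {sorted(tops)}, not {leaf!r}")
    return ntpath.dirname(saved)

def paths_touched(target, entries):
    """Absolute paths icacls will look for when the listing is restored at target."""
    return [ntpath.join(target, p) for p, _ in entries]

if __name__ == "__main__":
    entries = parse_acl_backup(SAMPLE)
    good = restore_target(r"d:\data", entries)
    print("restore at", good, "->", paths_touched(good, entries))
    # Restoring at the saved folder itself doubles the first path component.
    print("restore at d:\\data ->", paths_touched(r"d:\data", entries)[0])
```

Running the same check over a listing before a restore shows every folder whose ACL will be rewritten, which is the reassurance the paragraph above gives for restoring at D:\.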

Comments
  • It did not work. I followed the steps outlined precisely and the NTFS permissions did display correctly in the security window, but the permissions are not in effect, i.e. users who should not have permissions to access the folders are now able to access them. I even restarted the server as well as a workstation, in case they would take effect after a reboot.

  • If you get either of the two following errors, this likely has to do with the formatting in the text file after it has been modified. If this occurs, copy the text out of the modified text file and paste it into the original text file that was created when the permissions were backed up. Copying it into a new text file does not solve this problem… don't ask me why. Hope this helps. Post if it does.

    Error 1:

    The system cannot find the path specified.

    Successfully processed 0 files; Failed processing 1 files

    Error 2:

    The filename, directory name, or volume label syntax is incorrect. Successfully processed 0 files; Failed processing 1 files
