ICACLS Syntax issues with backup / restore

    Question

  • I am doing some testing with Windows Server 2008 R2 with NTFS permissions.  I have a d: (multiple folders and sub-folders) drive with existing NTFS permissions.  I want to make a backup of the settings using icacls so I can restore when needed.

    So, here is what I am doing and the issue:

    1.  Open an elevated cmd prompt.

    2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

    3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes and I get the following:

    d:\D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1229272821-2
    025429265-725345543-3701)(A;CI;0x1200a9;;;BU)S:AI: The filename, directory name,
     or volume label syntax is incorrect.
    Successfully processed 0 files; Failed processing 1 files

    Any assistance is appreciated.

     

    Friday, October 15, 2010 8:35 PM

All replies

  • Never used icacls to do this.  I like FILEACL better for this type of thing.

    http://www.gbordier.com/gbtools/fileacl.asp

    Use one of the following options

    /BATCH

    Generate a batch file for reapplying the same permissions, use with /SUB

    /BATCHREAL

    Batch mode including inherited rights from the top level

    Saturday, October 16, 2010 8:28 PM
  • Hi Gunner999,

      Thank you for the response and the workaround.  I don't mind using another tool, however, icacls.exe is a native tool and it should work as advertised.  I will test the freeware you suggested to get around the issue I am having with icacls.exe but would really like to know the answer to my question.

    thanks,

    Monday, October 18, 2010 8:14 PM
  • Hi,

    Here is an article which mentioned the same information you need. See:

    How to Back Up and Restore NTFS and Share Permissions

    http://blogs.technet.com/b/askds/archive/2008/11/24/how-to-back-up-and-restore-ntfs-and-share-permissions.aspx


    Shaon Shan| TechNet Subscriber Support in forum| If you have any feedback on our support, please contact tngfb@microsoft.com
    Wednesday, October 20, 2010 9:12 AM
    Moderator
  • Hi Shaon,

      The link above does not answer my question.  I want to capture everything from the root of d:\ and not just a sub-folder on the d:\.  If you execute these steps, does it work for you?

    1.  Open an elevated cmd prompt.

    2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

    3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes.

    Let me know and thanks,

    Raffi

    Wednesday, October 27, 2010 9:26 PM
  • ColorJet3,

    Did you ever find an answer to your question?  I made some progress by excluding the drive letter and just using the "\" as the "root"; for example;

    to restore all the files within root of "D:\" along with its folders and subfolders, try the following;

    icacls \ /restore ICACL_FileName

    Hope this helps...

    Regards,

    Doug

    Tuesday, December 14, 2010 3:08 AM
  • I've been trying to find an answer to this conundrum for some time now, albeit for the SystemDrive, the security-state of which I'd like to capture.  Even specifying just root on a Windows 2003 (x64) Ent Server, along the lines of what djyeater suggested, only up to the first (alphabetically) sorted directory is reported -- "Documents and Settings" as well as root's files (excepting in-use files) -- on the system drive.  Here's the command executed by a local admin in a command prompt window focused on root (C:\):

    C:\WINDOWS\system32\icacls.exe \* /save C:\temp\HarvestedAcls.txt /t /c

    Like Colorjet3, I tend to rely on native capabilities where practicable, and am therefore really interested in learning why the utility can not be trusted to perform as advertised.  BTW.  The version of icacls.exe I'm explicitly using is 5.2.3790.3959 and 49.5 KB in size.  Note also that the x32 version (in SysWOW64) has the same version number, but is only 39 KB in size, and reports the exact same results.

    What's up with icacls.exe?  Is this an undocumented feature, or am I doing something wrong?

    Tuesday, December 14, 2010 10:27 AM
  • I may be a little late to the party here but I think I've found out what your problem is:

    1.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

    2.  Run "icacls d:\ /restore ntfsDdrive.txt"

    Like you believe, your second step is where the failure occurs. The icacls script does NOT run from the directory you wish to restore. I've been trying to figure out all morning why the file path specified is invalid as I had mine replicated "C:\test directory\test directory". I later edited the ACL file by removing the folder name on the first line, which evidently gave me "C:\test directory\ is not a valid filepath"

    I then progressed further by creating a destination C:\Test Directory\Test and saving the ACL file with the /T switch active. After altering the permissions, I ran a restore for C:\Test Directory\Test from the C:\Test Directory folder. This completed successfully and permissions were replaced as they were before, without affecting the parent "Test Directory".

    1. run "icacls C:\test directory\test /save TestACL.txt"

    2. run "icacls C:\test directory /restore TestACL.txt"

    I'm not sure how you'd be able to run a permission replacement of the entire D:\ as it cannot go any higher up. I recommend taking ACL files of all sub-directories of D:\ and running them all from D:\ when the time comes. I hope this helps you guys out, it only took me two and a half hours to figure out -.-



    Thursday, June 2, 2011 11:39 AM
  • I know it's really late, but for those who need to fix that, it could be useful.

    To save and restore an entire drive, do it like this

    icacls.exe d:\* /save ntfspermission.txt /t /c

    icacls.exe d:\ /restore ntfspermission.txt /t /c

    It did the trick for me.

    Hope this helps someone.

    • Proposed as answer by Mouchy Friday, October 12, 2012 9:12 AM
    Thursday, October 11, 2012 10:34 AM
  • I know it's really late, but for those who need to fix that, it could be useful.

    To save and restore an entire drive, do it like this

    icacls.exe d:\* /save ntfspermission.txt /t /c

    icacls.exe d:\ /restore ntfspermission.txt /t /c

    It did the trick for me.

    Hope this helps someone.


    The "icacls.exe d:\* /save ntfspermission.txt /t /c" command will not save the NTFS permissions from the D: root itself though.  I'm having the same problem trying to find a way to save the security settings from the root file down, and then being able to restore from that.  The save works, but the restore does not (as mentioned above).
    Monday, December 10, 2012 6:44 PM
  • Hi JadedPuppy.

    This could be a long shot, but if you're trying to restore an entire drive, have you tried setting up a manually mapped drive with a shortcut in it to the drive you want to restore?
    I haven't tried this (As I've had no intention of restoring an entire drive), and I'd have little faith that such a thing would work.

    Another alternative could be to open the ACL File as a text file and remove the specified directory from the file. Now, I'm no expert on ICACLS or ACL Files and my initial thoughts on this would be the file would become corrupt... however, if you want to try it on a blank drive with just test folders and test documents to see what actually happens, it's another way of potentially finding out how to restore an entire drive.

    The only way I know you can restore an entire drive (excluding files within the root of the drive) is to create an ACL File for all sub-folders of the root.

    Sorry if this doesn't help much!


    HP WinTel Server Support

    Tuesday, December 11, 2012 9:18 AM
  • Long reply on this, so apologies.  After much work on this, it turns out that the format of the save command simply doesn't allow a restore on a root folder level.  It's a limitation of the command.  I have found workarounds for it, such as mapping drives, but it is less than perfect.  Oh well. Thanks for the help everybody.  (I didn't mark an answer, as there really wasn't a solution).

    Wednesday, January 9, 2013 3:23 PM
  • I know that this is a really old thread, but I'm hoping that the solution will help others that may still be having this problem.

    The issue that the original poster had is because icacls puts a blank line at the beginning of the file if you run the backup from the root of a drive. That changes the line positioning so that the restore interprets the permissions line as the filename line for each subsequent pair.

    Filename
    ACL
    Filename
    ACL

    Just use a text editor to remove that blank line and the restore will work just fine.


    John Benfield

    Friday, August 15, 2014 3:09 PM
  • So, here is what I am doing and the issue:

    1.  Open an elevated cmd prompt.

    2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

    3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes and I get the following:

    d:\D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1229272821-2
    025429265-725345543-3701)(A;CI;0x1200a9;;;BU)S:AI: The filename, directory name,
     or volume label syntax is incorrect.
    Successfully processed 0 files; Failed processing 1 files

    Old thread, I know, but I found the solution. (Or, at least, a workaround.)

    Edit the ACL text file. The first line will be blank signifying the current directory (which in this case happens to be the root of the drive). Put a single period (.) in this line.

    When restoring the ACL file, the restore command will correctly interpret this to mean the current directory (since a single period represents the current directory in most command syntaxes).

    It worked for me on Windows Server 2012R2.

    Friday, May 8, 2015 7:03 PM
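The workaround from the post above as a script, added here as an example and not part of the thread: it checks that the save file consists of name/ACL line pairs, replaces a blank first line with a single period, and writes a repaired copy. The function name `Repair-IcaclsRootEntry`, the output file name and the UTF-16 LE encoding of the save file are assumptions.

```powershell
# Added example, not code from the thread. Names are hypothetical.
# Usage, after "icacls d:\ /save ntfsDdrive.txt /t /c":
#   Repair-IcaclsRootEntry -Path .\ntfsDdrive.txt -OutPath .\ntfsDdrive.fixed.txt
#   icacls d:\ /restore ntfsDdrive.fixed.txt
function Repair-IcaclsRootEntry {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,     # file written by icacls /save
        [Parameter(Mandatory = $true)] [string] $OutPath   # repaired copy; the original is not modified
    )

    # Resolve against the PowerShell location, not the process working directory.
    $sp    = $ExecutionContext.SessionState.Path
    $src   = $sp.GetUnresolvedProviderPathFromPSPath($Path)
    $dst   = $sp.GetUnresolvedProviderPathFromPSPath($OutPath)
    $bytes = [System.IO.File]::ReadAllBytes($src)

    # Assumption: the save file is UTF-16 LE. Keep the BOM only if the original had one.
    $hasBom = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xFE)
    $offset = if ($hasBom) { 2 } else { 0 }
    $text   = [System.Text.Encoding]::Unicode.GetString($bytes, $offset, $bytes.Length - $offset)

    # Drop trailing line breaks, then split into lines.
    $lines = @(($text -replace '(\r?\n)+\z', '') -split '\r?\n')

    # The file is pairs of lines: a relative name, then that object's SDDL string.
    if ($lines.Count % 2 -ne 0) {
        throw "Expected name/ACL line pairs, found $($lines.Count) lines."
    }
    for ($i = 1; $i -lt $lines.Count; $i += 2) {
        if ($lines[$i] -cnotmatch '^[OGDS]:') {
            throw "Line $($i + 1) does not look like an SDDL string."
        }
    }

    # A blank first name is the root entry; "." makes it read as the current directory.
    $changed = $false
    if ($lines[0].Trim() -eq '') {
        $lines[0] = '.'
        $changed  = $true
    }

    $body = [System.Text.Encoding]::Unicode.GetBytes(($lines -join "`r`n") + "`r`n")
    $out  = if ($hasBom) { [byte[]](0xFF, 0xFE) + $body } else { $body }
    [System.IO.File]::WriteAllBytes($dst, [byte[]]$out)
    return $changed   # $true when the blank root entry was replaced
}
```

Working on raw bytes keeps the file in the encoding it was saved in; the pair check stops before anything is written if the file has been edited out of its two-line structure.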
  • You are the man Jonathan. The (.) in the first line of the acltext file did the trick. Thx a million.
    Wednesday, May 13, 2015 2:01 PM
  • ohhh .. just only a fu..ing Dot made me crazy

    really really thanks u save me hours of work!

    Friday, May 18, 2018 7:39 AM