Messed up NTFS permissions? – how to cleanup and remove users/groups there should NOT be there

Last Updated on February 19, 2024 by Michael Morten Sonne

Intoduction

Fileservers – the never ending story for many companys – and the issue with messed up NTFS permissions 😣😂

🛑 The Dangers of Cancelling or Applying NTFS File Permissions Incorrectly 🛑

Back in time at my jobs, I had seen issues with wrong NTFS permissions – both how such NTFS inheritances now works, but also traces of people having canceled changes when they have started these, and Windows otherwise starts from the end and doing what you just told it to do!

This is dangerous, as the NTFS permissions that ARE adjusted/removed/added are NOT rolled back when you cancel your action!

In this blog, I share some PowerShell scripts that have been made to fix/clean up this easier than going to Windows Explorer and correcting NTFS rights manually by hand – life is too short for that! 😭

I want to bring your attention to a critical issue that can occur when working with NTFS file permissions and abruptly canceling or applying changes in the middle of an action. It is essential to be aware of the potential consequences and take necessary precautions to avoid complications.

The tasks you need to be in control of

Interrupting permission changes

When modifying NTFS file permissions, it is crucial to allow the process to complete uninterrupted. Cancelling the action halfway through or abruptly terminating the operation can lead to inconsistent permission settings!. This inconsistency might render certain files or folders inaccessible or grant unintended access so users there should not access the files or folders can access them, and potentially compromising the security of your data! ⚠️

Stop doing this! 🛑

Incomplete or partial permission changes

If you apply NTFS file permission changes partially or incorrectly, it can result in unpredictable access behaviors. Some files or folders might receive the updated permissions, while others might not, leading to confusion and potential security vulnerabilities. It is important to ensure that all necessary files and folders are included in the permission changes and the process is completed successfully.

Inconsistent file ownership

Changing NTFS file permissions can also involve modifying the file ownership. If the ownership transfer is interrupted or incomplete, it can cause ownership discrepancies between files and their parent directories. This inconsistency might hinder proper access control, as ownership plays a crucial role in determining who can modify or access a file and modify the permissions to other.

Impact on system stability

In certain cases, if NTFS file permission changes are interrupted or applied incorrectly, it can negatively impact the stability of the operating system/applications. This can manifest as system slowdowns, application errors, or even system crashes. It is important to exercise caution when making changes to file permissions and ensure that the process is completed without interruptions.

Regarding the Windows operating systems files and folders – if you in most cases modify them (and you should not), the operating system in most reverts your changes automaticly as SYSTEM.

How to view, set, export or restore NTFS permissions

You can use the built-in iCACLS tool in Windows to manage NTFS permissions. The icacls.exe command line tool allows you to get or change Access Control Lists (ACLs) for files and folders on the NTFS file system. In this post we’ll look at useful commands for managing NTFS permissions on Windows with iCACLS.

View and Set File and Folder Permissions

The current access permissions to any object on an NTFS volume can be displayed as follows here:

For a file:

icacls Set-TokenPrivilege.ps1

For a folder:

icacls 'D:\Temp'

An output for etc. a C:Temp folder normal looks like this:

The command will return a list of users and groups that have been assigned access permissions to it. Permissions are specified using abbreviations as in this list:

  • F – full access
  • – modify access
  • RX – read and execute access
  • R – read-only access
  • W –write-only access
  • D – delete

Inheritance rights are specified before access permissions (inheritance permissions are applied only to folders):

  • (OI) – object inherit
  • (CI) – container inherit
  • (IO) – inherit only
  • (I) – inheriting permissions from parent container

With icacls you can change folder permissions like add or remove.

To grant the “domain\company_Admins” group read and execute (RX) permissions on the folder run:

icacls 'D:\Share\IT\' /grant domain\company_Admins:RX

To remove a group from a directory ACL run:

icacls 'D:\Share\IT\' /remove domain\company_Admins

With icacls you can enable NTFS permissions inheritance from the parent folder run:

icacls 'D:\Share\IT\' /inheritance:e

You can use the icacls.exe to change ownership of a file or folder, run:

icacls 'D:\Share\IT\' /setowner domain\master.smith /T /C /L /Q

Or disable inheritance with removing all inherited ACEs run:

icacls 'D:\Share\IT\' /inheritance:r

How to backup (Export) Folder NTFS Permissions

The PowerShell Cmdlets here can be used to – but have succes with iCACLS over time 🙂

Read more about the CMD-let´s here:

Backup-ACL (WindowsServerBackup) | Microsoft Learn
Restore-ACL (WindowsServerBackup) | Microsoft Learn
Get-Acl (Microsoft.PowerShell.Security) – PowerShell | Microsoft Learn

Before making any significant changes to permissions (remove or update ACLs, migrate resources or like on this post – fix/cleanup wrong NTFS permissions) on an NTFS folder (or shared network folder etc. as a common use in a company), it is advisable to back up the old permissions. This copy will allow you to return to the original permissions before, or at least clarify the old permissions for a specific file/directory!

You can use the icacls.exe tool to export/import current NTFS directory permissions. To get all ACLs for a specific folder (including sub-directories and files) and export them to a text file, run the following command (and it´s going fast the processing! 😲🤣):

icacls D:\Share\IT\ /save D:\backup\IT_ntfs_perms.txt /t /c

Note/t key is used to get ACLs for all subdirectories and files, /c allows to ignore access errors (be aware here). By adding /q option, you can disable the display of information about successful access to the file system objects. But for me personaly, I will keep a look at the process 😉

After the command has been executed, the statistics on the number of successful or failed processing of files will be displayed etc:

Successfully processed 35908 files; Failed processing 6 files

Open the file IT_ntfs_perms.txt using any text editor. As you can see, it contains the full list of files and folders in a directory, and each item has the current permissions specified in the SDDL (Security Descriptor Definition Language) format 👍

For example, the current NTFS permissions for the folder root are as follows for the Temp folder above here:

Temp
D:AI(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2320243621-32346796144-2349431113-23777994)(A;OICI;0x1301bf;;;S-1-5-21-2320243621-32346796144-2349431113-23777993)(A;OICI;FA;;;SY)(A;OICI;FA;;;S-1-5-21-2320243621-32346796144-2349431113-24109193)S:AI

A – access type (Allow)

OICI – inheritance flag (OBJECT INHERIT+ CONTAINER INHERIT)

FA – permission type (SDDL_FILE_ALL – all allowed)

S-1-5-21-2320243621-32346796144-2349431113-23777994 – SID of the account or domain group for which the permissions are set for.

How to Restore NTFS Permissions with iCacls

You can restore NTFS permissions on a folder using the previously created IT_ntfs_perms.txt file. To set NTFS permissions on objects in the directory according to the values in the ACL backup file, run this command:

icacls D:\Share\ /restore D:\backup\IT_ntfs_perms.txt /t /c

Note. Please note that when importing permissions from the file, you should specify the path to the parent directory instead of the folder name you apply the permissions to.

After all permissions have been recovered, the statistics on the number of the processed files will also be displayed 🥳😉

Please note that the file with backup of ACL contains relative, not absolute (full path etc.) file paths. This means that you can restore permissions on a folder even after moving it to a different drive or directory as it was performed from the root folder there NTFS backup is performed on.

Resetting NTFS Permissions to Defaults

You can use the icacls tool to reset the folder permissions (as well as nested files and sub-directories) – and it´s too easy to be true 😲

icacls D:\share\IT /reset /T /Q /C

This command will enable inherited NTFS permissions for the specified object and will remove any other ACLs.

Be aware if you run this command my a mistake – as all got reverted to default!

Some reminders to you

  • Before modifying NTFS permissions, ensure you have a full backup of critical files and folders.
  • Double-check your changes before applying them and verify that all necessary files and folders are included.
  • Avoid cancelling permission changes once the process has started 🛑
  • If interrupted or encountering issues, revert to a known-good state and restart the process.
  • Regularly monitor and review file permissions to identify any inconsistencies or unauthorized access.
  • And final: Assigning Permissions to User Groups

    Similar to granting direct access to users is the common practice of assigning permissions directly to groups of users instead of adding this organizational group to dedicated permission groups that govern access to a specific resource!

    For a home drive, it makes sense to assign a user – not a group for that single user!

Now the funny part – scripts!

🛑 Remember the backup of your current NTFS permissions 🛑

Remember: most of my scripts will come in a Code Signed version – when is was my original release – file prefixes beside the original is: _signed.ps1

You can find the unsigned and signed v. of the scripts here:

RemoveNTFSPermissions_signed.ps1 at main · michaelmsonne/public (github.com)

Set-TokenPrivilege_signed.ps1 at main · michaelmsonne/public (github.com)

How to use “Set-TokenPrivilege.ps1”

When you need to add/cleanup some big issues and add NTFS permissions like Owner, Administrator permissions is not enough in some cases.

Here we need the special SeTakeOwnershipPrivilege privilege there is documented here as well as the other options you have: User Rights Assignment – Windows Security | Microsoft Learn

You can see your current permissions in your terminal with this small command when started a fresh terminal:

whoami /priv
Normal user terminal (sorry for the Danish here as this PC this is created from)
Administrator terminal (sorry for the Danish here as this PC this is created from)

In short words what it this: This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

With this script you can active this special permission if you running your PowerShell console as administrator.

Remember the Best practices regarding this permission:
Assigning this user right can be a security risk. Because owners of objects have full control of them, only assign this user right to trusted users.

How works this?

To enable the needed permissons in this current console we are using to run the other script with this command:

.\Set-TokenPrivilege.ps1 SeRestorePrivilege 

It should return: True – then all is good and the privilege is set👍

Vertify you have SeRestorePrivilege, do it with the command:

whoami /priv

To disable the permissons in this current console we are using to run the other script with, run this command:

.\Set-TokenPrivilege.ps1 SeRestorePrivilege -Disable

It should return: True – then all is good again 👍

Now we are good to go with the NTFS permissions cleanup (remenber a backup of the NTFS permissions if a rollback is needed)

How to use “Remove wrong NTFS Permissions.ps1”

This script can loop in all the ACL´s and cleanup the user/group you will remove (when applyed wrong) there is messed up, and apply them agin without the removed user/group – and this is a much faster way to cleanup the mess 😉😁

It can remove all NTFS permissions for a user/group for a folder (and subfolders) and files and the valid format is:

Local on a server/client:
Groups: “Users” (local Users group)
User: “Administrator” (local built in user)

In a fomain:
Groups: “Domain Admins” (Domain Admins)
User: “DOMAIN\user” (user in the domain)

Here is an example for removeing all NTFS permissions for Domain Admins for “D:\Test\

.\RemoveNTFSPermissions.ps1 -username "Domain Admins" -path "D:\Test\"

Be sure to remove the RIGHT permissions as this is a powerfull task with the current permissins like SeRestorePrivilege!

When you perfom an action, with the script it will ask you to confirm the task it will do before it doing anything.

The group name if you will remove that need to be in the native language for the operation system to be found – else it will fail when you press Y – this it how Windows works..

I will try to update it so it works better for error correcting 😉

Then when the script is done, you can now enjoy that the user/group is removed if the NTFS permissions and inheritances is a mess and you got the right permissions now without – do not cancel the task again for adding NTFS permissions! 🥳😉

The scripts

As mention before – I had used this at work and for the tasks here this works. The scripts here is used – verify them in your enviroment before use it in production!

Conclusion

If you encounter significant issues or unexpected behavior after applying or cancelling NTFS file permission changes, consider seeking professional assistance or referring to official documentation for advanced troubleshooting steps.

This can help you to cleanup – but if you not know what you are doing – stop!

By being aware of the risks associated with cancelling or applying NTFS file permissions incorrectly and following best practices, you can maintain a secure and stable file management environment. Take precautionary measures, exercise patience, and ensure that your changes are carried out smoothly to avoid any unwanted consequences.

Take care about permissions, and don´t mess up again! 😁🙃

Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍

Stay tuned for the new post about something cool! 🥳

Total
0
Shares
Previous Article

How is it now you get a refund for Microsoft 365 and Azure downtime and see service status?

Next Article

Entra ID - Comming: Auto-rollout of basic Conditional Access policies to protect your tenant - is missing in so many tenants so finally!

Related Posts

Discover more from Sonne´s Cloud

Subscribe now to keep reading and get access to the full archive 🤝🧑‍💻

Join 20 other subscribers