ICACLS Syntax issues with backup / restore

I am doing some testing with Windows Server 2008 R2 with NTFS permissions. I have a d: drive (multiple folders and sub-folders) with existing NTFS permissions. I want to make a backup of the settings using icacls so I can restore when needed.

So, here is what I am doing and the issue:

1.  Open an elevated cmd prompt.

2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes and I get the following:

d:\D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1229272821-2025429265-725345543-3701)(A;CI;0x1200a9;;;BU)S:AI: The filename, directory name, or volume label syntax is incorrect.
Successfully processed 0 files; Failed processing 1 files

Any assistance is appreciated.

 

October 15th, 2010 8:35pm

Never used icacls to do this.  I like FILEACL better for this type of thing.

http://www.gbordier.com/gbtools/fileacl.asp

Use one of the following options

/BATCH

Generate a batch file for reapplying the same permissions, use with /SUB

/BATCHREAL

Batch mode including inherited rights from the top level

October 16th, 2010 8:28pm

Hi Gunner999,

  Thank you for the response and the workaround.  I don't mind using another tool; however, icacls.exe is a native tool and it should work as advertised.  I will test the freeware you suggested to get around the issue I am having with icacls.exe but would really like to know the answer to my question.

thanks,

October 18th, 2010 8:14pm

Hi,

Here is an article which mentioned the same information you need. See:

How to Back Up and Restore NTFS and Share Permissions

http://blogs.technet.com/b/askds/archive/2008/11/24/how-to-back-up-and-restore-ntfs-and-share-permissions.aspx

October 20th, 2010 9:12am

Hi Shaon,

  The link above does not answer my question.  I want to capture everything from the root of d:\ and not just a sub-folder on the d:\.  If you execute these steps, does it work for you?

1.  Open an elevated cmd prompt.

2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes.

Let me know and thanks,

Raffi

October 27th, 2010 9:26pm

ColorJet3,

Did you ever find an answer to your question?  I made some progress by excluding the drive letter and just using the "\" as the "root". For example:

To restore all the files within the root of "D:\" along with its folders and subfolders, try the following:

icacls \ /restore ICACL_FileName

Hope this helps...

Regards,

Doug

December 14th, 2010 3:08am

I've been trying to find an answer to this conundrum for some time now, albeit for the SystemDrive, the security-state of which I'd like to capture.  Even specifying just root on a Windows 2003 (x64) Ent Server, along the lines of what djyeater suggested, only up to the first (alphabetically) sorted directory is reported -- "Documents and Settings" as well as root's files (excepting in-use files) -- on the system drive.  Here's the command executed by a local admin in a command prompt window focused on root (C:\):

C:\WINDOWS\system32\icacls.exe \* /save C:\temp\HarvestedAcls.txt /t /c

Like Colorjet3, I tend to rely on native capabilities where practicable, and am therefore really interested in learning why the utility cannot be trusted to perform as advertised.  BTW, the version of icacls.exe I'm explicitly using is 5.2.3790.3959 and 49.5 KB in size.  Note also that the x32 version (in SysWOW64) has the same version number, but is only 39 KB in size, and reports the exact same results.

What's up with icacls.exe?  Is this an undocumented feature, or am I doing something wrong?

December 14th, 2010 10:27am

I may be a little late to the party here but I think I've found out what your problem is:

1.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

2.  Run "icacls d:\ /restore ntfsDdrive.txt"

Like you believe, your second step is where the failure occurs. The icacls script does NOT run from the directory you wish to restore. I've been trying to figure out all morning why the file path specified is invalid, as I had mine replicated "C:\test directory\test directory". I later edited the ACL file by removing the folder name on the first line, which evidently gave me "C:\test directory\ is not a valid filepath".

I then progressed further by creating a destination C:\Test Directory\Test and saving the ACL file with the /T switch active. After altering the permissions, I ran a restore for C:\Test Directory\Test from the C:\Test Directory folder. This completed successfully and permissions were replaced as they were before, without affecting the parent "Test Directory".

1. Run: icacls "C:\test directory\test" /save TestACL.txt

2. Run: icacls "C:\test directory" /restore TestACL.txt

I'm not sure how you'd be able to run a permission replacement of the entire D:\ as it cannot go any higher up. I recommend taking ACL files of all sub-directories of D:\ and running them all from D:\ when the time comes. I hope this helps you guys out, it only took me two and a half hours to figure out -.-



June 2nd, 2011 11:39am

I know it's really late, but for those who need to fix that, it could be useful.

To save and restore an entire drive, do it like this:

icacls.exe d:\* /save ntfspermission.txt /t /c

icacls.exe d:\ /restore ntfspermission.txt /t /c

It did the trick for me.

Hope this helps someone.

  • Proposed as answer by Mouchy Friday, October 12, 2012 9:12 AM
October 11th, 2012 10:34am

I know it's really late, but for those who need to fix that, it could be useful.

To save and restore an entire drive, do it like this:

icacls.exe d:\* /save ntfspermission.txt /t /c

icacls.exe d:\ /restore ntfspermission.txt /t /c

It did the trick for me.

Hope this helps someone.


The "icacls.exe d:\* /save ntfspermission.txt /t /c" command will not save the NTFS permissions from the D: root itself, though.  I'm having the same problem trying to find a way to save the security settings from the root file down, and then being able to restore from that.  The save works, but the restore does not (as mentioned above).
December 10th, 2012 6:44pm

Hi JadedPuppy.

This could be a long shot, but if you're trying to restore an entire drive, have you tried setting up a manually mapped drive with a shortcut in it to the drive you want to restore?
I haven't tried this (As I've had no intention of restoring an entire drive), and I'd have little faith that such a thing would work.

Another alternative could be to open the ACL File as a text file and remove the specified directory from the file. Now, I'm no expert on ICACLS or ACL Files and my initial thoughts on this would be the file would become corrupt... however, if you want to try it on a blank drive with just test folders and test documents to see what actually happens, it's another way of potentially finding out how to restore an entire drive.

The only way I know you can restore an entire drive (excluding files within the root of the drive) is to create an ACL File for all sub-folders of the root.

Sorry if this doesn't help much!

December 11th, 2012 9:18am

Long reply on this, so apologies.  After much work on this, it turns out that the format of the save command simply doesn't allow a restore on a root folder level.  It's a limitation of the command.  I have found workarounds for it, such as mapping drives, but it is less than perfect.  Oh well. Thanks for the help everybody.  (I didn't mark an answer, as there really wasn't a solution).

January 9th, 2013 3:23pm

I know that this is a really old thread, but I'm hoping that the solution will help others that may still be having this problem.

The issue that the original poster had is because icacls puts a blank line at the beginning of the file if you run the backup from the root of a drive. That changes the line positioning so that the restore interprets the permissions line as the filename line for each subsequent pair.

Filename
ACL
Filename
ACL

Just use a text editor to remove that blank line and the restore will work just fine.

August 15th, 2014 3:09pm

So, here is what I am doing and the issue:

1.  Open an elevated cmd prompt.

2.  Run "icacls d:\ /save ntfsDdrive.txt /t /c" without the quotes.  No issues.

3.  Run "icacls d:\ /restore ntfsDdrive.txt" without the quotes and I get the following:

d:\D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1229272821-2025429265-725345543-3701)(A;CI;0x1200a9;;;BU)S:AI: The filename, directory name, or volume label syntax is incorrect.
Successfully processed 0 files; Failed processing 1 files

Old thread, I know, but I found the solution. (Or, at least, a workaround.)

Edit the ACL text file. The first line will be blank signifying the current directory (which in this case happens to be the root of the drive). Put a single period (.) in this line.

When restoring the ACL file, the restore command will correctly interpret this to mean the current directory (since a single period represents the current directory in most command syntaxes).

It worked for me on Windows Server 2012R2.

May 8th, 2015 3:09pm
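
The name/ACL line pairing and the blank-first-line workaround from the last two posts can be checked and applied without hand-editing. This is an added example, not code from the thread or from Microsoft. It assumes the saved file is UTF-16 with a byte-order mark; the sample entries (Data, Data\report.txt and their SDDL strings) are constructed, and `skipping_blank_lines` is only a model of the failure the posts describe.

```python
import codecs
import re

# An SDDL string starts with O:, G:, D: or S:, never followed by a backslash.
SDDL_RE = re.compile(r"^[OGDS]:(?!\\)")

def decode_acl_file(data):
    """Decode a saved-ACL file (assumed UTF-16 with a BOM) into lines."""
    return data.decode("utf-16").splitlines()

def pair_up(lines):
    """Group lines as (name, acl) pairs, the layout described in the thread."""
    if len(lines) % 2:
        raise ValueError("odd line count: a name/ACL pair is incomplete")
    return list(zip(lines[0::2], lines[1::2]))

def misaligned(pairs):
    """Pairs whose name line is an SDDL string or whose ACL line is not."""
    return [p for p in pairs if SDDL_RE.match(p[0]) or not SDDL_RE.match(p[1])]

def skipping_blank_lines(data):
    """Model of the reported failure: a reader that drops the blank name line."""
    lines = [line for line in decode_acl_file(data) if line]
    return list(zip(lines[0::2], lines[1::2]))

def repair_root_entry(data):
    """Put '.' on a blank first name line, validate every pair, re-encode."""
    lines = decode_acl_file(data)
    if lines and lines[0] == "":
        lines[0] = "."
    bad = misaligned(pair_up(lines))
    if bad:
        raise ValueError(f"{len(bad)} misaligned pair(s), first name {bad[0][0]!r}")
    text = "".join(line + "\r\n" for line in lines)
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")

# Constructed sample of what a root-level /save is described as producing.
ROOT_SDDL = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;CI;0x1200a9;;;BU)"
SAMPLE = codecs.BOM_UTF16_LE + (
    "\r\n" + ROOT_SDDL + "\r\n"
    "Data\r\nD:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)\r\n"
    "Data\\report.txt\r\nD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    print("unrepaired, first name read:", misaligned(skipping_blank_lines(SAMPLE))[0][0])
    print("repaired pairs:", pair_up(decode_acl_file(repair_root_entry(SAMPLE))))
```

Run the repair on a copy of the saved file and keep the original, since the restore rewrites ACLs for every entry listed.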

This topic is archived. No further replies will be accepted.
