Quick Tip: Back up your NTFS security permissions

Quick Tip: Back up your NTFS security permissions

  • Comments 2
  • Likes

Here is a simple command that you can run right now in order to save you from some down-time the next time your file system permissions get set back to the Windows defaults.  Proactively running this from time to time (think: task scheduler) can save you a lot of time and money the next time disaster strikes.  There are multiple backup solutions and utilities that you can use for this purpose, however this one is easy to use and the price is right. (free)

Subinacl.exe

http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

Here is example syntax that you can use to proactively back up your NTFS permissions:

Subinacl /noverbose /output=c:\ntfs_perms.txt /subdirectories "Path to the Folder whose NTFS permissions we have to Backup"

To backup the permissions of the folder, subfolders and files on folder called Data on the G: drive:

subinacl /noverbose /output=c:\ntfs_perms.txt /subdirectories G:\data\

If you wanted to just backup the NTFS permissions for the entire drive, the command would look like this:

subinacl /noverbose /output=c:\ntfs_G_drive_perms.txt /subdirectories G:\*.*

Most of you will probably not be concerned with backing up down to the file level, and are satisfied with just backing up the permissions at the directory level.  Backing up the permissions for just the directories can be achieved with the following syntax:

subinacl /noverbose /output=c:\G_driveNTFSperms.txt /subdirectories=directoriesonly G:\*.*

image

The contents of the file created by subinacl are viewable in your favorite text editor:

image

To restore the permissions on the drive using the file that you backed them up to:

Subinacl /playfile c:\G_driveNTFSperms.txt

image

 

Test it out thoroughly in your lab environment before rolling it out to production.

Thanks for reading,

Justin Turner

Comments
  • Is there anything that helps you "decifer" the information on that output file?  For example what /pace=buildin/users type=0x0 accessmask=0x2

    anything that would translate that information.

    Thank you

  • Hi Emily!

    Yes, you could try to convert the accessmask to something that is human readable. Take a look at the following article:

    http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx

    I think a much easier solution would be to use the sysinternals utility: AccessChk

    It's located here:

    http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

    Thanks,

    Justin

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment