
Recovering NTFS inheritance

A little while ago, my (admin) user in Windows 10 was so badly damaged that I had to re-create it.
While that was easily done, I found that the NTFS rights on my D: drive were a bit odd: Every folder had inherited an ACL right from D:\ for my old user (as an unrecognized S-xxx SID), but there was no entry on D:\ itself that referred to that user, so I could not remove any entry that supposedly was the origin for the inheritance.

In order to fix this, I decided to find out how to reset these NTFS permissions.
It turned out that I needed to reset the propagation of the inheritance. However, this wasn’t so straightforward, as (some of) the files and folders were also still owned by my former user account, which I also wanted to repair.

The fix

In the end, I used the command below as an Administrator to take ownership, remove any explicitly assigned ACLs, and enable inheritance propagation for all folders on the D: drive:

for /d %I in (d:\*.*) do (takeown /f "%~I" /a /r /d y&icacls "%~I" /reset /t /q /c&icacls "%~I" /inheritance:e /t /q /c)

Breakdown of the commands (as written, the line is for an interactive command prompt; in a batch file, %I becomes %%I):

takeown /f "%~I" /a /r /d y

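Takes ownership of the directory in the variable “%~I”. /a assigns ownership to the Administrators group instead of the current user, /r recurses into all subdirectories and files, and /d y answers “yes” to the prompt shown when the current user lacks permission to list a folder.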

icacls "%~I" /reset /t /q /c

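Replaces explicit ACLs with default inherited ACLs for all matching folders. /t applies the operation to everything below the folder, /q suppresses success messages, and /c continues when an error occurs.
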
icacls "%~I" /inheritance:e /t /q /c

Enables inheritance (/inheritance:e) for all matching folders, with the same /t, /q and /c switches as above.
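To see which items still carry the old account before the reset, and to confirm that none remain afterwards, a read-only audit can list every owner and ACE whose SID no longer maps to an account. This PowerShell script is an added example, not part of the original post; the `$Root` default and the `Test-OrphanedSid` helper name are assumptions, and it should be run from an elevated prompt.

```powershell
# Added example (not from the original post): read-only audit for orphaned SIDs.
# $Root is an assumption; point it at the drive or folder you want to check.
param([string]$Root = 'D:\')

$sidType = [System.Security.Principal.SecurityIdentifier]
$cache   = @{}   # SID string -> $true when the SID no longer maps to an account

# Hypothetical helper: $true when an account SID cannot be translated to a name.
function Test-OrphanedSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Only S-1-5-21-... account SIDs are checked; well-known and capability
    # SIDs have no AccountDomainSid and are skipped to avoid false positives.
    if ($null -eq $Sid.AccountDomainSid) { return $false }
    if (-not $cache.ContainsKey($Sid.Value)) {
        try {
            [void]$Sid.Translate([System.Security.Principal.NTAccount])
            $cache[$Sid.Value] = $false
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $cache[$Sid.Value] = $true
        }
    }
    $cache[$Sid.Value]
}

# Check the root itself as well as everything below it.
& {
    Get-Item -LiteralPath $Root -Force
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
} | ForEach-Object {
    $path = $_.FullName
    try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return }

    # Owner, requested as a raw SID so nothing is lost in name translation.
    $owner = $acl.GetOwner($sidType)
    if ($owner -and (Test-OrphanedSid $owner)) {
        [pscustomobject]@{ Path = $path; Kind = 'Owner'; Sid = $owner.Value; Inherited = $null }
    }

    # Explicit and inherited ACEs, again as raw SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if (Test-OrphanedSid $ace.IdentityReference) {
            [pscustomobject]@{ Path = $path; Kind = 'ACE'; Sid = $ace.IdentityReference.Value
                               Inherited = $ace.IsInherited }
        }
    }
} | Format-Table -AutoSize
```

An empty result after the reset means no owner or ACE under `$Root` still refers to a deleted local or domain account.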
