Share via


Quick Tip: Back up your NTFS security permissions

Here is a simple command that you can run right now in order to save you from some down-time the next time your file system permissions get set back to the Windows defaults. Proactively running this from time to time (think: task scheduler) can save you a lot of time and money the next time disaster strikes. There are multiple backup solutions and utilities that you can use for this purpose, however this one is easy to use and the price is right. (free)

Subinacl.exe

https://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

Here is example syntax that you can use to proactively back up your NTFS permissions:

Subinacl /noverbose /output=c:\ntfs_perms.txt /subdirectories "Path to the Folder whose NTFS permissions we have to Backup"

To backup the permissions of the folder, subfolders and files on folder called Data on the G: drive:

subinacl /noverbose /output=c:\ntfs_perms.txt /subdirectories G:\data\

If you wanted to just backup the NTFS permissions for the entire drive, the command would look like this:

subinacl /noverbose /output=c:\ntfs_G_drive_perms.txt /subdirectories G:\*.*

Most of you will probably not be concerned with backing up down to the file level, and are satisfied with just backing up the permissions at the directory level. Backing up the permissions for just the directories can be achieved with the following syntax:

subinacl /noverbose /output=c:\G_driveNTFSperms.txt /subdirectories=directoriesonly G:\*.*

image

The contents of the file created by subinacl are viewable in your favorite text editor:

image

To restore the permissions on the drive using the file that you backed them up to:

Subinacl /playfile c:\G_driveNTFSperms.txt

image

 

Test it out thoroughly in your lab environment before rolling it out to production.

Thanks for reading,

Justin Turner

Technorati Tags: Permissions,Server 2008,Server 2003,Security

Comments

  • Anonymous
    January 01, 2003
    Hi Emily! Yes, you could try to convert the accessmask to something that is human readable. Take a look at the following article: http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx I think a much easier solution would be to use the sysinternals utility: AccessChk It's located here: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx Thanks, Justin

  • Anonymous
    April 03, 2009
    Is there anything that helps you "decifer" the information on that output file?  For example what /pace=buildin/users type=0x0 accessmask=0x2 anything that would translate that information. Thank you