Quick Tip: Back up your NTFS security permissions
Here is a simple command that you can run right now to save yourself some downtime the next time your file system permissions get set back to the Windows defaults. Running it proactively from time to time (think: Task Scheduler) can save you a lot of time and money the next time disaster strikes. There are multiple backup solutions and utilities that you can use for this purpose; however, this one is easy to use and the price is right (free).
Subinacl.exe
Here is example syntax that you can use to proactively back up your NTFS permissions:
Subinacl /noverbose /output=c:\ntfs_perms.txt /subdirectories "Path to the Folder whose NTFS permissions we have to Backup"
To back up the permissions of the folder, subfolders and files in a folder called Data on the G: drive:
subinacl /noverbose /output=c:\ntfs_perms.txt /subdirectories G:\data\
If you wanted to back up the NTFS permissions for the entire drive, the command would look like this:
subinacl /noverbose /output=c:\ntfs_G_drive_perms.txt /subdirectories G:\*.*
Most of you will probably not be concerned with backing up down to the file level, and are satisfied with just backing up the permissions at the directory level. Backing up the permissions for just the directories can be achieved with the following syntax:
subinacl /noverbose /output=c:\G_driveNTFSperms.txt /subdirectories=directoriesonly G:\*.*
The contents of the file created by subinacl are viewable in your favorite text editor.
To restore the permissions on the drive using the file that you backed them up to:
Subinacl /playfile c:\G_driveNTFSperms.txt
Test it out thoroughly in your lab environment before rolling it out to production.
Thanks for reading,
Justin Turner
Comments
Anonymous
January 01, 2003
Hi Emily! Yes, you could try to convert the accessmask to something that is human readable. Take a look at the following article: http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx I think a much easier solution would be to use the Sysinternals utility AccessChk. It's located here: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx Thanks, Justin
Anonymous
April 03, 2009
Is there anything that helps you "decipher" the information on that output file? For example, what /pace=buildin/users type=0x0 accessmask=0x2 anything that would translate that information. Thank you
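An added example, not part of the original post or its comments: a small Python decoder for the type= and accessmask= values discussed in the comments above, using the standard Windows file access-right bits from winnt.h that the linked MSDN article describes. The line layout it parses is assumed from the ACE quoted in the comment, and the function names are hypothetical.

```python
import re

# Standard Windows file/directory access-right bits (winnt.h).
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA/LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA/ADD_FILE",
    0x00000004: "FILE_APPEND_DATA/ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE/TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Well-known composite masks, named as on the Explorer Security tab.
COMPOSITES = {0x1F01FF: "Full control", 0x1301BF: "Modify",
              0x1200A9: "Read & execute", 0x120089: "Read"}
ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}
# Assumed field layout: name=0xHEX, case-insensitive, as typed in the comment.
FIELD = re.compile(r"\b(type|accessmask)\s*=\s*(0x[0-9a-f]+)", re.I)

def decode_mask(mask):
    """Return (friendly name or None, individual right names, unrecognised bits)."""
    names = [name for bit, name in FILE_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(FILE_RIGHTS)  # keys are distinct bits, so sum == OR
    return COMPOSITES.get(mask), names, leftover

def decode_line(line):
    """Decode the type= and accessmask= fields of one ACE line; None if no mask."""
    fields = {k.lower(): int(v, 16) for k, v in FIELD.findall(line)}
    if "accessmask" not in fields:
        return None
    friendly, names, leftover = decode_mask(fields["accessmask"])
    return {"ace_type": ACE_TYPES.get(fields.get("type"), "UNKNOWN"),
            "friendly": friendly, "rights": names, "unknown_bits": leftover}

if __name__ == "__main__":
    # First line is the ACE as quoted in the comment; the second is constructed.
    for sample in ("/pace=buildin/users type=0x0 accessmask=0x2",
                   "/pace=builtin\\users type=0x0 accessmask=0x1200a9"):
        print(sample, "->", decode_line(sample))
```

A non-zero unknown_bits value means the mask carries bits outside the table, which is worth checking by hand before trusting the decoded names.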