Managing NTFS permissions can be a tedious task. Making a change at the root of a directory tree can have unexpected results when the permissions are forced down to the lower-level directories: doing so can remove or alter explicitly assigned rights for users, which results in broken website functionality. A client recently asked me to update NTFS permissions on a directory structure that holds multiple website folders, all of which are accessible via FTP for management. After the change was made, multiple users were unable to connect via FTP, or could connect but could not upload or download files. This ended up being resolved by addressing each request individually as it came in.
When making changes, it is best practice to create a backup in case something goes wrong, so you can revert to that backup in order to restore functionality. Microsoft has a utility built into the operating system that provides the ability to do this for Access Control Lists (ACLs). The icacls.exe utility allows you to view, save, and restore the permissions on given files or folders. Technet has additional information about this utility located here.
As with most command line utilities, you can use /? to get additional information about the syntax. To begin with, I would like to view the assigned permissions for a folder named TestFolder on my machine. I want to include all folders and files within this root location. The command to gather this information is icacls c:\TestFolder\* /T. Note that the \* pattern enumerates the contents of TestFolder; to include the ACL of TestFolder itself you would run icacls c:\TestFolder /T instead. The output is written to the screen as shown in the screenshot below. Since this is a small folder, all of the data can be viewed on the screen. For larger outputs, you can redirect the results into a text file using the > operator. For example, icacls c:\TestFolder\* /T > c:\temp\file.txt.
To save the current permissions before making any changes, run icacls c:\TestFolder\* /save AclFile.txt /T. This saves the current settings to a file named AclFile.txt in the current location. This file is not plain text output like the previous command: it is written as Unicode (UTF-16) and lists, for each entry, the path of the file or folder relative to c:\TestFolder followed by its DACL in Security Descriptor Definition Language (SDDL) format. Two caveats worth knowing before you rely on it: /save stores only the DACLs, not the owner, SACL (auditing) or integrity labels, and because the stored paths are relative, the later /restore must be pointed at the same directory the paths are relative to.
For this test, I am going to remove the Test1 group from c:\TestFolder, add the Test2 group, and propagate the changes down the tree. As you can see, the Test1 group is no longer listed and the Test2 group has read and execute (RX) permissions.
After testing, it was determined that this change broke functionality of the web site. With a folder structure this small, this would not be a big deal. But imagine if we were talking about hundreds of folders and thousands of files. You just became the savior for your client because you made a backup of the permissions before starting. To restore the previous settings, run icacls c:\TestFolder\ /restore AclFile.txt. Because the backup was taken with c:\TestFolder\*, its paths are relative to c:\TestFolder, which is why the restore is run against that directory. The files will be processed and the results will be displayed on the screen.
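The whole workflow above (snapshot, change, verify, roll back) as one script. This is an added example, not code from the original post; it assumes the C:\TestFolder tree and the Test1 and Test2 groups from the post exist, writes its backups under C:\temp, and must be run from an elevated PowerShell session. The Save-AclSnapshot helper and the file names are my own.

```powershell
# Added example (not from the original post). Assumes C:\TestFolder and the
# local groups Test1 / Test2 exist (hypothetical names taken from the post)
# and that the session is elevated.
$Target    = 'C:\TestFolder'
$BackupDir = 'C:\temp'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Save-AclSnapshot {
    # Saves the DACLs of everything under $Path and returns the saved lines.
    # The '\*' makes the stored paths relative to $Path, which is the directory
    # /restore must later be pointed at. /C continues past files that cannot be
    # read instead of aborting on the first access-denied error.
    param([string]$Path, [string]$File)
    icacls "$Path\*" /save $File /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save on $Path failed (exit $LASTEXITCODE)" }
    # icacls writes the file as UTF-16 with a BOM; Get-Content honours the BOM.
    # Each entry is a relative-path line followed by an SDDL line, so a sane
    # backup has a non-zero, even number of lines.
    $lines = @(Get-Content -LiteralPath $File)
    if ($lines.Count -eq 0 -or ($lines.Count % 2) -ne 0) {
        throw "Backup file $File looks malformed ($($lines.Count) lines)"
    }
    return $lines
}

# 1. Take the backup BEFORE touching anything and show what it contains.
$BeforeFile = Join-Path $BackupDir "acl-before-$Stamp.txt"
$before = Save-AclSnapshot -Path $Target -File $BeforeFile
"Saved $($before.Count / 2) entries to $BeforeFile; first entry:"
$before | Select-Object -First 2     # relative path, then its SDDL string

# 2. The change from the post: drop every ACE for Test1, then grant Test2
#    read+execute that is inherited by subfolders (CI) and files (OI).
#    The ACE string is quoted so PowerShell does not try to parse the parentheses.
icacls $Target /remove Test1 /T /C /Q
icacls $Target /grant 'Test2:(OI)(CI)RX' /T /C /Q

# 3. Snapshot again and diff: every line that changed is listed, so you can
#    see exactly which DACLs the propagation rewrote before anyone complains.
$AfterFile = Join-Path $BackupDir "acl-after-$Stamp.txt"
$after = Save-AclSnapshot -Path $Target -File $AfterFile
"DACL entries changed by the edit:"
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Where-Object { $_.InputObject -match '^D:' } |
    Select-Object -ExpandProperty InputObject

# 4. Roll back. /restore takes the directory the stored paths are relative
#    to. Had the backup been taken with "$Target" (no '\*'), the entries would
#    start with 'TestFolder\' and the restore would have to target C:\ instead.
icacls $Target /restore $BeforeFile /C /Q
if ($LASTEXITCODE -ne 0) { throw "icacls /restore failed (exit $LASTEXITCODE)" }

# 5. Prove the rollback worked: a fresh snapshot must match the original byte
#    for byte. A non-empty diff here means some file was skipped (see /C) and
#    needs to be looked at by hand.
$CheckFile = Join-Path $BackupDir "acl-restored-$Stamp.txt"
$restored = Save-AclSnapshot -Path $Target -File $CheckFile
$diff = Compare-Object -ReferenceObject $before -DifferenceObject $restored
if ($diff) { $diff; throw "Restore did not return the tree to its saved state" }
"Restore verified: $($restored.Count / 2) entries match $BeforeFile"
```

Keep the before snapshot file; it is the only thing that lets you prove, rather than assert, what the tree looked like before the change. Remember that owner, auditing (SACL) and integrity labels are outside what /save captures, so if the change touched those, the roll-back above will not put them back.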
So hopefully my lesson learned will save you some time and heartache in a similar situation. It is always better to have a backup you will never use than to need a backup that you do not have. If you would also like to read about a great way to gather group membership, so you can see which users have access to the folders or files based on the groups listed, please check out my post here.