Using iCACLS to restore NTFS permissions

LongLastingFlavor 216 Reputation points
2021-12-02T18:18:21.14+00:00

Hello,

I need to restore some NTFS permissions to the C:\Windows folder on our Windows 10 machines. "ALL APPLICATION PACKAGES" and the "TrustedInstaller" are missing from just the C:\Windows folder. The sub-folders are all ok. (Some old GPO was identified that created the issue).

I have a batch file that calls a txt file...

[Image: 154593-capture1.jpg]

And from within the txt file it is restoring the NTFS permissions (ALL APPLICATION PACKAGES and TrustedInstaller) to C:\Windows...

[Image: 154572-capture2.jpg]

I am trying to run the batch file as a Logon Script using Group Policy but it is not working. Looking for a way to successfully push this out companywide.

When I manually run the batch file with an elevated command prompt from a problem machine it works.

Just wondering if anyone had any thoughts or suggestions on how to go about applying this.

Thank you!


Accepted answer
  1. MotoX80 31,566 Reputation points
    2021-12-03T02:15:58.427+00:00

    Change the bat file to capture stdout and stderr to see what the command is doing.

    icacls C:\ /restore C-Windows_Permissions.txt 1>C:\Windows\Temp\Perms.log 2>&1
    

    When I manually run the batch file with an elevated command prompt from a problem machine it works.

    So the obvious conclusion would be that the command is not elevated when it runs.


3 additional answers

  1. Limitless Technology 39,336 Reputation points
    2021-12-03T09:26:34.103+00:00

    Hello SteveChambers,

    First, I would recommend testing the script locally on some test computers to see whether any errors come up or whether it runs smoothly.

    Have you verified that the script and TXT file are located in the Sysvol folder > Domain.name > Policies > Policy GUID > Machine > Scripts > Startup?
    If everything is OK with the GPO, the same script and file are copied to the local folder %systemroot%\System32\GroupPolicy\Machine\Scripts\Startup, but you need to ensure that the script calls the TXT file in the SYSVOL share (only the scripts are copied, not the files they use).


    --If the reply is helpful, please Upvote and Accept as answer--
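
A diagnostic wrapper that combines the two answers above (log everything, confirm elevation, and locate the TXT file relative to the script), as an added example that is not code from any poster in this thread. It assumes the ACL file is named C-Windows_Permissions.txt and sits in the same folder as the batch file; the log path is the one from the accepted answer.

```batch
@echo off
rem Added example: diagnostic wrapper around the icacls restore from this thread.
rem Assumptions: the ACL file is named C-Windows_Permissions.txt and is stored
rem next to this script; the log path is the one used in the accepted answer.
setlocal
set "ACLFILE=%~dp0C-Windows_Permissions.txt"
set "LOG=C:\Windows\Temp\Perms.log"

rem Record where the script was started from and which account it runs as.
>"%LOG%" echo [%date% %time%] started from %~dp0
>>"%LOG%" 2>&1 whoami

rem A High (S-1-16-12288) or System (S-1-16-16384) integrity label means
rem the process token is elevated.
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul
if errorlevel 1 (
    >>"%LOG%" echo NOT ELEVATED, skipping restore
    exit /b 1
)
>>"%LOG%" echo Elevated: yes

rem Fail early if the ACL file is not reachable from where the script runs.
if not exist "%ACLFILE%" (
    >>"%LOG%" echo ACL file not found: %ACLFILE%
    exit /b 2
)

rem Log the ACL before the change, the restore itself, and the ACL afterwards.
>>"%LOG%" 2>&1 icacls C:\Windows
>>"%LOG%" 2>&1 icacls C:\ /restore "%ACLFILE%"
set "RC=%ERRORLEVEL%"
>>"%LOG%" 2>&1 icacls C:\Windows
>>"%LOG%" echo icacls /restore exit code: %RC%
exit /b %RC%
```

After a reboot or logon on a test machine, C:\Windows\Temp\Perms.log shows the account, the elevation result, and any "Access is denied" output from icacls in one place.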


  2. LongLastingFlavor 216 Reputation points
    2021-12-03T23:36:26.337+00:00

    On two machines if I manually run the batch file in Safe Mode it runs successfully. Running in normal mode or with non-Microsoft Services disabled I get access is denied. Running it as a logon script under Computers also did not work (Did verify that the machines are picking up the policy).

    Not sure if running it in Safe Mode can be automated or not. Currently researching my options.


  3. LongLastingFlavor 216 Reputation points
    2021-12-04T00:00:50.157+00:00

    Worth trying! Thank you!