Is there an automated way to traverse a filesystem and remove any ACL entries that reference invalid SIDs in any version of Windows with NTFS?
icacls can do that:
ICACLS name [/grant[:r] Sid:perm[...]] [/deny Sid:perm [...]] [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy[...]]
You can also check for bad entries:
Maybe it's because I am running this on a 2003 server, but this does not produce useful results for me.
I'm not sure what that is supposed to do, but it doesn't provide anything useful for me. I have a folder with an unknown SID.
returns the ACL entries, including "No mapping between account names and security IDs was done". It does not tell me which SID it failed to get a mapping for.
All this tells me is: "Successfully processed 1 files; Failed processing 0 files". Sounds great, but what was the result of the processing?
I get the exact same results running this on any individual files in the folder as well. In order to remove the SIDs, you need to know what they are. And this is not a very helpful method for getting a list of the SIDs that need to be cleaned up.
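An automated version of what the question asks for, and of what the comments say icacls /verify does not give them (the actual list of unresolvable SIDs), as an added example that is not part of this thread and not icacls's own code. The script walks a tree, asks for every explicit DACL entry with its identity left in raw SID form, flags the SIDs that fail to translate to an account (the same condition behind "No mapping between account names and security IDs was done"), and rewrites the DACL only when -Remove is given. The script name, the -Root and -Remove parameters and the Windows PowerShell 3.0+ assumption are mine.

```powershell
<#
Added example, not code from the original thread or from icacls.
Walks $Root, lists every explicit DACL entry whose SID no longer resolves
to an account, and (only with -Remove) strips those entries.
Assumptions: Windows PowerShell 3.0+, NTFS, the caller has READ_CONTROL
and WRITE_DAC on the objects (run elevated for system folders).
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string] $Root,

    # Dry run by default; pass -Remove to actually rewrite the DACLs.
    [switch] $Remove
)

$SidType = [System.Security.Principal.SecurityIdentifier]
$NtType  = [System.Security.Principal.NTAccount]

function Test-SidResolves {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    # App container capability SIDs (S-1-15-3-...) are legitimate but have no
    # account name, so they must not be treated as orphans.
    if ($Sid.Value -like 'S-1-15-3-*') { return $true }
    try {
        $null = $Sid.Translate($NtType)
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Same condition icacls reports as "No mapping between account
        # names and security IDs was done".
        return $false
    }
}

function Repair-OrphanedAces {
    param([string] $Path, [bool] $Commit)

    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch {
        Write-Warning "Cannot read DACL of ${Path}: $($_.Exception.Message)"
        return
    }

    # Explicit entries only (inherited ones must be fixed at their source);
    # identities come back as raw SIDs so nothing is resolved before we test it.
    $rules = $acl.GetAccessRules($true, $false, $SidType)
    $orphans = @($rules | Where-Object { -not (Test-SidResolves $_.IdentityReference) })
    if ($orphans.Count -eq 0) { return }

    foreach ($ace in $orphans) {
        # Report every orphaned entry, whether or not we remove it.
        [pscustomobject]@{
            Path   = $Path
            Sid    = $ace.IdentityReference.Value
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
        }
        if ($Commit) { $acl.RemoveAccessRuleSpecific($ace) }
    }

    if ($Commit) {
        try { Set-Acl -LiteralPath $Path -AclObject $acl }
        catch { Write-Warning "Cannot write DACL of ${Path}: $($_.Exception.Message)" }
    }
}

# The root itself plus everything beneath it, hidden and system objects included.
$targets = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $targets) {
    Repair-OrphanedAces -Path $item.FullName -Commit $Remove.IsPresent
}
```

Run it once as `.\Remove-OrphanedAce.ps1 -Root D:\Share` to get a table of path, SID, allow/deny and rights for every orphaned entry, review that list, then rerun with `-Remove`. Review matters because a SID from a trusted domain that is merely unreachable at the moment fails to translate exactly like a deleted account does. If you would rather let icacls do the removal once you have the SIDs, its own help notes that a numeric SID must be prefixed with `*` on the command line (`/remove *S-1-5-21-...`), and `/T` and `/C` recurse and continue past errors as in the answer above. The script covers the DACL only; orphaned audit entries in the SACL need `Get-Acl -Audit` and `GetAuditRules` instead.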