New
#11
Okay.
You are going to restore the C:\Users\All Users\Application Data junction's permissions to what they where originally, by using Icacls' save command on the exact identical file/folder on another computer B, import the ACL txt file (that Icacls genorates) from computer B to computer A, then, with the ACL txt file, run Icacls restore on the item that needs fixing.
It's a simple two step procedure. All commands mentioned here should ideally be run in an elevated Command Prompt.
Step 1.
Option A.
Execute the Icacls /save command on the exact same Application Data folder that lives on another computer B. E.g.
Import this C:\Users\%username%\aclsave.txt file to computer A (which holds the file/folder that needs fixing) by any means possible. I.e. You can copy paste the contents of the ACL file, that Icacls generates, from computer B to A.Code:icacls "C:\Users\All Users\Application Data" /save "C:\Users\%username%\aclsave.txt"
OR
Option B.
Step a.
If you know that another file/folder on computer A holds the correct permissions, you can save and restore those permissions instead. No second computer needed.
In this case, because other junctions in the All Users (symbolic link) directory have the correct, unmodified, original permission set up as the Application Data junction, you can just take the permissions of one of those junctions, and replace them with Application Data's.
E.g. the C:\Users\All Users\Desktop "folder" has the correct permission layout as C:\Users\All Users\Application Data. So we can save and restore Desktop's permissions onto Application Data and achieve the same effect as importing Application Data's permission information from another computer.
Step b.Code:icacls "C:\Users\All Users\Desktop" /save "C:\Users\%username%\aclsave.txt"
If you choose this option, you need to perform the additional step of cracking open the ACL file in a text editor and changing the very first line of the file to the name of the file/folder that is going to be fixed. This first line is obviously how Icacls should know what file to look for when restoring.
In this case, Application Data is the folder (junction) that needs fixing, so swap "Desktop" to "Application Data" on the first line (file names are case insensitive). Close the text editor.
Step 2.
Now that the ACL data file is somewhere on computer A, (let's say it's in the users home directory of computer A right now: C:\Users\%username%\aclsave.txt), we can get to restoring permissions onto Application Data. The following command will use the aclsave.txt file created in Step 1 to restore the permissions of Application Data in C:\Users\All Users,
Code:icacls "C:\Users\All Users" /restore "C:\Users\%username%\aclsave.txt"
What to do if Step 2 produces an 'Access is denied' message
If an "Access is denied" message displays when restoring C:\Users\All Users\Appliction Data with Icacls, it means that the current access control permissions set on the item denies your user from both reading and write permissions to the object. If this occurs, make a note of the current owner of the file/folder, then take ownership of the item using the command,
Run the Icacls /restore command once again.Code:takeown /f "C:\Users\All Users\Appliction Data"
Then change the owner back to what it should be. The correct owner for Appliction Data is "System". So the command for giving ownership would be
Code:icacls "C:\Users\All Users\Appliction Data" /setowner "SYSTEM"
Note that Icacls save and restore does not correct ownership. Ownership does not affect ones access to a file/folder, so giving ownership back to the correct user is completely optional.
Quote