How to Fully Reset an NTFS Filesystem

I’ve recently needed to reorganise a very large (>3.5 TB), very complex (millions of folders, tens of millions of files) NTFS filesystem which had been allowed to evolve slowly over the years into a great big mess.

Share permissions were a little too liberal, so users of varying technical competence had run riot – applying permissions at random, hiding and making read-only things at random, taking ownership at random, ownership by users/groups long gone… it was all here.

People could see things they shouldn’t be able to, not see things they should, files and folders were hidden for no reason, permissions were applied to a random mix of users and groups, admins had to take ownership to do basic things. It wasn’t even certain the backup system could access all the files to protect them!

I wanted to completely reset the whole thing, by achieving the following for every file and folder:

  • Take ownership of absolutely everything
  • Reset all permissions to a consistent minimum
  • Reset all read-only, system and hidden attributes to off

Open an Administrative Command Line

You need to run these fixes in an administrative command line, to ensure they can do what they need to. Any of the standard four ways are useful here:

  • Hit Windows-R, type “cmd”, hit Ctrl-Shift-Return or Ctrl-Shift-Enter
  • Hit Windows-X, click “Command Prompt (Admin)”
  • Hit Windows key or click on the Start button, type “cmd”, right-click on “Command Prompt” and click “Run as administrator”
  • Right-click on an existing Command Prompt in the taskbar, right-click on “Command Prompt”, click “Run as administrator”

Navigate to the Drive and Folder You Want to Fix

In my example, the drive was the M: drive. Yours will be something different. Do not run these command in C:\ as you will destroy your Windows install. Also don’t run them in C:\Program Files, C:\Program Files (x86), c:\Users, or C:\Windows folders, unless it’s somewhere limited deeper into the tree. Most importantly, do not run any of these commands unless you fully understand the implications of what you’re going to do.

In my example, I enter “M:” and then “cd\” to ensure I was in the root folder of the M: drive.

Take Ownership of Everything

Before we can fix permissions or attributes, we need to be able to work on all the files and folders – and to do that, we should take ownership of them all:

takeown /f * /r /d Y

That runs through the whole structure (/r), setting ownership to your current logged-in account of every file (/f *) and folder (/d Y). If you want to set ownership to a different account, shown here as myuser in the mydomain active directory domain, substitute your required user and domain names in this command – which will ask you for the user’s password:

takeown /u mydomain\myuser /f * /r /d Y

Note – if you are running this in the root of a filesystem as I was, there is a folders you won’t be able to take ownership of, namely “System Volume Information” folders. That’s not a problem.

Reset All NTFS Permissions

Now we’re ensured we own all files and folders, we need to reset the permissions to the defaults, using icacls. The default is the inheritable permissions applied to the folder you’re running the command from. You might want to check and if neccessary correct those permissions before running the command. You can see them by right-clicking on the folder in Windows Explorer, clicking Properties, and looking in the Security tab.

The caveats above about where not to run this and which folder might give you an error both apply. The options chosen are to recurse through the whole tree, and to continue if there’s a problem with a file or folder.

icacls * /t /c /reset

You can add /q if you don’t want it to show you every file and folder it’s working on. I prefer to see how it’s progressing.

Remove All Attributes

Now we have folders and files we own and have simple permissions over, we can do the final tidy-up bit, to remove any hidden, system and read-only attributes that have been set. The option chosen are to recurse through subfolders and to process the directories themselves too.

attrib -R -S -H /S /D

Other more obscure attributes are available, just type “attrib /?” to see the list. and add any other modifiers you need. for instance -A would clear the Archive attribute, which might help mitigate backup issues.

Job Done

These commands took hours to run in my case, but I ended up with a much tidier system which I could protect properly. The share permissions were re-done so that users can’t “manage” the permissions or attributes of files (Change permissions, not Full Control). Many folders that people had lost sight of were now visible, and much space and backup time was saved by un-needed ones being deleted.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s