Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET!
Windows Server

How to Reset Default Security ACLs in Windows

In today’s Ask the Admin, I’ll show you how to reset security ACLs in Windows to their defaults using the secedit tool.

If you’ve ever been in a situation where Windows Server exhibits strange behavior, or even worse, something has stopped working completely, you might have traced the issue to changes in security permissions on files, folders, or registry keys. Access control lists (ACLs) determine access to the filesystem and registry and can be changed manually, using Group Policy, or other tools, and untested modifications to default security settings can prove catastrophic.

Prevention is better than cure, so adhering to security best practices is the best way to ensure that unwanted changes don’t cause any nasty surprises in your production environment, such as not granting IT staff permanent administrative access to servers and implementing a solid change control process. But in cases where those measures have either failed or were not present to protect your systems, it might be necessary to reset permissions to their out-of-the-box defaults.

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

The method I’m going to show you in this article resets filesystem and registry ACLs to their defaults. Production systems are rarely configured without significant changes to the OS defaults, so applying a mass rollback of ACLs is likely to cause some issues. But in a lab environment, you might decide it’s worth the risk.

Back up and test a restore operation of your server before following the instructions below. You might also consider using secedit’s /generaterollback switch to create a template that would allow you to restore the security ACLs to their current state. For more information about backing up Windows Server, see Back Up a Windows Server 2012 R2 Domain Controller on the Petri IT Knowledgebase.

Reset Default Security ACLs

Before using the secedit tool to reset permissions, you might consider using the Security Configuration and Analysis Tool instead, as it allows you to compare current settings against those in a template. Also, bear in mind that custom security settings you’ve defined in areas not covered by the security template won’t be rolled back. For more information about using secedit and the GUI Security Configuration and Analysis Tool, see Using the Windows Server 2012 Security Configuration and Analysis Tool on Petri.

To perform the steps below, you’ll need to log in to Windows Server with an account that has local administrative permissions. The default permissions that I’m going to apply using the command below are for servers that are not domain controllers (DCs). If you want to reapply default security settings to a DC, use the defltdc.inf template instead.

  • Log in to Windows Server.
  • Press WIN+R to open the Run dialog box.
  • Type cmd into the Run dialog box and then press ENTER.
  • In the command prompt window, type the following command and then press ENTER.

secedit /configure /cfg %windir%\inf\defltsv.inf /db defltbase.sdb /verbose

Note that the defltsv.inf template is part of a standard Windows Server install and is located in the Windows directory.

In this article, I showed you how to reset Windows security to settings to their defaults.


Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By