How to Reset Default Security ACLs in Windows
In today’s Ask the Admin, I’ll show you how to reset security ACLs in Windows to their defaults using the secedit tool.
If you’ve ever been in a situation where Windows Server exhibits strange behavior, or even worse, something has stopped working completely, you might have traced the issue to changes in security permissions on files, folders, or registry keys. Access control lists (ACLs) determine access to the filesystem and registry and can be changed manually, through Group Policy, or with other tools. Untested modifications to default security settings can prove catastrophic.
Check out this article on Petri about how to modify access control lists using icacls if you want to work with individual files.
Prevention is better than cure, so adhering to security best practices, such as not granting IT staff permanent administrative access to servers and implementing a solid change control process, is the best way to ensure that unwanted changes don’t cause any nasty surprises in your production environment. But in cases where those measures have either failed or were not present to protect your systems, it might be necessary to reset permissions to their out-of-the-box defaults.
The method I’m going to show you in this article resets filesystem and registry ACLs to their defaults. Production systems are rarely configured without significant changes to the OS defaults, so applying a mass rollback of ACLs is likely to cause some issues. But in a lab environment, you might decide it’s worth the risk.
Back up and test a restore operation of your server before following the instructions below. You might also consider using secedit’s /generaterollback switch to create a template that would allow you to restore the security ACLs to their current state. For more information about backing up Windows Server, see Back Up a Windows Server 2012 R2 Domain Controller on the Petri IT Knowledgebase.
Reset Default Security ACLs
Before using the secedit tool to reset permissions, you might consider using the Security Configuration and Analysis Tool instead, as it allows you to compare current settings against those in a template. Also, bear in mind that custom security settings you’ve defined in areas not covered by the security template won’t be rolled back. For more information about using secedit and the GUI Security Configuration and Analysis Tool, see Using the Windows Server 2012 Security Configuration and Analysis Tool on Petri.
To perform the steps below, you’ll need to log in to Windows Server with an account that has local administrative permissions. The default permissions that I’m going to apply using the command below are for servers that are not domain controllers (DCs). If you want to reapply default security settings to a DC, use the defltdc.inf template instead.
- Log in to Windows Server.
- Press WIN+R to open the Run dialog box.
- Type cmd into the Run dialog box and then press ENTER.
- In the command prompt window, type the following command and then press ENTER.
secedit /configure /cfg %windir%\inf\defltsv.inf /db defltbase.sdb /verbose
Note that the defltsv.inf template is part of a standard Windows Server install and is located in the inf folder of the Windows directory.
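The steps above can be scripted so that the template is chosen from the server's role and a rollback template is written before anything changes. This is an added example, not code from the original article; the AclReset working folder, the file names in it, and the location of defltdc.inf (taken to be the same inf folder as defltsv.inf) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): pick the default template by
# server role, write a rollback template, then apply the defaults with a log.

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$templateName = if ($role -ge 4) { 'defltdc.inf' } else { 'defltsv.inf' }

# Assumption: defltdc.inf lives in the same inf folder as defltsv.inf.
$template = Join-Path $env:windir "inf\$templateName"
if (-not (Test-Path -LiteralPath $template -PathType Leaf)) {
    throw "Security template not found: $template"
}

# Hypothetical working folder and file names; change them to suit your server.
$workDir = Join-Path $env:SystemDrive 'AclReset'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$rollbackDb = Join-Path $workDir "rollback-$stamp.sdb"
$rollback   = Join-Path $workDir "rollback-$stamp.inf"
$applyDb    = Join-Path $workDir "defltbase-$stamp.sdb"
$log        = Join-Path $workDir "secedit-$stamp.log"

# Step 1: capture a rollback template before anything is changed.
# secedit's own prompts and messages are left visible on the console.
& secedit.exe /generaterollback /db $rollbackDb /cfg $template /rbk $rollback /log $log
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $rollback)) {
    throw "No rollback template was written; nothing has been changed. See $log"
}

# Step 2: apply the defaults, as in the article's command, with a log file added.
& secedit.exe /configure /cfg $template /db $applyDb /log $log /verbose
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit exited with code $LASTEXITCODE; review $log before relying on the result."
}
Write-Output "Template applied:  $template"
Write-Output "Rollback template: $rollback"
```

Open the rollback template and confirm it covers the settings you care about before relying on it; it is applied with the same secedit /configure syntax by pointing /cfg at the rollback file.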
In this article, I showed you how to reset Windows security settings to their defaults.