Fix NTFS Permissions and Migrate Files with ICACLS and RoboCopy

📁 Handling Corrupted Permissions and Secure File Transfers

As a system administrator, you’ll inevitably encounter directories that are inaccessible, corrupted, or resistant to modification or deletion due to broken or misconfigured permissions. There are also times when you need to apply a specific set of NTFS permissions to a directory, or transfer data between drives while preserving file timestamps and security attributes. In these situations, ICACLS and RoboCopy are indispensable tools for restoring order and ensuring secure, consistent file operations.

🔐 Restoring NTFS Permissions with ICACLS and Creating Permission Templates

If a directory’s permissions are corrupted or missing, you can reset them by reapplying default or backed-up permissions:

icacls "C:\Path\To\CorruptedDir" /reset /T /C /Q

icacls "C:\Path\To\CorruptedDir" /reset /T /C /Q

/reset: Replaces ACLs with default inherited permissions.

/T: Applies to all subfolders and files.

/C: Continues on errors.

/Q: Quiet mode.

📄 Template: Backup and Apply NTFS Permissions from One Folder to Another

Step 1: Save (Export) Permissions from the Source Folder

icacls "C:\Path\To\SourceDir" /save "C:\perms_backup\source_perms.acl" /T

icacls "C:\Path\To\SourceDir" /save "C:\perms_backup\source_perms.acl" /T

Step 2: Apply Saved Permissions to Target Folder

icacls "C:\Path\To\TargetDir" /restore "C:\perms_backup\source_perms.acl"

icacls "C:\Path\To\TargetDir" /restore "C:\perms_backup\source_perms.acl"

This will replicate the exact permission structure from SourceDir to TargetDir, including subdirectories.

💾 Copy Drive Contents with RoboCopy — Preserve Timestamps, NTFS Permissions, and Log Everything

To copy all contents from one drive to another while preserving timestamps, NTFS permissions, and skipping retries, use the following RoboCopy command:

robocopy D:\ E:\ /MIR /COPYALL /DCOPY:T /R:0 /W:0 /LOG:"C:\Logs\robocopy_log.txt"

robocopy D:\ E:\ /MIR /COPYALL /DCOPY:T /R:0 /W:0 /LOG:"C:\Logs\robocopy_log.txt"

🔍 Explanation of switches:

• D:\ → Source drive
• E:\ → Destination drive
• /MIR → Mirrors directory tree (equivalent to /E and /PURGE)
• /COPYALL → Copies all file info: data, attributes, timestamps, NTFS ACLs, and owner info
• /DCOPY:T → Preserves directory timestamps
• /R:0 → Sets 0 retries on failed copies
• /W:0 → Sets 0 wait time between retries
• /LOG:"C:\Logs\robocopy_log.txt" → Outputs progress and errors to a log file

✅ Tip: Always test with /L (list only) before running full copy to preview what RoboCopy would do:

robocopy D:\ E:\ /MIR /COPYALL /DCOPY:T /R:0 /W:0 /L

robocopy D:\ E:\ /MIR /COPYALL /DCOPY:T /R:0 /W:0 /L

🧊 Copy Locked Files with RoboCopy via VSS Shadow Copy

🔧 Step-by-Step Instructions:

Step 1: Create a Shadow Copy Using DiskShadow

Create a .ds script file (e.g., shadow.ds) with the following contents:

SET CONTEXT PERSISTENT
SET METADATA C:\Shadow\meta.cab
BEGIN BACKUP
ADD VOLUME D: ALIAS MyShadow
CREATE
EXPOSE %MyShadow% X:

SET CONTEXT PERSISTENT
SET METADATA C:\Shadow\meta.cab
BEGIN BACKUP
ADD VOLUME D: ALIAS MyShadow
CREATE
EXPOSE %MyShadow% X:

This script:

• Creates a persistent shadow copy of drive D:
• Mounts the snapshot as drive X: (you can change this to any unused letter)

Run the script with:

diskshadow /s C:\Shadow\shadow.ds

diskshadow /s C:\Shadow\shadow.ds

✅ After running, you can access D: as it was at snapshot time via X:\

Step 3: Clean Up

When done, remove the exposed drive and delete the shadow copy:

diskshadow

diskshadow

Inside DiskShadow prompt:

DELETE SHADOWS ALL

DELETE SHADOWS ALL

Or use vssadmin delete shadows for more control:

vssadmin delete shadows /for=D: /all

vssadmin delete shadows /for=D: /all

🛑 Notes:

• Requires administrative privileges
• Make sure no critical app writes to the destination during the copy
• This approach ensures consistent copies even of in-use files (e.g., databases, logs)

Let me know if you want a full script that automates all steps!

✅ Conclusion

By combining ICACLS and RoboCopy, you gain powerful control over NTFS permissions and reliable data transfers—even in complex scenarios like restoring corrupted ACLs or copying locked files. Whether you’re backing up critical systems or migrating data securely, these tools offer the precision and flexibility Windows administrators need. With proper use of permission templates, logging, and VSS snapshots, your file operations can be both safe and efficient.

🌿 Final Thoughts

ICACLS and RoboCopy are essential tools in any Windows admin’s toolkit. With the right commands and a bit of planning, you can handle permissions, backups, and file migrations with confidence.

WinReflection

My name is Dex, author at WinReflection.

I am a Christian, conservative, truth-seeker, and problem-solver who is not afraid to be vocal about important or controversial issues—silence leads to death. There’s more to life than the worldly status quo, and that’s why many are sad and depressed—they’re suffocating. Truth and purpose can bring fresh air into one’s life, and that’s my mission. My sidebar content should not trigger you, the proof is all there.

📖 John 3:16: For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.