How to Backup and Restore File Permissions in Batch Script
Managing NTFS permissions is a critical part of maintaining a secure and functional Windows environment. However, permissions can be fragile. A single mistake during a folder move or a failed script can overwrite complex Access Control Lists (ACLs), leading to data breaches or service outages.
Being able to back up the current permission state of a directory tree and restore it quickly if something goes wrong is an essential safety net for any developer or administrator.
In this guide, we will use the icacls command to create a robust backup and restoration system using Batch scripts.
The ICACLS Save and Restore Mechanism
The icacls utility has two specific switches designed for this purpose: /save and /restore.
How it Works:
- /save: Exports the security descriptors of the specified files and folders into a text file.
- /restore: Reapplies the descriptors from that text file back to the original objects.
When using /save, specify a directory as the target, and icacls will process that directory. However, when using /restore, you must specify the parent directory of the saved files.
Creating a Permission Backup Script
The following script will capture the permissions of a specific folder and all its contents, saving them to a timestamped file.
@echo off
setlocal
REM Define the directory to back up and the location to save the ACL file
set "sourceDir=D:\ImportantData"
set "backupPath=C:\Backups\Permissions"
if not exist "%sourceDir%\" (
    echo [ERROR] Source directory not found: %sourceDir%
    pause
    exit /b 1
)
REM Ensure the backup directory exists
if not exist "%backupPath%\" mkdir "%backupPath%"
REM Test for the directory itself: ERRORLEVEL is stale when mkdir was skipped
if not exist "%backupPath%\" (
    echo [ERROR] Failed to create backup directory: %backupPath%
    pause
    exit /b 1
)
REM Create a robust, locale-independent timestamp for the filename
REM We use PowerShell to ensure the format is consistent regardless of system region
for /f "tokens=*" %%i in ('powershell -NoProfile -ExecutionPolicy Bypass -Command "Get-Date -Format 'yyyy-MM-dd_HHmm-ss'"') do set "STAMP=%%i"
if not defined STAMP (
    echo [ERROR] Could not retrieve system date/time for timestamp.
    pause
    exit /b 1
)
set "aclFile=%backupPath%\acl_backup_%STAMP%.txt"
echo Backing up permissions for: %sourceDir%
echo Saving to: %aclFile%
echo.
REM /save extracts the permissions
REM /T ensures subdirectories are included
REM /C continues on errors
REM /Q suppresses success messages
icacls "%sourceDir%" /save "%aclFile%" /T /C /Q
if %ERRORLEVEL% equ 0 (
    echo [SUCCESS] Backup completed: %aclFile%
) else (
    echo [WARNING] Backup finished with some errors. Check for locked files or access issues.
)
endlocal
pause
Restoring Permissions from a Backup
Restoring is slightly more sensitive than backing up. The paths in the ACL file are relative to the directory where the save was performed.
The Correct Way to Restore
If you backed up D:\ImportantData while it was the target, you should point your restore command to D:\.
@echo off
setlocal
set "restoreRoot=D:\"
set "aclFile=C:\Backups\Permissions\acl_backup_2026-03-28_1200-00.txt"
if not exist "%aclFile%" (
    echo [ERROR] ACL backup file not found: %aclFile%
    pause
    exit /b 1
)
echo Restoring permissions from: %aclFile%
echo Restoring to root: %restoreRoot%
echo.
REM /restore applies the saved ACL file back to the directory tree
icacls "%restoreRoot%" /restore "%aclFile%" /C /Q
if %ERRORLEVEL% equ 0 (
    echo [SUCCESS] Permissions restored successfully.
) else (
    echo [ERROR] Errors occurred during restoration. Ensure you are running as Administrator.
)
endlocal
pause
Comparisons: Why not just copy the folder?
You might wonder why you wouldn't just copy the files to another drive to "backup" the permissions. There are several reasons why the icacls /save method is superior:
- Storage Efficiency: An ACL backup is a tiny text file, even for a directory with millions of files. A full file backup could be terabytes.
- Independence: You can restore permissions to an existing directory without overwriting the actual file data. This is perfect for fixing "permission drift" where the data is fine but the access rules are broken.
- Audit Trail: The ACL backup file is human-readable (to a degree), providing a snapshot in time of who had access to what.
Common Pitfalls
Wrong Case: Misaligned Restore Paths
If you back up C:\Data\Finance and then try to restore it while the current directory is C:\, the paths won't match, and no permissions will be applied.
Solution: Always verify exactly which folder you were targeting during the /save operation. The path within the text file usually starts from the folder name itself.
Mistake: System Volume Information
When backing up an entire drive, icacls might fail when it hits protected system folders like System Volume Information.
Solution: Use the /C (continue) switch so the script skips these folders and continues backing up your actual data.
Best Practices
- Run as Administrator: Capturing and applying security descriptors requires full administrative privileges.
- Combine with Data Backups: Whenever you perform a major data migration or backup, run a permission backup immediately before and after.
- Test the Restore: In a test environment, try breaking permissions on a few files and using your script to restore them. Knowing the process works before a crisis is invaluable.
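One way to confirm that a restore worked, or to detect permission drift against a known-good backup, is to take a fresh /save snapshot and compare it with the baseline file. The script below is an added example, not part of the original guide; the paths and the baseline file name are placeholders, and it assumes the set of files in the tree has not changed since the baseline was taken (added or removed files also show up as a difference).

```bat
@echo off
setlocal
REM Added example: compare a saved ACL baseline with the tree's current ACLs.
REM sourceDir and baseline are placeholders; point them at your own backup.
set "sourceDir=D:\ImportantData"
set "baseline=C:\Backups\Permissions\acl_backup_2026-03-28_1200-00.txt"
set "current=%TEMP%\acl_current_%RANDOM%.txt"

if not exist "%baseline%" (
    echo [ERROR] Baseline ACL file not found: %baseline%
    exit /b 2
)

REM Snapshot the current ACLs with the same switches used for the baseline
icacls "%sourceDir%" /save "%current%" /T /C /Q
if errorlevel 1 echo [WARNING] Snapshot hit errors; the comparison may be incomplete.
if not exist "%current%" (
    echo [ERROR] Snapshot file was not created: %current%
    exit /b 2
)

REM Byte-for-byte comparison avoids any assumption about the file's encoding
fc /B "%baseline%" "%current%" >nul
set "rc=%ERRORLEVEL%"

if "%rc%"=="0" (
    echo [OK] Current ACLs match the baseline.
    del "%current%"
    exit /b 0
)
if "%rc%"=="1" (
    echo [DRIFT] Current ACLs differ from the baseline.
    echo Snapshot kept for review: %current%
    exit /b 1
)
echo [ERROR] fc could not compare the files ^(exit code %rc%^).
exit /b 2
```

Exit code 0 means the ACLs match, 1 means they differ, and 2 means the check itself could not run, so the script can gate a scheduled task or a migration step.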
Conclusion
The icacls /save and /restore commands are powerful, if occasionally finicky, tools. By wrapping them in a Batch script, you create a repeatable, reliable way to protect the security architecture of your file systems. Whether you are preparing for a server migration or simply want an insurance policy against user error, a fast permission backup is one of the most effective scripts an administrator can have in their toolkit.