How to Reset File or Folder Permissions to Inherited Defaults in Batch Script
When managing file servers or shared directories, permissions can become a disorganized mess. Users might accidentally change permissions, old administrators might have hardcoded specific access rights, or malicious software may have modified access control lists (ACLs). When this happens, the fastest fix is often to remove all explicitly set permissions and let the item inherit from its parent folder again.
In this guide, we will use the icacls command to reset files and folders back to their default inherited state using a simple Batch script.
Understanding Inheritance
On an NTFS volume, if a directory (e.g., C:\Marketing) grants "Read" access to "All Employees", any file created inside that folder will automatically inherit those same rights.
However, users can sometimes break this inheritance or add explicit permissions directly to a specific file (e.g., Budget.xlsx). Resetting permissions removes all explicit entries and makes the file take its permissions from its parent folder again.
The icacls /reset Command
The core command for this task is incredibly straightforward. The icacls tool includes a /reset switch specifically designed for this purpose.
Single File Reset
To reset permissions on a single file back to default:
icacls "C:\Shared\Marketing\Budget.xlsx" /reset
If successful, icacls will confirm:
processed file: C:\Shared\Marketing\Budget.xlsx
Successfully processed 1 files; Failed processing 0 files
Resetting an Entire Directory Tree
The real power of icacls /reset shines when you need to fix an entire corrupted folder structure. By adding the /t (traverse) switch, you can recursively apply the reset to all subfolders and files simultaneously. Adding the /c (continue on error) and /q (quiet) switches is highly recommended for bulk operations.
Warning:
Running this command at the root of a drive (C:\) or crucial system folders (C:\Windows) will drastically alter your operating system's security and likely break it. Only use this on data directories or specific user profile paths.
@echo off
setlocal
set "CORRUPTED_FOLDER=D:\CompanyShare\Marketing"
if not exist "%CORRUPTED_FOLDER%\" (
echo [ERROR] Directory not found: %CORRUPTED_FOLDER%
pause
exit /b 1
)
echo WARNING: You are about to reset all permissions for:
echo %CORRUPTED_FOLDER%
echo.
echo This will remove any explicit permissions and replace them with inherited ones.
echo.
set /p "CONFIRM=Type YES to proceed: "
if /i not "%CONFIRM%"=="YES" (
echo Operation cancelled.
pause
exit /b
)
echo.
echo Proceeding with reset...
echo ------------------------------------------
REM /reset replaces ACLs with default inherited ACLs.
REM /t traverses subdirectories.
REM /c continues despite individual file errors.
REM /q runs quietly (less console spam).
icacls "%CORRUPTED_FOLDER%" /reset /t /c /q
if %ERRORLEVEL% equ 0 (
echo [SUCCESS] Inheritance successfully reset.
) else (
echo [WARNING] Reset attempt finished, but some errors occurred (e.g., Access Denied on specific files^).
)
endlocal
pause
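Because a recursive /reset discards every explicit entry, it helps to refuse unsafe targets and save the existing ACLs before resetting. The script below is an added example, not part of the original guide; TARGET, BACKUP_DIR and ACL_FILE are assumed names, and it uses the icacls /save and /restore switches, which the guide itself does not cover.

```batch
@echo off
setlocal
REM Added example. TARGET, BACKUP_DIR and ACL_FILE are assumed names, not from the scripts above.
REM Keep BACKUP_DIR outside TARGET so the backup file is not part of the tree being reset.
set "TARGET=D:\CompanyShare\Marketing"
set "BACKUP_DIR=D:\AclBackups"
set "ACL_FILE=%BACKUP_DIR%\Marketing-before-reset.acl"

REM Resolve to a full path without a trailing backslash, so "D:\Share\.." is judged by where it points.
for %%I in ("%TARGET%") do set "FULL=%%~fI"
if "%FULL:~-1%"=="\" set "FULL=%FULL:~0,-1%"

REM Guard 1: a drive root collapses to two characters such as "D:".
if "%FULL:~2%"=="" (
echo [ERROR] Refusing to reset a drive root: "%TARGET%"
exit /b 1
)
REM Guard 2: refuse the Windows folder and anything beneath it (prefix removed = path was inside it).
set "CHECK=%FULL%\"
call set "REST=%%CHECK:%SystemRoot%\=%%"
if /i not "%REST%"=="%CHECK%" (
echo [ERROR] Refusing to reset inside "%SystemRoot%".
exit /b 1
)
if not exist "%FULL%\" (
echo [ERROR] Directory not found: "%FULL%"
exit /b 1
)
if not exist "%BACKUP_DIR%\" mkdir "%BACKUP_DIR%"
if exist "%ACL_FILE%" (
echo [ERROR] "%ACL_FILE%" already exists. Keep it and choose a new file name.
exit /b 1
)

REM /save writes the DACL of every item as SDDL text. Owner and SACL are not saved.
icacls "%FULL%" /save "%ACL_FILE%" /t /c /q
if errorlevel 1 (
echo [ERROR] ACL backup incomplete. Nothing has been reset.
exit /b 1
)
icacls "%FULL%" /reset /t /c /q
if errorlevel 1 echo [WARNING] Some items could not be reset.

REM /restore is run against the PARENT of the saved folder. The trailing "." keeps the
REM final backslash of the parent path from escaping the closing quote.
for %%I in ("%FULL%") do echo Undo with: icacls "%%~dpI." /restore "%ACL_FILE%" /c
endlocal
```

The saved file records paths relative to the parent folder, which is why the undo command targets the parent rather than the folder that was reset.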
Troubleshooting Access Denied Errors
If you run icacls /reset and receive an "Access is Denied" error for specific files, it usually means your current administrative user account does not have sufficient rights (such as SeTakeOwnershipPrivilege or SeRestorePrivilege) or outright lacks "Full Control" over the files you are trying to reset.
Wrong Approach (Assuming script fails completely):
icacls "C:\LockedFolder\Secret.txt" /reset
REM Output: C:\LockedFolder\Secret.txt: Access is denied.
If a previous administrator broke inheritance and maliciously removed "Administrators" from the file's ACL, you cannot reset it until you take ownership of it.
Step-by-Step Fix: Taking Ownership First
To guarantee the reset succeeds on stubbornly locked files, you must use the takeown command prior to icacls.
Here is a robust script that aggressively takes ownership of all files before resetting their permissions.
@echo off
setlocal
set "TARGET_DIR=D:\UserProfiles\OldEmployee"
if not exist "%TARGET_DIR%\" (
echo [ERROR] Directory not found: %TARGET_DIR%
pause
exit /b 1
)
echo Preparing to forcefully reset permissions on %TARGET_DIR%...
echo.
echo Step 1: Taking ownership of all files and subfolders...
REM takeown gives the current logged-in Administrator ownership.
REM /F targets the folder.
REM /R recurses through subdirectories.
REM /D Y automatically says "Yes" to replacing directory permissions.
takeown /F "%TARGET_DIR%" /R /D Y >nul 2>nul
if %ERRORLEVEL% neq 0 (
echo [WARNING] Some files could not have ownership changed. Continuing...
)
echo Step 2: Resetting inheritance...
REM Now that we own it, we can reset the ACLs.
icacls "%TARGET_DIR%" /reset /t /c /q
if %ERRORLEVEL% equ 0 (
echo.
echo [SUCCESS] Process complete. All permissions have been reset.
) else (
echo.
echo [WARNING] Process complete, but some files could not be reset.
)
endlocal
pause
When you use takeown, you are fundamentally changing the owner of the file (usually from the original creator to the "Administrators" group). Once reset, inherited permissions apply, but the owner remains "Administrators". If you need to restore the original creator as the owner, you will need more complex scripts, typically involving PowerShell.
Resetting Permissions on Home Folders (A Common Scenario)
A very common use case for Batch scripting permissions is recreating "Home Folders" on a file server. This script creates a folder, breaks inheritance, gives the user access, and ensures all contents reflect those specific rights.
@echo off
setlocal
set "USER_NAME=JSmith"
set "HOME_ROOT=D:\UserHomes"
set "USER_FOLDER=%HOME_ROOT%\%USER_NAME%"
REM 1. Ensure parent directory exists
if not exist "%HOME_ROOT%\" (
echo [ERROR] Home root directory not found: %HOME_ROOT%
pause
exit /b 1
)
REM 2. Create user directory
if not exist "%USER_FOLDER%\" (
mkdir "%USER_FOLDER%"
REM Use "if errorlevel 1" here: the ERRORLEVEL variable inside a block is expanded before mkdir runs.
if errorlevel 1 (
echo [ERROR] Failed to create directory: %USER_FOLDER%
pause
exit /b 1
)
)
REM 3. Reset it first to ensure a clean slate
icacls "%USER_FOLDER%" /reset
REM 4. Disable inheritance (/inheritance:r) and explicitly grant user rights
icacls "%USER_FOLDER%" /inheritance:r /grant "%USER_NAME%:(OI)(CI)F" /grant "Administrators:(OI)(CI)F"
if %ERRORLEVEL% equ 0 (
echo [SUCCESS] Home folder created and permissions set for %USER_NAME%.
) else (
echo [ERROR] Failed to set permissions on %USER_FOLDER%. Verify user account exists.
)
endlocal
pause
Summary
The icacls /reset command is the essential tool for cleaning up messy NTFS permissions in Windows environments. By combining it with the /t recursion switch and preceding it with the takeown command when fighting locked files, you can quickly write Batch scripts to normalize security settings across massive file shares and restore order to your inherited folder structures.