Easy way to remove unused security descriptors?

I am planning on re-installing Windows soon. All files on my disk D:, which I am not planning on erasing, will have security descriptors from the current Windows installation with new security descriptors coming from the new Windows installation.

Is there a way to remove all security descriptors from all folders and files on a drive other than the ones created by current installation? Please let me know how to do it.


Solution 1:

icacls is the way to go. I think this will do it, but if not, you can play with the other options:

icacls * /T /Q /C /RESET

http://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx

Solution 2:

Other than icacls, provided in KCotreau's answer here, you can also handle security descriptors through PowerShell. You may want to start here:

TechNet: Windows PowerShell Tip of the Week: Working with Security Descriptors

Take particular notice that you can set a desirable security descriptor on one file and then use that as a template for every other file. The following commands do this:

C:\>$MyNewACL = get-acl templatefile.txt
C:\>get-childitem x:\somefolder -recurse -force | set-acl -aclobject $MyNewACL

The first command will copy the security descriptors of the file templatefile.txt, that you first set as having the settings you want to repopulate some folder with. The second command does the actual changes to all the files in that folder inside drive X (-recurse will get files and directories inside that folder, and -force will get hidden files).

See also: Set-Acl command
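
Added example (not part of either answer above): both answers overwrite ACLs wholesale, whereas this sketch goes a step further and targets only the explicit ACEs whose SID no longer resolves to an account, which is how entries from a previous installation's local users appear. The function name `Find-OrphanedAce` and its parameters are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example: report (and optionally remove) explicit ACEs whose SID cannot be
# resolved to an account. Find-OrphanedAce is a hypothetical name for this sketch.
function Find-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder to scan (items below it)
        [switch] $Remove                         # also strip the orphaned ACEs
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $resolves = @{}   # cache: SID string -> $true when it maps to an account
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; return }
        $changed = $false
        # Explicit ACEs only (inherited ones are fixed at the parent), as raw SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $ace.IdentityReference
            if (-not $resolves.ContainsKey($sid.Value)) {
                # Only "identity not mapped" counts as orphaned; any other lookup
                # failure (e.g. unreachable domain) propagates instead of being
                # mistaken for a dead account.
                try {
                    [void]$sid.Translate([System.Security.Principal.NTAccount])
                    $resolves[$sid.Value] = $true
                }
                catch [System.Security.Principal.IdentityNotMappedException] {
                    $resolves[$sid.Value] = $false
                }
            }
            if ($resolves[$sid.Value]) { continue }
            [pscustomobject]@{
                Path = $item.FullName; Sid = $sid.Value
                Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
            }
            if ($Remove) { $acl.RemoveAccessRuleSpecific($ace); $changed = $true }
        }
        if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, 'Remove orphaned ACEs')) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}
```

Run it without `-Remove` first to review the report (for example piped to `Export-Csv`), then with `-Remove -WhatIf` to see which items would be rewritten before committing the change.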