How to Reset Default Security ACLs in Windows


In today’s Ask the Admin, I’ll show you how to reset security ACLs in Windows to their defaults using the secedit tool.

If you’ve ever been in a situation where Windows Server exhibits strange behavior, or even worse, something has stopped working completely, you might have traced the issue to changes in security permissions on files, folders, or registry keys. Access control lists (ACLs) determine access to the filesystem and registry and can be changed manually, through Group Policy, or with other tools. Untested modifications to default security settings can prove catastrophic.

Check out this article on Petri about how to modify access control lists using icacls if you want to work with individual files.

Prevention is better than cure, so adhering to security best practices, such as not granting IT staff permanent administrative access to servers and implementing a solid change control process, is the best way to ensure that unwanted changes don’t cause any nasty surprises in your production environment. But in cases where those measures have either failed or were not present to protect your systems, it might be necessary to reset permissions to their out-of-the-box defaults.

The method I’m going to show you in this article resets filesystem and registry ACLs to their defaults. Production systems are rarely configured without significant changes to the OS defaults, so applying a mass rollback of ACLs is likely to cause some issues. But in a lab environment, you might decide it’s worth the risk.

Back up and test a restore operation of your server before following the instructions below. You might also consider using secedit’s /generaterollback switch to create a template that would allow you to restore the security ACLs to their current state. For more information about backing up Windows Server, see Back Up a Windows Server 2012 R2 Domain Controller on the Petri IT Knowledgebase.

Reset Default Security ACLs

Before using the secedit tool to reset permissions, you might consider using the Security Configuration and Analysis Tool instead, as it allows you to compare current settings against those in a template. Also, bear in mind that custom security settings you’ve defined in areas not covered by the security template won’t be rolled back. For more information about using secedit and the GUI Security Configuration and Analysis Tool, see Using the Windows Server 2012 Security Configuration and Analysis Tool on Petri.

To perform the steps below, you’ll need to log in to Windows Server with an account that has local administrative permissions. The default permissions that I’m going to apply using the command below are for servers that are not domain controllers (DCs). If you want to reapply default security settings to a DC, use the defltdc.inf template instead.

  • Log in to Windows Server.
  • Press WIN+R to open the Run dialog box.
  • Type cmd into the Run dialog box and then press ENTER.
  • In the command prompt window, type the following command and then press ENTER.
secedit /configure /cfg %windir%\inf\defltsv.inf /db defltbase.sdb /verbose

Note that the defltsv.inf template is part of a standard Windows Server install and is located in the inf folder of the Windows directory (%windir%\inf).
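The steps above as one PowerShell script. This is an added example, not code from the article or from Microsoft: it picks defltsv.inf or defltdc.inf from the machine's role, writes a /generaterollback template first, and only then runs the configure command. The working folder, the file names, and the use of Win32_ComputerSystem.DomainRole to detect a DC are assumptions.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param([string]$WorkDir = "$env:SystemDrive\SecReset")  # assumed working folder

# Win32_ComputerSystem.DomainRole: 2/3 = standalone/member server, 4/5 = DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$templateName = switch ($role) {
    { $_ -in 2, 3 } { 'defltsv.inf'; break }
    { $_ -in 4, 5 } { 'defltdc.inf'; break }
    default { throw "DomainRole $role is not a server; the article covers servers only." }
}
$template = Join-Path $env:windir "inf\$templateName"
if (-not (Test-Path -LiteralPath $template)) { throw "Template not found: $template" }

# Timestamped file names (assumed naming) so repeated runs never overwrite each other.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$base     = Join-Path $WorkDir (Get-Date -Format 'yyyyMMdd-HHmmss')
$rollback = "$base-rollback.inf"

# Step 1: write a rollback template before anything is changed.
& secedit.exe /generaterollback /db "$base-rollback.sdb" /cfg $template `
    /rbk $rollback /log "$base-rollback.log" /quiet
if (-not (Test-Path -LiteralPath $rollback)) {
    throw "No rollback template was written (exit code $LASTEXITCODE); nothing was changed."
}

# Step 2: apply the defaults; ConfirmImpact = 'High' makes PowerShell prompt first.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "secedit /configure with $templateName")) {
    & secedit.exe /configure /cfg $template /db "$base-defltbase.sdb" `
        /log "$base-configure.log" /verbose
    Write-Host "secedit exit code: $LASTEXITCODE. Review $base-configure.log for skipped items."
    Write-Host "Rollback template: $rollback"
}
```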

In this article, I showed you how to reset Windows security settings to their defaults.