Setacl.exe Not Available in Windows NT 4.0

Last reviewed: July 10, 1997
Article ID: Q157963
The information in this article applies to:
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0

SUMMARY

When an administrator attempts to secure a Microsoft Windows NT system by changing the default Windows NT file system (NTFS) file and directory permissions set on %systemroot% and/or the default system directories and subdirectories, some functions, such as users' ability to log on to the network, may be impaired. In extreme cases, the system may display a blue screen error message on startup.

In Windows NT version 3.5x, it was possible to reset the default permissions on the system files using the Setacl.exe command. This is not possible in Windows NT version 4.0.

For additional information, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q153094
   TITLE     : Restoring Default Permissions to Windows NT System Files

MORE INFORMATION

The process that Windows NT Setup uses to create an NTFS partition and set the default permissions was changed in Windows NT 4.0. In Windows NT 3.5x, Setup would schedule two programs to run during the final reboot phase. The first program, Autoconv.exe, would convert the file system to NTFS format. The second program, Setacl.exe, would set the default permissions on the newly created NTFS system partition. These programs ran independently from Setup and, therefore, could be rescheduled as noted in the above article.

In Windows NT 4.0, Setup was changed. The conversion to NTFS still works the same way, by scheduling Autoconv.exe. However, this is done at the end of the Text-mode portion of Setup, so the conversion happens while Setup is booting into GUI-mode, before Setup finishes copying all files into the system. At the very end of GUI-mode, Setup calls a function that sets the default permissions based on the Perms.inf file. This function is not a program that runs independently from the Setup process; therefore, it cannot be rescheduled as Setacl.exe could in previous versions. This is by design.

WORKAROUND

Reinstall Windows NT into a separate directory. This will allow you to restore your operating system files (%systemroot%) from a backup tape that contains the correct default permissions, so that the operating system can boot and function normally. After Windows NT is restored and restarted, you can delete the parallel copy of Windows NT.

-OR-

Use the NT v4.0 Resource Kit utility called FIXACLS.EXE.

FIXACLS.EXE can be found in the NT v4.0 Resource Kit Supplement Two.

When system permissions have been lost, FIXACLS can restore default permissions to the system files. For example, the Windows NT convert command only converts your file system to NTFS. It does not set the default permissions after the conversion. FIXACLS fills this gap.

To use FIXACLS, your user account needs "Backup files and folders" privileges on the computer where the files and folders are stored, and you must be logged on as a member of the Administrators group for the domain or computer where your user account is defined. Otherwise, "Access denied" error messages may occur.

FIXACLS sets the permissions to the values defined in %SYSTEMROOT%\INF\PERMS.INF. Therefore, access to this file is also required to run FIXACLS.


Additional query words: prodnt
Keywords : kbbug4.00 kbenv ntboot ntfilesys ntsecurity NTSrvWkst
Version : 4.0
Platform : WinNT


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.