Resetting default file permissions on Windows Server 2003

Okay I blew it! Not until today in my career have I ever made a change to a production server that prevented it from booting properly!

I had to make a certain application run on a terminal server and the client wanted it "yesterday" as they always do. To cut a long story short I was playing around with rights in the system32 directory, rebooted (after hours) and a whole bunch of services failed to start, the most important of which being the RPC service, which of course is depended upon by a whole bunch of other important services. The net result was that explorer.exe hung at login, I could bring up the task manager and launch cmd, mmc etc. but explorer was not a happy customer. I attempted to undo my changes but unfortunately it appeared that something else was afoot that had been triggered by me changing these rights.

Damn I have nobbled our terminal server I thought, the whole heart sinking feeling occured as I cursed several times thinking of the long night ahead of me trying to fix it before anyone noticed.

I instantly began googling for information regarding resetting NTFS permissions to a "factory" state in XP/2003 Server. There is not a lot of information regarding this on the internet but I did find some references to the following Microsoft TechNet article:;EN-US;816585

This article explains how to apply security templates onto your installation of Windows Server 2003 using the Security Configuration and Analysis MMC plugin. However it doesn't explain how to get the .sdb file that you need to use as a database for the whole operation.

The security template files (.inf) are in the windowssecuritytemplates directory of your system. Have a look through these, they are basically a list of directory and filenames and the rights are itemized beside each entry. There are varying degrees of security that can be applied here but the Setup Security.inf file seemed the best to me. It is basically a snapshot of the rights on the system at install completion of the OS. Basically how it was before any changes to rights etc were made by you.

I brought up a cmd window and changed to the windowssecuritytemplates directory and issued the following command:

secedit /import /db my_security.sdb /cfg Setup Security.inf /overwrite

This creates the my_security.sdb file that can now be used in the Security Analysis and Configuration snap in to reset your permissions. I believe that the secedit command is capable of applying the template to the system all in one command, but in my impatience to get it fixed this was good enough for me.

The secedit command reference can be found at:

Anyway it fixed my problem up all services started without a hitch and explorer ran. Woohoo! With minimal changes to the documents and settings and program files directories etc, the system was back in place and fully functional.