windows xp Professional restore Security Descriptors after cacls /t /e /p

Someone changed the permissions on a bunch of machines using cacls which fixed one problem but created a bigger one. I'm looking at ways to revert this but can't seem to get it back to the way it was.

I've replicated using a test machine and the output is below. I used subinacl to get the output.

Change made using:

ECHO Y|CACLS C:\APPSYS      /t /e /p User1:F

The reason why the permissions were changed was because some files were put on by someone logged in as the administrator which the users needed full access too. I would still like to know a safe way to add the usergroup1 to these files whilest not messing with the others that don't need changing. It's not a static list of files, some machines have only 1 or 2 files others have 20-50 files where the user1 requires full control of but doesn't have permissions.

Before running ECHO "Y|CACLS C:\APPSYS /t /e /p User1:F"

====================
+File C:\APPSYS\BIN
====================
/control=0x400
/owner             =PC1125230\ORGUSER
/primary group     =PC1125230\none
/audit ace count   =0
/perm. ace count   =8
/pace =PC1125230\USERGROUP1  Type=0x0 Flags=0x13 AccessMask=0x1f01ff
/pace =builtin\administrators  Type=0x0 Flags=0x13 AccessMask=0x1f01ff
/pace =system  Type=0x0 Flags=0x13 AccessMask=0x1f01ff
/pace =PC1125230\ORGUSER  Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =creator owner  Type=0x0 Flags=0x1b AccessMask=0x10000000
/pace =builtin\users  Type=0x0 Flags=0x13 AccessMask=0x1200a9
/pace =builtin\users  Type=0x0 Flags=0x12 AccessMask=0x4
/pace =builtin\users  Type=0x0 Flags=0x12 AccessMask=0x2


=============================
+File C:\APPSYS\ERROR.LOG
=============================
/control=0x0
/owner             =PC1125230\ORGUSER
/primary group     =PC1125230\none
/audit ace count   =0
/perm. ace count   =0

After running ECHO "Y|CACLS C:\APPSYS /t /e /p User1:F"

====================
+File C:\APPSYS\BIN
====================
/control=0x0
/owner             =PC1125230\ORGUSER
/primary group     =PC1125230\none
/audit ace count   =0
/perm. ace count   =9
/pace =PC1125230\User1  Type=0x0 Flags=0x3 AccessMask=0x1f01ff
/pace =PC1125230\USERGROUP1  Type=0x0 Flags=0x13 AccessMask=0x1f01ff
/pace =builtin\administrators  Type=0x0 Flags=0x13 AccessMask=0x1f01ff
/pace =system  Type=0x0 Flags=0x13 AccessMask=0x1f01ff
/pace =PC1125230\ORGUSER  Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =creator owner  Type=0x0 Flags=0x1b AccessMask=0x10000000
/pace =builtin\users  Type=0x0 Flags=0x13 AccessMask=0x1200a9
/pace =builtin\users  Type=0x0 Flags=0x12 AccessMask=0x4
/pace =builtin\users  Type=0x0 Flags=0x12 AccessMask=0x2


=============================
+File C:\APPSYS\ERROR.LOG
=============================
/control=0x0
/owner             =PC1125230\ORGUSER
/primary group     =PC1125230\none
/audit ace count   =0
/perm. ace count   =1
/pace =PC1125230\User1  Type=0x0 Flags=0x0 AccessMask=0x1f01ff

There are lots of files and folders that get unique to the different machines so i'm trying to find a method that works on them all without specifying each exact file.

I've used subinacl to grant the user groups that are denied access to the ERROR.LOG for example and all files and folders in the APPSYS folder because there were lots of issues with the applications crashing. This fixed that problem but i'm worried about the lasting effect of the changes made when compared to the original settings.

Before using subinacl method to grant permissions I've tried removing the User1 permission but again the ERROR.LOG does not go back to what it was permissions wise. I've tried suppresssid also with the same no difference result. I've tried with the test device of making a backup of before running the cacls command and then restoring the backup with subinacl but it didn't restore properly from what i can see, "/pace =builtin\users Type=0x0 Flags=0x12 AccessMask=0x4" was removed from the ACL.

I'm not experienced with security descriptors so sorry if it's painfully obvious or i've left details out. I've spent the last 5 days and nights reading what i can to figure out what went wrong and how to fix it using a batch process.

I'm limited to basic scripts (windows xp pro) vb, batch i can use tools from resource kit and to some extent 3rd party utils but again will have to be batch scripted usage.

I have managed to come up with a solution (forgot to post it here).

Using xcacls.vbs with the following Arguments Used:

Filename = "c:\APPSYS\"
/F (All Files under current directory)
/S (All Sub Directories under current directory)
/T (Traverse Directories)
/E (Edit ACL leaving other users intact)
/I (Inheritance)
    ENABLE

This restored the inheritance of the files in the folder back to what they were and for the file which had no ACEs (set to allow everyone) they inherited the required usergroups.

Hope this helps anyone else who got into the same position.