Although there are a few methods to achieve this, the one requiring the least administrative effort is using icACLs.exe.
icACLs is a Windows built-in utility which displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.
The the permission restoration process includes the following steps (the example show restoring permissions for the C:\Windows\System folder):
1. Mount the recovery point with approved NTFS permissions as writable with a short path (i.e. mount it in C:\M)
2. Open a Command Prompt with administrative privileges.
3. Run the following command:
c:\>icACLs "<MountedRecoveryPointFolder>\<folder with good permissions>" /save <ACLfile>.txt /t
example:
c:\>icACLs "C:\M\C__\Windows\System" /save ACLPermissions.txt /t
4. Open the ACLPermissions.txt in Notepad
5. Search and change the first line if necessary from "C:\M\C__\<folder with good permissions>" to “<folder with good permissions>”. (Most likely no change will be needed).
6. Save the file ACLPermissions.txt file and exit.
7. Copy the ACLPermissions.txt on the machine to modify.
8. Run the following command:
C:\>icACLs <Drive>:\<folderabovefoldertorestore> /restore Permissions.txt
example
c:\>icACLs "C:\Windows" /save ACLPermissions.txt /t
9. Dismount the mounted recovery point
The permissions for the folder-to-restore and all its subfolders should be restored now.
More information about icACLs is shown below:
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
stores the DACLs for the files and folders that match the name
into aclfile for later use with /restore. Note that SACLs,
owner, or integrity labels are not saved.
ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
[/C] [/L] [/Q]
applies the stored DACLs to files in directory.
ICACLS name /setowner user [/T] [/C] [/L] [/Q]
changes the owner of all matching names. This option does not
force a change of ownership; use the takeown.exe utility for
that purpose.
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
finds all matching names that contain an ACL
explicitly mentioning Sid.
ICACLS name /verify [/T] [/C] [/L] [/Q]
finds all files whose ACL is not in canonical form or whose
lengths are inconsistent with ACE counts.
ICACLS name /reset [/T] [/C] [/L] [/Q]
replaces ACLs with default inherited ACLs for all matching files.
ICACLS name [/grant[:r] Sid:perm[...]]
[/deny Sid:perm [...]]
[/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
[/setintegritylevel Level:policy[...]]
/grant[:r] Sid:perm grants the specified user access rights. With :r,
the permissions replace any previouly granted explicit permissions.
Without :r, the permissions are added to any previously granted
explicit permissions.
/deny Sid:perm explicitly denies the specified user access rights.
An explicit deny ACE is added for the stated permissions and
the same permissions in any explicit grant are removed.
/remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With
:g, it removes all occurrences of granted rights to that Sid. With
:d, it removes all occurrences of denied rights to that Sid.
/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
ACE to all matching files. The level is to be specified as one
of:
L[ow]
M[edium]
H[igh]
Inheritance options for the integrity ACE may precede the level
and are applied only to directories.
/inheritance:e|d|r
e - enables inheritance
d - disables inheritance and copy the ACEs
r - remove all inherited ACEs