-This option may only be given in the normal extraction mode (not NTFS).
-By default, in the normal extraction mode, \fBimagex apply\fR will ignore both
-Windows-style security descriptors and UNIX-specific file owners, groups, and
-modes set when using \fBimagex capture\fR with the \fB--unix-data\fR flag. By
-passing \fB--unix-data\fR to \fBimagex apply\fR instead, this causes this
-UNIX-specific data to be restored when available.
-
+(UNIX only) By default, in the normal extraction mode on UNIX,
+\fB@IMAGEX_PROGNAME@ apply\fR will ignore both Windows-style security
+descriptors and UNIX-specific file owners, groups, and modes set when
+using \fB@IMAGEX_PROGNAME@ capture\fR with the \fB--unix-data\fR flag.
+By passing \fB--unix-data\fR to \fB@IMAGEX_PROGNAME@ apply\fR instead,
+this causes this UNIX-specific data to be restored when available. However, by
+default, if \fB@IMAGEX_PROGNAME@\fR does not have permission to set the UNIX
+owner, group or file mode on an extracted file, a warning will be printed and it
+will not be considered an error condition; use \fB--strict-acls\fR to get
+stricter behavior.
+.TP
+\fB--no-acls\fR
+(Windows only) Do not restore security descriptors on extracted files and directories.
+.TP
+\fB--strict-acls\fR
+On Windows: Fail immediately if the full security descriptor of any file or
+directory cannot be set exactly as specified in the WIM file. The default
+behavior without this option is to fall back to setting a security descriptor
+with the SACL omitted, then only the default inherited security descriptor, if
+we do not have permission to set the desired one. On UNIX: with
+\fB--unix-data\fR, fail immediately if the UNIX owner, group, or file mode on an
+extracted file cannot be set for any reason.
+.TP
+\fB--include-invalid-names\fR
+Extract files and directories with invalid names by replacing characters and
+appending a suffix rather than ignoring them. The meaning of this is
+platform-dependent.
+.IP "" 6
+On UNIX, filenames are case-sensitive and may contain any byte except '\\0' and
+\'/', so on UNIX this option will only have an effect in the unlikely case that
+the WIM image for some reason has a filename containing one of these characters.
+.IP "" 6
+On Windows, filenames are case-insensitive, cannot include the characters '/',
+\'\\0', '\\', ':', '*', '?', '"', '<', '>', or '|', and cannot end with a
+space or period. Ordinarily, files in WIM images should meet these
+conditions as well. However, it is not guaranteed, and in particular a WIM
+image captured with \fB@IMAGEX_PROGNAME@\fR on UNIX could contain such files.
+By default, invalid names will be ignored, and if there are multiple names
+differing only in case, one will be chosen to extract arbitrarily; however,
+with \fB--include-invalid-names\fR, all names will be sanitized and
+extracted in some form.