Rob van der Woude's Scripting Pages

SUBINACL

SubInACL is a Microsoft utility which can be downloaded for free.

Quoting Microsoft's SubInACL download page:

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

At first sight, SubInACL's help screen may look a bit intimidating:

SubInAcl version 5.2.3790.1180

USAGE
-----

Usage :
     SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]



 /options    :
    /outputlog=FileName                 /errorlog=FileName
    /noverbose                          /verbose (default)
    /notestmode (default)               /testmode
    /alternatesamserver=SamServer       /offlinesam=FileName
    /stringreplaceonoutput=string1=string2
    /expandenvironmentsymbols (default) /noexpandenvironmentsymbols
    /statistic (default)                /nostatistic
    /dumpcachedsids=FileName            /separator=character
    /applyonly=[dacl,sacl,owner,group]
    /nocrossreparsepoint (default)      /crossreparsepoint

 /object_type :
    /service            /keyreg             /subkeyreg
    /file               /subdirectories[=directoriesonly|filesonly]
    /clustershare       /kernelobject       /metabase
    /printer            /onlyfile           /process
    /share              /samobject

 /action      :
    /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
    /setowner=owner
    /replace=[DomainName\]OldAccount=[DomainName\]New_Account
    /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
    /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
    /migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
    /findsid=[DomainName\]Account[=stop|continue]
    /suppresssid=[DomainName\]Account
    /confirm
    /ifchangecontinue
    /cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
    /testmode
    /accesscheck=[DomainName\]Username
    /setprimarygroup=[DomainName\]Group
    /grant=[DomainName\]Username[=Access]
    /deny=[DomainName\]Username[=Access]
    /sgrant=[DomainName\]Username[=Access]
    /sdeny=[DomainName\]Username[=Access]
    /sallowdeny==[DomainName\]Username[=Access]
    /revoke=[DomainName\]Username
    /perm
    /audit
    /compactsecuritydescriptor
    /pathexclude=pattern
    /objectexclude=pattern
    /sddl=sddl_string
    /objectcopysecurity=object_path
    /pathcopysecurity=path_container

Usage  : SubInAcl   [/option...] /playfile file_name

Usage  : SubInAcl   /help [keyword]
         SubInAcl   /help /full
    keyword can be :
    features  usage syntax sids  view_mode test_mode object_type
    domain_migration server_migration substitution_features editing_features
         - or -
    any [/option] [/action] [/object_type]

Note, however, that this is only the initial help screen!
Each command line switch has its own help screen, which can be displayed with the command SUBINACL /help /switch.

For example, SUBINACL /help /grant will call the following help screen:

SubInAcl version 5.2.3790.1180

/GRANT
------

/grant=[DomainName\]User[=Access]

     will add a Permission Ace for the user.
     if Access is not specified, the Full Control access will be granted.

     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

     Process:
       F : Full Control
       R : Read
       W : Write
       X : eXecute

     SamObject:
       F : Full Control
       W : Write
       R : Read
       X : Execute

Some examples of granting access permissions:

To check permissions, remove the /grant switch: if no "action" is specified, the default /display is used.
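
An added example, not from the original page: a batch file that grants an account only the rights to query, start and stop one service, rather than the Full Control that /grant applies when no access is given. The service name and account are constructed placeholders, and the script assumes an elevated prompt with subinacl.exe on the PATH.

```batch
@echo off
rem Added example, not from the original page.
rem SVC and ACCOUNT are constructed placeholders; run from an elevated prompt.
setlocal
set "SVC=Spooler"
set "ACCOUNT=EXAMPLEDOM\svc-operator"

rem Service access letters taken from the /grant help screen:
rem   S = Query Service Status, T = Start Service, O = Stop Service
rem Omitting "=Access" would grant Full Control, so always spell it out.
set "ACCESS=STO"

rem Keep a copy of the security descriptor as it was before the change.
echo === Saving current SDDL of %SVC% to %SVC%_before.log ===
subinacl /outputlog=%SVC%_before.log /service %SVC% /display=sddl

rem /testmode processes the request without applying it to the object.
echo === Dry run ===
subinacl /testmode /service %SVC% /grant=%ACCOUNT%=%ACCESS%

set "ANSWER="
set /p "ANSWER=Apply this grant to %SVC%? [y/N] "
if /i not "%ANSWER%"=="y" (
    echo Nothing changed.
    goto :eof
)

rem Apply the grant for real.
subinacl /service %SVC% /grant=%ACCOUNT%=%ACCESS%

rem Verify: show the resulting DACL and check that only S, T and O were added.
echo === Resulting DACL of %SVC% ===
subinacl /service %SVC% /display=dacl

rem To undo the change: subinacl /service %SVC% /revoke=%ACCOUNT%
endlocal
```

Comparing the saved SDDL with the final /display output shows exactly which ACE was added for the account.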

 


page last modified: 2018-04-14