Rob van der Woude's Scripting Pages


SubInACL is a Microsoft utility which can be downloaded for free.

Quoting Microsoft's SubInACL download page:

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

At first sight, SubInACL's help screen may look a bit intimidating:

SubInAcl version 5.2.3790.1180


Usage :
     SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]

 /options    :
    /outputlog=FileName                 /errorlog=FileName
    /noverbose                          /verbose (default)
    /notestmode (default)               /testmode
    /alternatesamserver=SamServer       /offlinesam=FileName
    /expandenvironmentsymbols (default) /noexpandenvironmentsymbols
    /statistic (default)                /nostatistic
    /dumpcachedsids=FileName            /separator=character
    /nocrossreparsepoint (default)      /crossreparsepoint

 /object_type :
    /service            /keyreg             /subkeyreg
    /file               /subdirectories[=directoriesonly|filesonly]
    /clustershare       /kernelobject       /metabase
    /printer            /onlyfile           /process
    /share              /samobject

 /action      :
    /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)

Usage  : SubInAcl   [/option...] /playfile file_name

Usage  : SubInAcl   /help [keyword]
         SubInAcl   /help /full
    keyword can be :
    features  usage syntax sids  view_mode test_mode object_type
    domain_migration server_migration substitution_features editing_features
         - or -
    any [/option] [/action] [/object_type]

Note, however, that this is only the initial help screen!
Each command line switch has its own help screen, which can be summoned using the command SUBINACL /help /switch.

For example, SUBINACL /help /grant will call the following help screen:

SubInAcl version 5.2.3790.1180



     will add a Permission Ace for the user.
     if Access is not specified, the Full Control access will be granted.

       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

       F : Full Control
       R : Read
       C : Change

       F : Full Control
       M : Manage Documents
       P : Print

       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

       F : Full Control
       R : Read
       C : Change

       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum keys- MD_ACR_ENUM_KEYS
       D : write Dac- MD_ACR_WRITE_DAC

       F : Full Control
       R : Read
       W : Write
       X : eXecute

       F : Full Control
       W : Write
       R : Read
       X : Execute

Some examples of granting access permissions:

To check permissions, remove the /grant switch: if no "action" is specified, the default /display is used.
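
The following batch file is an added example, not taken from the original page: it grants an account only the rights to query, start and stop one service, using the /testmode, /outputlog and /display switches from the help screen above. The service name, account name and log file name are placeholders chosen for illustration, and the rights letters S, T and O come from the list in the /grant help screen that contains "Start Service" and "Stop Service".

```batch
@ECHO OFF
SETLOCAL

REM Added example. Placeholders (assumptions): change before use.
SET "Service=Spooler"
SET "Account=EXAMPLEDOMAIN\svc-operator"

REM Least privilege: S = Query Service Status, T = Start Service, O = Stop Service.
REM Omitting "=Access" altogether would grant Full Control (see the /grant help text).
SET "Rights=STO"

REM 1. Save the current security descriptor in SDDL form, so the change
REM    can be reviewed afterwards and the old state is on record.
subinacl /outputlog=%Service%_before.log /service %Service% /display=sddl

REM 2. Dry run: /testmode reports what would be changed without applying it.
subinacl /testmode /service %Service% /grant=%Account%=%Rights%

ECHO.
ECHO Review the test mode output above. Press Ctrl+C to abort,
PAUSE

REM 3. Apply the grant for real (/notestmode is the default).
subinacl /service %Service% /grant=%Account%=%Rights%

REM 4. Verify: same command line without /grant; /display=dacl limits the
REM    output to the permission entries.
subinacl /service %Service% /display=dacl

ENDLOCAL
```

Run it from an elevated command prompt, with subinacl.exe in the current directory or in the PATH.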


page last modified: 2018-04-14