SubInAcl is a useful utility for setting permissions on registry keys.
Here is a simple example of how to grant permissions on a registry key (the first command covers the key and its subkeys, the second the key alone):
subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt
subinacl.exe /keyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika /grant=administrators=f /grant=system=f /grant=users=f /setowner=administrators >> %temp%\subinacl_output.txt
SubInAcl can be downloaded from the Internet.
More detailed usage follows; adapt it to your requirements. The tool has many features.
Please comment on what you used and whether it worked, and help others by posting your real-world examples.
Usage :
SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]
/options :
/outputlog=FileName /errorlog=FileName
/noverbose /verbose (default)
/notestmode (default) /testmode
/alternatesamserver=SamServer /offlinesam=FileName
/stringreplaceonoutput=string1=string2
/expandenvironmentsymbols (default) /noexpandenvironmentsymbols
/statistic (default) /nostatistic
/dumpcachedsids=FileName /separator=character
/applyonly=[dacl,sacl,owner,group]
/nocrossreparsepoint (default) /crossreparsepoint
/object_type :
/service /keyreg /subkeyreg
/file /subdirectories[=directoriesonly|filesonly]
/clustershare /kernelobject /metabase
/printer /onlyfile /process
/share /samobject
/action :
/display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
/setowner=owner
/replace=[DomainName\]OldAccount=[DomainName\]New_Account
/accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
/changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
/migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
/findsid=[DomainName\]Account[=stop|continue]
/suppresssid=[DomainName\]Account
/confirm
/ifchangecontinue
/cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
/testmode
/accesscheck=[DomainName\]Username
/setprimarygroup=[DomainName\]Group
/grant=[DomainName\]Username[=Access]
/deny=[DomainName\]Username[=Access]
/sgrant=[DomainName\]Username[=Access]
/sdeny=[DomainName\]Username[=Access]
/sallowdeny=[DomainName\]Username[=Access]
/revoke=[DomainName\]Username
/perm
/audit
/compactsecuritydescriptor
/pathexclude=pattern
/objectexclude=pattern
/sddl=sddl_string
/objectcopysecurity=object_path
/pathcopysecurity=path_container
Usage : SubInAcl [/option...] /playfile file_name
Usage : SubInAcl /help [keyword]
SubInAcl /help /full
keyword can be :
features usage syntax sids view_mode test_mode object_type
domain_migration server_migration substitution_features editing_features
- or -
any [/option] [/action] [/object_type]
SYNTAX
------
describe SubInAcl syntax
The SubInAcl syntax is analogous to the UNIX find tool.
For each object, SubInAcl :
1. retrieves the security descriptor of the object
2. applies the /action(s). The /actions are executed in the order of
the command line
3. If :
- the security descriptor has been modified and
- the /testmode switch has not been specified
the changes are applied to the object
For instance :
- SubInAcl /outputlog=result.txt /subdirectories \\Server\c$\temp\*.*
/grant=Dom\John=F /noverbose /display
For each file below \\Server\c$\temp, SubInAcl will
- open the file
- grant full control for dom\john
- display the security setting in noverbose mode
- save the security descriptor.
All outputs will be saved in result.txt
You can specify as many /actions as you wish. You must specify at least 3
characters for each action.
The command line is not case-sensitive
Ex: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display
For each *.txt file, SubInAcl will:
- replace John with Smith
- display the whole security descriptor
- apply the changes if any
SubInAcl error messages are sent to the Standard error.
You can use the /output switch to save both outputs
and errors in the same file.
FEATURES
--------
describes SubInAcl main features
SubInAcl was designed to help administrators to manage security on
various objects.
It provides :
- a unified way to manipulate security for different kinds of objects
(files, registry keys, services, printer,...)
- a console tool that allows you to write scripts to automate
security tasks
- some features that help administrators to modify security if some
changes occur in their organization:
- user, group deletions (/suppresssid, /cleandeletedsidsfrom )
- user, group migrations (/replace , /accountmigration)
- domain, server migration (/changedomain, /migratetodomain)
...
- security descriptor editing features :
- owner ( /setowner )
- primary group ( /setprimarygroup )
- permissions ( /grant , /deny , /revoke )
- audit ( /sgrant, /sdeny, /sallowdeny)
- access to remote objects
- save and restore permissions (/playfile , /outputlog , /display )
You need the SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege,
SeTakeOwnershipPrivilege and SeChangeNotifyPrivilege privileges
(locally or remotely) to run this tool
Type SubInAcl /help to get extended help
SIDS
----
sids : explain how SubInAcl retrieves and translates SIDs
The security descriptor references users and groups with a SID (Security
Identifier). A SID can be expressed in one of the following forms:
+ DomainName\Account (ex: DOM\Administrators )
+ StandaloneServer\Group
+ Account ( see LookupAccount API )
+ S-1-x-x-x-x, where each x is expressed in decimal
(ex: S-1-5-21-56248481-1302087933-1644394174-1001)
Warning : In that case, no check is done to verify the existence
of this SID.
SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name"
translation network cost.
SubInAcl queries the server where the resource object is located to
translate or retrieve SIDs. If needed, you can specify another SAM
server to translate SIDs (see /alternatesamserver).
If you try to replace SIDs and the originated domain or server is not online,
you can provide a file containing the needed SIDs (see /offlinesam).
You can dump the local cache of SIDs in a file (see /dumpcachedsids).
VIEW_MODE
---------
/noverbose /verbose
SubInAcl can be used in a quiet mode (/noverbose) or in verbose mode
(/verbose, the default)
You can specify these switches either :
- for the entire command line :
SubInAcl /noverbose /file *.dat /display
- after a specific action :
SubInacl /file *.dat /display /noverbose /display
TEST_MODE
---------
/testmode /notestmode (default)
If /testmode is specified, the changes will not be reflected to the object
security descriptor. This option is useful to test the validity of a command.
Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB
/ifchangecontinue /noverbose /display /testmode
For each file modified, this command displays the modified security
descriptor, but these changes are not physically applied to the files
OBJECT_TYPE
-----------
/file /subdirectories /onlyfile /keyreg /subkeyreg /service /share /clustershare /printer
/kernelobject /metabase /process /samobject
SubInAcl can work with various objects:
- Files :
/file
/subdirectories
/onlyfile
- Registry keys :
/keyreg
/subkeyreg
- Services :
/service
- Shares :
/share
/clustershare
- Printer :
/printer
- Kernel named objects :
/kernelobject
- IIS administration rights :
/metabase
- Process :
/process
- Sam :
/SamObject
The actions are valid for all objects
Most of them support the enumeration with the * character
DOMAIN_MIGRATION
----------------
explain how to migrate security between domain SIDs
The main purpose of SubInAcl is to help administrators to migrate user(s)
if the domain architecture has changed.
For instance, the user John has moved and is now member of the DOMB domain.
You can reflect this change with :
SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\John
N.B: A trust relationship must be enabled between the domain of the server and
OldDomain and NEWDOMAIN
N.B: If a trust relationship cannot be enabled, you can use
/alternatesamserver=Server, where Server should be the name of a domain
controller
Sample :
You have worked with a unique domain.
You want to migrate a BDC named MIGRCONTROL, with all the files and
users it holds, to a new domain
1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files)
2. Create the users on NEWDOMAIN
3. Create a "trusted relationship" with OLDDOMAIN
4. Run SubInAcl /noverbose /subdirectories x:\*.*
/changedomain=OLDDOMAIN=NEWDOMAIN
5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.*
Sample :
You have worked with a standalone server named SERVER in a workgroup
environment. You want to move this server (including users) to a domain DOM.
1. Move SERVER to the domain DOM
2. Create the users in the DOM domain
3. SubInAcl /noverbose /subdirectories \\server\share
/changedomain=SERVER=DOM
See /changedomain /migratedomain /replace actions
SERVER_MIGRATION
----------------
explain how to migrate SIDs when objects are moved from one server to another one
Migrating file system from one local server to another local server is not
a trivial task. SubInAcl Version 2.2 has been enhanced to help this migration
process.
To migrate file system files from one local server and to preserve security,
you can perform the following steps:
1. use scopy to copy files and ACLs on destination server
2. create local groups on the destination server
3. Use /changedomain or /changedomain with the /alternatesamserver option :
By default SubInAcl queries the server where the objects are located to
retrieve SIDS. This server is not aware of the SIDs valid on another
standalone server
To address this issue, you can use the /alternatesamserver option to ask
SubInAcl to use the alternate SAM server if a SID resolution is
not successful on the initial server.
Sample :
SubInAcl /alternatesamserver=SourceServer /subdirect
\\DestServer\Share\*.*
/migratedomain=SourceServer=DestServer
See /alternatesamserver /migratedomain /offlinesam
EDITING_FEATURES
----------------
how to edit parts of the security descriptor
SubInAcl allows you to modify each part of a security descriptor :
- owner
see /owner=SID or /setowner=SID
- primary group
see /setprimarygroup=GroupSID
- system ACL (SubInAcl name = Audit ACL) with Access Control Entries
(SubInAcl name= AAce = Audit ACE)
see /audit /sgrant /sdeny /sallowdeny
- discretionary ACL (SubInAcl name = Perm ACL ) with Access Control Entries
(SubInAcl name= PAce = Perm ACE)
see /perm /pace=xxx /revoke=SID /grant=SID=Access /deny=SID=access
/sgrant=SID=Access /sdeny=SID=access
/sallowdeny=SID=access
- or the full security descriptor
see /sddl=sddl_string
/SERVICE
--------
/service service_name
manipulate service
- \\ServerName\Messenger
- \\ServerName\M*
- Messenger
N.B: /driver can be used also.
/driver * will display all drivers
/service * will display all services
/KEYREG
-------
/keyreg registry_key
manipulate registry keys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath
/SUBKEYREG
----------
/subkeyreg registry_key
manipulate registry keys and subkeys
- HKEY_CURRENT_USER\Software
- HKEY_CURRENT_USER\Software\*Version
- \\Srv\HKEY_LOCAL_MACHINE\KeyPath
/FILE
-----
/file filename
manipulate files
N.B: SubInAcl is not supported on DFS volumes
- *.obj
- c:\temp\*.obj
- \\servername\share\*.exe
- c:\
/file=directoriesonly will apply parameters on directories only
/file=filesonly will apply parameters on files only
/SUBDIRECTORIES
---------------
/subdirectories file_path
manipulate files in specified directory and all subdirectories
- c:\temp\*.obj : work with all obj files
- c:\temp\test : work with all test files below the c:\temp directory
- c:\temp\test\*.* : work with all files below temp\test
- c:\temp\test\ : work with all files below temp\test
/subdirectories=directoriesonly will apply parameters on directories only
/subdirectories=filesonly will apply parameters on files only
/ONLYFILE
---------
/onlyfile file_name
open a file without using the FindFilexxx mechanism.
Can be used to access named pipes or mailslot
- \\.\pipe\pipename
/SAMOBJECT
----------
/samobject samobject
allow to access ACL associated to SAM objects(users,localgroup,globalgroup).
Can be used to allow a local group (alias) created by one Power Users member on a member
server to be updated by another Power Users member
- \\samserver\localgroup
- \\samserver\*users*
- *group*
- Subinacl /samobject \\sams\testgroup /grant=poweruser1=f
/SHARE
------
/share file_share_name
access a network file share.
- \\server\share
- \\server\test*
/CLUSTERSHARE
-------------
/clustershare \\clustername\fileshareresource
access a cluster file share resource.
- \\clustername\FileShare_Resource_Name
- \\clustername\s*
/KERNELOBJECT
-------------
/kernelobject kernel_object_name
access a named kernel object.
Can be used to view mutex, sections, events objects
/PROCESS
--------
/process pid_or_executable_pattern
access a process object.
- notepad.* or pid_in_decimal
/METABASE
---------
/metabase metabase_path
access to IIS metabase AdminACL metabase property
Note that this property can only be used with these Metabase paths
/LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/
This object doesn't support enumeration.
- SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F
/PRINTER
--------
/printer printername
access a printer
- \\server\printer1
- \\server\*
/DISPLAY
--------
/display[=dacl|sacl|owner|primarygroup|sdsize|sddl]
display the security descriptor
You can also view part of the security descriptor. /display=dacl will
display the discretionary acl. /display=sddl will display the security
using the Win32 SDDL security descriptor string format (see Platform SDK)
The /noverbose display can be used to reapply the security descriptor
(see /playfile)
/PLAYFILE
---------
/playfile playfile
The /playfile feature allows SubInacl to run in a batch mode.
The format of the playfile command file is :
+ object_type object_name
/action[=parameter]...
/action[=parameter]...
+object_type object_name
/action[=parameter]...
SubInacl /playfile=playfile.txt with the playfile :
+subdirec *.txt
/grant=everyone=R
+service RkillSrv
/display
will give the same result as
SubInAcl /subdirectories *.txt /grant=everyone=R
SubInAcl /service RkillSrv /display
One typical usage of the playfile feature is to allow to reapply security settings
saved previously because the output format of the noverbose /display is a playfile
compatible format:
1.a) SubInAcl /noverbose /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display
This command saves all security settings for the files on C: drive.
Sids will be saved in the Domain\user string format
The /display option in a noverbose mode uses an output playfile compatible format
or
1.b) SubInAcl /error=d:\Err.txt /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display=sddl
This command saves all security settings using the Win32 SDDL format.
Sids will be saved in the S-1-x-x form. This will not require SubInacl to translate Sids
This may minimize the elapsed time and resource usage
2) SubInAcl /playfile d:\SubInaclSave.txt
This command will reapply the previously saved settings.
One other advantage of using a playfile is to improve performance and save network
bandwidth because SubInacl maintains a local cache of SIDs.
For instance if you issue :
SubInacl /subdirectories c:\*.* /migrate=domain1=domain2
And
SubInacl /subdirectories d:\*.* /migrate=domain1=domain2
Batching these commands will reduce the network usage bandwidth and improve
performance because SID TO HUMAN NAME resolution process will be reduced.
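As an added example (not code from the original post or from SubInAcl; the function names are mine), the following Python helper writes and reads files in the playfile format described above. It lets the separate commands of the example be batched into one SubInAcl run, which is the case the page makes for playfiles: one process, one SID cache.

```python
"""Write and read SubInAcl playfiles (the /playfile batch format).

Added example, not SubInAcl code; the function names are mine.
"""


def write_playfile(commands):
    """commands: [(object_type, object_name, [action, ...]), ...] -> playfile text.

    Each entry becomes a '+object_type object_name' line followed by one
    '/action[=parameter]' line per action, as in the format shown above.
    """
    lines = []
    for object_type, object_name, actions in commands:
        lines.append(f"+{object_type} {object_name}")
        for action in actions:
            if not action.startswith("/"):
                raise ValueError(f"action {action!r} must start with '/'")
            lines.append(action)
    return "\n".join(lines) + "\n"


def read_playfile(text):
    """Parse playfile text back into (object_type, object_name, [actions]) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+"):
            head = line[1:].split(None, 1)
            if len(head) != 2:
                raise ValueError(f"line {lineno}: expected '+object_type object_name'")
            entries.append((head[0], head[1], []))
        elif line.startswith("/"):
            if not entries:
                raise ValueError(f"line {lineno}: action before any '+object_type' line")
            entries[-1][2].append(line)
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return entries


def to_command_lines(entries):
    """The equivalent stand-alone command lines, one SubInAcl invocation per entry."""
    return [f"SubInAcl /{t} {n} " + " ".join(a) for t, n, a in entries]


if __name__ == "__main__":
    # Constructed sample: the two migrate commands from the text, batched.
    text = write_playfile([
        ("subdirectories", r"c:\*.*", ["/migratetodomain=domain1=domain2"]),
        ("subdirectories", r"d:\*.*", ["/migratetodomain=domain1=domain2"]),
    ])
    print(text)
    for cmd in to_command_lines(read_playfile(text)):
        print(cmd)
```

The round trip (write, read, expand to command lines) is a cheap way to review a generated playfile before handing it to /playfile, especially one produced by a script rather than by hand.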
/OUTPUTLOG
----------
/outputlog=filename
all output will be sent to filename. Use the /errorlog switch to
redirect all errors to a different file
/ERRORLOG
---------
/errorlog=filename.txt
all errors will be sent to filename.txt
/ALTERNATESAMSERVER
-------------------
/alternatesamserver=Server
SubInAcl queries the Server where the object is located to lookup Sids.
Under some circumstances, you may need (see server_migration or
domain_migration) to retrieve SIDs from another server. If a SID resolution is
unsuccessful, this option allows SubInAcl to query the alternate SAM server.
/OFFLINESAM
-----------
/offlinesam=FileName
By default, SubInAcl queries the Server where the object is located to lookup
SIDs. Under some circumstances (a migration where the source server is offline,
a domain that is no longer available, or a wish to avoid network round trips
for SID retrieval), you may allow SubInAcl.exe to retrieve SIDs from
the FileName file.
File format is :
__cachefileonly__=s-1-9-cacheonly
domain\simon=S-1-5-21-1190502449-1716722630-1654032285-1105
nat\julien=S-1-5-21-1060284298-436374069-1708537768-1005
where domain\simon and nat\julien can be a domain account or server account.
With the __cachefileonly__ line in the file, SubInAcl.exe will not query
SAM Server(s) anymore. All needed SIDs should be found in the SAM
cache file
/DUMPCACHEDSIDS
---------------
/dumpcachedsids=FileName
At the end of the SubInAcl execution,
you can dump the contents of the local SID cache to a file.
This file can later be used for future SubInAcl executions (see
/offlinesam) to speed up the SID resolution process.
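The following Python script is an added example (not SubInAcl code and not from the original post) covering the /offlinesam and /dumpcachedsids sections above. It parses the offline SAM file format shown (account=SID lines plus the optional __cachefileonly__ marker), validates SIDs against the S-1-x-x... form from the SIDS section, and mimics the lookup order the page describes: local cache first, then the SAM server unless the file is cache-only. The SAM server query is a constructed dictionary standing in for the real LookupAccountName call; the class and function names are mine.

```python
"""Parse /offlinesam SID cache files and mimic SubInAcl's lookup order.

Added example, not SubInAcl code. The SAM server query is a constructed
stand-in (a callable over a dict) for the real LookupAccountName call.
"""
import re

# s-1-x-x-x-x with each x in decimal (SIDS section); case-insensitive.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)
CACHE_ONLY_MARKER = "__cachefileonly__"


def load_sid_cache(text):
    """Return (name->SID mapping, cache_only flag) from /offlinesam file text."""
    mapping, cache_only = {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, sid = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected account=SID, got {line!r}")
        name, sid = name.strip(), sid.strip()
        if name.lower() == CACHE_ONLY_MARKER:
            cache_only = True   # its value (s-1-9-cacheonly) is a marker, not a real SID
            continue
        if not SID_RE.match(sid):
            raise ValueError(f"line {lineno}: {sid!r} is not an S-1-x-x... SID")
        mapping[name.lower()] = sid.upper()   # account names are case-insensitive
    return mapping, cache_only


class SidResolver:
    """Cache first; then the SAM server, unless the file was marked cache-only."""

    def __init__(self, cache, cache_only, sam_server_lookup):
        self.cache = dict(cache)
        self.cache_only = cache_only
        self.lookup = sam_server_lookup   # callable: account -> SID string or None
        self.server_queries = 0           # network round trips actually made

    def resolve(self, account):
        key = account.lower()
        if key in self.cache:
            return self.cache[key]
        if self.cache_only:
            raise LookupError(f"{account}: not in the offline SAM file and "
                              "server queries are disabled")
        self.server_queries += 1
        sid = self.lookup(account)
        if sid is None:
            raise LookupError(f"{account}: unknown on the SAM server")
        self.cache[key] = sid.upper()
        return self.cache[key]

    def dump(self):
        """Cache contents in /dumpcachedsids form, reusable as a later /offlinesam file."""
        return "".join(f"{name}={sid}\n" for name, sid in sorted(self.cache.items()))


if __name__ == "__main__":
    # Constructed sample: the two accounts from the page plus one that is only
    # known to the (simulated) SAM server.
    sample = ("domain\\simon=S-1-5-21-1190502449-1716722630-1654032285-1105\n"
              "nat\\julien=S-1-5-21-1060284298-436374069-1708537768-1005\n")
    server = {"nat\\marie": "S-1-5-21-1060284298-436374069-1708537768-1006"}
    cache, only = load_sid_cache(sample)
    r = SidResolver(cache, only, lambda a: server.get(a.lower()))
    print(r.resolve("NAT\\Julien"), r.server_queries)   # cache hit, no query
    print(r.resolve("nat\\marie"), r.server_queries)    # one server query
    print(r.dump(), end="")                             # three lines, reusable
```

A practical check before a migration run: load the file you intend to pass as /offlinesam with load_sid_cache, so a malformed SID or a missing account is reported up front rather than surfacing as an unresolved SID half-way through a large tree.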
/SETOWNER
---------
/setowner=SID
will change the owner of the object
/owner=SID or /setowner=SID
owner = DomainName\Administrators will retrieve the Administrators Sid on
the server where the object is (see Win32 SDK LookupAccountName function).
/REPLACE
--------
/replace=DomainName\OldAccount=DomainName\New_Account
replace all ACEs (Audit and Permissions) in the object
Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will replace
all ACEs containing DOM_MARKETING\ChairMan with the NewChairMan SID
retrieved from the NEWDOM domain
Warning: if DomainName\New_Account already has an ACE, the ACE replacement is
skipped
/ACCOUNTMIGRATION
-----------------
/accountmigration=DomainName\OldAccount=DomainName\New_Account
(see /replace)
will :
- replace owner or primary group if one of them is DomainName\OldAccount.
- duplicate ACE(s) with reference to DomainName\OldAccount for New_Account
Ex: /accountmigration=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will
duplicate all ACEs containing DOM_MARKETING\ChairMan with the NewChairMan SID
retrieved from the NEWDOM domain
Warning : if DomainName\New_Account already has an ACE, the ACE replacement is
skipped
/CLEANDELETEDSIDSFROM
---------------------
/cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]
delete all ACEs containing deleted (no longer valid) SIDs from DomainName
You can specify which part of the security descriptor will be scanned
(default=all)
If the owner is deleted, new owner will be the Administrators group.
If the primary group is deleted, new primary group will be the Users group.
/CHANGEDOMAIN
-------------
/changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
replace all ACEs with a SID from OldDomainName
with the equivalent SID found in NewDomainName
Ex: /changedomain=DOM_MARKETING=NEWDOMAIN
replace all ACEs containing DOM_MARKETING\ChairMan SID
with the ChairMan's SID retrieved on NEWDOMAIN computer
The NEWDOMAIN must have a trusted relationship with the server
containing the object
If you want to explicitly specify the users affected , you can specify a
mapping file. The MappingFile file will allow you to specify the list of
users affected and the name of the replacing user in the NewDomain
Below a sample of a MappingFile
simon=julien
administrator=administrator
OldDomainName\Simon will be replaced by NewDomainName\Julien and
OldDomainName\Administrator will be replaced with
NewDomainName\Administrator
If you use the /changedomain=OldDomainName=NewDomainName=MappingFile notation,
only users defined in this file will be migrated.
If you use /changedomain=OldDomainName=NewDomainName=MappingFile=Both,
the mapping file will be examined first to determine if a mapping user
exists. If not, SubInacl will try to find the equivalent user in
NewDomainName
/MIGRATETODOMAIN
----------------
/migratetodomain=FromDomainName=ToDomainName[=MappingFile[=Both]]
same behavior as /changedomain except that new ACEs are added instead
of replacing the existing ones
Ex: /migratetodomain=DOM1=DOM2
each ace with DOM1\User will be duplicated with DOM2\User
(If DOM2\User exists)
If during the migration there was a serious oversight
you can instruct the user to log back onto DOM1.
N.B: Owner and Primary Group are migrated to DOM2
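The following Python script is an added example (not SubInAcl code and not from the original post) that simulates the ACE rewriting described for /changedomain and /migratetodomain above: plain same-name migration, MappingFile-only migration, the =Both fallback, and the replace-versus-duplicate difference between the two actions. The set of accounts that exist in the new domain is a constructed stand-in for the lookups SubInAcl performs against NewDomainName; the function names are mine.

```python
"""Simulate /changedomain and /migratetodomain ACE rewriting.

Added example, not SubInAcl code. The account set of the new domain is a
constructed stand-in for the LookupAccountName queries SubInAcl really makes.
"""


def parse_mapping_file(text):
    """MappingFile lines are 'OldAccount=NewAccount'; names compare case-insensitively."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        old, sep, new = line.partition("=")
        if not sep or not old.strip() or not new.strip():
            raise ValueError(f"line {lineno}: expected OldAccount=NewAccount, got {line!r}")
        mapping[old.strip().lower()] = new.strip()
    return mapping


def _target_name(name, mapping, both):
    """Account name to look for in the new domain, or None to leave the ACE alone."""
    if mapping is None:                  # /changedomain=OLD=NEW : same name
        return name
    mapped = mapping.get(name.lower())   # ...=MappingFile : mapped users only
    if mapped is not None:
        return mapped
    return name if both else None        # ...=MappingFile=Both : fall back to same name


def migrate_aces(aces, old_domain, new_domain, new_domain_accounts,
                 mapping=None, both=False, duplicate=False):
    """Rewrite (account, access) ACEs from old_domain to new_domain.

    duplicate=False gives /changedomain behaviour (the ACE is replaced);
    duplicate=True gives /migratetodomain behaviour (the old ACE is kept and a
    new one added). An ACE whose target does not exist in new_domain is kept
    unchanged ("If DOM2\\User exists" in the text above).
    Returns the new ACE list and one log line per ACE from old_domain.
    """
    existing = {a.lower() for a in new_domain_accounts}
    result, log = [], []
    for account, access in aces:
        domain, _, name = account.partition("\\")
        if domain.lower() != old_domain.lower():
            result.append((account, access))   # not from the old domain: untouched
            continue
        target = _target_name(name, mapping, both)
        if target is None:
            log.append(f"{account}: not in mapping file, ACE kept")
            result.append((account, access))
            continue
        candidate = f"{new_domain}\\{target}"
        if candidate.lower() not in existing:
            log.append(f"{account}: {candidate} does not exist, ACE kept")
            result.append((account, access))
            continue
        if duplicate:
            result.append((account, access))
            log.append(f"{account}: duplicated as {candidate}")
        else:
            log.append(f"{account}: replaced by {candidate}")
        result.append((candidate, access))
    return result, log


if __name__ == "__main__":
    # Constructed sample: ACEs on one file, the mapping file from the page, and
    # the accounts assumed to exist in NEWDOMAIN.
    aces = [("OLDDOMAIN\\Simon", "F"), ("OLDDOMAIN\\Administrator", "F"),
            ("OLDDOMAIN\\Guest", "R"), ("BUILTIN\\Users", "R")]
    mapping = parse_mapping_file("simon=julien\nadministrator=administrator\n")
    new_accounts = ["NEWDOMAIN\\Julien", "NEWDOMAIN\\Administrator", "NEWDOMAIN\\Guest"]
    for mode in ({}, {"mapping": mapping}, {"mapping": mapping, "both": True},
                 {"duplicate": True}):
        out, log = migrate_aces(aces, "OLDDOMAIN", "NEWDOMAIN", new_accounts, **mode)
        print(mode, out, log, sep="\n  ")
```

Running the four modes side by side shows why /migratetodomain is the safer first step in a migration: the old ACEs survive, so a user whose new-domain account was mapped wrongly can still log on to the old domain, exactly the fallback the text above describes.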
/FINDSID
--------
/findsid=DomainName\Account[=stop|continue]
display the object name containing a reference to DomainName\Account
in the security descriptor
stop - if Account is found, next parameters will be skipped
and changes will not be applied
- if Account is not found, next parameter will be executed
continue - if Account is found, next parameters will be executed
- if Account is not found, next parameters will be skipped
and changes will not be applied
/SUPPRESSSID
------------
/suppresssid=DomainName\Account
suppress all ACEs containing the DomainName\Account SID.
If the object's owner is DomainName\Account, the owner is set to
Everyone's SID.
/PERM
-----
/perm
suppress all existing permission ACEs (PACEs)
/AUDIT
------
/audit
suppress all existing auditing ACEs (AACEs)
/IFCHANGECONTINUE
-----------------
/ifchangecontinue
continue to process the next actions only if some changes have been
made in the previous actions
/TESTMODE
---------
/testmode
changes will not be applied to the object. This allows you to test the
modifications
/ACCESSCHECK
------------
/accesscheck=Domain\Username
display the access granted to the Domain\Username. The password will
be asked. This option requires the SeTcbName privilege (Act as Part
of the Operating System). This option cannot be used with remote object.
Note : the access is checked with the NETWORK security identity
granted to the Domain\UserName
/SETPRIMARYGROUP
----------------
/setprimarygroup=[DomainName\]Group
change the primary group
/DENY
-----
/deny=[DomainName\]User[=Access]
add a denied Permission Ace for the specified User (or group)
If Access is not specified, all accesses will be denied.
File:
F : Full Control
C : Change
R : Read
P : Change Permissions
O : Take Ownership
X : eXecute
E : Read eXecute
W : Write
D : Delete
ClusterShare:
F : Full Control
R : Read
C : Change
Printer:
F : Full Control
M : Manage Documents
P : Print
KeyReg:
F : Full Control
R : Read
A : ReAd Control
Q : Query Value
S : Set Value
C : Create SubKey
E : Enumerate Subkeys
Y : NotifY
L : Create Link
D : Delete
W : Write DAC
O : Write Owner
Service:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
Share:
F : Full Control
R : Read
C : Change
Metabase:
F : Full Control
R : Read - MD_ACR_READ
W : Write - MD_ACR_WRITE
I : Restricted Write - MD_ACR_RESTRICTED_WRITE
U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
E : Enum keys- MD_ACR_ENUM_KEYS
D : write Dac- MD_ACR_WRITE_DAC
Process:
F : Full Control
R : Read
W : Write
X : eXecute
SamObject:
F : Full Control
W : Write
R : Read
X : Execute
/REVOKE
-------
/revoke=[DomainName\]User
suppress all Permission Ace(s) for the specified User (or group)
/GRANT
------
/grant=[DomainName\]User[=Access]
will add a Permission Ace for the user.
if Access is not specified, the Full Control access will be granted.
The Access letters are the same as those listed under /DENY above.
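The following Python script is an added example (not code from SubInAcl or from the original post; the function names are mine) that checks a SubInAcl command line such as the registry example at the top of the page before it is run. It resolves abbreviated, case-insensitive switches as the SYNTAX section describes and validates every /grant, /deny, /sgrant, /sdeny and /sallowdeny access string against the per-object-type letters from the table under /DENY, which the grant and audit actions share. The switch and letter lists are transcribed from this page. With the table at hand it is also easy to grant a non-administrative group the narrowest letters it needs (for example R on a registry key) rather than the F that the intro example gives the Users group.

```python
"""Check a SubInAcl command line against the syntax rules on this page.

Added helper, not part of SubInAcl. Switch names are case-insensitive and may
be abbreviated to their first three or more characters (SYNTAX section); the
access letters come from the table under /DENY, which /grant, /sgrant, /sdeny
and /sallowdeny share.
"""

OBJECT_TYPES = ("file", "subdirectories", "onlyfile", "keyreg", "subkeyreg",
                "service", "share", "clustershare", "printer", "kernelobject",
                "metabase", "process", "samobject")
OPTIONS = ("outputlog", "errorlog", "noverbose", "verbose", "notestmode",
           "testmode", "alternatesamserver", "offlinesam",
           "stringreplaceonoutput", "expandenvironmentsymbols",
           "noexpandenvironmentsymbols", "statistic", "nostatistic",
           "dumpcachedsids", "separator", "applyonly", "nocrossreparsepoint",
           "crossreparsepoint")
ACTIONS = ("display", "setowner", "replace", "accountmigration", "changedomain",
           "migratetodomain", "findsid", "suppresssid", "confirm",
           "ifchangecontinue", "cleandeletedsidsfrom", "testmode", "accesscheck",
           "setprimarygroup", "grant", "deny", "sgrant", "sdeny", "sallowdeny",
           "revoke", "perm", "audit", "compactsecuritydescriptor", "pathexclude",
           "objectexclude", "sddl", "objectcopysecurity", "pathcopysecurity",
           "noverbose", "verbose")
ACE_ACTIONS = ("grant", "deny", "sgrant", "sdeny", "sallowdeny")
FILE_LETTERS = "FCRPOXEWD"
ACCESS_LETTERS = {  # transcribed from the access table under /DENY
    "file": FILE_LETTERS, "subdirectories": FILE_LETTERS, "onlyfile": FILE_LETTERS,
    "clustershare": "FRC", "share": "FRC", "printer": "FMP",
    "keyreg": "FRAQSCEYLDWO", "subkeyreg": "FRAQSCEYLDWO",
    "service": "FRWXLQSECTOPIU", "metabase": "FRWIUED",
    "process": "FRWX", "samobject": "FWRX",
}


def resolve(name, candidates):
    """Expand an abbreviated switch; None if unknown, shorter than 3 chars, or ambiguous."""
    low = name.lower()
    if len(low) < 3:
        return None
    if low in candidates:
        return low
    matches = [c for c in candidates if c.startswith(low)]
    return matches[0] if len(matches) == 1 else None


def check_access(result, action, value):
    """Validate [DomainName\\]User[=Access] for the parsed object type."""
    user, sep, access = value.partition("=")
    if not user:
        result["errors"].append(f"/{action} needs a user or group")
    elif sep:  # no Access given means full control / all accesses, always valid
        allowed = ACCESS_LETTERS[result["object_type"]]
        bad = sorted({ch for ch in access.upper() if ch not in allowed})
        if bad:
            result["errors"].append(f"/{action}={value}: letter(s) {''.join(bad)} "
                                    f"not valid for /{result['object_type']}")


def parse_command(cmdline):
    """Split a SubInAcl command line into options, object, actions and errors."""
    tokens = cmdline.split()
    if tokens and tokens[0].lower().startswith("subinacl"):
        tokens = tokens[1:]
    result = {"options": [], "object_type": None, "object_name": None,
              "actions": [], "errors": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            result["errors"].append(f"unexpected token {tok!r}")
            i += 1
            continue
        name, _, value = tok[1:].partition("=")
        if result["object_type"] is None:          # still in the [/option...] part
            obj = resolve(name, OBJECT_TYPES)
            if obj is not None:
                result["object_type"] = obj
                if value:                           # /file=directoriesonly style qualifier
                    result["qualifier"] = value.lower()
                if i + 1 < len(tokens):
                    result["object_name"] = tokens[i + 1]
                else:
                    result["errors"].append(f"/{obj} needs an object name")
                i += 2
                continue
            opt = resolve(name, OPTIONS)
            if opt is None:
                result["errors"].append(f"unknown option /{name}")
            else:
                result["options"].append((opt, value))
        else:                                       # the [/action...] part
            act = resolve(name, ACTIONS)
            if act is None:
                result["errors"].append(f"unknown action /{name}")
            else:
                result["actions"].append((act, value))
                if act in ACE_ACTIONS:
                    check_access(result, act, value)
        i += 1
    if result["object_type"] is None:
        result["errors"].append("no /object_type given")
    return result


if __name__ == "__main__":
    # The registry example from the top of the page, minus the output redirection.
    print(parse_command(r"subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Optika"
                        r" /grant=administrators=f /grant=system=f /grant=users=f"
                        r" /setowner=administrators"))
```

Feed a command through parse_command and refuse to run it while result["errors"] is non-empty; combined with /testmode on the first real run, that catches the two mistakes this tool cannot undo for you: a wrong letter and a wrong object.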
/SALLOWDENY
-----------
/sallowdeny=[DomainName\]User[=Access]
will add a successful and failed (Allow/Failed) Audit ACE for the user and remove all existing
Audit ACEs for this user (or group).
if Access is not specified, the Full Control access mask will be used.
Ex: SubInacl /file c:\windows\explorer.exe /sallowdeny=everyone=R
will set the audit for everyone's successful and failed access
/SGRANT
-------
/sgrant=[DomainName\]User[=Access]
will add a Successful (Allow) Audit ACE for the user and remove all existing
Audit ACEs for this user (or group).
if Access is not specified, the Full Control access mask will be used.
Ex: SubInacl /file c:\windows\explorer.exe /sgrant=everyone=R
will set the audit for everyone's successful access
The Access letters are the same as those listed under /DENY above.
/SDENY
------
/sdeny=[DomainName\]User[=Access]
will add a Failed Audit ACE for the user and remove all existing
Audit ACEs for this user (or group).
if Access is not specified, the Full Control access mask will be used.
The Access letters are the same as those listed under /DENY above.
/OBJECTEXCLUDE
--------------
/objectexclude=pattern
all objects matching the pattern string will be skipped (eXcluded).
The only wildcard valid is *. It can be used everywhere in the string.
Pattern may be a name ( *Name.exe ) or a path ( *dir\subdir\*ToExclude* ).
/PATHEXCLUDE
------------
/pathexclude=pattern
all containers matching the pattern string will not be enumerated.
See /objectexclude
N.B: the Actions specified will not be applied to the container too.
/STATISTIC
----------
/statistic
will display statistics when processing is finished.
/CROSSREPARSEPOINT
------------------
/crossreparsepoint
When processing a file system path, SubInacl will enumerate
files and directories below a reparse point, except if /nocrossreparsepoint
is specified.
/STRINGREPLACEONOUTPUT
----------------------
/stringreplaceonoutput=string1=string2
All occurrences of string1 will be replaced by string2 in subinacl output.
/SDDL
-----
/sddl=sddl_string
specify the Security descriptor for the object using the Win32 security
descriptor definition language (SDDL)
/APPLYONLY
----------
/applyonly=dacl,sacl,owner,group
Some subinacl options may change parts (owner,group,dacl,sacl) of the security descriptor.
You may restrict the change to some parts of the security descriptor only.
For instance /applyonly=dacl,sacl,owner will not modify the primary group field
/PATHCOPYSECURITY
-----------------
/pathcopysecurity=path_container
SubInacl will reset the security descriptor for the object with the same named object
in the container path.
Ex: - SubInacl /file c:\temp\*.txt /pathcopysecurity=d:\test
will replace the security (acls,owner,primarygroup) for c:\temp\1.txt with the security
retrieved from d:\test\1.txt (if this file exists)
-SubInacl /service Messenger /pathcopysecurity=\\Server
will update the security on the service Messenger with the security existing on the remote
messenger service
/OBJECTCOPYSECURITY
-------------------
/objectcopysecurity=object_path
SubInacl will reset the security descriptor of the object with the security
descriptor of the object object_path.
Ex: - SubInacl /file c:\temp\*.txt /objectcopysecurity=d:\test\mask.txt
will replace the security (acls,owner,primarygroup) for all txt files
in c:\temp with the security retrieved from d:\test\mask.txt
With help from this awesome post: http://www.vanstechelman.eu/windows/how_to_use_subinacl
This Blog is for all people working or related to the MSI and App-V. There are lots of issues we face in everyday work regarding the technology. The sole purpose of my blog is to help others with whatever I learn. All you people out there, please help by commenting, voting, propagating and sharing my blog with your friends and colleagues but with due credit and acknowledgement to the material posted here with my name and blog url as I still do hold the copyright of the posts here.