Documentation

Examples

Download

Project page

Forums

News

Bug reports

Feature requests

Basics

Reference

Command line options
-on		ObjectName
-ot		ObjectType
-actn		Action
-ace		"n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"
-trst		"n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"
-dom		"n1:Domain;n2:Domain;da:DomainAction;w:Where"
-ownr		"n:Trustee;s:IsSID"
-grp		"n:Trustee;s:IsSID"
-rec		Recursion
-op		"dacl:Protection;sacl:Protection"
-rst		Where
-lst		"f:Format;w:What;i:ListInherited;s:DisplaySID"
-bckp		Filename
-log		Filename
-fltr		Keyword
-clr		Where
-silent
-ignoreerr
Command line parameters
ObjectName		Name of the object to process (e.g. "c:\my dir\subdir")
ObjectType		Type of object: file: Directory/file reg: Registry key srv: Service prn: Printer shr: Network share
Action		Action(s) to perform: ace: Process ACEs specified by parameter(s) '-ace' trustee: Process trustee(s) specified by parameter(s) '-trst'. domain: Process domain(s) specified by parameter(s) '-dom'. list: List permissions. A backup file needs to be specified by parameter '-bckp'. Controlled by parameter '-lst'. restore: Restore entire security descriptors backed up using the list function. A file containing the backup has to be specified using the parameter '-bckp'. The listing has to be in SDDL format. setowner: Set the owner to trustee specified by parameter '-ownr'. setgroup: Set the primary group to trustee specified by parameter '-grp'. clear: Clear the ACL of any non-inherited ACEs. The parameter '-clr' controls whether to do this for the DACL, the SACL, or both. setprot: Set the flag 'allow inheritable permissions from the parent object to propagate to this object' to the value specified by parameter '-op'. rstchldrn: Reset permissions on all sub-objects and enable propagation of inherited permissions. The parameter '-rst' controls whether to do this for the DACL, the SACL, or both.
TrusteeAction		Action to perform on the trustee specified: remtrst: Remove all ACEs belonging to trustee specified. repltrst: Replace trustee 'n1' by 'n2' in all ACEs. cpytrst: Copy the permissions for trustee 'n1' to 'n2'.
DomainAction		Action to perform on the domain specified: remdom: Remove all ACEs belonging to trustees of the domain specified. repldom: Replace trustees from domain 'n1' by trustees with the same name from domain 'n2' in all ACEs. cpydom: Copy permissions from trustees from domain 'n1' to trustees with the same name from domain 'n2' in all ACEs. Explanation: For every SID in the ACEs of the ACL(s), the name of the domain and user/group of the corresponding account is looked up. If the domain name is equal to the domain name 'n1' specified, the ACE is deleted in the case of 'remdom'. In the case of 'repldom' or 'cpydom' a user/group of the same name is searched in the domain 'n2' specified. If such a user/group is found, either a new ACE with the same permissions and flags is created ('cpydom'), or the SID in the ACE is replaced with the SID of the user/group in the domain 'n2' specified ('repldom').
Trustee		Name or SID of a trustee (a trustee is a user or a group). Format: a) [(computer | domain)\]name Where: computer: DNS or NetBIOS name of a computer -> 'name' must be a local account on that computer. domain: DNS or NetBIOS name of a domain -> 'name' must be a domain user or group. name: user or group name. If no computer or domain name is given, SetACL tries to find a SID for 'name' in the following order: built-in accounts and well-known SIDs local accounts primary domain trusted domains b) SID string
Domain		Name of a domain (NetBIOS or DNS name).
Permission		Permission to set. Validity of permissions depends on the object type (see below). Comma separated list. Example: 'read,write_ea,write_dacl'
IsSID		Is the trustee name a SID? y: Yes n: No Specifying trustees as SIDs instead of using their names can be very useful in multi-language environments, because SIDs are language-independent, whereas predefined names are not. An example: the group 'administrators' is called 'administratoren' in german Windows versions. If you want your SetACL script to run on servers installed in either language you can use the well-known SID of the group 'administrators'. Well-known SIDs are identical on every system. A list can be found here.
DisplaySID		Display trustee names as SIDs? y: Yes n: No b: Both (names and SIDs)
Inheritance		Inheritance flags for the ACE. This may be a comma separated list containing the following: so: sub-objects sc: sub-containers np: no propagation io: inherit only Example: 'io,so'
Mode		Access mode of this ACE: a) DACL: set: Replace all permissions for given trustee by those specified. grant: Add permissions specified to existing permissions for given trustee. deny: Deny permissions specified. revoke: Remove permissions specified from existing permissions for given trustee. a) SACL: aud_succ: Add an audit success ACE. aud_fail: Add an audit failure ACE. revoke: Remove permissions specified from existing permissions for given trustee.
Where		Apply settings to DACL, SACL, or both (comma separated list): dacl sacl dacl,sacl
Recursion		Recursion settings, depends on object type: a) file: no: No recursion. cont: Recurse, and process directories only. obj: Recurse, and process files only. cont_obj: Recurse, and process directories and files. a) reg: no: Do not recurse. yes: Do Recurse.
Protection		Controls the flag 'allow inheritable permissions from the parent object to propagate to this object': nc: Do not change the current setting. np: Object is not protected, i.e. inherits from parent. p_c: Object is protected, ACEs from parent are copied. p_nc: Object is protected, ACEs from parent are not copied.
Format		Which list format to use: sddl: Standardized SDDL format. Only listings in this format can be restored. csv/own: SetACL's own format. Easier to read than SDDL. tab: SetACL's tabular format.
What		Which components of security descriptors to include in the listing. (comma separated list): d: DACL s: SACL o: Owner g: Primary group Example: 'd,s'
ListInherited		List inherited permissions? y: Yes n: No
Filename		Name of a (unicode) file used for list/backup/restore operations or logging.
Keyword		Keyword to filter object names by. Names containing this keyword are not processed.
Remarks
		Required parameters (all others are optional): -on (Object name) -ot (Object type)
		Parameters that may be specified more than once: -actn (Action) -ace (Access control entry) -trst (Trustee) -dom (Domain) -fltr (Filter keyword)
		Only actions specified by parameter(s) '-actn' are actually performed, regardless of the other options set.
		Order in which multiple actions are processed: restore clear trustee domain ace, setowner, setgroup, setprot rstchldrn list
Valid Permissions
a) Standard permission sets (combinations of specific permissions)
Files / Directories		read: Read write: Write list_folder: List folder read_ex: Read, execute change: Change profile: = change + write_dacl full: Full access
Printers		print: Print man_printer: Manage printer man_docs: Manage documents full: Full access
Registry		read: Read full: Full access
Service		read: Read start_stop: Start / Stop full: Full access
Share		read: Read change: Change full: Full access
b) Specific permissions
Files / Directories		traverse: Traverse folder / execute file list_dir: List folder / read data read_attr: Read attributes read_ea: Read extended attributes add_file: Create files / write data add_subdir: Create folders / append data write_attr: Write attributes write_ea: Write extended attributes del_child: Delete subfolders and files delete: Delete read_dacl: Read permissions write_dacl: Write permissions write_owner: Take ownership
Registry		query_val: Query value set_val: Set value create_subkey: Create subkeys enum_subkeys: Enumerate subkeys notify: Notify create_link: Create link delete: Delete write_dacl: Write permissions write_owner: Take ownership read_access: Read control
Please also visit my blog.
Hosting and many more services provided generously by SourceForge.