| File system | ||
|
|
||
| Example 1 |
|
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
Sets 'change' permissions on the directory 'c:\my dir' for user 'user1' in domain 'domain1'.
|
|
|
||
| Example 2 |
|
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:read,write_dacl"
Same as Example 1, but sets the following two permissions:
|
|
|
||
| Example 3 |
|
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:administrators;p:full"
Same as Example 1, but additionally sets 'full' permissions for the group 'administrators'.
|
|
|
||
| Example 4 |
|
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
An improved version of Example 3: 'administrators' is a built-in group, whose name is dependent on the
language of the operating system. Therefore it is better to use its well-known SID which never changes.
|
|
|
||
| Example 5 |
|
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
Same as Example 4, but using a UNC name to access the server 'server1' remotely via the
network share 'share1'.
|
|
|
||
| Example 6 |
|
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
Same as Example 5, but additionally setting an auditing entry for all ('full') failed
attempts of 'user2' from domain 'domain2'.
|
|
|
||
| Example 7 |
|
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
Same as Example 6, but first (see ordering of actions in the documentation) the DACL and SACL
are cleared of any non-inherited entries, and then the ACEs specified are set. This effectively 'cleans up' messed-up ACLs.
|
|
|
||
| Example 8 |
|
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
Same as Example 7, but even more housekeeping is done. Propagation of inherited permissions is enabled for
all sub-objects whose permissions are also reset, resulting in only the specified permissions being active for a whole directory tree.
|
|
|
||
| Example 9 |
|
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
-log "c:\my files\setacl log.txt"
Same as Example 8, but all output is written to the screen and to the log file given.
|
|
|
||
| Example 10 |
|
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
-log "c:\my files\setacl log.txt"
-silent
Same as Example 9, but no output is written to the screen, only to the log file given.
|
|
|
||
| Example 11 |
|
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full;s:y"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
-log "c:\my files\setacl log.txt"
-silent
-fltr "secrets" -fltr "top secret"
Same as Example 10, but files/directories containing the strings 'secrets' or 'top secret' are not affected.
|
|
|
||
| Example 12 |
|
SetACL.exe -on "\\server1\share1\users" -ot file -actn setprot
-op "dacl:np;sacl:nc"
-rec cont_obj
-actn setowner -ownr "n:S-1-5-32-544;s:y"
Resets a whole directory tree to what most administrators dream of: the owner of all files and directories is set to the
group 'administrators' and the flag 'allow inheritable permissions from the parent object to propagate to this object'
is enabled for all object's DACLs; the SACLs are left unchanged.
|
|
|
||
| Example 13 |
|
SetACL.exe -on "\\server1\share1\users" -ot file -actn list
-lst "f:sddl;w:d,s,o,g"
-rec cont
-bckp "d:\data\setacl listing.txt"
Creates a complete listing of DACL, SACL, owner and primary group in SDDL format of the directory '\\server1\share1\users'
and all sub-folders. The listing is stored in Unicode format in the file specified.
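Example 2 grants 'write_dacl', a right that lets the trustee rewrite the DACL, and an SDDL listing like the one created in Example 13 is where such grants can be reviewed afterwards. The Python code below is an added example, not part of SetACL or its documentation: it parses the DACL of one SDDL string and reports allow ACEs that give WRITE_DAC, WRITE_OWNER or GENERIC_ALL to trustees other than Administrators and SYSTEM. It assumes the SDDL string of an object has already been taken from the listing; the sample descriptor, the function names and the set of expected trustees are constructed for illustration.

```python
import re

# Rights tokens of the SDDL ACE-string syntax (generic, standard, file, specific).
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Rights that let a trustee rewrite the security descriptor itself.
CONTROL = {"WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000, "GENERIC_ALL": 0x10000000}
# Assumption: only Administrators and SYSTEM are expected to hold them.
EXPECTED = {"BA", "SY", "S-1-5-32-544", "S-1-5-18"}

def rights_mask(text):
    """Convert an SDDL rights field (hex or two-letter tokens) to a bit mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # unknown token raises KeyError on purpose
    return mask

def parse_dacl(sddl):
    """Return (protected, aces); each ACE is the list of its six SDDL fields."""
    m = re.search(r"D:((?:P|AR|AI)*)((?:\([^)]*\))*)", sddl)
    if m is None:
        return False, []
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", m.group(2))]
    return "P" in m.group(1), [a for a in aces if len(a) == 6]

def control_grants(sddl):
    """List (trustee, rights, inherited) for allow ACEs that grant control rights."""
    findings = []
    for ace_type, flags, rights, _, _, trustee in parse_dacl(sddl)[1]:
        if ace_type != "A" or trustee in EXPECTED:
            continue
        mask = rights_mask(rights)
        held = [name for name, bit in CONTROL.items() if mask & bit]
        if held:
            findings.append((trustee, held, "ID" in flags))
    return findings

# Constructed sample descriptor; the domain SID is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = ("O:BAG:DUD:AI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;" + DOM + "-1104)"
          "(A;;FRWD;;;" + DOM + "-1105)(A;OICIID;0x1f01ff;;;" + DOM + "-1106)"
          "S:AI(AU;OICIFA;FA;;;" + DOM + "-1105)")

for trustee, held, inherited in control_grants(SAMPLE):
    print(trustee, "+".join(held), "inherited" if inherited else "explicit")
```

An entry reported as inherited has to be corrected on the parent object it comes from. In the sample's SACL entry the ACE flag FA marks failed-access auditing (as set with 'aud_fail' in Example 6), while FA in the rights field stands for file all access.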
|
|
|
||
| Example 14 |
|
SetACL.exe -on "dummy entry" -ot file -actn restore
-bckp "d:\data\setacl listing.txt"
Restores all (!) security descriptor data (DACL, SACL, owner, primary group) from the backup file to its original location.
BEWARE: If you have the appropriate user rights (usually, being a member of the administrators group on the target system is sufficient) ALL data in the security descriptor is overwritten!
Comment: Only data contained in the backup file is overwritten, i.e. if you create a backup of the SACL only, when you restore it, the DACL, owner and primary group are left unchanged!
|
|
|
||
| Example 15 |
|
SetACL.exe -on "\\server1\share1\users" -ot file -actn trustee
-rec cont_obj
-trst "n1:domain1\user1;n2:domain2\user2;ta:cpytrst;w:dacl"
This might be useful in a migration scenario where users from domain1 are migrated (copied) to domain2. This command copies
all ACEs belonging to 'domain1\user1' to 'domain2\user2' resulting in a duplication of permissions: after the process domain2\user2
has the same permissions as domain1\user1.
|
|
|
||
| Example 16 |
|
SetACL.exe -on "\\server1\share1\users" -ot file -actn domain
-rec cont_obj
-dom "n1:domain1;n2:domain2;da:repldom;w:dacl"
This is useful in a domain migration scenario where users from domain1 are migrated (copied) to domain2. This command replaces
all SIDs belonging to users/groups from domain1 with SIDs of users/groups with the same names from domain2 resulting in a replacement
of permissions: after the process domain2\user1 has the permissions domain1\user1 previously had.
|
|
|
||
| Registry | ||
|
|
||
| Example 17 |
|
SetACL.exe -on "hklm\software\microsoft\policies" -ot reg -actn ace
-ace "n:domain1\user1;p:full"
Sets 'full' permissions on the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Policies' for user 'user1' in domain 'domain1'.
|
|
|
||
| Example 18 |
|
SetACL.exe -on "\\machine2\hklm\software\microsoft\policies" -ot reg -actn ace
-ace "n:domain1\user1;p:full"
Same as Example 17, but accesses the registry on machine 'machine2'.
|
|
|
||
| Example 19 |
|
SetACL.exe -on "hkcu" -ot reg -actn ace
-ace "n:domain1\user1;p:full"
Sets 'full' permissions on the registry root key 'HKEY_CURRENT_USER' for user 'user1' in domain 'domain1'.
|
|
|
||
| Printers | ||
|
|
||
| Example 20 |
|
SetACL.exe -on "\\server1\HP LaserJet 4050" -ot prn -actn list
Lists current permissions on printer 'HP LaserJet 4050' on server 'server1'.
|
|
|
||
| Example 21 |
|
SetACL.exe -on "\\server1\HP LaserJet 4050" -ot prn -actn ace
-ace "n:domain1\HelpDesk;p:man_docs"
Sets permissions to manage documents for group 'HelpDesk' from domain 'domain1' on printer 'HP LaserJet 4050' on server 'server1'.
|
|
|
||
| Shares | ||
|
|
||
| Example 22 |
|
SetACL.exe -on "\\server1\Data$" -ot shr -actn list
Lists current permissions on share 'Data$' on server 'server1'.
|
|
|
||
| Services | ||
|
|
||
| Example 23 |
|
SetACL.exe -on "\\server1\W32Time" -ot srv -actn ace
-ace "n:domain1\group1;p:start_stop"
Sets permissions to start and stop the Windows time service on server 'server1' for group 'group1' in domain 'domain1'.
|
|
|
||