How to use SubInAcl.exe?
SubInAcl version 5.2.3790.1180 USAGE ----- Usage : SubInAcl [/option...] /object_type object_name [[/action[=parameter]...] /options : /outputlog=FileName /errorlog=FileName /noverbose /verbose (default) /notestmode (default) /testmode /alternatesamserver=SamServer /offlinesam=FileName /stringreplaceonoutput=string1=string2 /expandenvironmentsymbols (default) /noexpandenvironmentsymbols /statistic (default) /nostatistic /dumpcachedsids=FileName /separator=character /applyonly=[dacl,sacl,owner,group] /nocrossreparsepoint (default) /crossreparsepoint /object_type : /service /keyreg /subkeyreg /file /subdirectories[=directoriesonly|filesonly] /clustershare /kernelobject /metabase /printer /onlyfile /process /share /samobject /action : /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default) /setowner=owner /replace=[DomainName\]OldAccount=[DomainName\]New_Account /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]] /migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]] /findsid=[DomainName\]Account[=stop|continue] /suppresssid=[DomainName\]Account /confirm /ifchangecontinue /cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all] /testmode /accesscheck=[DomainName\]Username /setprimarygroup=[DomainName\]Group /grant=[DomainName\]Username[=Access] /deny=[DomainName\]Username[=Access] /sgrant=[DomainName\]Username[=Access] /sdeny=[DomainName\]Username[=Access] /sallowdeny==[DomainName\]Username[=Access] /revoke=[DomainName\]Username /perm /audit /compactsecuritydescriptor /pathexclude=pattern /objectexclude=pattern /sddl=sddl_string /objectcopysecurity=object_path /pathcopysecurity=path_container Usage : SubInAcl [/option...] /playfile file_name Usage : SubInAcl /help [keyword] SubInAcl /help /full keyword can be : features usage syntax sids view_mode test_mode object_type domain_migration server_migration substitution_features editing_features - or - any [/option] [/action] [/object_type] SYNTAX ------ describe SubInAcl syntax The SubInAcl syntax is analog to the UNIX find tool. For each object, SubInAcl : 1. retrieves the security descriptor of the object 2. applies the /action(s). The /actions are executed in the order of the command line 3. If : - the security descriptor has been modified and - the /testmode switch has not been specified the changes are applied to the object For instance : - SubInAcl /outputlog=result.txt /subdirectories \\Server\c$\temp\*.* /grant=Dom\John=F /noverbose /display For each file below \\Server\c$\temp, SubInAcl will - open the file - grant full control for dom\john - display the security setting in noverbose mode - save the security descriptor. All outputs will be saved in result.txt You can specify as many /actions as you wish. You must specify at least 3 characters for each action. The command line is not case-sensitive Ex: SubInAcl /file c:\temp\*.txt /replace=John=Smith /display for each *.txt file will - replace John with Smith - display the whole security descriptor - apply the changes if any SubInAcl error messages are sent to the Standard error. You can use the /output switch to save both outputs and errors in the same file. FEATURES -------- describes SubInAcl main features SubInAcl was designed to help administrators to manage security on various objects. It provides : - a unified way to manipulate security for different kinds of objects (files, registry keys, services, printer,...) - a console tool that allows to write scripts to automate security tasks - some features that help administrators to modify security if some changes occur in their organization: - user, group deletions (/suppresssid, /cleandeletedsidsfrom ) - user, group migrations (/replace , /accountmigration) - domain, server migration (/changedomain, /migratetodomain) ... - security descriptor editing features : - owner ( /setowner ) - primary group ( /setprimarygroup ) - permissions ( /grant , /deny , /revoke ) - audit ( /sgrant, /sdeny, /sallowdeny) - access to remote objects - save and restore permissions (/playfile , /outputlog , /display ) You need SeBackupPrivilege SeRestorePrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeChangeNotifyPrivilege privileges (locally or remotely) to run this tool Type SubInAcl /help to get extended help SIDS ---- sids : explain how SubInAcl retrieves and translates SIDs The security descriptor references users and groupswith a SID (Security Identifier). A SID can be expressed in one of the following form: + DomainName\Account (ex: DOM\Administrators ) + StandaloneServer\Group + Account ( see LookupAccount API ) + s-1-x-x-x-x . x is expressed in decimal (ex: S-1-5-21-56248481-1302087933-1644394174-1001) Warning : In that case, no check is done to verify the existence of this SID. SubInAcl maintains a local cache of SIDs to minimize SID to "Human Name" translation network cost. SubInAcl queries the server where the ressource object is located to translate or retrieve SIDs. If needed, you can specify another SAM server to translate SIDs (see /alternatesamserver). If you try to replace SIDs and the originated domain or server is not online, you can provide a file containing the needed SIDs (see /offlinesam). You can dump the local cache of SIDs in a file (see /dumpcachedsids). VIEW_MODE --------- /noverbose /verbose SubInAcl can be used in a quiet mode (/noverbose) or a in verbose mode (/verbose , /Noverbose ) You can specify these switches either : - for the entire comand line : SubInAcl /noverbose /file *.dat /display - after a specific action : SubInacl /file *.dat /display /noverbose /display TEST_MODE --------- /testmode /notestmode (default) If /testmode is specified, the changes will not be reflected to the object security descriptor. This option is useful to test the validity of a comand. Ex : SubInacl /subdirec \\server\share\*.* /changedomain=DOMA=DOMB /ifchangecontinue /noverbose /display /testmode For each file modified this comand displays the modified security descriptor. But these changes will not physically apply to the files OBJECT_TYPE ----------- /file /subdirectories /onlyfile /keyreg /subkeyreg /service /share /clustershare /printer /kernelobject /metabase /process /samobject SubInAcl can work with various objects: - Files : /file /subdirectories /onlyfile - Registry keys : /keyreg /subkeyreg - Services : /service - Shares : /share /clustershare - Printer : /printer - Kernel named objects : /kernelobject - IIS adminidstration rights : /metabase // - Process : /process - Sam : /SamObject The actions are valid for all objects Most of them support the enumeration with the * character DOMAIN_MIGRATION ---------------- explain how to migrate security between domain SIDs The main purpose of SubInAcl is to help administrators to migrate user(s) if the domain architecture has changed. For instance, the user John has moved and is now member of the DOMB domain. You can reflect this change with : SubInAcl /subdirec \\server\share\*.* /replace=OldDomain\John=DOMB\John N.B: A trust relationship must be enabled between the domain of server and OldDomain and NEWDOMAIN N.B: If a trust relationship cannot be enabled, you can use the /alternatesamserver=Server. Server should be the name of Domain Controller Server Sample : You have worked with a unique domain. You want to migrate a BDC named MIGRCONTROL with all the files and the users utilized on a new domain 1. Reinstall the BDC as PDC to the NEWDOMAIN (without erasing the files) 2. Create the users on NEWDOMAIN 3. Create a "trusted relationship" with OLDDOMAIN 4. Run SubInAcl /noverbose /subdirectories x:\*.* /changedomain=OLDDOMAIN=NEWDOMAIN 5. Verify the changes with SubInAcl /noverbose /subdirectories x:\*.* Sample : You have worked with a standalone server named SERVER in a workgroup environment. You want to move this server (including users) to a domain DOM. 1. Move SERVER to the domain DOM 2. Create the users in the DOM domain 3. SubInAcl /noverbose /subdirectories \\server\share /changedomain=SERVER=DOM See /changedomain /migratedomain /replace actions SERVER_MIGRATION ---------------- explain how to migrate SIDs when objects are moved from one server to another one Migrating file system from one local server to another local server is not a trivial task. SubInAcl Version 2.2 has been enhanced to help this migration process. To migrate file system files from one local server and to preserve security, you can perform the following steps: 1. use scopy to copy files and ACLs on destination server 2. create local groups on the destination server 3. Use /changedomain or /changedomain with the /alternatesamserver option : By default SubInAcl queries the server where the objects are located to retrieve SIDS. This server is not aware of the SIDs valid on another standalone server To address this issue, you can use the /alternatesamserver option to ask SubInAcl to to use the alternamesamserver server if a SID resolution is not successfull on the initial server. Sample : SubInAcl /alternatesamserver=SourceServer /subdirect \\DestServer\Share\*.* /migratedomain=SourceServer=DestServer See /alternatesamserver /migratedomain /offlinesam EDITING_FEATURES ---------------- how to edit parts of the security descriptor SubInAcl allows to modify each part of a a security descriptor : - owner see /owner=SID or /setowner=SID - primary group see /setprimarygroup=GroupSID - system ACL (SubInAcl name = Audit ACL) with Access Control Entries (SubInAcl name= AAce = Audit ACE) see /audit /sgrant /sdeny /sallowdeny - discretionnary ACL (SubInAcl name = Perm ACL ) with Access Control Entries (SubInAcl name= PAce = Perm ACE) see /perm /pace=xxx /revoke=SID /grant=SID=Access /deny=SID=access /sgrant=SID=Access /sdeny=SID=access /sallowdeny=SID=access- or the full security descriptor see /sddl=sddl_string /SERVICE -------- /service service_name manipulate service - \\ServerName\Messenger - \\ServerName\M* - Messenger N.B: /driver can be used also. /driver * will display all driversm /service * will display all services /KEYREG ------- /keyreg registry_key manipulate registry keys - HKEY_CURRENT_USER\Software - HKEY_CURRENT_USER\Software\*Version - \\Srv\HKEY_LOCAL_MACHINE\KeyPath /SUBKEYREG ---------- /subkeyreg registry_key manipulate registry keys and subkeys - HKEY_CURRENT_USER\Software - HKEY_CURRENT_USER\Software\*Version - \\Srv\HKEY_LOCAL_MACHINE\KeyPath /FILE ----- /file filename manipulate files N.B: SubInAcl is not supported on DFS volumes - *.obj - c:\temp\*.obj - \\servername\share\*.exe - c:\ /file=directoriesonly will apply parameters on directories only /file=filesonly will apply parameters on files only /SUBDIRECTORIES --------------- /subdirectories file_path manipulate files in specified directory and all subdirectories - c:\temp\*.obj : work with all obj files - c:\temp\test : work with all test files below the c:\temp directory - c:\temp\test\*.* : work with all files below temp\test - c:\temp\test\ : work with all files below temp\test /subdirectories=directoriesonly will apply parameters on directories only /subdirectories=filesonly will apply parameters on files only /ONLYFILE --------- /onlyfile file_name open a file without using the FindFilexxx mechanism. Can be used to access named pipes or mailslot - \\.\pipe\pipename /SAMOBJECT ---------- /samobject samobject allow to access ACL associated to SAM objects(users,localgroup,globalgroup). Can be used to allow a localgroup(alias) created by a power users on a member to be updated by another power users member - \\samserver\localgroup - \\samserver\*users* - *group* - Subinacl /samobject \\sams\testgroup /grant=poweruser1=f /SHARE ------ /share file_share_name access a network file share. - \\server\share - \\server\test* /CLUSTERSHARE ------------- /clustershare \\clustername\fileshareresource access a cluster file share resource. - \\clustername\FileShare_Resource_Name - \\clustername\s* /KERNELOBJECT ------------- /kernelobject kernel_object_name access a named kernel object. Can be used to view mutex, sections, events objects /PROCESS -------- /process pid_or_executable_pattern access a process object. - notepad.* or pid_in_decimal /METABASE ---------- /metabase metabase_path access to IIS metabase AdminACL metabase property Note that this property can only be used with these Metabase paths /LM/MSFTPSVC , /LM/MSFTPSVC/n , /LM/W3SVC , /LM/W3SVC/ This object doesn't support enumeration. - SubInAcl /metabase \\ServerName\LM\W3SVC /grant=administrator=F /PRINTER --------- /printer printername access to printer - \\server\printer1 - \\server\* /DISPLAY -------- /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] display the security descriptor You can also view part of the security descriptor. /display=dacl will display the discretionary acl. /display=sddl will display the security using the Win32 SDDL security descriptor string format (see Platform SDK) The /noverbose display can be used to reapply the security descriptor (see /playfile) /PLAYFILE --------- /playfile playfile The /playfile feature allows SubInacl to run in a batch mode. The format of the playfile command file is : + object_type object_name /action[=parameter]... /action[=parameter]... +object_type object_name /action[=parameter]... SubInacl /playfile=playfile.txt with With playfile : +subdirec *.txt /grant=everyone=R +service RkillSrv /display will give the same result than SubInAcl /subdirectories *.txt /grant=everyone=R SubInAcl /service RkillSrv /display One typical usage of the playfile feature is to allow to reapply security settings saved previously because the output format of the noverbose /display is a playfile compatible format: 1.a) SubInAcl /noverbose /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display This command saves all security settings for the files on C: drive. Sids will be saved in the Domain\user string format The /display option in a noverbose mode uses an output playfile compatible format or 1.b) SubInAcl /error=d:\Err.txt /outputlog=d:\SubInaclSave.txt /subdirectories c:\*.* /display=sddl This command saves all security settings using the Win32 SDDL format. Sids will be saved in the S-1-x-x form. This will not require SubInacl to translate Sids This may minimize the elapsed time and resource usage 2) SubInAcl /playfile d:\SubInaclSave.txt This command will reapply the previously saved settings. One other advantage of using a playfile is to improve performance and save network bandwidth because SubInacl maintains a local cache of SIDs. For instance if you issue : SubInacl /subdirectories c:\*.* /migrate=domain1=domain2 And SubInacl /subdirectories d:\*.* /migrate=domain1=domain2 Batching these commands will reduce the network usage bandwidth and improve performance because SID TO HUMAN NAME resolution process will be reduced. /OUTPUTLOG ---------- /outputlog=filename all outputs will be send in filename. You need to use /errlog switch to redirect all errors in a different file /ERRORLOG --------- /errorlog=filename.txt all errors will be send in the filename.txt /ALTERNATESAMSERVER ------------------- /alternatesamserver=Server SubInAcl queries the Server where the object is located to lookup Sids. Under some circumstances , you may need ( see server_migration or domain_migration) to retrieve Sids from another server. If a Sid resolution is unsuccessful, this option allows SubInAcl to query the alternamesamserver. /OFFLINESAM ----------- /offlinesam=FileName By default, SubInAcl queries the Server where the object is located to lookup Sids.Under some circumstances (migration where the source server is offline or if a domain is no longer available, want to avoid network round trip for SIDs retrievals), you may allow SubInAcl.exe to retrieve SIDs from the FileName file. File format is : __cachefileonly__=s-1-9-cacheonly domain\simon=S-1-5-21-1190502449-1716722630-1654032285-1105 nat\julien=S-1-5-21-1060284298-436374069-1708537768-1005 where domain\simon and nat\julien can be a domain account or server account. With the __cachefileonly__ line in the file, SubInAcl.exe will not query SAM Server(s) anymore. All needed SIDs should be found in the SAM cache file /DUMPCACHEDSIDS --------------- /dumpcachedsids=FileName At the end of the subinacl execution, you can dump the contents of the local cache Sids in a file. This file can later be used for future SubInacl execution (see . /offlinesam) to speed up the Sids resolution process) /SETOWNER --------- /setowner=SID will change the owner of the object /owner=SID or /setowner=SID owner = DomainName\Administrators will retrieve the Administrators Sid on the server where the object is (see Win32 SDK LookupAccountName function). /REPLACE -------- /replace=DomainName\OldAccount=DomainName\New_Account replace all ACEs (Audit and Permissions) in the object Ex: /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will replace all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID retrieves from NEWDOM domain Warning: if DomainName\New_Account has already an ACE, ACE replacement is skipped /ACCOUNTMIGRATION ----------------- /accountmigration=DomainName\OldAccount=DomainName\New_Account (see /replace) will : - replace owner or primary group if one of them is DomainName\OldAccount. - duplicate ACE(s) with reference to DomainName\OldAccount for New_Account Ex: /accountmigration=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan will duplicate all ACEs containing DOM_MARKETING\ChairMan with NewChairMan SID retrieves from NEWDOM domain Warning : if DomainName\New_Account has already an ACE, ACE replacement is skipped /CLEANDELETEDSIDSFROM --------------------- /cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all] delete all ACEs containing deleted (no valid) Sids from DomainName You can specify which part of the security descriptor will be scanned (default=all) If the owner is deleted, new owner will be the Administrators group. If the primary group is deleted, new primary group will be the Users group. /CHANGEDOMAIN ------------- /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]] replace all ACEs with a Sid from OldDomainName with the equivalent Sid found in NewSamServer Ex: /changedomain=DOM_MARKETING=NEWDOMAIN replace all ACEs containing DOM_MARKETING\ChairMan SID with the ChairMan's SID retrieved on NEWDOMAIN computer The NEWDOMAIN must have a trusted relationship with the server containing the object If you want to explicitly specify the users affected , you can specify a mapping file. The MappingFile file will allow you to specify the list of users affected and the name of the replacing user in the NewDomain Below a sample of a MappingFile simon=julien administrator=administrator OldDomainName\Simon will be replaced by NewDomainName\Julien and OldDomainName\Administrator will be replaced with NewDomainName\Administrator If you use /changedomain=OldDomainName=NewDomainName=MappingFile notation ,only users defined in this file will be migrated. If you use /changedomain=OldDomainName=NewDomainName=MappingFile=Both, the mapping file will be examined first to determine if a mapping user exist. If not, SubInacl will try to find the equivalent user in the NewDomainName /MIGRATETODOMAIN ---------------- /migratetodomain=FromDomainName=ToDomainName[=MappingFile[=Both]] same behavior than /changedomain except that news ACEs will added instead of replacing Ex: /migratetodomain=DOM1=DOM2 each ace with DOM1\User will be duplicated with DOM2\User (If DOM2\User exists) If during the migration there was a serious oversight you can instruct the user to log back onto DOM1. N.B: Owner and Primary Group are migrated to DOM2 /FINDSID -------- /findsid=DomainName\Account[=stop|continue] display the object name containing a reference to DomainName\Account in the security descriptor stop - if Account is found, next parameters will be skipped and changes will not be applied - if Account is not found, next parameter will be executed continue - if Account found, next parameters will be executed - if Account not found, next parameters will be skipped and changes will not be applied /SUPPRESSSID ------------ /suppresssid=DomainName\Account suppress all ACES containing the DomainName\Account SID. If the object's owner is DomainName\Account, the owner is set to Everyone's SID. /PERM ----- /perm suppress all existing permissions aces (PACEs) /AUDIT ------ /audit suppress all existing auditing aces (AACEs) /IFCHANGECONTINUE ----------------- /ifchangecontinue continue to process the next actions only if some changes have been made in the previous actions /TESTMODE --------- /testmode changes will not be applied to the object. This allows to test the modifications /ACCESSCHECK ------------ /accesscheck=Domain\Username display the access granted to the Domain\Username. The password will be asked. This option requires the SeTcbName privilege (Act as Part of the Operating System). This option cannot be used with remote object. Note : the access is checked with the NETWORK security identified granted to the Domain\UserName /SETPRIMARYGROUP ---------------- /setprimarygroup=[DomainName\]Group change the primary group /DENY ----- /deny=[DomainName\]User[=Access] add a denied Permission Ace for the specified User (or group) If Access is not specified, all accesses will be denied. File: F : Full Control C : Change R : Read P : Change Permissions O : Take Ownership X : eXecute E : Read eXecute W : Write D : Delete ClusterShare: F : Full Control R : Read C : Change Printer: F : Full Control M : Manage Documents P : Print KeyReg: F : Full Control R : Read A : ReAd Control Q : Query Value S : Set Value C : Create SubKey E : Enumerate Subkeys Y : NotifY L : Create Link D : Delete W : Write DAC O : Write Owner Service: F : Full Control R : Generic Read W : Generic Write X : Generic eXecute L : Read controL Q : Query Service Configuration S : Query Service Status E : Enumerate Dependent Services C : Service Change Configuration T : Start Service O : Stop Service P : Pause/Continue Service I : Interrogate Service U : Service User-Defined Control Commands Share: F : Full Control R : Read C : Change Metabase: F : Full Control R : Read - MD_ACR_READ W : Write - MD_ACR_WRITE I : Restricted Write - MD_ACR_RESTRICTED_WRITE U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ E : Enum keys- MD_ACR_ENUM_KEYS D : write Dac- MD_ACR_WRITE_DAC Process: F : Full Control R : Read W : Write X : eXecute SamObject: F : Full Control W : Write R : Read X : Execute /REVOKE ------- /revoke=[DomainName\]User suppress all Permission Ace(s) for the specified User (or group) /GRANT ------ /grant=[DomainName\]User[=Access] will add a Permission Ace for the user. if Access is not specified, the Full Control access will be granted. File: F : Full Control C : Change R : Read P : Change Permissions O : Take Ownership X : eXecute E : Read eXecute W : Write D : Delete ClusterShare: F : Full Control R : Read C : Change Printer: F : Full Control M : Manage Documents P : Print KeyReg: F : Full Control R : Read A : ReAd Control Q : Query Value S : Set Value C : Create SubKey E : Enumerate Subkeys Y : NotifY L : Create Link D : Delete W : Write DAC O : Write Owner Service: F : Full Control R : Generic Read W : Generic Write X : Generic eXecute L : Read controL Q : Query Service Configuration S : Query Service Status E : Enumerate Dependent Services C : Service Change Configuration T : Start Service O : Stop Service P : Pause/Continue Service I : Interrogate Service U : Service User-Defined Control Commands Share: F : Full Control R : Read C : Change Metabase: F : Full Control R : Read - MD_ACR_READ W : Write - MD_ACR_WRITE I : Restricted Write - MD_ACR_RESTRICTED_WRITE U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ E : Enum keys- MD_ACR_ENUM_KEYS D : write Dac- MD_ACR_WRITE_DAC Process: F : Full Control R : Read W : Write X : eXecute SamObject: F : Full Control W : Write R : Read X : Execute /SALLOWDENY ----------- /sallowdeny=[DomainName\]User[=Access] will add an Allow/Failed Audit Ace for the user and remove all existing Audit Ace for this user(or group). if Access is not specified, the Full Control access mask will be used. Ex: SubInacl /file c:\windows\explorer.exe /sallowdeny=everyone=R will set the audit for everyone's successful and failed access /SGRANT ------- /sgrant=[DomainName\]User[=Access] will add a Successfull (Allow) Audit Ace for the user and remove all existing Audit Ace for this user(or group). if Access is not specified, the Full Control access mask will be used. Ex: SubInacl /file c:\windows\explorer.exe /sgrant=everyone=R will set the audit for everyone's successful access File: F : Full Control C : Change R : Read P : Change Permissions O : Take Ownership X : eXecute E : Read eXecute W : Write D : Delete ClusterShare: F : Full Control R : Read C : Change Printer: F : Full Control M : Manage Documents P : Print KeyReg: F : Full Control R : Read A : ReAd Control Q : Query Value S : Set Value C : Create SubKey E : Enumerate Subkeys Y : NotifY L : Create Link D : Delete W : Write DAC O : Write Owner Service: F : Full Control R : Generic Read W : Generic Write X : Generic eXecute L : Read controL Q : Query Service Configuration S : Query Service Status E : Enumerate Dependent Services C : Service Change Configuration T : Start Service O : Stop Service P : Pause/Continue Service I : Interrogate Service U : Service User-Defined Control Commands Share: F : Full Control R : Read C : Change Metabase: F : Full Control R : Read - MD_ACR_READ W : Write - MD_ACR_WRITE I : Restricted Write - MD_ACR_RESTRICTED_WRITE U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ E : Enum keys- MD_ACR_ENUM_KEYS D : write Dac- MD_ACR_WRITE_DAC Process: F : Full Control R : Read W : Write X : eXecute SamObject: F : Full Control W : Write R : Read X : Execute /SDENY ------ /sdeny=[DomainName\]User[=Access] will add a Failed Audit Ace for the user and remove all existing Audit Ace for this user(or group). if Access is not specified, the Full Control access mask will be used. File: F : Full Control C : Change R : Read P : Change Permissions O : Take Ownership X : eXecute E : Read eXecute W : Write D : Delete ClusterShare: F : Full Control R : Read C : Change Printer: F : Full Control M : Manage Documents P : Print KeyReg: F : Full Control R : Read A : ReAd Control Q : Query Value S : Set Value C : Create SubKey E : Enumerate Subkeys Y : NotifY L : Create Link D : Delete W : Write DAC O : Write Owner Service: F : Full Control R : Generic Read W : Generic Write X : Generic eXecute L : Read controL Q : Query Service Configuration S : Query Service Status E : Enumerate Dependent Services C : Service Change Configuration T : Start Service O : Stop Service P : Pause/Continue Service I : Interrogate Service U : Service User-Defined Control Commands Share: F : Full Control R : Read C : Change Metabase: F : Full Control R : Read - MD_ACR_READ W : Write - MD_ACR_WRITE I : Restricted Write - MD_ACR_RESTRICTED_WRITE U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ E : Enum keys- MD_ACR_ENUM_KEYS D : write Dac- MD_ACR_WRITE_DAC Process: F : Full Control R : Read W : Write X : eXecute SamObject: F : Full Control W : Write R : Read X : Execute /OBJECTEXCLUDE -------------- /objectexclude=pattern all objects matching the pattern string will be skipped (eXcluded). The only wildcard valid is *. It can be used everywhere in the string. Pattern may be a name ( *Name.exe ) or a path ( *dir\subdir\*ToExclude* ). /PATHEXCLUDE ------------ /pathexclude=pattern all containers matching the pattern string will not be enumerated. See /objectexclude N.B: the Actions specified will not be applied to the container too. /STATISTIC ---------- /statistic will display statistics when processing is finished. /CROSSREPARSEPOINT ------------------ /crossreparsepoint When processing a file system path, SubInacl will enumerate file and directories below a reparsepoint except if /nocrossreparsepoint. is specified. /STRINGREPLACEONOUTPUT ---------------------- /stringreplaceonoutput=string1=string2 All occurrences of string1 will be replaced by string2 in subinacl output. /SDDL ----- /sddl=sddl_string specify the Security descriptor for the object using the Win32 security descriptor definition language (SDDL) /APPLYONLY ---------- /applyonly=dacl,sacl,owner,group Some subinacl options may change parts (owner,group,dacl,sacl) of the security descriptor. You may restrict the change to some parts of the security descriptor only . For instance /applyonly=dacl,sacl,owner will not modify the primary group field /PATHCOPYSECURITY ----------------- /pathcopysecurity=path_container SubInacl will reset the security descriptor for the object with the same named object in the container path. Ex: - SubInacl /file c:\temp\*.txt /pathcopysecurity=d:\test will replace the security (acls,owner,primarygroup) for c:\temp\1.txt with the security retrieved from d:\test\1.txt (if this file exists) -SubInacl /service Messenger /pathcopysecurity=\\Server will update the security on the service Messenger with the security existing on the remote messenger service /OBJECTCOPYSECURITY ------------------- /objectcopysecurity=object_path SubInacl will reset the security descriptor with the object object_path in the container path. Ex: - SubInacl /file c:\temp\*.txt /objectcopysecurity=d:\test\mask.txt will replace the security (acls,owner,primarygroup) for all txt files in c: emp with the security retrieved on d:\test\amsk.txt will update the security on the service Messenger with the security existing on the remote messenger service