
SubInAcl Syntax: action[=parameter]


Values:

/display (default)
Displays the security descriptor.
The /noverbose display can be used to reapply the security descriptor (see /playfile).
/owner=owner or /setowner=owner
Changes the owner of the object.
owner is a valid security identifier (SID), which can be expressed in several forms.
Example:
/owner=DomainName\Administrators
Retrieves the Administrators' SID on the server where the object is located (see the Win32 SDK LookupAccountName function).
/replace=[DomainName\]OldAccount=[DomainName\]NewAccount
Replaces all access control entries (ACEs) (Audit and Permissions) in the object.
Example:
/replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan
Replaces all ACEs containing DOM_MARKETING\ChairMan with the NewChairMan SID retrieved from the NEWDOM domain.
/changedomain=OldDomainName=NewDomainName
Replaces all ACEs containing a SID from OldDomainName with the equivalent SID found in NewDomainName.
Example:
/changedomain=DOM_MARKETING=NEWDOMAIN
Replaces all ACEs containing the DOM_MARKETING\ChairMan SID with the ChairMan SID retrieved on the NEWDOMAIN computer. NEWDOMAIN must have a trust relationship with the server containing the object.
/migratetodomain=SourceDomain=DestDomain
Same behavior as /changedomain, except that new ACEs are added for the new domain and the ACEs for the old domain are preserved.
Example:
/migratetodomain=DOM1=DOM2
Each ACE containing DOM1\User is duplicated with DOM2\User (if DOM2\User exists). Because the DOM1 ACEs are kept, users can be instructed to log back on to DOM1 if a serious problem is found during the migration.

Note: Owner and Primary Group are migrated to DOM2.

/findsid=[DomainName\]Account[=stop]
Displays the object name containing a reference to DomainName\Account in the security descriptor.
/suppresssid=[DomainName\]Account
Suppresses all ACEs containing the DomainName\Account SID. If the object's owner is DomainName\Account, the owner is set to Everyone's SID.
/confirm
/perm
Suppresses all existing permission ACEs (PACEs).
/audit
Suppresses all existing auditing ACEs (AACEs).
/ifchangecontinue
Continues to process the next actions only if some changes have been made in the previous actions.
/cleandeletedsidsfrom=DomainName
Deletes all ACEs containing deleted (not valid) SIDs from DomainName.
/accesscheck=[DomainName\]UserName
Displays the access granted to the Domain\UserName. The password is requested. This option requires the SeTcbName privilege (Act as Part of the Operating System), and cannot be used with remote objects.
Note: The access is checked with the NETWORK security identifier granted to the Domain\UserName.
/setprimarygroup=[DomainName\]Group
Changes the primary group.
/grant=[DomainName\]UserName[=Access]
Adds a Permission ACE for UserName. If Access is not specified, Full Control access is granted.
/deny=[DomainName\]UserName[=Access]
Adds a denied Permission ACE for the specified UserName (or group). If Access is not specified, all access is denied.
/revoke=[DomainName\]UserName
Suppresses all Permission ACEs for the specified User (or group).
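
The following PowerShell script is an added example, not part of the SubInAcl documentation: it stages a domain migration of a directory tree's ACLs with the /findsid, /migratetodomain, /ifchangecontinue and /display actions described above. It assumes subinacl.exe is on the PATH and uses the /subdirectories object type, which is documented on another SubInAcl page.

```powershell
# Added example (not SubInAcl's own documentation). Assumes subinacl.exe is on
# the PATH; /subdirectories is a SubInAcl object type not described on this page.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $Path,        # e.g. D:\Shares\Marketing
    [Parameter(Mandatory)] [string] $OldDomain,   # e.g. DOM1
    [Parameter(Mandatory)] [string] $NewDomain,   # e.g. DOM2
    [string] $ProbeAccount = 'Domain Users'       # account looked up by /findsid
)

$tree = Join-Path $Path '*.*'   # /subdirectories takes a wildcard path

# Stage 1 (read-only): list the objects whose security descriptor still
# references the old domain. /findsid changes nothing, so it runs even with -WhatIf.
Write-Host "Objects referencing $OldDomain\$ProbeAccount under $Path"
& subinacl.exe /subdirectories $tree "/findsid=$OldDomain\$ProbeAccount"
if ($LASTEXITCODE -ne 0) { throw "subinacl /findsid failed with exit code $LASTEXITCODE" }

# Stage 2 (write): duplicate every OldDomain ACE as a NewDomain ACE while keeping
# the old ones, so users can fall back to OldDomain if something goes wrong.
# /ifchangecontinue makes the trailing /display print only the objects that
# actually changed, which is the record to keep from the run.
if ($PSCmdlet.ShouldProcess($Path, "subinacl /migratetodomain=$OldDomain=$NewDomain")) {
    & subinacl.exe /subdirectories $tree "/migratetodomain=$OldDomain=$NewDomain" /ifchangecontinue /display
    if ($LASTEXITCODE -ne 0) { throw "subinacl /migratetodomain failed with exit code $LASTEXITCODE" }
}
```

Run it with -WhatIf first to get the /findsid inventory without touching any descriptor; the old-domain ACEs remain in place afterwards until you remove them deliberately (for example with /suppresssid once the migration has been verified).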

Permission ACEs

Used with /grant and /deny:


     File:
       F : Full Control
       C : Change
       R : Read
       P : Change Permissions
       O : Take Ownership
       X : eXecute
       E : Read eXecute
       W : Write
       D : Delete

     ClusterShare:
       F : Full Control
       R : Read
       C : Change

     Printer:
       F : Full Control
       M : Manage Documents
       P : Print

     KeyReg:
       F : Full Control
       R : Read
       A : ReAd Control
       Q : Query Value
       S : Set Value
       C : Create SubKey
       E : Enumerate Subkeys
       Y : NotifY
       L : Create Link
       D : Delete
       W : Write DAC
       O : Write Owner

     Service:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands

     Share:
       F : Full Control
       R : Read
       C : Change

     Metabase:
       F : Full Control
       R : Read - MD_ACR_READ
       W : Write - MD_ACR_WRITE
       I : Restricted Write - MD_ACR_RESTRICTED_WRITE
       U : Unsecure Props Read - MD_ACR_UNSECURE_PROPS_READ
       E : Enum Keys - MD_ACR_ENUM_KEYS
       D : Write DAC - MD_ACR_WRITE_DAC