Difference between revisions of "Windows/SetACL"

SetACL is a very powerful commandline tool that can help automate some of the more tedious permission setting tasks on Windows.

Windows ACLs are quite a bit more sophisticated than the Unix implementations I have come across so far. So SetACL is not for the faint of heart. Since I don't use it on a regular basis I forget most of the stuff until the next time. This document should help list some of the pain.

Howto

List permission

SetACL -on "<Path>" 
       -ot file 
       -actn list -lst "w:d,s,o,g"

And to do it for the whole sub-tree

       -rec cont_obj

Revoke user privileges

SetACL -on "<Path>" 
       -ot file 
       -actn ace -ace "n:domain\user;p:full;m:revoke"

And do it recursivley with the line below

       -rec cont_obj

Owner change

Recursively change owner on directories and files

SetACL -on "<Path>" 
       -ot file 
       -actn setowner -ownr "n:domain\user"
       -rec cont_obj

Inheritance of directories

Take away inheritance, don't copy permission

SetACL -on "<Path>" 
       -ot file 
       -actn setprot -op "dacl:p_nc;sacl:nc"

Ensure there are non-inherited users already present or add a line like the one below

       -actn ace -ace "n:domain\user;p:full"

With an addtional line we can reset the permission of all the sub-directories and files and only inherit from the path specified in -on

       -actn rstchldrn -rst "dacl"

Take away inheritance, copy permission

SetACL -on "<Path>" 
       -ot file 
       -actn setprot -op "dacl:p_c;sacl:nc"

Inherit from parent

SetACL -on "<Path>" 
       -ot file 
       -actn setprot -op "dacl:np;sacl:nc"

References

• SetACL documentation
• Microsoft KB for well-known security identifiers