Windows/SetACL

From braindump
Latest revision as of 22:37, 17 June 2012

SetACL is a very powerful command-line tool that can help automate some of the more tedious permission-setting tasks on Windows.

Windows ACLs are quite a bit more sophisticated than the Unix implementations I have come across so far (a DACL and a SACL, an owner and a group, and inheritance flags on every entry), so SetACL is not for the faint of heart. Since I don't use it on a regular basis I forget most of it until the next time; this document lists the invocations that caused the most pain.

Howto

List permission

SetACL -on "<Path>" 
       -ot file 
       -actn list -lst "w:d,s,o,g"

The w: part selects what is printed: d = DACL, s = SACL, o = owner, g = group. Listing the SACL needs the audit privilege (SeSecurityPrivilege), so run from an elevated prompt or leave out the s. To do it for the whole sub-tree (containers and objects), add:

       -rec cont_obj

Revoke user privileges

SetACL -on "<Path>" 
       -ot file 
       -actn ace -ace "n:domain\user;p:full;m:revoke"

m:revoke removes every explicit ACE for that trustee on the object. It cannot remove entries the object inherits from its parent; those have to be revoked on the parent or cut off with the inheritance settings below. To do it recursively, add the line below:

       -rec cont_obj
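The listing and revoke steps above, combined into one reviewable procedure: record the tree's ACLs, revoke the trustee everywhere, record again and diff, then cross-check with the built-in cmdlets. This is an added example, not code from the original page or from the SetACL project; it assumes SetACL.exe is on the PATH, and $Path, $Trustee and $LogDir are placeholders.

```powershell
# Added example (not from the original page): audit a tree's ACLs before and
# after revoking one trustee. Assumes SetACL.exe is on the PATH; $Path,
# $Trustee and $LogDir are placeholders to replace with real values.
param(
    [Parameter(Mandatory)] [string] $Path,      # e.g. D:\Shares\Projects
    [Parameter(Mandatory)] [string] $Trustee,   # e.g. DOMAIN\user
    [string] $LogDir = "$env:TEMP\setacl-audit"
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$before = Join-Path $LogDir "before-$stamp.sddl"
$after  = Join-Path $LogDir "after-$stamp.sddl"

# 1. Record DACL and owner of every container and object as SDDL.
#    Keep this file: it documents what the tree looked like before the change.
& SetACL.exe -on $Path -ot file -actn list -lst "f:sddl;w:d,o" -rec cont_obj |
    Out-File -LiteralPath $before -Encoding utf8
if ($LASTEXITCODE -ne 0) { throw "SetACL list failed with exit code $LASTEXITCODE" }

# 2. Remove every explicit ACE for the trustee in the whole sub-tree.
#    m:revoke only touches explicit entries; inherited ones live on the parent.
& SetACL.exe -on $Path -ot file -actn ace -ace "n:$Trustee;p:full;m:revoke" -rec cont_obj
if ($LASTEXITCODE -ne 0) { throw "SetACL revoke failed with exit code $LASTEXITCODE" }

# 3. List again and diff against the record so the change can be reviewed.
& SetACL.exe -on $Path -ot file -actn list -lst "f:sddl;w:d,o" -rec cont_obj |
    Out-File -LiteralPath $after -Encoding utf8
Compare-Object (Get-Content -LiteralPath $before) (Get-Content -LiteralPath $after) |
    Format-Table -AutoSize

# 4. Independent check with Get-Acl: no explicit ACE naming the trustee should
#    remain on the root or on anything below it.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$left = foreach ($i in $items) {
    (Get-Acl -LiteralPath $i.FullName).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Trustee } |
        ForEach-Object { [pscustomobject]@{ Path = $i.FullName; Rights = $_.FileSystemRights } }
}
if ($left) { Write-Warning "Explicit ACEs for $Trustee still present:"; $left | Format-Table -AutoSize }
else { Write-Host "OK: no explicit ACEs for $Trustee remain under $Path" }
```

If step 4 still reports entries, they are inherited from above $Path and the revoke has to be repeated on the parent that carries them.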

Owner change

Recursively change owner on directories and files

SetACL -on "<Path>" 
       -ot file 
       -actn setowner -ownr "n:domain\user"
       -rec cont_obj

Assigning an owner other than the account running the command requires SeRestorePrivilege, which an elevated administrator has. The new owner implicitly holds READ_CONTROL and WRITE_DAC on the object, so it can read and rewrite the DACL even if no ACE names it; that is what makes ownership the way back into a locked-out tree.
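The ownership change above applied to a tree whose owner is a departed account, with a record of the old owners and a check afterwards. This is an added example, not code from the original page or from the SetACL project; it assumes SetACL.exe is on the PATH and an elevated prompt, and $Path and $NewOwner are placeholders.

```powershell
# Added example (not from the original page): take over every directory and
# file under a path, e.g. a tree owned by a deleted account, then verify.
# Assumes SetACL.exe is on the PATH and the script runs from an elevated
# prompt; $Path is a placeholder and $NewOwner defaults to the local
# Administrators group.
param(
    [Parameter(Mandatory)] [string] $Path,      # e.g. D:\Shares\OldProject
    [string] $NewOwner = 'BUILTIN\Administrators'
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

# Record who owned what before the change. An owner that no longer resolves
# shows up as a raw SID (S-1-5-21-...), which is the usual reason for this job;
# objects whose DACL denies us READ_CONTROL are recorded as unreadable.
$record = foreach ($i in $items) {
    $acl = Get-Acl -LiteralPath $i.FullName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path  = $i.FullName
        Owner = if ($acl) { $acl.Owner } else { '<unreadable>' }
    }
}
$record | Group-Object Owner | Select-Object Count, Name | Format-Table -AutoSize
$record | Export-Csv -LiteralPath "$env:TEMP\owners-before.csv" -NoTypeInformation

# setowner needs SeRestorePrivilege to assign an owner other than the caller;
# an elevated administrator holds it, a plain user does not.
& SetACL.exe -on $Path -ot file -actn setowner -ownr "n:$NewOwner" -rec cont_obj
if ($LASTEXITCODE -ne 0) { throw "SetACL setowner failed with exit code $LASTEXITCODE" }

# Verify every object now reports the new owner. Since the owner implicitly
# holds READ_CONTROL, the owner field is readable even where the DACL grants
# Administrators nothing.
$wrong = $items | Where-Object { (Get-Acl -LiteralPath $_.FullName).Owner -ine $NewOwner }
if ($wrong) { Write-Warning "Owner not changed on:"; $wrong.FullName }
else { Write-Host "OK: $($items.Count) objects now owned by $NewOwner" }
```

Changing the owner does not grant any ACE; follow up with an ace action (grant) if anyone besides the owner needs access.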

Inheritance of directories

Take away inheritance, don't copy permission

SetACL -on "<Path>" 
       -ot file 
       -actn setprot -op "dacl:p_nc;sacl:nc"

With p_nc the entries inherited from the parent are dropped and nothing replaces them (sacl:nc leaves the SACL as it is). If the object has no explicit, non-inherited entries of its own, the result is an empty DACL and nobody except the owner can get back in. Ensure explicit entries are already present, or add one in the same invocation with a line like the one below:

       -actn ace -ace "n:domain\user;p:full"

With an additional line we can reset the DACL of all the sub-directories and files, dropping their own explicit entries, so that they inherit only from the path specified in -on:

       -actn rstchldrn -rst "dacl"
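The three lines of this procedure run as one SetACL invocation, with a lockout check before and a verification with Get-Acl afterwards: the root must be protected with no inherited entries, the explicit full-control entry must exist, and no child may still carry explicit entries. This is an added example, not code from the original page or from the SetACL project; it assumes SetACL.exe is on the PATH, and $Path and $Admin are placeholders.

```powershell
# Added example (not from the original page): break inheritance on a folder
# without copying the inherited ACEs, keep one explicit full-control entry so
# the folder is not left with an empty DACL, reset all children so they only
# inherit from this folder, and verify the result with Get-Acl.
# Assumes SetACL.exe is on the PATH; $Path and $Admin are placeholders.
param(
    [Parameter(Mandatory)] [string] $Path,   # e.g. D:\Shares\Secret
    [string] $Admin = 'BUILTIN\Administrators'
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Not a directory: $Path" }

# Lockout check: after dacl:p_nc only explicit (non-inherited) entries survive.
# Show what would be left so the ace line below is understood as the lifeline.
$explicit = @((Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited })
Write-Host "Explicit ACEs on $Path before the change: $($explicit.Count)"

# One invocation carrying all three actions from the page:
#   setprot   dacl:p_nc -> protect the DACL, do not copy the inherited entries
#   ace       p:full    -> explicit full control for $Admin
#   rstchldrn dacl      -> drop explicit DACL entries on the whole sub-tree so
#                          children inherit only from $Path
& SetACL.exe -on $Path -ot file `
    -actn setprot -op "dacl:p_nc;sacl:nc" `
    -actn ace -ace "n:$Admin;p:full" `
    -actn rstchldrn -rst "dacl"
if ($LASTEXITCODE -ne 0) { throw "SetACL failed with exit code $LASTEXITCODE" }

# Verify the root: protected, nothing inherited, $Admin present explicitly.
$root = Get-Acl -LiteralPath $Path
if (-not $root.AreAccessRulesProtected) { throw "DACL on $Path is still inheriting" }
if ($root.Access | Where-Object { $_.IsInherited }) { throw "Inherited ACEs remain on $Path" }
$lifeline = $root.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Admin
}
if (-not $lifeline) { throw "No explicit ACE for $Admin on $Path" }

# Verify the children: after rstchldrn none of them should carry explicit entries.
$stray = Get-ChildItem -LiteralPath $Path -Recurse -Force |
    ForEach-Object { Get-Acl -LiteralPath $_.FullName } |
    Where-Object { $_.Access | Where-Object { -not $_.IsInherited } }
if ($stray) { Write-Warning "Children still carrying explicit ACEs:"; $stray | ForEach-Object { $_.Path } }
else { Write-Host "OK: $Path is protected and the sub-tree inherits only from it" }
```

Leave the rstchldrn line out if the sub-tree deliberately carries its own explicit entries; it removes every one of them, not only the stale ones.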

Take away inheritance, copy permission

SetACL -on "<Path>" 
       -ot file 
       -actn setprot -op "dacl:p_c;sacl:nc"

p_c keeps the effective permissions as they are: the entries inherited so far are turned into explicit entries on the object, which from then on no longer follows changes made on the parent.

Inherit from parent

SetACL -on "<Path>" 
       -ot file 
       -actn setprot -op "dacl:np;sacl:nc"

np removes the protection again: the parent's entries are inherited once more and merge with whatever explicit entries the object already has. Entries left behind by an earlier p_c stay as explicit entries and have to be revoked (see above) if they are no longer wanted.

References

SetACL documentation: http://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/
Microsoft KB 243330, well-known security identifiers: http://support.microsoft.com/kb/243330/en-us