Archive.org mirror (2004)
Display or modify Access Control Entries (ACEs) for file and folder Permissions, Ownership and Domain.
Access Control Lists apply only to files stored on an NTFS formatted drive, each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACL's from the folder where it was created.
Syntax
SUBINACL [/noverbose] /object_type object_name [/action=parameter] [/help]
Key
object_types service e.g. /service Messenger \\ServerName\Messenger
keyreg e.g. /keyreg HKEY_CURRENT_USER\Software
/keyreg \\Srv\HKEY_LOCAL_MACHINE\KeyPath
file e.g. /file *.obj /file c:\test.txt
/file \\ServerName\Share\Path
subdirectories Manipulate files in specified directory and all subdirectories
object_name The object we are applying permissions to.
action setowner=owner
Change the owner of the object e.g. /setowner=ss64dom\Administrators
grant=domain\principle=ACE
deny=domain\principle=ACE
replace=DomainName\Old_Account=DomainName\New_Account
This will replace all Permission ACEs on the object.
e.g. /replace=ss64dom\Finance=ss64dom\accounts
changedomain=OldDomainName=NewDomainName
Replace all ACEs with a Sid from OldDomainName
with the equivalent Sid found in NewSamServer
e.g. /changedomain=MyOldDomain=NEWDOMAIN
This option requires a trust relationship with the server containing the object.
Help Run SUBINACL /Help (or SUBINACL /Help /action) for more
detail on the many other options.
SUBINACL is a powerful command that can do everything cacls and xcacls can do and more besides.
When running subinacl against a subfolder, its important to include the trailing backslash, (or \*.*) if this is missed out subinacl will interpret the path as a filename and search the entire drive for it, this can be very slow!
If the file/folder is currently open (locked) it may not be possible to change the permissions or ownership without first closing the file locks. This can be done in Computer Management ➞ Shared Folders ➞ Open files.
The following Permission ACEs (PACEs) may be used with the /grant and /deny actions, dependent on the object type being modified.
Files Shares Cluster Share Printers Process Registry Services Security Accounts Manager (SAM) objects Full Control F F F F F F F F Change C C C C (Service Change Configuration) Read R R R R R R (Generic Read) R Change Permissions P Ownership O (Take Ownership) O (Write Owner) eXecute X E X (Generic eXecute) E Read eXecute E Write W W W (Write DAC) W (Generic Write) W Delete D D Manage Documents M P ReAd ControL A L Query Value Q Q (Query Service Configuration) Set Value S Create SubKey C Enumerate Subkeys E E (Enumerate Dependent Services) NotifY Y Create Link L Start Service T Stop Service O Pause/Continue Service P Interrogate Service I Query Service Status S Service User-Defined Control Commands U
Save permissions to a log file:
subinacl /noverbose /nostatistic /outputlog=SS64.log /subdirectories "C:\Program Files\My Folder\*.*" /display
Restore Permissions from a log file:
subinacl /nostatistic /playfile SS64.log
Change owner :
subinacl /file C:\demofile.doc /setowner=SS64Dom\AliceT
More examples on the Technet wiki.
“It's easier to ask forgiveness than it is to get permission” ~ Rear Admiral Grace Hopper
TAKEOWN - Take ownership of a file.
ATTRIB - Display or change file attributes.
CACLS - Change file permissions.
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders.
PERMS - Show permissions for a user.
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders.
Q288129 - Grant users the right to manage services with SUBINACL.
Equivalent PowerShell: Set-Acl - Set permissions.
Equivalent bash command (Linux): chmod - Change access permissions.