#1 13 Jan 2010 14:32

Registered: 24 Aug 2009
Posts: 134

Just curious will setACL be added for cmd?

I've just been messing with this for a script I'm working on, and I had a hunt on here and it's only in the PowerShell section?

The literature I have is for cmd from Helge Klein, so I wondered if it was going to be added?

I found the stuff here

-on    ObjectName
-ot    ObjectType
-actn  Action
-ace   "n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"
-trst  "n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"
-dom   "n1:Domain;n2:Domain;da:DomainAction;w:Where"
-ownr  "n:Trustee;s:IsSID"
-grp   "n:Trustee;s:IsSID"
-rec   Recursion
-op    "dacl:Protection;sacl:Protection"
-rst   Where
-lst   "f:Format;w:What;i:ListInherited;s:DisplaySID"
-bckp  Filename
-log   Filename
-fltr  Keyword
-clr   Where

ObjectName:      Name of the object to process (e.g. 'c:\mydir')

ObjectType:      Type of object:

                 file:       Directory/file
                 reg:        Registry key
                 srv:        Service
                 prn:        Printer
                 shr:        Network share

Action:          Action(s) to perform:

                 ace:        Process ACEs specified by parameter(s) '-ace'
                 trustee:    Process trustee(s) specified by parameter(s)
                 domain:     Process domain(s) specified by parameter(s)
                 list:       List permissions. A backup file can be
                             specified by parameter '-bckp'. Controlled by
                             parameter '-lst'.
                 restore:    Restore entire security descriptors backed up
                             using the list function. A file containing the
                             backup has to be specified using the parameter
                             '-bckp'. The listing has to be in SDDL format.
                 setowner:   Set the owner to trustee specified by parameter
                 setgroup:   Set the primary group to trustee specified by
                             parameter '-grp'.
                 clear:      Clear the ACL of any non-inherited ACEs. The
                             parameter '-clr' controls whether to do this for
                             the DACL, the SACL, or both.
                 setprot:    Set the flag 'allow inheritable permissions from
                             the parent object to propagate to this object' to
                             the value specified by parameter '-op'.
                 rstchldrn:  Reset permissions on all sub-objects and enable
                             propagation of inherited permissions. The
                             parameter '-rst' controls whether to do this for
                             the DACL, the SACL, or both.

TrusteeAction:   Action to perform on trustee specified:

                 remtrst:    Remove all ACEs belonging to trustee specified.
                 repltrst:   Replace trustee 'n1' by 'n2' in all ACEs.
                 cpytrst:    Copy the permissions for trustee 'n1' to 'n2'.

DomainAction:    Action to perform on domain specified:

                 remdom:     Remove all ACEs belonging to trustees of domain
                 repldom:    Replace trustees from domain 'n1' by trustees with
                             same name from domain 'n2' in all ACEs.
                 cpydom:     Copy permissions from trustees from domain 'n1' to
                             trustees with same name from domain 'n2' in all

Trustee:         Name or SID of trustee (user or group). Format:
                 a) [(computer | domain)\]name
                 computer:   DNS or NetBIOS name of a computer -> 'name' must
                             be a local account on that computer.
                 domain:     DNS or NetBIOS name of a domain -> 'name' must
                             be a domain user or group.
                 name:       user or group name
                 If no computer or domain name is given, SetACL tries to find
                 a SID for 'name' in the following order:
                 1. built-in accounts and well-known SIDs
                 2. local accounts
                 3. primary domain
                 4. trusted domains
                 b) SID string

Domain:          Name of a domain (NetBIOS or DNS name).

Permission:      Permission to set. Validity of permissions depends on the
                 object type (see below). Comma separated list.

                 Example:    'read,write_ea,write_dacl'

IsSID:           Is the trustee name a SID?

                 y:          Yes
                 n:          No

DisplaySID:      Display trustee names as SIDs?

                 y:          Yes
                 n:          No
                 b:          Both (names and SIDs)

Inheritance:     Inheritance flags for the ACE. This may be a comma separated
                 list containing the following:

                 so:         sub-objects
                 sc:         sub-containers
                 np:         no propagation
                 io:         inherit only
                 Example:    'io,so'

Mode:            Access mode of this ACE:

                 a) DACL:

                 set:        Replace all permissions for given trustee by
                             those specified.
                 grant:      Add permissions specified to existing permissions
                             for given trustee.
                 deny:       Deny permissions specified.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.

                 b) SACL:

                 aud_succ:   Add an audit success ACE.
                 aud_fail:   Add an audit failure ACE.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.

Where:           Apply settings to DACL, SACL, or both (comma separated list):


Recursion:       Recursion settings, depends on object type:

                 a) file:
                 no:         No recursion.
                 cont:       Recurse, and process directories only.
                 obj:        Recurse, and process files only.
                 cont_obj:   Recurse, and process directories and files.
                 b) reg:
                 no:         Do not recurse.
                 yes:        Do Recurse.

Protection:      Controls the flag 'allow inheritable permissions from the
                 parent object to propagate to this object':

                 nc:         Do not change the current setting.
                 np:         Object is not protected, i.e. inherits from
                 p_c:        Object is protected, ACEs from parent are
                 p_nc:       Object is protected, ACEs from parent are not

Format:          Which list format to use:

                 sddl:       Standardized SDDL format. Only listings in this
                             format can be restored.
                 csv:        SetACL's csv format.
                 tab:        SetACL's tabular format.

What:            Which components of security descriptors to include in the
                 listing. (comma separated list):

                 d:          DACL
                 s:          SACL
                 o:          Owner
                 g:          Primary group
                 Example:    'd,s'

ListInherited:   List inherited permissions?

                 y:          Yes
                 n:          No

Filename:        Name of a (unicode) file used for list/backup/restore
                 operations or logging.

Keyword:         Keyword to filter object names by. Names containing this
                 keyword are not processed.


Required parameters (all others are optional):

                 -on         (Object name)
                 -ot         (Object type)

Parameters that may be specified more than once:

                 -actn       (Action)
                 -ace        (Access control entry)
                 -trst       (Trustee)
                 -dom        (Domain)
                 -fltr       (Filter keyword)

Only actions specified by parameter(s) '-actn' are actually performed,
regardless of the other options set.

Order in which multiple actions are processed:

                 1.          restore
                 2.          clear
                 3.          trustee
                 4.          domain
                 5.          ace, setowner, setgroup, setprot
                 6.          rstchldrn
                 7.          list


a) Standard permission sets (combinations of specific permissions)

Files / Directories:

              read:          Read
              write:         Write
              list_folder:   List folder
              read_ex:       Read, execute
              change:        Change
              profile:       = change + write_dacl
              full:          Full access


              print:         Print
              man_printer:   Manage printer
              man_docs:      Manage documents
              full:          Full access


              read:          Read
              full:          Full access


              read:          Read
              start_stop:    Start / Stop
              full:          Full access


              read:          Read
              change:        Change
              full:          Full access

b) Specific permissions

Files / Directories:

              traverse:      Traverse folder / execute file
              list_dir:      List folder / read data
              read_attr:     Read attributes
              read_ea:       Read extended attributes
              add_file:      Create files / write data
              add_subdir:    Create folders / append data
              write_attr:    Write attributes
              write_ea:      Write extended attributes
              del_child:     Delete subfolders and files
              delete:        Delete
              read_dacl:     Read permissions
              write_dacl:    Write permissions
              write_owner:   Take ownership


              query_val:     Query value
              set_val:       Set value
              create_subkey: Create subkeys
              enum_subkeys:  Enumerate subkeys
              notify:        Notify
              create_link:   Create link
              delete:        Delete
              write_dacl:    Write permissions
              write_owner:   Take ownership
              read_access:   Read control

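
Since the thread is about using SetACL from cmd, here is an added worked example (not part of the original post and not from SetACL's own documentation) that strings the parameters quoted above into one batch script: back up the full security descriptor in SDDL (the only listing format 'restore' accepts), grant a group read/execute with inheritance on the DACL only, roll back from the backup if the grant fails, then list the result for review. The folder C:\Data, the group MYDOMAIN\FileReaders, the file names, SetACL.exe being on the PATH, and SetACL signalling failure with a non-zero exit code are all assumptions for the example.

```batch
@echo off
REM Added example, not from the original post or from SetACL's documentation.
REM Assumptions (placeholders, adjust to your environment): SetACL.exe is on
REM the PATH, C:\Data and MYDOMAIN\FileReaders exist, and SetACL returns a
REM non-zero exit code on failure.
setlocal

set "TARGET=C:\Data"
set "TRUSTEE=MYDOMAIN\FileReaders"
set "BACKUP=%~dp0data-sd-backup.sddl"
set "LOGFILE=%~dp0setacl.log"

REM 1. Back up DACL, SACL, owner and primary group (w:d,s,o,g) in SDDL format
REM    (f:sddl), including inherited ACEs (i:y) and trustees as SIDs (s:y),
REM    into the file named by -bckp. The 'restore' action only reads SDDL.
SetACL.exe -on "%TARGET%" -ot file -actn list -lst "f:sddl;w:d,s,o,g;i:y;s:y" -bckp "%BACKUP%" -log "%LOGFILE%"
if errorlevel 1 (
    echo Backup failed, leaving permissions untouched.
    exit /b 1
)

REM 2. Grant the group read_ex only (no write, no write_dacl) on the DACL
REM    (w:dacl). i:so,sc makes the ACE inherit to sub-objects and
REM    sub-containers. m:grant adds to the trustee's existing permissions;
REM    m:set would replace them. s:n says the trustee is a name, not a SID.
SetACL.exe -on "%TARGET%" -ot file -actn ace -ace "n:%TRUSTEE%;p:read_ex;s:n;i:so,sc;m:grant;w:dacl" -log "%LOGFILE%"
if errorlevel 1 (
    echo Grant failed, restoring the backed-up security descriptor.
    SetACL.exe -on "%TARGET%" -ot file -actn restore -bckp "%BACKUP%" -log "%LOGFILE%"
    exit /b 1
)

REM 3. List the resulting DACL in tabular form (f:tab), including inherited
REM    entries (i:y), with both names and SIDs (s:b), so the change can be
REM    reviewed against what was intended.
SetACL.exe -on "%TARGET%" -ot file -actn list -lst "f:tab;w:d;i:y;s:b"

endlocal
exit /b 0
```

Run it as an account that holds write_dacl on the target; the same backup-then-change pattern applies to the other object types (-ot reg, srv, prn, shr), only the permission names in the -ace parameter differ.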

#2 13 Jan 2010 19:44

Simon Sheppard
Super Administrator
Registered: 27 Aug 2005
Posts: 1,069

Re: Just curious will setACL be added for cmd?

I've limited the main SS64 page to only the standard Microsoft commands and Resource Kits, if I started adding every third party utility out there, we would end up with thousands of commands and duplicate functionality.

Also SetACL looks like a great and very powerful tool, but I've always struggled to get my head around the syntax - they really should release a 'lite' version or else split it into several commands.

