SetACL is a set of routines for managing Windows permissions (ACLs) from the command line, from scripts and from programs. These routines can be used from various container or interface programs. (http://setacl.sourceforge.net/).
If you start with setacl.exe the syntax may look a bit cryptic, but once you split it up it becomes much easier to read. I use a few environment variables to do the splitting:
```batch
rem DACL = access control / SACL = audit control
set Users_ReadEx=-actn ace -ace "n:S-1-5-32-545;p:read_ex;s:y"
set Users_Change=-actn ace -ace "n:S-1-5-32-545;p:change;s:y"
set Users_Full=-actn ace -ace "n:S-1-5-32-545;p:full;s:y"
set Admins_Full=-actn ace -ace "n:S-1-5-32-544;p:full;s:y"
set SYSTEM_Full=-actn ace -ace "n:S-1-5-18;p:full;s:y"
set _DOMAIN-Grp3_Full=-actn ace -ace "n:_DOMAIN_\_DOMAIN-Grp3_;p:full;s:n"
set _DOMAIN-Grp2_ReadEx=-actn ace -ace "n:_DOMAIN_\_DOMAIN-Grp2_;p:read_ex;s:n"
set Owner_DOMAIN-Grp3=-actn setowner -ownr "n:_DOMAIN_\_DOMAIN-Grp3_;s:n"
rem this well-known SID (TrustedInstaller) is only available on Windows Vista!
set TrustedInstaller_List=-actn ace -ace "n:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464;p:full;s:y;i:sc"
set ClearInherits=-actn setprot -op "dacl:p_nc;sacl:p_nc"
set ResetInherits=-actn rstchldrn -rst "dacl,sacl"
set ResetPermAndEnableInherits=-actn setprot -op "dacl:np;sacl:np" -actn rstchldrn -rst "dacl,sacl"
set RecurseRegistry=-rec yes
set RecurseFolders=-rec cont
set RecurseFiles=-rec obj
set RecurseBoth=-rec cont_obj
set CopyInherits=-actn setprot -op "dacl:p_c;sacl:p_c"
set ExcludeFilter=-fltr .EXE -fltr .COM -fltr .DLL
rem remove the "-silent" to get extra verbose messages
set DebugSw=-silent
```
Replace the string _DOMAIN_ above with your domain (or workstation) name, and do the same for the _DOMAIN-GrpX_ placeholders.
Now some examples using those pre-defined variables.

Add change permission for a complete directory tree:

```batch
set MYDIR="%ProgramFiles%\FolderToProcess"
setacl.exe -on %MYDIR% -ot file %CopyInherits% %RecurseFiles% %DebugSw%
setacl.exe -on %MYDIR% -ot file %Users_Change% %RecurseFiles% %DebugSw%
setacl.exe -on %MYDIR% -ot file %Admins_Full% %SYSTEM_Full% %TrustedInstaller_List% %Users_Change% %ClearInherits% %DebugSw%
```
Remove change permission for a single file:
```batch
set MYFILE="%ProgramFiles%\FolderToProcess\file2.xml"
setacl.exe -on %MYFILE% -ot file %Admins_Full% %SYSTEM_Full% %Users_ReadEx% %ClearInherits% %DebugSw%
```
Of course you can add wildcard support for this. Here is an example that processes all XML files in a tree (hint: the for command must stay on ONE line):

```batch
call :FILES_REMOVE-CHANGE-PERM "%ProgramFiles%\FolderToProcess" "*.xml"
goto :EOF

:FILE_REMOVE-CHANGE-PERM
setacl.exe -on %1 -ot file %Admins_Full% %SYSTEM_Full% %Users_ReadEx% %ClearInherits% %DebugSw%
goto :EOF

:FILES_REMOVE-CHANGE-PERM
rem dir /b /s prints full paths; %~1 and %~2 strip the surrounding quotes of the arguments
for /f "tokens=*" %%i in ('dir "%~1\%~2" /b /s') do call :FILE_REMOVE-CHANGE-PERM "%%i"
goto :EOF
```
Another example shows how a user group can remove the Users permission from a folder tree. Please note that this group needs the Windows user right "Restore files and directories", because it has to change the file owner (Local Security Settings, Local Policies, User Rights Assignment).

```batch
set MYDIR="%ProgramFiles%\FolderToProcess"
rem change owner
setacl.exe -on %MYDIR% -ot file %Owner_DOMAIN-Grp3% %RecurseBoth%
rem set the new permission
setacl.exe -on %MYDIR% -ot file %ClearAll% %ClearInherits% %Admins_Full% %SYSTEM_Full% %_DOMAIN-Grp3_Full% %_DOMAIN-Grp2_ReadEx%
```
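As an added example (not part of the original post or of SetACL itself), here is a complete script that ties the take-ownership-and-reset sequence above together with error checking and a final listing of the resulting ACL, so the change can be verified or logged. It defines only the variables it needs, takes the ClearAll definition from the comments on this post, and assumes that setacl.exe is on the PATH, that the folder and the group are passed as arguments, and that SetACL's list action accepts -lst "f:sddl;w:d,o" for SDDL output of DACL and owner.

```batch
@echo off
setlocal
rem Example wrapper, not from the original post: reset a folder tree to a known
rem explicit ACL and show the result. Run from an elevated prompt; the setowner
rem step needs the "Restore files and directories" user right.
rem Usage: reset-tree.cmd "C:\Program Files\FolderToProcess" DOMAIN GroupName

if "%~3"=="" (
    echo Usage: %~nx0 ^<folder^> ^<domain^> ^<group^>
    exit /b 2
)
set "TARGET=%~1"
set "GRP=%~2\%~3"

rem Variables as defined in the post (s:y = name is a SID, s:n = DOMAIN\name)
set Admins_Full=-actn ace -ace "n:S-1-5-32-544;p:full;s:y"
set SYSTEM_Full=-actn ace -ace "n:S-1-5-18;p:full;s:y"
set Grp_Full=-actn ace -ace "n:%GRP%;p:full;s:n"
set Owner_Grp=-actn setowner -ownr "n:%GRP%;s:n"
set ClearInherits=-actn setprot -op "dacl:p_nc;sacl:p_nc"
set RecurseBoth=-rec cont_obj
rem ClearAll is not defined in the post; this is the definition given in the comments
set ClearAll=-actn clear -clr "dacl,sacl"

rem 1. Take ownership of the whole tree (fails without the restore right)
setacl.exe -on "%TARGET%" -ot file %Owner_Grp% %RecurseBoth% -silent
if errorlevel 1 goto :fail

rem 2. Wipe the existing DACL/SACL of the top folder, block inheritance from
rem    above and write the new explicit ACEs (same pattern as the post)
setacl.exe -on "%TARGET%" -ot file %ClearAll% %ClearInherits% %Admins_Full% %SYSTEM_Full% %Grp_Full% -silent
if errorlevel 1 goto :fail

rem 3. Reset all children so they inherit the new ACL from the top folder
setacl.exe -on "%TARGET%" -ot file -actn rstchldrn -rst "dacl,sacl" -silent
if errorlevel 1 goto :fail

rem 4. Print DACL and owner as SDDL for verification (assumed list syntax)
setacl.exe -on "%TARGET%" -ot file -actn list -lst "f:sddl;w:d,o"
exit /b 0

:fail
echo SetACL failed with exit code %errorlevel% on "%TARGET%" 1>&2
exit /b 1
```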
3 Comments
1 thor wrote:
You really simplified the examples here. This should be on the setacl homepage!
I have just one question at the moment: what is in the variable %ClearAll%?
it’s not in your page…
2 PCP wrote:
Same here — great work, really makes it easier — but where do you define ClearAll?
3 shimon doodkin wrote:
set ClearALL=-actn clear -clr "dacl,sacl"