SetACL’s Feature Set

General information

  • Supported object types: files and folders, registry keys, printers, services, network shares, WMI
  • Works on local or remote systems in trusted or untrusted domains or workgroups
  • All functions can be used concurrently: this allows for very powerful commands that run fast, since time-consuming steps (like recursing a large file system) are performed only once

Main functionality

  • Edit permission and auditing entries
  • Set the owner to any user/group
  • List permissions, auditing and ownership information
  • Backup and restore entire security descriptors or only DACL/SACL/owner
  • Copy permissions between users or domains

Detailed feature set

  • Set multiple permissions for multiple users/groups at once
  • Exclude (filter) objects from processing by keyword(s) in their names
  • All standard and specific permissions of Windows are supported
  • Control how permissions are inherited by sub-objects (permission applies to: sub-folders, files, …)
  • Block permission inheritance (“protect” objects)
  • All operations work on a single object or recursively on a (directory/registry) tree
  • List mode reads security information of every object, regardless of permissions (like a backup program)
  • Unicode support: object names with Unicode characters are processed correctly
  • Very long paths: SetACL works with paths longer than 260 characters (MAX_PATH)
  • Reset permissions on all sub-objects and enable propagation of inherited permissions
  • Clear ACLs: remove any non-inherited entries (ACEs)
  • Remove a user/group from an ACL: completely removes any entry belonging to a certain user/group. A CSV input file can be used for bulk operations.
  • Replace a user/group: replace all entries of one user/group with another user/group. A CSV input file can be used for bulk operations.
  • Copy a user/group: copy all entries of one user/group to another user/group. A CSV input file can be used for bulk operations.
  • Remove all ACEs belonging to users/groups of a certain domain
  • Replace all ACEs belonging to users/groups of a certain domain with ACEs for users/groups of the same name in a second domain
  • Copy all ACEs belonging to users/groups of a certain domain to ACEs for users/groups of the same name in a second domain
  • List and optionally remove orphaned SIDs

System Requirements

SetACL works on all Windows NT-based operating systems from Windows 7 onwards. The newer, the better. This includes Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022.