Command Line-Version (SetACL.exe) – Syntax and Description
For a quick start, tell SetACL the following:
- Object name (-on): This is the path to the object SetACL should operate on.
- Object type (-ot): What kind of object does the object name refer to: file or directory (file), registry key (reg), service (srv), printer (prn), network share (shr)?
- Action (-actn): What should SetACL do with the object specified?
Example:
SetACL.exe -on c:\Windows -ot file -actn list
This lists the permissions set on the Windows directory in the default list format (table).
Have a look at the examples section to get an idea what more complex commands look like.
Syntax
SetACL -on ObjectName -ot ObjectType
-actn Action1 ParametersForAction1
[-actn Action2 ParametersForAction2]
[Options]
It basically works like this: you specify one or more actions. Although actions have default parameters where that makes sense, in many cases you need to give SetACL some data to work with. That happens via additional parameters. Example: if the action is “set permissions”, then you need one additional parameter for each permission (ACE) to set, like “full control for everybody”.
Return codes
SetACL returns 0 upon successful execution and a higher number if errors occurred. A complete list of all return codes can be found here.
Parameter List
Lists all command-line parameters SetACL can digest. Some are mandatory, others are required if a certain other parameter has been specified, some are optional.
The sections below give more detailed explanations of each parameter.
Required parameters
Object Name
- -on ObjectName
- Sets path and/or name of the object to process.
Required
Object Type
- -ot ObjectType
- Sets the type of object.
Required
Action parameters
ACE
- -actn ace -ace "n:Trustee;p:Permission[;i:Inheritance;m:Mode;w:Where]"
- Adds or modifies access control entries (ACEs).
Multiple ACEs may be specified like this: -actn ace -ace "n:UserX;p:full" -ace "n:GroupY;p:read"
Trustee
- -actn trustee -trst "n1:Trustee1[;n2:Trustee2];ta:TrusteeAction[;w:What]"
- Removes Trustee1’s ACEs, or
replaces Trustee1 within ACEs with Trustee2, or
copies ACEs from Trustee1 to Trustee2.
Multiple trustees may be specified like this: -actn trustee -trst "n1:UserA;n2:UserB;ta:cpytrst" -trst "n1:UserX;n2:UserY;ta:cpytrst"
or (new in SetACL 3.0)
- -actn trustee -trst "csv:TrusteeInputFile;ta:TrusteeAction[;w:What]"
- Removes ACEs with specified trustees, replaces trustees within ACEs or copies ACEs to different trustees. Input is read from TrusteeInputFile.
Domain
- -actn domain -dom "n1:Domain1[;n2:Domain2];da:DomainAction[;w:What]"
- Removes all ACEs with trustees from Domain1, or
replaces Domain1 trustees in ACEs with corresponding Domain2 trustees, or
copies Domain1 trustee ACEs to corresponding Domain2 trustee ACEs.
Multiple domains may be specified like this: -actn domain -dom "n1:DomainA;n2:DomainB;da:cpydom" -dom "n1:DomainX;n2:DomainY;da:cpydom"
Set Owner
- -actn setowner -ownr "n:Trustee"
- Sets the owner.
Set Primary Group
- -actn setgroup -grp "n:Trustee"
- Sets the primary group.
Set Protection Flags
- -actn setprot -op "dacl:Protection;sacl:Protection"
- Configures protection from inheritance (whether to ‘allow inheritable permissions from the parent object to propagate to this object’).
Reset Children
- -actn rstchldrn -rst Where
- Resets permissions on all sub-objects and enables propagation of inherited permissions.
Clear
- -actn clear -clr Where
- Clears the ACL of any non-inherited ACEs. You can configure whether to remove non-inherited ACEs from the DACL, the SACL or both.
List
- -actn list [-lst "f:Format;w:What;i:ListInherited;s:DisplaySID;oo:OrphanedOnly"] [-bckp Filename]
- Lists permissions. If -lst is omitted, a listing of the non-inherited permissions is created in table format. The result can optionally be written to a backup file.
Restore
- -actn restore -bckp Filename
- Restores entire or parts of security descriptors from a file created with the list function. Please note that the listing needs to be in SDDL format.
Delete Orphaned SIDs
- -actn delorphanedsids [-os Where]
- Deletes ACEs with orphaned SIDs (SIDs from deleted users/groups). You can configure whether to do this for the DACL, the SACL or both (default: DACL).
Multiple Actions
If multiple actions are specified, they are processed in this order:
- restore
- clear
- trustee
- domain
- ace, setowner, setgroup, setprot
- rstchldrn
- list
Optional parameters
Recursion
- -rec Recursion
- Configures recursion.
Log File
- -log Filename
- Sets the name of a log file.
Filter Keyword
- -fltr Keyword
- Adds a filter keyword.
May be specified more than once.
Silent
- -silent
- Enables silent mode (no output written to screen).
Ignore Errors
- -ignoreerr
- Enables the error ignore mode, where SetACL does not stop upon an error.
Raw Mode
- -raw
- In version 2.1.1 filtering of pseudo-inherited ACEs was introduced. This changes pseudo-inherited ACEs into truly inherited ACEs right before they are set. This behavior may not be desired, so it can be switched off with the command-line parameter “-raw” beginning with version 2.2.2.
Parameter Description
ObjectName
Name of the object to process. The format depends on the object type, but you should be able to specify names in all common variations. If you want to access a remote machine, prepend “\\Servername\” to the name of the object.
File system paths can be relative, but should be absolute; only then can SetACL convert them to the format required by the kernel for very long paths – in other words, if you want SetACL to work with paths longer than MAX_PATH (260 characters), use absolute paths. You can use drive letters for local and mapped network drives and UNC paths for remote computers. You can also use volume GUIDs, typically to specify a mounted volume. Here are some examples of valid file system paths:
- C:\Data
- Directory “Data” on local drive C:
- M:\Data
- Directory “Data” on mapped network drive M:
- \\Server\Share\Data
- Directory “Data” on file server “Server” below share “Share”
- \\Server.domain.com\Share\Data
- Same as before, but the server name specified as DNS name instead of NetBIOS name
- \\?\Volume{8a78ee92-4b22-11df-89ee-bb2cb99ebac7}\
- Root directory of a volume identified by its GUID
- \\?\Volume{8a78ee92-4b22-11df-89ee-bb2cb99ebac7}
- Volume identified by its GUID (note the missing backslash at the end). Tip: typically you do not want to set permissions on a volume, but on its root directory.
Registry paths can be specified flexibly, using the full hive names (e.g. HKEY_LOCAL_MACHINE) or the well-known short forms (e.g. HKLM).
Note: On remote computers only the hives HKU and HKLM can be accessed!
Examples:
- HKLM\Software
- The registry key “Software” below hive HKEY_LOCAL_MACHINE.
- HKEY_LOCAL_MACHINE\Software
- The registry key “Software” below hive HKEY_LOCAL_MACHINE.
- \\Computer\HKEY_LOCAL_MACHINE\Software
- The registry key “Software” below hive HKEY_LOCAL_MACHINE on the remote computer “Computer”.
Paths to the other supported object types are specified in a way similar to file system paths. Here are some examples:
- LanmanWorkstation
- The workstation service on the local computer.
- \\Server\LanmanWorkstation
- The workstation service on the remote computer “Server”.
- “HP LaserJet 4200 PCL 6”
- The HP 4200 printer on the local computer.
- “\\Server\HP LaserJet 4200 PCL 6”
- The HP 4200 printer on the remote computer “Server”.
- Data$
- The share Data$ on the local computer.
- \\Server\Data$
- The share Data$ on the remote computer “Server”.
- root
- The root of the WMI namespace.
If the object name ends with a backslash and you enclose it in quotes, make sure to escape the last backslash with another backslash. For example, use “C:\\” instead of “C:\”.
ObjectType
Type of object:
- file
- Directory/file
- reg
- Registry key
- srv
- Service
- prn
- Printer
- shr
- Network share
- wmi
- WMI object
TrusteeAction
Action to perform on the trustee specified:
- remtrst
- Remove all ACEs belonging to trustee specified.
- repltrst
- Replace trustee ‘n1’ by ‘n2’ in all ACEs.
- cpytrst
- Copy the permissions for trustee ‘n1’ to ‘n2’.
TrusteeInputFile
Name (and optionally path) of a file that contains trustees for the specified trustee action. The format depends on the trustee action. For “remtrst” it is one trustee per line, for “repltrst” and “cpytrst” it is:
SourceTrustee,TargetTrustee
Trustees can be specified via their names or SIDs. Details can be found here.
DomainAction
Action to perform on the domain specified:
- remdom
- Remove all ACEs belonging to trustees of the domain specified.
- repldom
- Replace trustees from domain ‘n1’ by trustees with the same name from domain ‘n2’ in all ACEs.
- cpydom
- Copy permissions from trustees from domain ‘n1’ to trustees with the same name from domain ‘n2’ in all ACEs.
Explanation:
For every SID in the ACEs of the ACL(s), the name of the domain and user/group of the corresponding account is looked up. If the domain name is equal to the domain name ‘n1’ specified, the ACE is deleted in the case of ‘remdom’. In the case of ‘repldom’ or ‘cpydom’ a user/group of the same name is searched in the domain ‘n2’ specified. If such a user/group is found, either a new ACE with the same permissions and flags is created (‘cpydom’), or the SID in the ACE is replaced with the SID of the user/group in the domain ‘n2’ specified (‘repldom’).
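The lookup-and-map procedure just described, as an added example (this is a model of the documented behaviour, not SetACL's own code). A constructed SID table stands in for the operating system's account lookup, an ACL is a list of small dicts in SetACL's own vocabulary, and, because the text does not say what happens when ‘n2’ has no account of the same name, the model keeps the original ACE and reports the name (an assumption).

```python
# Model of the three domain actions (remdom, repldom, cpydom) as described
# above. Added example, not SetACL's own code: a constructed SID table stands
# in for the OS account lookup, and an ACL is a list of small dicts instead
# of a real security descriptor. Handling of trustees without a counterpart
# in n2 is not documented above; keeping the ACE and reporting it is an
# assumption of this model.

from copy import deepcopy

# Constructed SID -> (domain, account) table, standing in for LookupAccountSid.
ACCOUNTS = {
    "S-1-5-21-111-1001": ("OLDDOM", "FinanceRW"),
    "S-1-5-21-111-1002": ("OLDDOM", "Auditors"),      # no counterpart in NEWDOM
    "S-1-5-21-222-2001": ("NEWDOM", "FinanceRW"),
    "S-1-5-32-544": ("BUILTIN", "Administrators"),    # well-known, not a domain account
}

# Constructed ACL: permission set name, access mode and inheritance flags
# use the same keywords as the -ace parameter.
SAMPLE_ACL = [
    {"sid": "S-1-5-21-111-1001", "perm": "change", "mode": "grant", "inh": "so,sc"},
    {"sid": "S-1-5-21-111-1002", "perm": "read", "mode": "grant", "inh": "so,sc"},
    {"sid": "S-1-5-32-544", "perm": "full", "mode": "grant", "inh": "so,sc"},
]


def lookup_sid(sid):
    """(domain, name) for a SID, or None when it cannot be resolved (orphaned)."""
    return ACCOUNTS.get(sid)


def find_sid(domain, name):
    """Reverse lookup: SID of an account with this name in `domain`, or None."""
    for sid, (d, n) in ACCOUNTS.items():
        if d.upper() == domain.upper() and n.upper() == name.upper():
            return sid
    return None


def apply_domain_action(acl, action, n1, n2=None):
    """Return (new_acl, names_without_counterpart) for one domain action.

    Only ACEs whose trustee resolves to domain n1 are touched; orphaned SIDs
    and trustees from other domains pass through unchanged. Permissions, mode
    and inheritance flags are carried over verbatim for cpydom and repldom.
    """
    if action not in ("remdom", "repldom", "cpydom"):
        raise ValueError("unknown domain action: %s" % action)
    if action != "remdom" and not n2:
        raise ValueError("%s needs a target domain n2" % action)

    result, unresolved = [], []
    for ace in acl:
        account = lookup_sid(ace["sid"])
        if account is None or account[0].upper() != n1.upper():
            result.append(ace)              # not an n1 trustee: untouched
            continue
        if action == "remdom":
            continue                        # drop the whole ACE
        target = find_sid(n2, account[1])   # same name, other domain
        if target is None:
            unresolved.append(account[1])
            result.append(ace)              # keep the original (assumption)
            continue
        mapped = deepcopy(ace)
        mapped["sid"] = target
        if action == "cpydom":
            result.append(ace)              # cpydom: the source ACE stays ...
        result.append(mapped)               # ... and a copy for n2 is added;
                                            # repldom: only the mapped ACE remains
    return result, unresolved


if __name__ == "__main__":
    for action in ("remdom", "repldom", "cpydom"):
        new_acl, missing = apply_domain_action(SAMPLE_ACL, action, "OLDDOM", "NEWDOM")
        print(action, [(a["sid"], a["perm"]) for a in new_acl], "unresolved:", missing)
```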
Trustee
Name or SID of a trustee (a user or group). Supported formats:
- [{computer | domain}\]name
- SID string
Where:
- computer: DNS or NetBIOS name of a computer -> ‘name’ must be a local account on that computer.
- domain: DNS or NetBIOS name of a domain -> ‘name’ must be a domain user or group.
- name: user or group name.
- SID string: String representation of a SID, e.g. S-1-5-32-544 for the group Administrators. Here is a list of well-known SIDs that are the same across Windows versions and languages.
If no computer or domain name is given, SetACL tries to find a SID for ‘name’ in the following order:
- built-in accounts and well-known SIDs
- local accounts
- primary domain
- trusted domains
Specifying trustees as SIDs instead of using their names can be very useful in multi-language environments, because SIDs are language-independent, whereas predefined names are not. An example: the group ‘administrators’ is called ‘administratoren’ in German Windows versions. If you want your SetACL script to run on servers installed in either language you can use the well-known SID of the group ‘administrators’. Well-known SIDs are identical on every system. A list can be found here.
Domain
Name of a domain (NetBIOS or DNS name).
Permission
Permission(s) to set. Comma-separated list.
Here is a list of all permissions that can be set.
Example: ‘read,write_ea,write_dacl’
DisplaySID
Display trustee names as SIDs?
- y
- Yes
- n
- No
- b
- Both (names and SIDs)
Inheritance
Inheritance flags for the ACE. This may be a comma-separated list containing the following:
- so
- sub-objects
- sc
- sub-containers
- np
- no propagation
- io
- inherit only
Example: ‘io,so’
Mode
Access mode of this ACE.
The following access modes are valid with DACLs:
- set
- Replace all permissions for given trustee by those specified.
- grant
- Add permissions specified to existing permissions for given trustee.
- deny
- Deny permissions specified.
- revoke
- Remove permissions specified from existing permissions for given trustee.
These access modes are valid with SACLs:
- aud_succ
- Add an audit success ACE.
- aud_fail
- Add an audit failure ACE.
- revoke
- Remove permissions specified from existing permissions for given trustee.
Where
Apply settings to DACL, SACL, or both (comma-separated list):
- dacl
- Process the DACL (permissions list).
- sacl
- Process the SACL (auditing list).
- dacl,sacl
- Process DACL and SACL.
Recursion
These recursion settings are valid for file system objects:
- no
- No recursion.
- cont
- Recurse, and process directories only.
- obj
- Recurse, and process files only.
- cont_obj
- Recurse, and process directories and files.
These recursion settings are valid for registry objects:
- no
- Do not recurse.
- yes
- Do Recurse.
Recursion is not supported for other object types.
Protection
Controls the flag ‘allow inheritable permissions from the parent object to propagate to this object’:
- nc
- Do not change the current setting.
- np
- Object is not protected, i.e. inherits from parent.
- p_c
- Object is protected, ACEs from parent are copied.
- p_nc
- Object is protected, ACEs from parent are not copied.
Format
Which list format to use:
- sddl
- Standardized SDDL format. Only listings in this format can be restored.
- csv/own
- SetACL’s own format. Easier to read than SDDL.
- tab
- SetACL’s table format. Humans prefer this over CSV and SDDL (especially over SDDL).
What
Which components of security descriptors to include in the listing (comma-separated list):
- d
- DACL
- s
- SACL
- o
- Owner
- g
- Primary group
Example: ‘d,s’
ListInherited
List inherited permissions? If no, only permissions set directly on an object are listed (default).
- y
- Yes
- n
- No
Filename
Name of a file used for list/backup/restore operations or logging. The file is written in UNICODE.
Keyword
Keyword to filter object names by. Names and paths containing this keyword are not processed.
OrphanedOnly
Requires at least SetACL 3.0.
If enabled, only objects with orphaned SIDs are listed. Orphaned SIDs are SIDs that cannot be resolved to a name.
- y
- Yes
- n
- No
Valid Standard Permissions
Standard permissions sets provide easy access to the most commonly used combinations of specific permissions (for a list of the latter, see below).
Files / Directories
- read
- Read (FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_READ_ATTRIBUTES + READ_CONTROL)
- write
- Write (FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_WRITE_EA + FILE_WRITE_ATTRIBUTES)
- list_folder
- List folder (FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES + READ_CONTROL)
- read_ex
- Read, execute (FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES + READ_CONTROL)
- change
- Change (FILE_LIST_DIRECTORY + FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_READ_EA + FILE_WRITE_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + READ_CONTROL + DELETE)
- full
- Full access (FILE_LIST_DIRECTORY + FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_READ_EA + FILE_WRITE_EA + FILE_TRAVERSE + FILE_DELETE_CHILD + FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)
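The access masks behind the file-system sets listed above, as an added example (not code from SetACL): it ORs the winnt.h values of the named flags, decomposes a raw mask such as the 0x1200A9 that icacls /save writes, and compares each set with the mask the Windows ACL editor uses for the corresponding basic permission. The flag values and the Windows masks are winnt.h constants; the sets themselves are copied from the table above, and the only bit the Windows masks add is SYNCHRONIZE.

```python
# Access-mask arithmetic for SetACL's standard file-system permission sets.
# Added example (not SetACL's own code): the flag names and set definitions
# are copied from the table above; the numeric values are the winnt.h
# constants. The comparison at the end shows that the masks the Windows ACL
# editor writes for Read / Read & Execute / Modify / Full control consist of
# the same bits plus SYNCHRONIZE (0x100000).

# winnt.h values of the flags the table uses (a few have a file-side alias).
FILE_FLAGS = {
    "FILE_LIST_DIRECTORY": 0x0001,    # alias FILE_READ_DATA
    "FILE_ADD_FILE": 0x0002,          # alias FILE_WRITE_DATA
    "FILE_ADD_SUBDIRECTORY": 0x0004,  # alias FILE_APPEND_DATA
    "FILE_READ_EA": 0x0008,
    "FILE_WRITE_EA": 0x0010,
    "FILE_TRAVERSE": 0x0020,          # alias FILE_EXECUTE
    "FILE_DELETE_CHILD": 0x0040,
    "FILE_READ_ATTRIBUTES": 0x0080,
    "FILE_WRITE_ATTRIBUTES": 0x0100,
    "DELETE": 0x00010000,
    "READ_CONTROL": 0x00020000,
    "WRITE_DAC": 0x00040000,
    "WRITE_OWNER": 0x00080000,
    "SYNCHRONIZE": 0x00100000,
}

# The standard sets exactly as the Files / Directories table above lists them.
STANDARD_SETS = {
    "read": "FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_READ_ATTRIBUTES + READ_CONTROL",
    "write": "FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_WRITE_EA + FILE_WRITE_ATTRIBUTES",
    "list_folder": "FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES"
                   " + READ_CONTROL",
    "read_ex": "FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES"
               " + READ_CONTROL",
    "change": "FILE_LIST_DIRECTORY + FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_READ_EA"
              " + FILE_WRITE_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES"
              " + READ_CONTROL + DELETE",
    "full": "FILE_LIST_DIRECTORY + FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_READ_EA"
            " + FILE_WRITE_EA + FILE_TRAVERSE + FILE_DELETE_CHILD + FILE_READ_ATTRIBUTES"
            " + FILE_WRITE_ATTRIBUTES + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE",
}

# Masks the Windows ACL editor (and icacls: R, RX, M, F) applies for the
# corresponding basic permissions; winnt.h FILE_GENERIC_READ etc.
WINDOWS_UI_MASKS = {
    "read": 0x120089,
    "read_ex": 0x1200A9,
    "change": 0x1301BF,
    "full": 0x1F01FF,
}


def mask_of(flag_expr):
    """OR together the flags of an 'A + B + C' expression from the table."""
    mask = 0
    for name in flag_expr.split("+"):
        mask |= FILE_FLAGS[name.strip()]
    return mask


def standard_mask(name):
    """Numeric access mask of a SetACL standard set such as 'read_ex'."""
    return mask_of(STANDARD_SETS[name])


def flags_in(mask):
    """Decompose a raw mask (e.g. from icacls /save) into flag names."""
    return [n for n, v in FILE_FLAGS.items() if mask & v]


def extra_bits_in_windows(name):
    """Bits the Windows basic permission has that the SetACL set does not."""
    return WINDOWS_UI_MASKS[name] & ~standard_mask(name)


if __name__ == "__main__":
    for name in STANDARD_SETS:
        print("%-12s 0x%06X" % (name, standard_mask(name)))
    for name in WINDOWS_UI_MASKS:
        extra = extra_bits_in_windows(name)
        print("%s vs Windows: extra 0x%06X %s" % (name, extra, flags_in(extra)))
```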
Registry
- read
- Read (KEY_ENUMERATE_SUB_KEYS + KEY_EXECUTE + KEY_NOTIFY + KEY_QUERY_VALUE + KEY_READ + READ_CONTROL)
- full
- Full access (KEY_CREATE_LINK + KEY_CREATE_SUB_KEY + KEY_ENUMERATE_SUB_KEYS + KEY_EXECUTE + KEY_NOTIFY + KEY_QUERY_VALUE + KEY_READ + KEY_SET_VALUE + KEY_WRITE + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)
Printers
- print
- Print (PRINTER_ACCESS_USE + READ_CONTROL)
- man_printer
- Manage printer (PRINTER_ACCESS_ADMINISTER + PRINTER_ACCESS_USE + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)
- man_docs
- Manage documents (JOB_ACCESS_ADMINISTER + JOB_ACCESS_READ + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)
- full
- Full access (manage printer + manage documents)
Services
- read
- Read (SERVICE_ENUMERATE_DEPENDENTS + SERVICE_INTERROGATE + SERVICE_QUERY_CONFIG + SERVICE_QUERY_STATUS + SERVICE_USER_DEFINED_CONTROL + READ_CONTROL)
- start_stop
- Start / Stop (SERVICE_ENUMERATE_DEPENDENTS + SERVICE_INTERROGATE + SERVICE_PAUSE_CONTINUE + SERVICE_QUERY_CONFIG + SERVICE_QUERY_STATUS + SERVICE_START + SERVICE_STOP + SERVICE_USER_DEFINED_CONTROL + READ_CONTROL)
- full
- Full access (SERVICE_CHANGE_CONFIG + SERVICE_ENUMERATE_DEPENDENTS + SERVICE_INTERROGATE + SERVICE_PAUSE_CONTINUE + SERVICE_QUERY_CONFIG + SERVICE_QUERY_STATUS + SERVICE_START + SERVICE_STOP + SERVICE_USER_DEFINED_CONTROL + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)
Shares
- read
- Read (SHARE_CHANGE + READ_CONTROL + SYNCHRONIZE)
- change
- Change (SHARE_READ + DELETE + READ_CONTROL + SYNCHRONIZE)
- full
- Full access (SHARE_READ + SHARE_CHANGE + SHARE_WRITE + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE + SYNCHRONIZE)
WMI
- full
- Full access (WBEM_ENABLE + WBEM_METHOD_EXECUTE + WBEM_FULL_WRITE_REP + WBEM_PARTIAL_WRITE_REP + WBEM_WRITE_PROVIDER + WBEM_REMOTE_ACCESS + READ_CONTROL + WRITE_DAC)
- execute
- Execute access (WBEM_ENABLE + WBEM_METHOD_EXECUTE + WBEM_WRITE_PROVIDER)
- remote_access
- Remote access (WBEM_ENABLE + WBEM_REMOTE_ACCESS + WBEM_WRITE_PROVIDER)
- enable_account
- Enable account (WBEM_ENABLE)
Valid Specific Permissions
Files / Directories
- traverse
- Traverse Folder/Execute File
Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse Folder takes effect only when the group or user is not granted the “Bypass traverse checking” user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)
Execute File allows or denies running program files (applies to files only).
Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.
- list_dir
- List Folder/Read Data
List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. Applies to folders only.
Read Data allows or denies viewing data in files (applies to files only).
- read_attr
- Read Attributes
Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
- read_ea
- Read Extended Attributes
Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
- add_file
- Create Files/Write Data
Create Files allows or denies creating files within the folder (applies to folders only).
Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).
- add_subdir
- Create Folders/Append Data
Create Folders allows or denies creating folders within the folder (applies to folders only).
Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).
- write_attr
- Write Attributes
Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see “Create Files/Write Data”, “Create Folders/Append Data”, “Delete Subfolders and Files”, and “Delete”.
- write_ea
- Write Extended Attributes
Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see “Create Files/Write Data”, “Create Folders/Append Data”, “Delete Subfolders and Files”, and “Delete”.
- del_child
- Delete Subfolders and Files
Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file (applies to folders only).
- delete
- Delete
Allows or denies deleting the file or folder. If you don’t have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
- read_dacl
- Read Permissions
Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
- write_dacl
- Write Permissions
Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
- write_owner
- Take Ownership
Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
Registry
- query_val
- Query value
- set_val
- Set value
- create_subkey
- Create subkeys
- enum_subkeys
- Enumerate subkeys
- notify
- Notify
- create_link
- Create link
- delete
- Delete
- write_dacl
- Write permissions
- write_owner
- Take ownership
- read_access
- Read control
Services
- SERVICE_CHANGE_CONFIG
- Required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
- SERVICE_ENUMERATE_DEPENDENTS
- Required to call the EnumDependentServices function to enumerate all the services dependent on the service.
- SERVICE_INTERROGATE
- Required to call the ControlService function to ask the service to report its status immediately.
- SERVICE_PAUSE_CONTINUE
- Required to call the ControlService function to pause or continue the service.
- SERVICE_QUERY_CONFIG
- Required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
- SERVICE_QUERY_STATUS
- Required to call the QueryServiceStatus or QueryServiceStatusEx function to ask the service control manager about the status of the service. Required to call the NotifyServiceStatusChange function to receive notification when a service changes status.
- SERVICE_START
- Required to call the StartService function to start the service.
- SERVICE_STOP
- Required to call the ControlService function to stop the service.
- SERVICE_USER_DEFINED_CONTROL
- Required to call the ControlService function to specify a user-defined control code.
WMI
- WBEM_METHOD_EXECUTE
- Allows the execution of methods.
- WBEM_FULL_WRITE_REP
- Allows a user account to write to classes in the WMI repository as well as instances.
- WBEM_PARTIAL_WRITE_REP
- Allows you to write data to instances only, not classes.
- WBEM_WRITE_PROVIDER
- Allows writing classes and instances to providers.
- WBEM_REMOTE_ACCESS
- Allows a user account to remotely perform any operations allowed by their permissions.
- WBEM_RIGHT_SUBSCRIBE
- Specifies that a consumer can subscribe to the events delivered to a sink.
- WBEM_RIGHT_PUBLISH
- Specifies that the account can publish events to the instance of __EventFilter that defines the event filter for a permanent consumer.
- DELETE
- Delete
- WRITE_DAC
- Write permissions
- WRITE_OWNER
- Take ownership
- READ_CONTROL
- Read control
- SYNCHRONIZE
- Synchronize
20 Comments
Can I add a TRACELOG_LOG_EVENT permission to WRITE RESTRICTED for a EventLog-Application in Data Collector Sets\Event Trace (perfmon) with this tool?
Those permissions are placed as REG_BINARY in HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security!
Hello Helge,
I noticed that I cannot set WMI permissions “READ_CONTROL” “WRITE_DAC” when granting permissions to WMI namespaces.
All other permissions work, “READ_CONTROL” “WRITE_DAC” throw error “WMI permissions specified are invalid”.
Is this a known issue; is there any workaround?
Hope to hear from you!
I just tried setting READ_CONTROL and WRITE_DAC WMI permissions with SetACL 3.1.2 – it worked like a charm. Example:
Hello,
very nice tool but, in my case there is a bug: using option “da:cpydom” is not copying permissions, everybody will have “Full Access”.
Also tried with an old version (https://github.com/1508/Deployment-Utilities/raw/master/SetACL.exe) and it worked fine.
Please fix it.
Hello Helge,
Is there any Possibility to control how SetACL is processing (or not) NTFS-Links like Symbolic Links, Hard Links or Junctions? In ICACLS for Example there’s an Option Switch (/L) to specify, if the specified Operation is performed on a Link itself or on the Target File/Folder the Link points to. The TakeOwn Command in Windows in Analogy has a Parameter /SkipSL to skip those Links.
One Issue I encountered for Example is that SetACL seems to be stuck in an endless Loop when performing the “SetOwner” Operation in recurse (cont_obj) on a Folder that contains certain Links to other Files/Folders within that Folder, like the User Profile Folder (C:\Users\UserProfileDir).
One Workaround would be to not use the recurse Option (rec) and instead enumerate the desired Files/Folders to process them one by one by using a FOR-Loop in Combination with a DIR Command to Filter out unwanted Elements like:
Example: Take Ownership of a Folder and all its Content BUT DO NOT TOUCH ANY LINKS:
FOR /F "tokens=* delims=" %%A IN ('DIR /A:-L /B /S "[FolderPath]*" "[FolderPath]\*.*" 2^>NUL') DO (
SetACL -on "%%A" -ot file -actn setowner -ownr "n:Administrators"
)
But this would only Skip all the Links. A secondary inverse Loop (with a DIR /A:L) would be necessary to Filter for all Links and then process them by using ICACLS …… /setowner… (with Option /L).
Thanks in advance and I’m glad to hear from You.
Best Regards
Stefan
Where should I report an issue?
There is a problem with SYNCHRONIZE permission.
For example, when I set up Read & Execute permission (on directory) from UI, different tools show it in the following ways:
1) icacls, human-readable (console) output – RX
2) icacls /save – 0x1200a9 (note that 0x100000 is SYNCHRONIZE)
3) SetACL – read_execute
Either this documentation (above) is incorrect, and read_execute standard permission indeed includes SYNCHRONIZE.
Or SetACL incorrectly ignores SYNCHRONIZE.
Note that for Windows UI it is the first option: SYNCHRONIZE permission is set indirectly, in combination with other permissions.
See e.g. https://stackoverflow.com/a/35743804/2576070
How to disable modification of existing permissions of subdirectories like SubInACL does?
I’ve read the manual and tested many times, and I find that the subdirectories are cleared or inherited from the target directory.
You can’t set the subprojects all over again, especially with permissions as complex as the system files and registry keys.
The permissions of subdirectories will be cleared like this:
SetACL -silent -on "new" -ot file -actn setprot -op "dacl:p_nc;sacl:p_nc" -actn ace -ace "n:S-1-5-32-545;p:change;i:np;m:set"
The command “-rec no” does not work at all:
SetACL -silent -on "new" -ot file -actn setprot -op "dacl:p_nc;sacl:p_nc" -actn ace -ace "n:S-1-5-32-545;p:change;m:set" -rec no
Also, I would like SetACL can merge permissions automatically.
Thank you, very much!
Could this be used to add and set full permissions for the NETWORK SERVICES account on the HKEY_USERS\S-1-5-20 key? We have some computers were this is missing after a feature update to windows and needs this account added back in with full rights.
when setting perms I noticed the log does not show any errors or access denied when the account running does not have access. it only show what it was able to perm. Is there a verbose flag so we can search the logs for folders that are not able to be permed.
I tried the following, as suggested by “https://innov8tiv.com/fix-remote-procedure-call-failed-error-in-windows-8-and-windows-8-1/”:
SetACL -on "hkcu\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\winstore_cw5n1h2txyewy" -ot reg -actn ace -ace "n:S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493;p:full;i:so,sc;m:grant;w:dacl"
I get the following:
ERROR in command line: No parameter found for option Settings\Software\Microsoft
\Windows\CurrentVersion\AppContainer\Storage\winstore_cw5n1h2txyewy”!
It appears the space in “Local Settings” is causing the confusion. This confuses me as the entire string is in quotes. Is there a work around I am missing, or something I have done wrong?
Hi Helge,
I love SetACL. What power in such a versatile tool. Thank you for providing this. I do have a question for which I am looking for advice.
We are planning to change domains for a fileserver. In preparation, we need to copy the existing ACL’s from the old to the new domain.
We are using the guidance from https://helgeklein.com/blog/howto-reacling-a-file-server-in-a-domain-migration-with-setacl-3-0/ with the latest version from the website.
Results are partially as expected. What seems strange is:
- Some accounts/groups in the new domain get the required permissions, but set to deny instead of allow.
- Some groups had modify permissions in the source domain, and the groups in the new domain have full control.
We are using the following parameters:
-on \\servers\groupdata -ot file -rec cont_obj -actn domain -dom n1:sourceDomain;n2:destinationDomain;da:cpydom -log logfile.log -ignoreerr
Are we using the right parameters for our scenario? I hope you are willing to help. Cheers!
We’re also experiencing this issue. Did you manage to resolve this?
Domain copy is not working. always says group/user not found in destination domain. however if using trustee with the destination group object specifically it finds the user/group without any issue. would be nice to use this tool for file server migrations if it was working
Recently upgraded to Version 3.1.2 and encountered a problem – when saving a backup, 2kb files are created, I don’t see any reason for this, it happens at random. Not always the correct data is written (often it stops halfway through) and I see ("\\?\D:\\Last_03.05.24",1,"O:BAG:S-1-0x40000000000").
The command I send is (%Acl% -on "%FilePath%" -ot file -actn list -lst "f:sddl;w:d,s,o,g" -rec cont -bckp "%bakfile%" -silent), everything works fine on Version 3.0.6
Congratulations folks, we have a real windows API bug here I think! It fails intermittently! I think you were just lucky that when you tried an older version it ran ok. Run it on a single item like C:\ and it fails most of the time but succeeds every so often! Only with the types O and G (Owner and Group!) DACL and SACL seem to work every time.
C:\>c:\\setacl -on "C:\\" -ot file -actn list -lst "f:sddl;w:g"
Parsing the SD of failed with: The security ID structure is invalid.
SetACL finished with error(s):
SetACL error message: A SD could not be converted to/from string format
Operating system error message: The security ID structure is invalid.
C:\PSTools>echo %errorlevel%
27
C:\>c:\\setacl -on "C:\\" -ot file -actn list -lst "f:sddl;w:g"
"\\?\C:\",1,"G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
SetACL finished successfully.
C:\PSTools>echo %errorlevel%
0
Hi Helge, actually it does look like the problem does not exist in setacl 3.0.6.0 but does exist in the latest. I have a huge file server with a few hundred thousand user profile folders redirected (some created by Windows XP client GPOS!) and so there is a very old and diverse ACL structure. I found a copy of setacl.exe 3.0.6.0 and it runs every time without the errors. I am super curious what is happening? Email me if you like.
Hi there,
Would it be possible for me to get a copy of version 3.0.6 from you? I’m getting this same error trying to restore from a previously created backup file. I can’t do the restore with the version I have, and I have the same error with the latest version we can download here, so I’m hoping 3.0.6 might solve my issue.
Hello,
I have a question about the system service principal “SID S-1-15-2-2” or “ALLE EINGESCHRÄNKTEN ANWENDUNGSPAKETE” (ALL RESTRICTED APPLICATION PACKAGES).
With the Windows built-in CLI program “icacls.exe”, the command line “icacls.exe C:\AnyDir /grant *S-1-15-2-2:(OI)(CI)RX”
can supposedly add the SID mentioned to the ACL of any folder. Does this also work with
SetACL.exe using the command line “SetACL.exe -on "AnyDir" -ot file -actn ace -ace "n:S-1-15-2-2;p:read_ex"” on Win-10 or Win-11?
Unfortunately I cannot test this myself at the moment.
Best regards, Robert
Hello Robert,
did you get an answer to your question about the system service principal “SID S-1-15-2-2” or “ALLE EINGESCHRÄNKTEN ANWENDUNGSPAKETE”? I cannot test placing this SID in an ACL
myself either. That is why I am also interested in whether this SID can be set with SetACL.exe.
If you already have information on this, please contact me by e-mail.
Best regards, Helmut
Great explanation of the SetACL command line! I appreciate the detailed syntax breakdown and examples. It’s super helpful for managing permissions effectively. Thanks for sharing!