Managing File System Permissions with SetACL.exe
Example 1.1 – Setting Permissions
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
Sets ‘change’ permissions on the directory ‘c:\my dir’ for user ‘user1’ in domain ‘domain1’.
Example 1.2 – Setting Multiple Permissions
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:read,write_dacl"
Same as the previous example, but sets the following two permissions:
- read (standard permission set)
- write_dacl (specific permission)
Example 1.3 – Adding Multiple ACEs
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:administrators;p:full"
Same as the first example, but additionally sets ‘full’ permissions for the group ‘administrators’.
Example 1.4 – Specifying SIDs
SetACL.exe -on "C:\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
An improved version of the previous example: ‘administrators’ is a built-in group whose name depends on the language of the operating system. It is therefore better to use its well-known SID, which never changes.
Example 1.5 – Remote Systems
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
Same as the previous example, but using a UNC name to access the server ‘server1’ remotely via the network share ‘share1’.
Example 1.6 – Auditing Entries (SACL)
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
Same as the previous example, but additionally setting an auditing entry for all (‘full’) failed attempts of ‘user2’ from domain ‘domain2’.
Example 1.7 – Cleaning up ACLs
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
Same as the previous example, but first (see ordering of actions in the documentation) the DACL and SACL are cleared of any non-inherited entries, and then the specified ACEs are set. This effectively ‘cleans up’ messed-up ACLs.
Example 1.8 – Resetting Child Objects
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
Same as the previous example, but with even more housekeeping: inheritance from the parent is enabled on all sub-objects and their own permissions are reset, so that only the permissions specified here are effective throughout the whole directory tree.
Example 1.9 – Using the Log File
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
-log "c:\my files\setacl log.txt"
Same as the previous example, but all output is written both to the screen and to the log file ‘c:\my files\setacl log.txt’.
Example 1.10 – Silent Mode
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
-log "c:\my files\setacl log.txt"
-silent
Same as the previous example, but no output is written to the screen, only to the log file ‘c:\my files\setacl log.txt’.
Example 1.11 – Filtering and Excluding Objects
SetACL.exe -on "\\server1\share1\my dir" -ot file -actn ace
-ace "n:domain1\user1;p:change"
-ace "n:S-1-5-32-544;p:full"
-ace "n:domain2\user2;p:full;m:aud_fail;w:sacl"
-actn clear -clr "dacl,sacl"
-actn rstchldrn -rst "dacl,sacl"
-log "c:\my files\setacl log.txt"
-silent
-fltr "secrets" -fltr "top secret"
Same as the previous example, but files and directories whose paths contain the strings ‘secrets’ or ‘top secret’ are excluded from processing.
Example 1.12 – Setting the Owner
SetACL.exe -on "\\server1\share1\users" -ot file -actn setprot
-op "dacl:np;sacl:nc"
-rec cont_obj
-actn setowner -ownr "n:S-1-5-32-544"
Resets a whole directory tree to what most administrators dream of: the owner of all files and directories is set to the group ‘administrators’, and the flag ‘allow inheritable permissions from the parent object to propagate to this object’ is enabled on all objects’ DACLs; the SACLs are left unchanged.
Example 2 – Listing and Backup
SetACL.exe -on "\\server1\share1\users" -ot file -actn list
-lst "f:sddl;w:d,s,o,g"
-rec cont
-bckp "d:\data\setacl listing.txt"
Creates a complete listing of DACL, SACL, owner and primary group in SDDL format for the directory ‘\\server1\share1\users’ and all sub-folders. The listing is stored in Unicode format in the specified backup file.
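As an added example (not code from the SetACL documentation): a small Python parser for the SDDL strings that the listing above produces. It answers the two questions raised by Examples 1.7 and 1.12 when reviewing such a listing, namely which ACEs are explicit rather than inherited (what ‘-actn clear’ removes) and whether a DACL is protected against inheritance from its parent. The SDDL sample is constructed; the surrounding layout of SetACL’s backup file is not modelled.

```python
# Parse SDDL security descriptors, the format SetACL's "-lst f:sddl" listing emits, and
# pull out what an ACL review needs: owner, DACL protection flag, explicit vs inherited ACEs.
import re
from dataclasses import dataclass

# SDDL two-letter aliases for the well-known SIDs used in this page's examples.
SID_ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "WD": "S-1-1-0"}
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:)[^:])*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

@dataclass
class Ace:
    ace_type: str   # A = access allowed, D = access denied, AU = system audit
    flags: list     # OI, CI, NP, IO, ID (inherited), SA (audit success), FA (audit failure)
    rights: str     # FA = full access, or a hex access mask
    sid: str        # always an S-1-... string

    @property
    def inherited(self) -> bool:
        return "ID" in self.flags   # INHERITED_ACE: propagated from the parent object

def _parse_ace(text: str) -> Ace:
    ace_type, flags, rights, _obj, _inh_obj, sid = text.split(";")[:6]
    return Ace(ace_type, [flags[i:i + 2] for i in range(0, len(flags), 2)],
               rights, SID_ALIASES.get(sid, sid))

def parse_sddl(sddl: str) -> dict:
    """Return owner, group, dacl and sacl; each ACL is (control_flags, [Ace, ...])."""
    desc = {"owner": None, "group": None, "dacl": ("", []), "sacl": ("", [])}
    for tag, body in SECTION_RE.findall(sddl):
        if tag in "OG":
            desc["owner" if tag == "O" else "group"] = SID_ALIASES.get(body, body)
        else:
            control = body.split("(", 1)[0]   # "P", "AI" or "PAI" ahead of the first ACE
            aces = [_parse_ace(a) for a in ACE_RE.findall(body)]
            desc["dacl" if tag == "D" else "sacl"] = (control, aces)
    return desc

def explicit_aces(sddl: str, acl: str = "dacl") -> list:
    """The non-inherited ACEs, i.e. exactly what '-actn clear' removes."""
    return [a for a in parse_sddl(sddl)[acl][1] if not a.inherited]

def dacl_protected(sddl: str) -> bool:
    """True when the DACL carries the P flag: inheritance from the parent is blocked."""
    return "P" in parse_sddl(sddl)["dacl"][0]

# Constructed sample: inherited full control for BUILTIN\Administrators, one explicit ACE
# for a domain user, and a failed-access audit entry in the SACL.
SAMPLE = ("O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-1-2-3-1001)"
          "S:(AU;OICIFA;FA;;;S-1-5-21-1-2-3-1002)")
```

Run over every line of a listing, `explicit_aces` shows which objects still carry hand-set entries after a clean-up like Example 1.7, and `dacl_protected` flags the objects whose inheritance Example 1.12 would re-enable.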
Example 3 – Restore
SetACL.exe -on "dummy entry" -ot file -actn restore
-bckp "d:\data\setacl listing.txt"
Restores all (!) security descriptor data (DACL, SACL, owner, primary group) from the backup file to its original location.
BEWARE: If you have the appropriate user rights (usually, being a member of the administrators group on the target system is sufficient) ALL data in the security descriptor is overwritten!
Comment: Only data contained in the backup file is overwritten, i.e. if you create a backup of the SACL only, when you restore it, the DACL, owner and primary group are left unchanged!
Example 4 – Copying Permissions Between Users
SetACL.exe -on "\\server1\share1\users" -ot file -actn trustee
-rec cont_obj
-trst "n1:domain1\user1;n2:domain2\user2;ta:cpytrst;w:dacl"
This command copies all ACEs belonging to ‘domain1\user1’ to ‘domain2\user2’ resulting in a duplication of permissions: after the process domain2\user2 has the same permissions as domain1\user1. This might be useful in a migration scenario where users from domain1 are migrated (copied) to domain2.
Example 5 – Migrating Permissions Between Domains
SetACL.exe -on "\\server1\share1\users" -ot file -actn domain
-rec cont_obj
-dom "n1:domain1;n2:domain2;da:repldom;w:dacl"
This is useful in a domain migration scenario where users from domain1 are migrated (copied) to domain2. This command replaces all SIDs belonging to users/groups from domain1 with SIDs of users/groups with the same names from domain2 resulting in a replacement of permissions: after the process domain2\user1 has the permissions domain1\user1 previously had.
Example 6 – Removing all Permissions of a User
SetACL.exe -on "c:\\" -ot file -actn trustee
-trst "n1:UserOrGroup;ta:remtrst;w:dacl,sacl" -rec cont_obj -ignoreerr
Removes “UserOrGroup” from the ACLs of all files on drive C:.
5 Comments
How do I filter out objects that do not have the inheritance flag set? I do not want to change their permissions, only the ones that inherit.
This was confusing for me at first since I didn’t understand how to run the command. After trial and error, I see that the syntax should all be on one line. Thanks for a great cmdlet!
This command doesn’t work: even if the names of users and groups are the same in domain1 and domain2, it acts as “cpydom”: it copies permissions, it doesn’t replace them; the old domain1 permissions still stay on.
SetACL.exe -on "\\server1\share1\users" -ot file -actn domain
-rec cont_obj
-dom "n1:domain1;n2:domain2;da:repldom;w:dacl"
I have a problem with copying permissions between users… The problem is that I use the example provided in the instructions for copying permissions between users in domain1 and domain2. It works well when the path is local, like C:\Folder; however, if you use a share for processing as shown in your example, the permissions are copied for the user, but in the process it also removes all inherited permissions for the folder (like System, Administrators, etc.).
Example 4 – Copying Permissions Between Users
SetACL.exe -on "\\server1\share1\users" -ot file -actn trustee
-rec cont_obj
-trst "n1:domain1\user1;n2:domain2\user2;ta:cpytrst;w:dacl"
This command copies all ACEs belonging to ‘domain1\user1’ to ‘domain2\user2’ resulting in a duplication of permissions: after the process domain2\user2 has the same permissions as domain1\user1. This might be useful in a migration scenario where users from domain1 are migrated (copied) to domain2.
This is a feature request: I wish that “-fltr” included the capability to exclude a drive prefix. For example, now I use ‘-fltr "System Volume Information"’. I’d like to be able to use ‘-fltr "E:\System Volume Information\"’ in case some user has a file/folder named “System Volume Information”.
Currently, I do not get an error, but the filter just doesn’t work.