SetACL’s Feature Set

General information

  • Supported object types: files and folders, registry keys, printers, services, network shares, WMI
  • Works on local or remote systems in trusted or untrusted domains or workgroups
  • All functions can be used concurrently: this allows for very powerful commands that run fast, since time-consuming steps (like recursing a large file system) are performed only once

Main functionality

  • Edit permission and auditing entries
  • Set the owner to any user/group
  • List permissions, auditing and ownership information
  • Backup and restore entire security descriptors or only DACL/SACL/owner
  • Copy permissions between users or domains

Detailed feature set

  • Set multiple permissions for multiple users/groups at once
  • Exclude (filter) objects from processing by matching keyword(s) against object names
  • All standard and specific permissions of Windows are supported
  • Control how permissions are inherited by sub-objects (permission applies to: sub-folders, files, …)
  • Block permission inheritance (“protect” objects)
  • All operations work on a single object or recursively on a (directory/registry) tree
  • List mode reads security information of every object, regardless of permissions (like a backup program)
  • Unicode support: object names with Unicode characters are processed correctly
  • Very long paths: SetACL works with paths longer than 260 characters (MAX_PATH)
  • Reset permissions on all sub-objects and enable propagation of inherited permissions
  • Clear ACLs: remove any non-inherited entries (ACEs)
  • Remove a user/group from an ACL: completely removes any entry belonging to a certain user/group. A CSV input file can be used for bulk operations.
  • Replace a user/group: replace all entries of one user/group by another user/group. A CSV input file can be used for bulk operations.
  • Copy a user/group: copy all entries of one user/group to another user/group. A CSV input file can be used for bulk operations.
  • Remove all ACEs belonging to users/groups of a certain domain
  • Replace all ACEs belonging to users/groups of a certain domain with ACEs for users/groups of the same name in a second domain
  • Copy all ACEs belonging to users/groups of a certain domain to ACEs for users/groups of the same name in a second domain
  • List and optionally remove orphaned SIDs

System Requirements

SetACL works on all Windows NT-based operating systems from Windows Vista onwards. The newer, the better. This includes Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 10, Windows Server 2016, and Windows Server 2019.