SetACL’s Feature Set
- Supported object types: files and folders, registry keys, printers, services, network shares, WMI
- Works on local or remote systems in trusted or untrusted domains or workgroups
- All functions can be used concurrently: this allows for very powerful commands that run fast, since time consuming steps (like recursing a large file system) are performed only once
- Edit permission and auditing entries
- Set the owner to any user/group
- List permissions, auditing and ownership information
- Backup and restore entire security descriptors or only DACL/SACL/owner
- Copy permissions between users or domains
Detailed feature set
- Set multiple permissions for multiple users/groups at once
- Exclude (filter) object names not to be processed by keyword(s)
- All standard and specific permissions of Windows are supported
- Control how permissions are inherited by sub-objects (permission applies to: sub-folders, files, …)
- Block permission inheritance (“protect” objects)
- All operations work on a single object or recursively on a (directory/registry) tree
- List mode reads security information of every object, regardless of permissions (like a backup program)
- Unicode support: object names with Unicode characters are processed correctly
- Very long paths: SetACL works with paths longer than 260 characters (MAX_PATH)
- Reset permissions on all sub-objects and enable propagation of inherited permissions
- Clear ACLs: remove any non-inherited entries (ACEs)
- Remove a user/group from an ACL: completely removes any entry belonging to a certain user/group. A CSV input file can be used for bulk operations.
- Replace a user/group: replace all entries of one user/group by another user/group. A CSV input file can be used for bulk operations.
- Copy a user/group: copy all entries of one user/group to another user/group. A CSV input file can be used for bulk operations.
- Remove all ACEs belonging to users/groups of a certain domain
- Replace all ACEs belonging to users/groups of a certain domain with ACEs for users/groups of the same name in a second domain
- Copy all ACEs belonging to users/groups of a certain domain to ACEs for users/groups of the same name in a second domain
- List and optionally remove orphaned SIDs.
SetACL works on all Windows NT-based operating systems from Windows 7 onwards. The newer, the better. This includes Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022.