The free version of SetACL allows you to manage permissions for Windows objects such as folders or printers by managing their access control lists on the command line.
Submitted by Helge Klein
If you look under the hood of Windows you find permissions everywhere. Files and folders, registry keys, network shares, printers, services and WMI objects – all of these have security descriptors storing ownership, permission and auditing information. That opens up powerful management options, and SetACL is a great tool for the job. It sets and lists permissions practically anywhere in the system, locally and over the network, from the command line, scripts or programs.
SetACL – Manage access control lists
Managing Windows permissions
With nearly 500,000 downloads SetACL is a proven tool for automating and managing permissions. SetACL does everything Explorer does and much more. It has, for example, no problem whatsoever processing very long paths with more than 260 characters.
When you start to work with SetACL, the command line options may at first seem intimidating. That is because the program packs many features you will appreciate, like being able to bypass security when listing permissions.
If you have always wanted to check out the content of the “System Volume Information” folder stored in the root of every drive, try the following command on an elevated command prompt:
SetACL.exe -on "c:\System Volume Information" -ot file -actn list -lst f:tab -rec cont_obj
This instructs SetACL to list (-actn list) the permissions of the file system object (-ot file) System Volume Information (-on) recursively (-rec cont_obj), i.e. including all subfolders and files. The listing is printed on the screen in easy-to-read tabular format (-lst f:tab).
Automatic re-acling in migrations
Obviously SetACL is very good at setting permissions and changing object ownership. But let us rather skip to some very special capabilities, one of which is the re-acling feature. Copying existing permissions between domains can be extremely useful when you are performing a domain migration.
Suppose you have a domain OldDom whose user accounts you need to recreate in NewDom. You have already created all user accounts in NewDom with the same attributes as in OldDom, but the new user accounts still have no access to the company’s file shares. That is because although the user names in NewDom are the same as in OldDom, the users’ SIDs are different, and SIDs are what is stored in security descriptors, not user names.
In such a situation the following SetACL command would help:
SetACL.exe -on "\\server1\share1" -ot file -actn domain -rec cont_obj -dom "n1:OldDom;n2:NewDom;da:cpydom;w:dacl"
This instructs SetACL to copy all permission entries from OldDom to the corresponding account in NewDom for every file and folder below “\\server1\share1”.
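To verify a re-ACL run like the one above, the following PowerShell check reports every explicit OldDom permission entry that has no equivalent NewDom entry on the same object. It is an added example, not part of SetACL or of the original article; the function name Find-UnmigratedAce is hypothetical, and it assumes both domains can be resolved from the machine running it (entries that only show up as raw SIDs are not matched).

```powershell
# Added example: report explicit OldDom ACEs that have no matching NewDom ACE.
# Domain names and share path are the article's; the function name is hypothetical.
function Find-UnmigratedAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $OldDomain = 'OldDom',
        [string] $NewDomain = 'NewDom'
    )

    # Check the root object itself plus everything below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Inherited ACEs are fixed at the parent, so only explicit ones matter here.
        $explicit = $acl.Access | Where-Object { -not $_.IsInherited }

        foreach ($ace in $explicit) {
            # Names resolve to DOMAIN\account; well-known or unresolved entries have no domain part.
            $domain, $account = $ace.IdentityReference.Value -split '\\', 2
            if ($domain -ne $OldDomain -or -not $account) { continue }

            # A migrated ACE has the same account name, rights, type and flags under NewDom.
            $match = $explicit | Where-Object {
                $_.IdentityReference.Value -eq "$NewDomain\$account" -and
                $_.FileSystemRights  -eq $ace.FileSystemRights -and
                $_.AccessControlType -eq $ace.AccessControlType -and
                $_.InheritanceFlags  -eq $ace.InheritanceFlags -and
                $_.PropagationFlags  -eq $ace.PropagationFlags
            }
            if (-not $match) {
                [pscustomobject]@{
                    Path    = $item.FullName
                    Account = $ace.IdentityReference.Value
                    Rights  = $ace.FileSystemRights
                    Type    = $ace.AccessControlType
                }
            }
        }
    }
}

Find-UnmigratedAce -Path '\\server1\share1' | Format-Table -AutoSize
```

An empty result means every explicit OldDom entry found has a NewDom counterpart; any rows listed are objects where NewDom users would still lack the access their OldDom accounts had.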
SetACL can do much more than could be described in this article. To learn more, download SetACL, check out the program’s documentation and have a look at the examples. Any remaining questions are likely answered quickly in the support forum.