zoukankan      html  css  js  c++  java
  • Command Line-Version (SetACL.exe) – Syntax and Description

    For a quick start, tell SetACL the following:

    • Object name (-on): This is the path to the object SetACL should operate on (file/directory/registry key/network share/service/printer).
    • Object type (-ot): What kind of object does the object name refer to: file or directory (file), registry key (reg), service (srv), printer (prn), network share (shr)?
    • Action (-actn): What should SetACL do with the object specified?

    Example:

    SetACL.exe -on c:Windows -ot file -actn list

    This lists the permissions set on the Windows directory in the default list format (CSV).

    Have a look at the examples section to get an idea what more complex commands look like.

    Syntax

    SetACL -on ObjectName -ot ObjectType
           -actn Action1 ParametersForAction1
           [-actn Action2 ParametersForAction2]
           [Options]

    It basically works like this: you specify one or more actions. Although actions have default parameters where that makes sense, in many cases you need to give SetACL some data to work with. That happens via additional parameters. Example: if the action is “set permissions”, then you need one additional parameter for each permission (ACE) to set, like “full control for everybody”.

    Return codes

    SetACL returns 0 upon successful execution and a higher number if errors occurred. A complete list of all return codes can be found here.

    Parameter List

    Lists all command-line parameters SetACL can digest. Some are mandatory, others are required if a certain other parameter has been specified, some are optional.

    Click on the links to jump to sections with more detailed explanations.

    Required parameters

    Object Name
    -on ObjectName
    Sets path and/or name of the object to process.
    Required
    Object Type
    -ot ObjectType
    Sets the type of object.
    Required

    Action parameters

    ACE
    -actn ace -ace “n:Trustee;p:Permission[;i:Inheritance;m:Mode;w:Where]“
    Adds or modifies access control entries (ACEs).
    Multiple ACEs may be specified like this: -actn ace -ace "n:UserX;p:full" -ace "n:GroupY;p:read"
    Trustee
    -actn trustee -trst “n1:Trustee1[;n2:Trustee2];ta:TrusteeAction[;w:What]“
    Removes Trustee1‘s ACEs, or
    replaces Trustee1 within ACEs with Trustee2, or
    copies ACEs from Trustee1 to Trustee2.
    Multiple trustees may be specified like this: -actn trustee -trst "n1:UserA;n2:UserB;ta:cpytrst" -trst "n1:UserX;n2:UserY;ta:cpytrst"

    or (new in SetACL 3.0)

    -actn trustee -trst “csv:TrusteeInputFile;ta:TrusteeAction[;w:What]“
    Removes ACEs with specified trustees, replaces trustees within ACEs or copies ACEs to different trustees. Input is read from TrusteeInputFile.
    Domain
    -actn domain -dom “n1:Domain1[;n2:Domain2];da:DomainAction[;w:What]“
    Removes all ACEs with trustees from Domain1, or
    replaces Domain1 trustees in ACEs with corresponding Domain2 trustees, or
    copies Domain1 trustee ACEs to corresponding Domain2 trustee ACEs.
    Multiple domains may be specified like this: -actn domain -dom "n1:DomainA;n2:DomainB;ta:cpydom" -dom "n1:DomainX;n2:DomainY;da:cpydom"
    Set Owner
    -actn setowner -ownr “n:Trustee
    Sets the owner.
    Set Primary Group
    -actn setgroup -grp “n:Trustee
    Sets the primary group.
    Set Protection Flags
    -actn setprot -op “dacl:Protection;sacl:Protection
    Configures protection from inheritance (whether to ‘allow inheritable permissions from the parent object to propagate to this object’).
    Reset Children
    -actn rstchldrn -rst Where
    Resets permissions on all sub-objects and enables propagation of inherited permissions.
    Clear
    -actn clear -clr Where
    Clears the ACL of any non-inherited ACEs. You can configure whether to remove non-inherited ACEs from the DACL, the SACL or both.
    List
    -actn list [-lst "f:Format;w:What;i:ListInherited;s:DisplaySID;oo:OrphanedOnly"] [-bckp Filename]
    Lists permissions. If -lst is omitted, a listing of the non-inherited permissions is created in tabular format. The result can optionally be written to a backup file.
    Restore
    -actn restore -bckp Filename
    Restores entire or parts of security descriptors from a file created with the list function. Please note that the listing needs to be in SDDL format.
    Delete Orphaned SIDs
    -actn delorphanedsids [-os Where]
    Deletes ACEs with orphaned SIDs (SIDs from deleted users/groups). You can configure whether to do this for the DACL, the SACL or both (default: DACL).

    Multiple Actions

    If multiple actions are specified, they are processed in this order:

    1. restore
    2. clear
    3. trustee
    4. domain
    5. ace, setowner, setgroup, setprot
    6. rstchldrn
    7. list

    Optional parameters

    Recursion
    -rec Recursion
    Configures recursion.
    Log File
    -log Filename
    Sets the name of a log file.
    Filter Keyword
    -fltr Keyword
    Adds a filter keyword.
    May be specified more than once.
    Silent
    -silent
    Enables silent mode (no output written to screen).
    Ignore Errors
    -ignoreerr
    Enables the error ignore mode, where SetACL does not stop upon an error.
    Raw Mode
    -raw
    In version 2.1.1 filtering of pseudo-inherited ACEs was introduced. This changes pseudo-inherited ACEs into truly inherited ACEs right before they are set. This behavior may not be desired, so it can be switched off with the command-line parameter “-raw” beginning with version 2.2.2.

    Parameter Description

    ObjectName

    Name of the object to process. The format depends on the object type, but you should be able to specify names in all common variations. If you want to access a remote machine, prepend “\Servername” to the name of the object.

    File system paths can be relative, but should be absolute; only then can SetACL convert them to the format required by the kernel for very long paths – in other words, if you want SetACL to work with paths longer than MAX_PATH (260 characters), use absolute paths. You can use drive letters for local and mapped network drives and UNC paths for remote computers. You can also use volume GUIDs, typically to specify a mounted volume. Here are some examples of valid file system paths:

    C:Data
    Directory “Data” on local drive C:
    M:Data
    Directory “Data” on mapped network drive M:
    \ServerShareData
    Directory “Data” on file server “Server” below share “Share”
    \Server.domain.comShareData
    Same as before, but the server name specified as DNS name instead of NetBIOS name
    \?Volume{8a78ee92-4b22-11df-89ee-bb2cb99ebac7}
    Root directory of a volume identified by its GUID
    \?Volume{8a78ee92-4b22-11df-89ee-bb2cb99ebac7}
    (Note the missing backslash at the end)
    Volume identify by its GUID. Tip: typically you do not want to set permissions on a volume, but on it’s root directory.

    Registry paths can be specified flexibly, using the full hive names (e.g. HKEY_LOCAL_MACHINE) or the well-known short forms (e.g. HKLM).

    Note: On remote computers only the hives HKU and HKLM can be accessed!

    Examples:

    HKLMSoftware
    The registry key “Software” below hive HKEY_LOCAL_MACHINE.
    HKEY_LOCAL_MACHINESoftware
    The registry key “Software” below hive HKEY_LOCAL_MACHINE.
    \ComputerHKEY_LOCAL_MACHINESoftware
    The registry key “Software” below hive HKEY_LOCAL_MACHINE on the remote computer “Computer”.

    Paths to the other supported object types are specified in a way similar to file system paths. Here are some examples:

    LanmanWorkstation
    The workstation service on the local computer.
    \ServerLanmanWorkstation
    The workstation service on the remote computer “Server”.
    “HP LaserJet 4200 PCL 6″
    The HP 4200 printer on the local computer.
    “\ServerHP LaserJet 4200 PCL 6″
    The HP 4200 printer on the remote computer “Server”.
    Data$
    The share Data$ on the local computer.
    \ServerData$
    The share Data$ on the remote computer “Server”.
    root
    The root of the WMI namespace.

    If the object name ends with a backslash and you enclose it in quotes, make sure to escape the last backslash with another backslash. For example, useC:\ instead of C:.

    ObjectType

    Type of object:

    file
    Directory/file
    reg
    Registry key
    srv
    Service
    prn
    Printer
    shr
    Network share
    wmi
    WMI object

    TrusteeAction

    Action to perform on the trustee specified:

    remtrst
    Remove all ACEs belonging to trustee specified.
    repltrst
    Replace trustee ‘n1′ by ‘n2′ in all ACEs.
    cpytrst
    Copy the permissions for trustee ‘n1′ to ‘n2′.

    TrusteeInputFile

    Name (and optionally path) of a file that contains trustees for the specified trustee action. The format depends on the trustee action. For “remtrst” it is one trustee per line, for “repltrst” and “cpytrst” it is:

    SourceTrustee,TargetTrustee

    Trustees can be specified via their names or SIDs. Details can be found here.

    DomainAction

    Action to perform on the domain specified:

    remdom
    Remove all ACEs belonging to trustees of the domain specified.
    repldom
    Replace trustees from domain ‘n1′ by trustees with the same name from domain ‘n2′ in all ACEs.
    cpydom
    Copy permissions from trustees from domain ‘n1′ to trustees with the same name from domain ‘n2′ in all ACEs.

    Explanation:

    For every SID in the ACEs of the ACL(s), the name of the domain and user/group of the corresponding account is looked up. If the domain name is equal to the domain name ‘n1′ specified, the ACE is deleted in the case of ‘remdom’. In the case of ‘repldom’ or ‘cpydom’ a user/group of the same name is searched in the domain ‘n2′ specified. If such a user/group is found, either a new ACE with the same permissions and flags is created (‘cpydom’), or the SID in the ACE is replaced with the SID of the user/group in the domain ‘n2′ specified (‘repldom’).

    Trustee

    Name or SID of a trustee (a user or group). Supported formats:

    1. [{computer | domain}]name
    2. SID string

    Where:

    • computer: DNS or NetBIOS name of a computer -> ‘name’ must be a local account on that computer.
    • domain: DNS or NetBIOS name of a domain -> ‘name’ must be a domain user or group.
    • name: user or group name.
    • SID string: String representation of a SID, e.g. S-1-5-32-544 for the group Administrators. Here is a list of well-known SIDs that are the same across Windows versions and languages.

    If no computer or domain name is given, SetACL tries to find a SID for ‘name’ in the following order:

    1. built-in accounts and well-known SIDs
    2. local accounts
    3. primary domain
    4. trusted domains

    Specifying trustees as SIDs instead of using their names can be very useful in multi-language environments, because SIDs are language-independent, whereas predefined names are not. An example: the group ‘administrators’ is called ‘administratoren’ in German Windows versions. If you want your SetACL script to run on servers installed in either language you can use the well-known SID of the group ‘administrators’. Well-known SIDs are identical on every system. A list can be found here.

    Domain

    Name of a domain (NetBIOS or DNS name).

    Permission

    Permission(s) to set. Comma-separated list.
    Here is a list of all permissions that can be set.

    Example: ‘read,write_ea,write_dacl’

    DisplaySID

    Display trustee names as SIDs?

    y
    Yes
    n
    No
    b
    Both (names and SIDs)

    Inheritance

    Inheritance flags for the ACE. This may be a comma-separated list containing the following:

    so
    sub-objects
    sc
    sub-containers
    np
    no propagation
    io
    inherit only

    Example: ‘io,so’

    Mode

    Access mode of this ACE.

    The following access modes are valid with DACLs:

    set
    Replace all permissions for given trustee by those specified.
    grant
    Add permissions specified to existing permissions for given trustee.
    deny
    Deny permissions specified.
    revoke
    Remove permissions specified from existing permissions for given trustee.

    These access modes are valid with SACLs:

    aud_succ
    Add an audit success ACE.
    aud_fail
    Add an audit failure ACE.
    revoke
    Remove permissions specified from existing permissions for given trustee.

    Where

    Apply settings to DACL, SACL, or both (comma-separated list):

    dacl
    Process the DACL (permissions list).
    sacl
    Process the SACL (auditing list).
    dacl,sacl
    Process DACL and SACL.

    Recursion

    These recursion settings are valid for file system objects:

    no
    No recursion.
    cont
    Recurse, and process directories only.
    obj
    Recurse, and process files only.
    cont_obj
    Recurse, and process directories and files.

    These recursion settings are valid for registry objects:

    no
    Do not recurse.
    yes
    Do Recurse.

    Recursion is not supported for other object types.

    Protection

    Controls the flag ‘allow inheritable permissions from the parent object to propagate to this object’:

    nc
    Do not change the current setting.
    np
    Object is not protected, i.e. inherits from parent.
    p_c
    Object is protected, ACEs from parent are copied.
    p_nc
    Object is protected, ACEs from parent are not copied.

    Format

    Which list format to use:

    sddl
    Standardized SDDL format. Only listings in this format can be restored.
    csv/own
    SetACL’s own format. Easier to read than SDDL.
    tab
    SetACL’s tabular format. Humans prefers this over CSV and SDDL (especially over SDDL).

    What

    Which components of security descriptors to include in the listing (comma-separated list):

    d
    DACL
    s
    SACL
    o
    Owner
    g
    Primary group

    Example: ‘d,s’

    ListInherited

    List inherited permissions? If no, only permissions set directly on an object are listed (default).

    y
    Yes
    n
    No

    Filename

    Name of a file used for list/backup/restore operations or logging. The file is written in UNICODE.

    Keyword

    Keyword to filter object names by. Names and paths containing this keyword are not processed.

    OrphanedOnly

    Requires at least SetACL 3.0.

    If enabled, only objects with orphaned SIDs are listed. Orphaned SIDs are SIDs that cannot be resolved to a name.

    y
    Yes
    n
    No

    Valid Standard Permissions

    Standard permissions sets provide easy access to the most commonly used combinations of specific permissions (for a list of the latter, see below).

    Files / Directories

    read
    Read (FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_READ_ATTRIBUTES + READ_CONTROL)
    write
    Write (FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_WRITE_EA + FILE_WRITE_ATTRIBUTES)
    list_folder
    List folder (FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES + READ_CONTROL)
    read_ex
    Read, execute (FILE_LIST_DIRECTORY + FILE_READ_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES + READ_CONTROL)
    change
    Change (FILE_LIST_DIRECTORY + FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_READ_EA + FILE_WRITE_EA + FILE_TRAVERSE + FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + READ_CONTROL + DELETE)
    full
    Full access (FILE_LIST_DIRECTORY + FILE_ADD_FILE + FILE_ADD_SUBDIRECTORY + FILE_READ_EA + FILE_WRITE_EA + FILE_TRAVERSE + FILE_DELETE_CHILD + FILE_READ_ATTRIBUTES + FILE_WRITE_ATTRIBUTES + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)

    Registry

    read
    Read (KEY_ENUMERATE_SUB_KEYS + KEY_EXECUTE + KEY_NOTIFY + KEY_QUERY_VALUE + KEY_READ + READ_CONTROL)
    full
    Full access (KEY_CREATE_LINK + KEY_CREATE_SUB_KEY + KEY_ENUMERATE_SUB_KEYS + KEY_EXECUTE + KEY_NOTIFY + KEY_QUERY_VALUE + KEY_READ + KEY_SET_VALUE + KEY_WRITE + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)

    Printers

    print
    Print (PRINTER_ACCESS_USE + READ_CONTROL)
    man_printer
    Manage printer (PRINTER_ACCESS_ADMINISTER + PRINTER_ACCESS_USE + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)
    man_docs
    Manage documents (JOB_ACCESS_ADMINISTER + JOB_ACCESS_READ + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)
    full
    Full access (manage printer + manage documents)

    Services

    read
    Read (SERVICE_ENUMERATE_DEPENDENTS + SERVICE_INTERROGATE + SERVICE_QUERY_CONFIG + SERVICE_QUERY_STATUS + SERVICE_USER_DEFINED_CONTROL + READ_CONTROL)
    start_stop
    Start / Stop (SERVICE_ENUMERATE_DEPENDENTS + SERVICE_INTERROGATE + SERVICE_PAUSE_CONTINUE + SERVICE_QUERY_CONFIG + SERVICE_QUERY_STATUS + SERVICE_START + SERVICE_STOP + SERVICE_USER_DEFINED_CONTROL + READ_CONTROL)
    full
    Full access (SERVICE_CHANGE_CONFIG + SERVICE_ENUMERATE_DEPENDENTS + SERVICE_INTERROGATE + SERVICE_PAUSE_CONTINUE + SERVICE_QUERY_CONFIG + SERVICE_QUERY_STATUS + SERVICE_START + SERVICE_STOP + SERVICE_USER_DEFINED_CONTROL + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE)

    Shares

    read
    Read (SHARE_CHANGE + READ_CONTROL + SYNCHRONIZE)
    change
    Change (SHARE_READ + DELETE + READ_CONTROL + SYNCHRONIZE)
    full
    Full access (SHARE_READ + SHARE_CHANGE + SHARE_WRITE + READ_CONTROL + WRITE_OWNER + WRITE_DAC + DELETE + SYNCHRONIZE)

    WMI

    full
    Full access (WBEM_ENABLE + WBEM_METHOD_EXECUTE + WBEM_FULL_WRITE_REP + WBEM_PARTIAL_WRITE_REP + WBEM_WRITE_PROVIDER + WBEM_REMOTE_ACCESS + READ_CONTROL + WRITE_DAC)
    execute
    Execute access (WBEM_ENABLE + WBEM_METHOD_EXECUTE + WBEM_WRITE_PROVIDER)
    remote_access
    Remote access (WBEM_ENABLE + WBEM_REMOTE_ACCESS + WBEM_WRITE_PROVIDER)
    enable_account
    Enable account (WBEM_ENABLE)

    Valid Specific Permissions

    Files / Directories

    traverse
    Traverse Folder/Execute File
    Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (applies to folders only). Traverse folder takes effect only when the group or user is not granted the “Bypass traverse checking” user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)
    Execute File allows or denies running program files (applies to files only).
    Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.
    list_dir
    List Folder/Read Data
    List Folder allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed. Applies to folders only.
    Read Data allows or denies viewing data in files (applies to files only).
    read_attr
    Read Attributes
    Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
    read_ea
    Read Extended Attributes
    Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
    add_file
    Create Files/Write Data
    Create Files allows or denies creating files within the folder (applies to folders only).
    Write Data allows or denies making changes to the file and overwriting existing content (applies to files only).
    add_subdir
    Create Folders/Append Data
    Create Folders allows or denies creating folders within the folder (applies to folders only).
    Append Data allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data (applies to files only).
    write_attr
    Write Attributes
    Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS.
    The Write Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see “Create Files/Write Data”, “Create Folders/Append Data”, “Delete Subfolders and Files”, and “Delete”.
    write_ea
    Write Extended Attributes
    Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
    The Write Extended Attributes permission does not imply creating or deleting files or folders, it only includes the permission to make changes to the attributes of a file or folder. In order to allow (or deny) create or delete operations, see “Create Files/Write Data”, “Create Folders/Append Data”, “Delete Subfolders and Files”, and “Delete”.
    del_child
    Delete Subfolders and Files
    Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (applies to folders)
    delete
    Delete
    Allows or denies deleting the file or folder. If you don’t have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
    read_dacl
    Read Permissions
    Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
    write_dacl
    Write Permissions
    Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
    write_owner
    Take Ownership
    Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.

    Registry

    query_val
    Query value
    set_val
    Set value
    create_subkey
    Create subkeys
    enum_subkeys
    Enumerate subkeys
    notify
    Notify
    create_link
    Create link
    delete
    Delete
    write_dacl
    Write permissions
    write_owner
    Take ownership
    read_access
    Read control

    Services

    SERVICE_CHANGE_CONFIG
    Required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
    SERVICE_ENUMERATE_DEPENDENTS
    Required to call the EnumDependentServices function to enumerate all the services dependent on the service.
    SERVICE_INTERROGATE
    Required to call the ControlService function to ask the service to report its status immediately.
    SERVICE_PAUSE_CONTINUE
    Required to call the ControlService function to pause or continue the service.
    SERVICE_QUERY_CONFIG
    Required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
    SERVICE_QUERY_STATUS
    Required to call the QueryServiceStatus or QueryServiceStatusEx function to ask the service control manager about the status of the service. Required to call the NotifyServiceStatusChange function to receive notification when a service changes status.
    SERVICE_START
    Required to call the StartService function to start the service.
    SERVICE_STOP
    Required to call the ControlService function to stop the service.
    SERVICE_USER_DEFINED_CONTROL
    Required to call the ControlService function to specify a user-defined control code.
  • 相关阅读:
    Python中修改字符串的四种方法
    一些有用的资源分享(工具+电子书)
    什么是DFX测试
    测试笔,测试纸杯
    测试用例八大要素
    软件测试的16种测试类型
    python作业(二)
    python作业(一)
    菜鸟学python(第一天)函数及模块使用
    [Spring MVC]
  • 原文地址:https://www.cnblogs.com/edward2013/p/3536740.html
Copyright © 2011-2022 走看看