SUBINACL

SubInACL is a Microsoft utility which can be downloaded for free.

Quoting Microsoft's SubInACL download page:

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

At first sight, SubInACL's help screen may look a bit intimidating:

SubInAcl version 5.2.3790.1180
USAGE
-----
Usage :
 SubInAcl [/option...] /object_type object_name [[/action[=parameter]...]
 /options :
 /outputlog=FileName /errorlog=FileName
 /noverbose /verbose (default)
 /notestmode (default) /testmode
 /alternatesamserver=SamServer /offlinesam=FileName
 /stringreplaceonoutput=string1=string2
 /expandenvironmentsymbols (default) /noexpandenvironmentsymbols
 /statistic (default) /nostatistic
 /dumpcachedsids=FileName /separator=character
 /applyonly=[dacl,sacl,owner,group]
 /nocrossreparsepoint (default) /crossreparsepoint
 /object_type :
 /service /keyreg /subkeyreg
 /file /subdirectories[=directoriesonly|filesonly]
 /clustershare /kernelobject /metabase
 /printer /onlyfile /process
 /share /samobject
 /action :
 /display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
 /setowner=owner
 /replace=[DomainName\]OldAccount=[DomainName\]New_Account
 /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
 /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
 /migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
 /findsid=[DomainName\]Account[=stop|continue]
 /suppresssid=[DomainName\]Account
 /confirm
 /ifchangecontinue
 /cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
 /testmode
 /accesscheck=[DomainName\]Username
 /setprimarygroup=[DomainName\]Group
 /grant=[DomainName\]Username[=Access]
 /deny=[DomainName\]Username[=Access]
 /sgrant=[DomainName\]Username[=Access]
 /sdeny=[DomainName\]Username[=Access]
 /sallowdeny==[DomainName\]Username[=Access]
 /revoke=[DomainName\]Username
 /perm
 /audit
 /compactsecuritydescriptor
 /pathexclude=pattern
 /objectexclude=pattern
 /sddl=sddl_string
 /objectcopysecurity=object_path
 /pathcopysecurity=path_container
Usage : SubInAcl [/option...] /playfile file_name
Usage : SubInAcl /help [keyword]
 SubInAcl /help /full
 keyword can be :
 features usage syntax sids view_mode test_mode object_type
 domain_migration server_migration substitution_features editing_features
 - or -
 any [/option] [/action] [/object_type]

Note, however, that this is only the initial help screen!
Each command line switch has its own help screen, which can be summoned using the command SUBINACL /help /switch

For example, SUBINACL /help /grant will call the following help screen:

SubInAcl version 5.2.3790.1180
/GRANT
------
/grant=[DomainName\]User[=Access]
 will add a Permission Ace for the user.
 if Access is not specified, the Full Control access will be granted.
 File:
 F : Full Control
 C : Change
 R : Read
 P : Change Permissions
 O : Take Ownership
 X : eXecute
 E : Read eXecute
 W : Write
 D : Delete
 ClusterShare:
 F : Full Control
 R : Read
 C : Change
 Printer:
 F : Full Control
 M : Manage Documents
 P : Print
 KeyReg:
 F : Full Control
 R : Read
 A : ReAd Control
 Q : Query Value
 S : Set Value
 C : Create SubKey
 E : Enumerate Subkeys
 Y : NotifY
 L : Create Link
 D : Delete
 W : Write DAC
 O : Write Owner
 Service:
 F : Full Control
 R : Generic Read
 W : Generic Write
 X : Generic eXecute
 L : Read controL
 Q : Query Service Configuration
 S : Query Service Status
 E : Enumerate Dependent Services
 C : Service Change Configuration
 T : Start Service
 O : Stop Service
 P : Pause/Continue Service
 I : Interrogate Service
 U : Service User-Defined Control Commands
 Share:
 F : Full Control
 R : Read
 C : Change
 Metabase:
 F : Full Control
 R : Read - MD_ACR_READ
 W : Write - MD_ACR_WRITE
 I : Restricted Write - MD_ACR_RESTRICTED_WRITE
 U : Unsecure props read - MD_ACR_UNSECURE_PROPS_READ
 E : Enum keys- MD_ACR_ENUM_KEYS
 D : write Dac- MD_ACR_WRITE_DAC
 Process:
 F : Full Control
 R : Read
 W : Write
 X : eXecute
 SamObject:
 F : Full Control
 W : Write
 R : Read
 X : Execute

Some examples of granting access permissions:

• Allow the group "MYDOMAIN\Marketing" Read access to the folder "D:\Departments\Marketing" and all of its subfolders, but not on the files:
  
  SUBINACL /verbose=1 /subdirectories "D:\Departments\Marketing" /grant=Users=R
• Grant Read access to "Everyone" on a share:
  
  SUBINACL /verbose=1 /share \\server\share /grant=Everyone=R
• Allow the group "MYDOMAIN\Marketing" to Print and Manage documents on the printer "Color Laser":
  
  SUBINACL /verbose=1 /printer "Color Laser" /grant=MYDOMAIN\Marketing=MP
• Allow "Authenticated Users" to start and stop the "Printer Spooler" service (use its short name: "Spooler"):
  
  SUBINACL /verbose=1 /service Spooler /grant="Authenticated Users"=LQSTOP
• Grant "Authenticated Users" write access to "HKEY_LOCAL_MACHINE\SOFTWARE\MyWackyProgram", but not to subkeys:
  
  SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\MyWackyProgram" /grant="Authenticated Users"=QEDS

To check permissions, remove the /grant switch: if no "action" is specified, the default /display is used.

Related Stuff

• Security Configuration using MMC/Security Templates & SeCEdit