Dive Deep with SubInACL
Need to change a security permission? Mr. Roboto has the command-line tool you'll need.
- By Jeffery Hicks
I spend a lot of time in scripting newsgroups and forums, helping out wherever and whenever I can. One topic I see frequently is how to use a script to modify some sort of permission, whether registry, share, file or Active Directory. Usually the poster wants to use VBScript with Windows Management Instrumentation. While you can do this, most security and permission modifications are mind-numbingly tedious. They're definitely not for the beginner. Heck, I don't even bother with them myself.
If I need to modify some sort of security permission with a script, I'll simply call a command-line tool developed just for that purpose. I'd rather use an existing tool and get the job done faster than figure it all out from scratch. One command tool that is well-suited for these tasks is SubInACL.exe from Microsoft. You can find it at the Microsoft Download center. Once it's installed, open a command prompt and type: Subinacl /?
As you can see from the help screen, this is a comprehensive tool. Much of its functionality was intended for domain migrations. Although I still prefer to use the Active Directory Domain Migration Toolkit for something that extensive, you might find SubInACL useful for certain trouble spots.
The basic usage is: Subinacl /option /object_type object_name /action=parameter
The object type in that command line can be a service, file, cluster share, printer, file share, registry key, metabase, process, kernel object or SAM object. You'll need to look at the help screen to make sure you use the correct object syntax.
The action parameter is what you want to do with the specified object type. Based on the help screen, you'll realize I can't go into detail on every feature. I'll try to hit some of the high points that most of you will find useful. A word of warning, though: SubInACL will modify security descriptors and permissions faster than you can imagine. Do not use this in a production environment until you have tested how to safely use it and have adequate backups. I also encourage you to use the /testmode option, which will go through the motions, but not actually change anything.
Suppose you need to reset file permissions on a group of files. You can easily copy the permissions from one file to the other:
C:\Files >subinacl /outputlog=c:\changes.txt /file *.doc /objectcopysecurity=c:\source.doc
Need to the change the file owner?
C:\Files>subinacl /file *.doc /owner=company\rgbiv
Now you can see why I prefer using a command-line tool designed specifically for this task, instead of trying to write a script with WMI.
Imagine a situation where you need to change file share permissions for the Everyone group from Read-Only to Change. Here's how you would do it with SubInACL:
C:\>subinacl /share \\file01\public /grant=everyone=C
You can execute this command from your desk. To see all of the possible options for /grant, you should run: Subinacl /help /grant
You can get similar results with shared printers. Want to add a group to a printer share? This command adds the Help Desk domain group to the printer share, giving them the Manage Documents permission:
C:\>subinacl /printer \\print02\msprint07 /grant="mydomain\help desk"=M
I've just scratched the surface with this tool. If you can execute a SubInACL command from a C: prompt, you can easily put that command in a batch file or call it from a VBScript using the Wscript.Shell's Run or Execute methods. I'm a big proponent of the right tool for the job and when it comes to dealing with security and permissions, SubInACL is hard to beat.
Jeffery Hicks is a multi-year Microsoft MVP in Windows PowerShell, Microsoft Certified Professional and an IT veteran with almost 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant.