Petri

SubInACL: Setting Permissions

In a previous article, “SubInACL: Download and Deployment,” I introduced you to a legacy command-line tool from Microsoft called subInAcl.exe. While this tool doesn’t appear to be supported on anything after Windows Server 2003, I’ve rarely run into problems with it, and sometimes it is exactly what I need to handle a tricky permission automation task. Sometimes the old ways are still the best ways.

SubInACL Permission Types

You can use subinacl.exe to manage permissions on a variety of object types. The permission setting varies depending on the object. You can find the permission values with this command.

In the screenshot, I am running subinacl.exe from a network share. All I had to do was copy just the exe file.

subinacl-permissions-fig1

In order for this to work, I am running the CMD session with elevated privileges. Use the correct permission abbreviation for the object you wish to manage.

SubInACL File Share Example

From my Windows 8 system, I can see the current share permission for \\CHI-FP01\Sales.

 

subinacl-permissions-fig2

I want to remove the Everyone group and grant the Chicago Sales Users group change permission. I can do this with a single command:

subinacl-permissions-fig3

From PowerShell I can quickly verify this change.

SubInACL Printer Share Example

This will also work with shared printers. First, here’s the current set of permissions for the printer share \\CHI-FP01\HP1600.

subinacl-permissions-fig4

In this particular case I am running SubInACL on the print server. Sometimes you’ll get an RPC error even though everything is working correctly, so it is just as easy to run the command locally. I need to remove the Everyone group, grant Chicago Sales Users the option to print, and Chicago Sales Managers permission to manage documents.

I found the permission types from looking at help.

Now when I look at permissions again, they are as I need them to be.

subinacl-permissions-fig5

Clearing Permissions

There is one more setting I’ll discuss because it is very easy to make things worse with subinacl.exe. When you look through help you’ll see a /perm action. You might think this will display current permissions. It does not, and this is where you have to be careful. When you use /perm, subinacl will wipe out all existing permissions. This has the effect of resetting to a blank state, with the assumption that you will be immediately setting new permissions. The action can certainly be helpful if that is what you intend to do.

Subinacl.exe is worth exploring in a non-production environment. I would also make sure any existing permissions are documented before applying any changes. Over the last decade Microsoft has given us new tools to handle many of the tasks that we used to handle with subinacl.exe. But for those exceptions, this is a tool still worth keeping in your admin toolbelt. And if subinacl has ever solved a problem for you, leave a comment below and let me know how it worked out.
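The advice above to document existing permissions before changing them can be scripted. The following is an added example, not code from the article: it snapshots a share's permissions with `Get-SmbShareAccess`, reports what changed afterwards, and, going one step beyond the share examples, saves a service's security descriptor with `sc.exe sdshow`. The function names and the `C:\PermBackup` folder are assumptions.

```powershell
# Added example, not the article's code. Needs an elevated session and the
# SmbShare module (Windows 8 / Server 2012 or later) on both ends.
$BackupDir = 'C:\PermBackup'   # hypothetical location

function Get-ShareAce {
    # Returns each share ACE as one comparable string: account|type|right
    param([string]$ComputerName, [string]$ShareName)
    $cim = New-CimSession -ComputerName $ComputerName
    try {
        @(Get-SmbShareAccess -Name $ShareName -CimSession $cim -ErrorAction Stop |
            ForEach-Object { '{0}|{1}|{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight })
    } finally { Remove-CimSession $cim }
}

function Save-SharePermission {
    # Writes the current ACEs to a timestamped file and returns its path
    param([string]$ComputerName, [string]$ShareName)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $name = '{0}-{1}-{2:yyyyMMdd-HHmmss}.txt' -f $ComputerName, $ShareName, (Get-Date)
    $file = Join-Path $BackupDir $name
    Set-Content -Path $file -Value @(Get-ShareAce $ComputerName $ShareName)
    $file
}

function Compare-SharePermission {
    param([string]$ComputerName, [string]$ShareName, [string]$SnapshotFile)
    $before = @(Get-Content -Path $SnapshotFile)
    $after  = @(Get-ShareAce $ComputerName $ShareName)
    # Where-Object instead of Compare-Object: either side may be empty,
    # for example after /perm has cleared every entry.
    [pscustomobject]@{
        Removed = @($before | Where-Object { $_ -notin $after })
        Added   = @($after  | Where-Object { $_ -notin $before })
    }
}

function Save-ServiceSecurity {
    # Saves a service's security descriptor (SDDL) as printed by sc.exe sdshow
    param([Parameter(Mandatory)][string]$ServiceName)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $out = & sc.exe sdshow $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $ServiceName failed: $out" }
    $file = Join-Path $BackupDir "$ServiceName.sddl.txt"
    $out | Where-Object { $_.Trim() } | Set-Content -Path $file
    $file
}

# Before:  $snap = Save-SharePermission -ComputerName CHI-FP01 -ShareName Sales
# After:   Compare-SharePermission -ComputerName CHI-FP01 -ShareName Sales -SnapshotFile $snap
```

A saved service descriptor can be reapplied with `sc.exe sdset`, provided the account still has the right to write it.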

  • Dave

    Good article, Jeff – unfortunately, I only read it after doing -exactly- what you warned against doing at the very end – assuming /perm would display the permissions on a service I was wanting to look at.

    Any idea on -how- I put the permissions back? I can’t seem to take ownership (or read it, or anything) from either the administrator or System accounts…

  • Jeffery Hicks

    Oh heavens. I guess you missed my note about testing in a non-production environment as well. ;-)

    The first thing that comes to mind is to attempt to restore a system state backup. It sounds like you can’t even use subinacl any more to set new permissions even if you wanted. If that is the case, then I don’t think you have many options. If the service is part of a third-party product, I’d try re-installing the product. If it is a Windows service, you could try re-installing a service pack or doing a repair installation.

  • Dave

    Thanks Jeff – no, didn’t even go looking for documentation till after I did it – still I wasn’t testing it on a production system at least – not quite that dumb! I’ve decided to just wipe the system and reinstall Windows – I nuked the permissions on the BITS service, so I could kiss goodbye to any more Windows Updates... Well – you learn by doing (and not doing again).
