Subinacl is a powerful and useful command-line tool (available in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit) that lets you directly edit almost any security information—permissions, ownership, or auditing—on objects of all kinds. Not only can you use Subinacl to modify this information on files, directories, file shares, and printer shares, you can also use the tool to control permissions on registry keys, system services, and the Microsoft IIS metabase.
Viewing ACLs
Subinacl's strength is in its views of permissions and object security in general. ACLs govern permissions; each entry on an ACL is called an access control entry (ACE). If, for example, the permissions on a file in a domain give Full Control to administrators and to Mary and give No Access to Jack, the file's ACL contains three ACEs, which describe access for administrators, Mary, and Jack. To show a file's ACL, use the command
subinacl /verbose=1 /file c:\testfile.txt /display
where testfile.txt is the filename. Figure 1 shows the output from this command. The output shows the filename, then the file owner's name. The primary group information typically is relevant only for POSIX applications. Next, the output shows the number of audit ACEs (i.e., aaces) and permission ACEs (i.e., perm. aces, or paces), then provides information about those ACEs. Win2K and NT let you specify in exacting terms what to audit—for example, whenever Mary fails to write to the file or whenever John fails to read the file. Subinacl expresses those terms as audit ACEs. Permission ACEs are the permissions that let users examine or modify a file or directory.
The example contains three permission ACEs because the ACL contains one ACE for administrators, one for Mary, and one for John. Each of the next three lines applies to a permission ACE. The Type value specifies whether the ACE is a Deny ACE or an Allow ACE: 0x1 represents a Deny ACE and 0x0 represents an Allow ACE. The AccessMask value defines the ACE's permissions. To decode the AccessMask value into specific permissions, you can examine the bits in the value or run the Subinacl command with the /verbose=2 option, which displays the permission as text, instead of the /verbose=1 option. Web Table 1 (http://www.winnetmag.com, InstantDoc ID 26362) lists the possible AccessMask values and the permissions they represent. These values represent the lowest-level permissions possible for files. Administrators tend to think in terms of more aggregate permissions, which comprise one or more low-level permissions. For example, the Read permission consists of the low-level permissions Read Data, Read Attributes, Read Extended Attributes, and Read Permissions. (To view low-level permissions through a file's ACL GUI, open Windows Explorer, open any NTFS file's or folder's Properties dialog box, and go to the Security tab. Click Advanced to open the Advanced Control Settings dialog box, click any ACE, then click View/Edit.)
Adding ACEs
You can use Subinacl to modify file and directory permissions. Subinacl can do everything that the Xcacls and Cacls tools can do; it can modify an existing ACE or create a new Allow or Deny ACE. The following command adds an ACE allowing the Read permission for a new user, Larry, in a company named Example.
subinacl /file c:\testfile.txt /grant=example\larry=R
In this command, the /file option tells Subinacl that the command will work on a file ACE. Other options are a system service (/service), a registry key (/keyreg or /subkeyreg), a set of folders and any subfolders within them (/subdirectories), a shared folder (/share), a cluster file share (/clustershare), a kernel object (/kernelobject), or the IIS metabase (/metabase). The c:\testfile.txt parameter specifies the file the command will work on; you can use wildcards in the filename.