ACLUTIL

A utility to work with DACL (ACL) and ACE entries on files and directories (local or remote). Similar to xCacls/icacls, but with some special features.
NOTE: This is NOT a utility you should consider using without deep knowledge of DACL/ACE; most likely you are better off with xcacls, and in the worst case you will make a huge mess. (Hint: if you do not know the difference between ACE/ACL/DACL/SACL, go away!)

To use this utility with full effect, the user should be a member of the “Backup Operators” group (on the server where the files are located!).
The reason behind this utility was to avoid the dreadful “Take Ownership” (which replaces all ACE entries, losing the old information). Running in “backup mode”, this utility will always be able to view, add and remove ACE entries (basically taking a backup of the DACL, adding/removing entries and then restoring the DACL to the file or directory).
It also gets around the 256-character path limit (this is fixed in later versions of xCacls/icacls and PowerShell now). It is also very handy for migrating ACLs from one AD to another: the output of -GET can be used directly as input for -SET, just replace the group/AD name.

Special features:

  • Verify that all ACEs in a structure are correct (inheritance is set correctly) and list any files/dirs with a wrong DACL (typical when the user did not have access to all files when applying, was using take ownership, propagation was cancelled, or directories below are mounted from somewhere else)
  • “Emergency Access” (grant/remove access on a directory “top” without propagating down)
  • “Backup and Restore”: you can back up the DACL and restore it (files and dirs).

Be aware that aclutil caches the WHOLE directory structure in memory. If you have a lot of files, this might take several gigabytes of memory!
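The verify feature above checks that every file and directory carries exactly the inherited ACEs its parent's DACL predicts. As an added illustration (not aclutil's own code), the following Python models that check on a small constructed tree, using the documented Windows ACE flag constants. The Node class, the walk order, the trustee names and the tree itself are assumptions made for this example; the rules for which ACEs a subdirectory or file inherits follow the standard NT inheritance behaviour.

```python
"""Model of the inheritance check behind aclutil's -VERIFY ACE.

Added example, not aclutil's own code. Each node holds its DACL as
(trustee, mask, ace_flags) tuples; the flag values are the documented
Windows ACE_HEADER.AceFlags constants. The tree at the bottom is
constructed sample data, not a real file server.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

OBJECT_INHERIT_ACE = 0x01        # files below inherit this ACE
CONTAINER_INHERIT_ACE = 0x02     # directories below inherit this ACE
NO_PROPAGATE_INHERIT_ACE = 0x04  # inherit one level down, then stop
INHERIT_ONLY_ACE = 0x08          # does not apply to the object it sits on
INHERITED_ACE = 0x10             # set by the OS on ACEs that came from the parent

Ace = Tuple[str, int, int]       # (trustee, access mask, ace flags)


@dataclass
class Node:
    path: str
    is_dir: bool
    protected: bool = False      # SE_DACL_PROTECTED: inheritance from parent disabled
    aces: List[Ace] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def expected_inherited(parent_aces: List[Ace], child_is_dir: bool) -> List[Ace]:
    """ACEs a child should carry with INHERITED_ACE set, per NT inheritance rules."""
    out: List[Ace] = []
    for trustee, mask, flags in parent_aces:
        ci = bool(flags & CONTAINER_INHERIT_ACE)
        oi = bool(flags & OBJECT_INHERIT_ACE)
        if child_is_dir:
            if not (ci or oi):
                continue
            new = (flags | INHERITED_ACE) & ~INHERIT_ONLY_ACE
            if not ci:
                # an OI-only ACE rides along on subdirectories as inherit-only
                # so that it can still reach the files beneath them
                new |= INHERIT_ONLY_ACE
            if flags & NO_PROPAGATE_INHERIT_ACE:
                if not ci:
                    continue  # not effective here and nothing left to pass on
                new &= ~(OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE)
        else:
            if not oi:
                continue
            new = INHERITED_ACE  # files never carry inheritance bits themselves
        out.append((trustee, mask, new))
    return out


def verify_tree(root: Node) -> List[Tuple[str, str]]:
    """Walk the tree depth-first and return (path, problem) for every node whose
    inherited ACEs differ from what its parent's DACL predicts. A protected DACL
    is reported too, because it is exactly the kind of break the check looks for."""
    findings: List[Tuple[str, str]] = []

    def walk(parent: Node) -> None:
        for child in parent.children:
            if child.protected:
                findings.append((child.path, "inheritance disabled (protected DACL)"))
            else:
                expected = sorted(expected_inherited(parent.aces, child.is_dir))
                actual = sorted(a for a in child.aces if a[2] & INHERITED_ACE)
                if actual != expected:
                    missing = [a for a in expected if a not in actual]
                    extra = [a for a in actual if a not in expected]
                    findings.append((child.path, f"missing={missing} unexpected={extra}"))
            if child.is_dir:
                walk(child)  # the child's own DACL is what its children inherit from

    walk(root)
    return findings


# Constructed sample tree (assumed names, not real data).
READ_EXEC = 0x1200A9  # the mask used in the -set ACE examples on this page
OI_CI = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
root = Node("c:\\share", True, aces=[("DOM\\Users", READ_EXEC, OI_CI)])
good_dir = Node("c:\\share\\ok", True, aces=[("DOM\\Users", READ_EXEC, OI_CI | INHERITED_ACE)])
good_file = Node("c:\\share\\ok\\a.txt", False, aces=[("DOM\\Users", READ_EXEC, INHERITED_ACE)])
bad_dir = Node("c:\\share\\broken", True, aces=[])  # propagation never reached it
mount = Node("c:\\share\\mount", True, protected=True, aces=[("DOM\\Admins", 0x1F01FF, OI_CI)])
root.children = [good_dir, bad_dir, mount]
good_dir.children = [good_file]


def sample_findings() -> List[Tuple[str, str]]:
    return verify_tree(root)


if __name__ == "__main__":
    for path, problem in sample_findings():
        print(path, "->", problem)
```

The check is deliberately strict: an ACE that is present but carries the wrong inherit bits is reported as both missing and unexpected, which is what you want when hunting for a cancelled or partially applied propagation.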

Operations

| Operator | Parameter | Description |
| --- | --- | --- |
| -SET | [ACE,DACL,OWNER] | Add an ACE entry, set a DACL setting, or set a new owner |
| -GET | [ACE,DACL,OWNER,VOLUMEINFO] | Get all ACE entries, get DACL settings, get owner or VolumeInfo |
| -DEL | ACE | Delete ACE entry |
| -COPY | DACL | Copy DACL from source to target |
| -SECURITY | [DACL] | Set DACL bits directly (CAREFUL!!!) on a target |
| -EMPTY | [DACL] | Remove all explicit ACE entries for a target |
| -SET/-DEL | DACLInherit, DACLInheritowner | Turn inheritance of ACE entries/owner on or off for target |
| -VERIFY | ACE | Start at target, and check if all files and folders have correct INHERITED ACE entries |

GET additional options

| Operator | Parameter | Description |
| --- | --- | --- |
| -RECURSIVEMODE | [DIR,FILE,BOTH] | List files only, dirs only or BOTH |
| -RECURSIVE | start {Start,Stop} | How deep into the directory tree. Notice you can also start x layers down |
| -THREADS | {NrOfThreads} | Run multiple threads to speed up. Puts more stress on the fileserver! |

SET / DEL required additional parameters

| Operator | Parameter | Description |
| --- | --- | --- |
| -USER | {username} | Username (in domain\user format) |
| -ACE | {acestring} | ACE parameters (NOTE: internal format!) |

File/Dir parameters

| Operator | Parameter | Description |
| --- | --- | --- |
| -SOURCE | {FILE/DIR} | Filename or directory of source |
| -TARGET | {FILE/DIR} | Filename or directory of destination |

Optional

| Operator | Parameter | Description |
| --- | --- | --- |
| -MODE | [ANSI,UNICODE] | Output data in ANSI or Unicode (default) |
| -UNRESOLV | [SKIP,IGNORE,SID] | SKIP = do not list entries where the SID cannot be translated (default). IGNORE = list as unresolved, SID = list as SID |
| -HUMAN | | By default, output (GET) is written as ready commands for ACLUTIL as input; if you specify this, output will be human readable, but NOT scriptable |
| -PROPEGATE | {NO/YES} | CAREFUL! If you say NO, ACE/DACL entries are added WITHOUT propagating to children (dirs/files). Useful when you run in “restore” mode and do not want the OS to propagate before you are finished, or need “emergency access” |
| -TEST | | Explain what will be done, without actually doing anything |
| -DUMP | | Dump DACL and ACE as a script (backup). The script can be run as a restore for the ACLs |
| -HELP | {option} | Show help, or help on a subject |

Examples:

To get specific ACE(s) for group Users on drive C:
aclutil.exe -source c:\ -user Users -get ACE
To get all explicit ACE(s) on drive C:
aclutil.exe -source c:\ -get ACE
To set standard Read access for group Users on drive C:
aclutil.exe -target c:\ -user Users -set ACE -ACE AM;GA:AP;0x1200a9:IN:0x03
To DELETE all ACE(s) for group Users on drive C:
aclutil.exe -target c:\ -user Users -del ACE
To delete a SPECIFIC ACE for group Users on drive C:
aclutil.exe -target c:\ -user Users -del ACE -ACE AM;GA:AP;0x1200a9:IN:0x03
To get ACL control bits for a directory:
aclutil.exe -get dacl -source c:\dir
To SET ACL control bits for a directory:
aclutil.exe -set dacl -target c:\dir -security 0x8404
To REMOVE inheritance from parent:
aclutil.exe -target c:\dir -del DACLInherit
To SET inheritance from parent:
aclutil.exe -target c:\dir -set DACLInherit
To delete ALL explicit ACE entries in an ACL:
aclutil.exe -target c:\dir -del DACL
To set inherit mode ON for all SUBDIRS:
aclutil.exe -target c:\dir\* -recursive 255 -set DACLINHERIT
To set inherit mode ON for all FILES in subdirs:
aclutil.exe -target c:\dir\* -recursive 255 -set DACLINHERIT -recursivemode FILE
To get all DIRS (excluding unknown SIDs) without the 256-byte max path length:
aclutil.exe -get ACE -source \\?\UNC\fileserver\test -unresolv skip
To get VolumeInfo on drive C:
aclutil.exe -get VOLUMEINFO -source c:
To add an ACE to a directory without propagating down to the files or directories below:
aclutil.exe -target c:\ -user Users -set ACE -ACE AM;GA:AP;0x1200a9:IN:0x03 -propegate NO
To dump complete structure info (for mirroring):
aclutil.exe -DUMP -source c:\Directory
To verify (list all errors) that all inheritance is correct:
aclutil -verify ACE -source \\?\UNC\fileserver\path -recursivemode BOTH -recursive 200000
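The -ACE and -security examples above pass raw hex values, and a wrong bit here is exactly the “huge mess” the note at the top warns about. This added Python decoder (not part of aclutil) names the bits in the access mask 0x1200a9, the inherit flags 0x03 and the control word 0x8404 using the documented Windows constants, so a command can be read back before it is run. How the internal ACE string is split is an assumption based only on the strings shown on this page: the first hex token is taken as the access mask and the one after “IN:” as the inherit flags.

```python
"""Decoder for the hex values in aclutil's -ACE and -SECURITY arguments.

Added example, not aclutil's own code. Bit names are the documented Windows
file access rights, ACE_HEADER.AceFlags and SECURITY_DESCRIPTOR_CONTROL
constants. The split of the internal ACE string is an assumption drawn only
from the example strings on this page.
"""
import re
from typing import Dict, List, Tuple

FILE_RIGHTS: List[Tuple[int, str]] = [
    (0x00000001, "FILE_READ_DATA / FILE_LIST_DIRECTORY"),
    (0x00000002, "FILE_WRITE_DATA / FILE_ADD_FILE"),
    (0x00000004, "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE / FILE_TRAVERSE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]

ACE_FLAGS: List[Tuple[int, str]] = [
    (0x01, "OBJECT_INHERIT_ACE"),
    (0x02, "CONTAINER_INHERIT_ACE"),
    (0x04, "NO_PROPAGATE_INHERIT_ACE"),
    (0x08, "INHERIT_ONLY_ACE"),
    (0x10, "INHERITED_ACE"),
]

SD_CONTROL: List[Tuple[int, str]] = [
    (0x0001, "SE_OWNER_DEFAULTED"),
    (0x0002, "SE_GROUP_DEFAULTED"),
    (0x0004, "SE_DACL_PRESENT"),
    (0x0008, "SE_DACL_DEFAULTED"),
    (0x0010, "SE_SACL_PRESENT"),
    (0x0020, "SE_SACL_DEFAULTED"),
    (0x0100, "SE_DACL_AUTO_INHERIT_REQ"),
    (0x0200, "SE_SACL_AUTO_INHERIT_REQ"),
    (0x0400, "SE_DACL_AUTO_INHERITED"),
    (0x0800, "SE_SACL_AUTO_INHERITED"),
    (0x1000, "SE_DACL_PROTECTED"),
    (0x2000, "SE_SACL_PROTECTED"),
    (0x4000, "SE_RM_CONTROL_VALID"),
    (0x8000, "SE_SELF_RELATIVE"),
]

# Masks that the Windows GUI / icacls present under a single label.
WELL_KNOWN_MASKS: Dict[int, str] = {
    0x1F01FF: "Full control (F)",
    0x1301BF: "Modify (M)",
    0x1200A9: "Read & execute (RX)",
    0x120089: "Read (R)",
    0x000116: "Write (W)",
}

HEX = re.compile(r"0x[0-9a-fA-F]+")


def decode_bits(value: int, table: List[Tuple[int, str]]) -> List[str]:
    """Name every set bit from the table; report any bit the table does not know."""
    names = [name for bit, name in table if value & bit]
    leftover = value & ~sum(bit for bit, _ in table)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def decode_ace_string(ace: str) -> dict:
    """Assumed layout: first hex token = access mask, hex after 'IN:' = inherit flags."""
    hexes = HEX.findall(ace)
    if not hexes:
        raise ValueError("no hex fields in ACE string")
    mask = int(hexes[0], 16)
    m = re.search(r"IN:(0x[0-9a-fA-F]+)", ace)
    flags = int(m.group(1), 16) if m else 0
    return {
        "mask": mask,
        "label": WELL_KNOWN_MASKS.get(mask, "custom"),
        "rights": decode_bits(mask, FILE_RIGHTS),
        "flags": flags,
        "inherit": decode_bits(flags, ACE_FLAGS),
    }


def decode_security(control: int) -> List[str]:
    """Name the SECURITY_DESCRIPTOR_CONTROL bits given to -security."""
    return decode_bits(control, SD_CONTROL)


if __name__ == "__main__":
    print(decode_ace_string("AM;GA:AP;0x1200a9:IN:0x03"))
    print(decode_security(0x8404))
```

Run against the page's own examples, the ACE string resolves to the six bits that make up “Read & execute” with inheritance to both files and subdirectories, and 0x8404 to a DACL that is present, auto-inherited and self-relative; a control word with SE_DACL_PROTECTED (0x1000) set would instead cut the directory off from its parent, which is the case the -VERIFY ACE check reports.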

software/utilities/aclutil.txt · Last modified: 2021/06/30 01:12 (external edit)