JSI Tip 10080. FILEACL.EXE freeware allows you to manipulate ACLs on NTFS volumes.
January 23, 2006
Download FILEACL 2.8.0.1 from Microsoft. (Copyright Guillaume Bordier 1999)
FILEACL allows you to:
- View ACLs on any NTFS local or remote drive
- Set ACLs on any NTFS local or remote drive
- View ownership
- Change ownership
- Use the Backup and Restore rights to view/change ACLs/ownership on files and directories you cannot otherwise access
- Recurse through files and directories
- [WIN2K] Inheritance auto-propagation aware
- Show the raw SID and/or access mask of an ACE
- Apply a raw SID and/or access mask (you can put ACLs on trustees of a domain that is not available!)
- Address Deny rights
- Configure all inheritance matters of NTFS
- Batch mode to dump permissions to a file and reapply them later (/BATCH)
Command line:
fileacl {path} [/{S|G|R|T|O|D} {trustee}:[!]RWXDOPF[/[!]RWXDOPF][/[!]RWXDOPF]] [options]
or
fileacl {path} [/{S|G|R|T|O|D} {trustee}:RWXDOPF[:IO|OI|NP|CI|FO|F|FF|FSF|FS|SFF|SF]] [options]
Commands:
/S | Set permissions (overwrites any ACEs related to the trustee)
/G | Grant permissions (enlarges the ACEs related to the trustee)
/R | Revoke trustee (deletes all ACEs related to the trustee)
/T | Special: suppresses all DENY ACEs for the trustee
/O | Give ownership to the trustee (requires the TakeOwnership privilege)
/D | Put a Deny Access ACE
A trustee can be a user or group, domain\trustee, or a SID (S-1-x...).
Simple Rights
Right | Meaning for Directories | Meaning for Files
R | Read | Read
X | Change dir | Execute
W | Write | Write
D | Delete | Delete
O | Allowed to take/give ownership | idem
P | Write permissions | Write permissions
U | Unspecified (0 right) | Unspecified (0 right)
Switches:
Display mode options
/LINE | Operate in single-line mode: display all ACEs of a file or directory on one row
/ADVANCED | Show detailed rights
/OWNER | Get the owner name as well
/NOINHERITED | Do not print inherited rights
/SIMPLE | Merge inherited and direct ACLs
/BATCH | Generate a batch file for reapplying the same permissions; use with /SUB
/RAW[SID|MASK] | Show the raw ACE SID and/or mask
/RAWSECDESC | [WIN2K] Show the raw security descriptor in textual form; you may use this to generate Win2K security templates and apply them with secedit
/QUOTE | Add quotes around file and directory names
Change mode options
/PROTECT | [WIN2K] These permissions will be protected from permission propagation from upper levels
/INHERIT | [WIN2K] Force propagation from upper levels
/NOROOT | Use with /SUB: apply rights to all subdirectories/files except the root directory
/REPLACE | Delete the existing ACL and replace it with the specified one (Set)
Both mode options
/SUB[:n] | Treat n levels of subdirectories as well
/FILES | Treat files in directories as well
/NODIRS | Treat files only
/FORCE | Use SeBackupPrivilege and SeRestorePrivilege to treat objects on which you have neither rights nor ownership
/NT4 | Enforce NT 4.0 compatibility for write masks (later versions will test the destination computer)
FILEACL allows for "apply to objects and sub-folders in this folder only".
With the standard FILEACL syntax, just add "!" in front of your access mask to limit propagation to the first level.
Ex:
FILEACL c:\temp\testacl /s user:R/!W/F will limit inheritance of Write access for files to the testacl directory.
You can also use a different syntax, adding your inheritance flag manually at the end of a single-mask command line.
Inheritance can be:
Flag with first syntax | Syntax 2 | Meaning
FO | FO | Folder Only
F | OI/IO | Files only / Inherit Only + Object Inherit
FF | OI | Folder and Files / Object Inherit
FSFF | CI/OI | Folder and subfolders and Files / Container Inherit + Object Inherit
FSF | CI | Folder and subfolders / Container Inherit
SF | CI/IO | Subfolders / Container Inherit + Inherit Only
SFF | CI/OI/IO | Subfolders and Files / Container Inherit + Object Inherit + Inherit Only
NP | NP | No Propagation; can be appended to any of the above
FILEACL c:\temp\testacl /s user:R/!W/F
would then translate into
FILEACL c:\temp\testacl /s user:R:FO /s user:W/F/NP /s user:F:SF
or
FILEACL c:\temp\testacl /s user:R:FO /s user:W/OI/IO/NP /s user:F/CI/IO
Error Codes:
0 | Success
100 | Return usage
101 | Bad OS version
102 | Bad syntax
103 | Bad path
104 | Bad file system
105 | Error adding ACL
106 | Error setting ownership
107 | Error listing ACLs
108 | Error reading directory
109 | Bad inheritance flag
Typical:
FILEACL d:\temp\acltest /S user1:RW
gives Read/Write access on directory d:\temp\acltest to trustee user1.
FILEACL \\server\share\dir /S admingroup1:F /S usergroup1:RX/W/D /O admingroup1 /SUB:3 /FILES
gives admingroup1 Full rights to the network directory, and gives usergroup1 RX on the directory, the right to modify existing files in it, and the right to delete files, on 3 sub-levels of directories and files.
admingroup1 is set as owner of all files and directories.
FILEACL \\server\share\dir /S S-1-5-21-1606980848-1383384898-842925246-1008:R
gives the Read right to a user given by its SID, even if the DC for that domain is not online or the account is not created/synchronized yet!
or even:
FILEACL \\server\share\dir /S S-1-5-21-1606980848-1383384898-842925246-1008:0x120089/0x100116
to set a special mask.
FILEACL d:\temp\acltest /INHERIT /REPLACE
resets permissions and allows propagation from upper levels.
FILEACL d:\temp\acltest /owner /raw
gives the ACEs (one trustee per line) and the owner, with raw SID and access mask.
What are ACLs and ACEs?
ACE stands for Access Control Entry; it specifies:
- a trustee
- an access mask
- an ACE type (could be a deny ACE or an audit ACE)
- an inheritance flag
ACL stands for Access Control List; it is a list of ACEs.
What do ACL levels mean?
Multi-level ACLs express inheritance (ONLY for directories!).
If you see/give one level
(/S trustee:RW = /S trustee:RW/RW/RW)
the ACL is built with RW rights for the directory and for all inheriting files and sub-directories.
If you see/give two levels of ACE
(/S trustee:RW/X = /S trustee:RW/X/RW)
the ACL is built with RW rights for the directory and all inheriting sub-directories, and the X right for all inheriting files.
If you see/give three levels of ACE
(/S trustee:RW/X/R)
the ACL is built with RW rights for the directory, the X right for inheriting files and the R right for inheriting sub-directories.
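To make the level-to-flag mapping concrete, here is a small Python script, added to this tip and not part of FILEACL, that expands a one-, two- or three-level mask into the ACEs and inheritance flags (OI, CI, NP, IO) of the tables above; the merging of identical levels into one ACE follows the Windows 2000 behaviour described in the next section, and the bit values are the standard Windows ACE flag values.

```python
# Added example, not FILEACL's own code: expand the tip's multi-level
# "trustee:RW/X/R" mask syntax into the per-ACE inheritance flags that the
# first-syntax keywords (FO, F, FF, FSF, SF, SFF, FSFF, NP) stand for.
# The ACE flag bit values are the standard Windows ones.
OI = 0x1   # OBJECT_INHERIT_ACE: inherited by files
CI = 0x2   # CONTAINER_INHERIT_ACE: inherited by sub-directories
NP = 0x4   # NO_PROPAGATE_INHERIT_ACE: do not propagate past the first level
IO = 0x8   # INHERIT_ONLY_ACE: does not apply to the directory itself

# FILEACL first-syntax inheritance keywords -> ACE flags (table in the tip)
KEYWORD_FLAGS = {
    "FO": 0, "F": OI | IO, "FF": OI, "FSFF": CI | OI,
    "FSF": CI, "SF": CI | IO, "SFF": CI | OI | IO,
}

def flags_to_text(flags):
    """Render ACE flags in the tip's second syntax, e.g. 0x9 -> 'OI/IO'."""
    names = [n for n, b in (("OI", OI), ("CI", CI), ("NP", NP), ("IO", IO)) if flags & b]
    return "/".join(names) or "none"

def expand_levels(mask_spec):
    """'RW' -> RW/RW/RW, 'RW/X' -> RW/X/RW, 'RW/X/R' unchanged:
    level 1 is the directory, level 2 inherited files, level 3 inherited sub-dirs."""
    levels = mask_spec.split("/")
    if len(levels) == 1:
        return levels * 3
    if len(levels) == 2:
        return [levels[0], levels[1], levels[0]]
    if len(levels) == 3:
        return levels
    raise ValueError("at most three levels: dir/files/subdirs")

def to_aces(mask_spec):
    """Return [(rights, ace_flags)] for a multi-level mask.  A leading '!'
    (limit to the first level) becomes NP.  Levels carrying identical rights
    are merged into one ACE, which is what Windows 2000 does (NT4 always
    emits the 0x2 + 0x9 pair for a one-level mask)."""
    merged = {}  # rights -> [flags, applies to the directory itself?]
    for i, (rights, target) in enumerate(zip(expand_levels(mask_spec), (0, OI, CI))):
        entry = merged.setdefault(rights.lstrip("!"), [0, False])
        entry[0] |= target | (NP if rights.startswith("!") else 0)
        entry[1] = entry[1] or i == 0
    # an ACE that does not cover the directory itself is inherit-only
    return [(r, fl | (0 if on_dir else IO)) for r, (fl, on_dir) in merged.items()]

if __name__ == "__main__":
    for spec in ("RW", "RW/X", "RW/X/R", "R/!W/F"):
        print(spec, "->", ", ".join(f"{r}:{flags_to_text(fl)}" for r, fl in to_aces(spec)))
```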
Differences between OSes
NT4 SP3, NT4 SP4 and later, and Windows 2000 treat ACLs in slightly different manners:
NT4 SP3 uses GENERIC_RIGHTS (i.e. the 0x10000000 to 0x80000000 access masks) to grant access to files and inherited files.
NT4 SP4 and later do not use GENERIC_RIGHTS any more (although they still understand them); they use the same masks for directories and for files.
On directories, NT4 (all SPs) always builds a two-ACE ACL for a trustee:
The first ACE is set with the Directory Inherit flag (0x2).
The second ACE is set with the Files Inherit Only flags (0x9).
This means that the first ACE addresses the directory and its inheriting sub-directories, and the second ACE addresses only inheriting files.
In only one case does NT4 build a single-ACE ACL for a trustee:
when you select "Take ownership" for a directory, it deletes the ACL and replaces it with a 0x3 ACE (inherit on files and directories).
Windows 2000 is much more consistent about all that: it only creates separate ACEs if needed; each time a single ACE can be used, it is.
Differences in access masks:
Windows 2000 does not need the READ_CONTROL (0x20000) mask for writing to a directory, whereas NT4 does need it.
A Write ACE would typically be 0x120116 with NT4 and 0x100116 with Windows 2000; be sure to use the /NT4 switch if your ACLs will be read by NT 4.0 workstations.
Windows 2000 introduces the "Delete file and subfolder" right (0x110040).
Windows 2000 has an auto-propagation feature: all rights on a parent are propagated to its children.
FILEACL keeps the protection status of a folder unless /PROTECT or /INHERIT is specified.
Go Windows 2000 now!
OUTPUT:
d:\test;Administrators:F[I]    Administrators have inherited Full Control through auto-propagation ([I])
d:\test;Everyone:F/RW          Everyone has Full Control over this directory and future sub-directories, and RW on future files
d:\test;Guest:F/W/R            Guest has Full Control in the dir, W on future files, and Read on future sub-dirs
Detailed Rights
Right | Meaning for Directories | Meaning for Files
Rr | List Directory | Read Data
Ra/Wa | Read / Write Attributes | Read / Write Attributes
Re/We | Read / Write Extended Attributes | Read / Write Extended Attributes
X | Change dir | Execute
Ww | Add Files to directory | Write Data
A | Add subdir to directory | Append data to file
D | Delete | Delete
Dc | Delete Child (sub-file or sub-dir) | No meaning
O | Allowed to take/give ownership | idem
p/P | Read / Write Permissions | Read / Write Permissions
U | Unspecified (0 right) | Unspecified (0 right)
R | Rr+Ra+Re+p | idem
File deletion is performed if:
the parent dir has Rr and Dc access, OR the file has D.
Minimum access for reading a file is Rr on the parent dir and RrRep on the file.
Minimum access for saving an open file is Rr on the parent dir and RrRepW on the file.
Minimum access for creating a new file is Ww on the parent dir.
Minimum access for creating a new dir is A on the parent dir.
Access masks are laid out this way (bit 31 is the most significant):
Bits | Field
31 | GR
30 | GW
29 | GE
28 | GA
27-25 | Reserved
24 | AS
23-16 | Standard Access Rights
15-0 | Object-Specific Access Rights
GR = Generic Read
GW = Generic Write
GE = Generic Execute
GA = Generic All
AS = Access to Audit ACL (SACL)
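As an added example (not FILEACL's own code), the following Python decodes a raw mask such as the 0x120089/0x100116 pair shown earlier into Windows right names, the detailed-rights letters of the table above and the simple R/W/X/D/O/P letters; the bit values are the standard Windows ACCESS_MASK constants, and the W = Ww+A+We+Wa rule is read off the 0x100116 Write mask quoted in the tip.

```python
# Added example, not FILEACL's own code: decode a raw NTFS access mask such as
# the 0x120089/0x100116 pair shown earlier into Windows right names and the
# tip's detailed-rights letters.  Bit values are the standard Windows ones.
FILE_RIGHTS = [  # object-specific rights, bits 0-15 (directory / file meaning)
    (0x0001, "FILE_READ_DATA / LIST_DIRECTORY", "Rr"),
    (0x0002, "FILE_WRITE_DATA / ADD_FILE", "Ww"),
    (0x0004, "FILE_APPEND_DATA / ADD_SUBDIRECTORY", "A"),
    (0x0008, "FILE_READ_EA", "Re"),
    (0x0010, "FILE_WRITE_EA", "We"),
    (0x0020, "FILE_EXECUTE / TRAVERSE", "X"),
    (0x0040, "FILE_DELETE_CHILD", "Dc"),
    (0x0080, "FILE_READ_ATTRIBUTES", "Ra"),
    (0x0100, "FILE_WRITE_ATTRIBUTES", "Wa"),
]
STANDARD_RIGHTS = [  # bits 16-23
    (0x010000, "DELETE", "D"),
    (0x020000, "READ_CONTROL", "p"),
    (0x040000, "WRITE_DAC", "P"),
    (0x080000, "WRITE_OWNER", "O"),
    (0x100000, "SYNCHRONIZE", ""),  # no FILEACL letter; present in every mask above
]
HIGH_BITS = [  # bit 24 (AS) and the generic bits 28-31
    (0x01000000, "ACCESS_SYSTEM_SECURITY", "AS"),
    (0x10000000, "GENERIC_ALL", "GA"),
    (0x20000000, "GENERIC_EXECUTE", "GE"),
    (0x40000000, "GENERIC_WRITE", "GW"),
    (0x80000000, "GENERIC_READ", "GR"),
]
ALL_BITS = FILE_RIGHTS + STANDARD_RIGHTS + HIGH_BITS

def decode_mask(mask):
    """Return (right names, detailed letters, unrecognised bits) for a mask."""
    names, letters, seen = [], "", 0
    for bit, name, letter in ALL_BITS:
        if mask & bit:
            names.append(name)
            letters += letter
            seen |= bit
    return names, letters, (mask & ~seen) & 0xFFFFFFFF

def simple_letters(mask):
    """Collapse to the tip's simple rights.  R = Rr+Ra+Re+p as the tip states;
    W = Ww+A+We+Wa is read off the 0x100116 Write mask it quotes."""
    read, write = 0x0001 | 0x0008 | 0x0080 | 0x020000, 0x0002 | 0x0004 | 0x0010 | 0x0100
    out = "R" if mask & read == read else ""
    out += "W" if mask & write == write else ""
    for bit, letter in ((0x20, "X"), (0x010000, "D"), (0x080000, "O"), (0x040000, "P")):
        out += letter if mask & bit else ""
    return out or "U"  # U = unspecified (no right)
```

Bits that decode to nothing (the "unrecognised" value) are the reserved bits 25-27, which a well-formed ACE should never carry.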
Known Issues:
RWXDDc (every right except ownership and write permissions) may appear as "F" (Full Access) in display mode.
Use /ADVANCED to show detailed rights.