What is SubInACL?
March 5, 2006
A. Microsoft's SubInACL utility, which you can download at http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en , is a command-line tool for managing the security descriptors of files, registry keys, and services: you can display them, set ownership, and replace one security principal with another (e.g., change every permission that domain1\user1 holds into the same permission for domain2\user2). The following example changes the permissions on a file for user Bruce from his account in domain r2demo.test to his account in savilltech.com:
D:\migrated\demo\r2env01\tomigrate>subinacl /file SupermanvsBatman.jpg /replace=bruce@r2demo.test=bruce@savilltech.com

The command produces the following output (ACE 2 is the entry that referenced Bruce's old account):

D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 2 bruce@r2demo.test with bruce@savilltech.com
D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg : 1 change(s)

Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg
You can also use SubInACL to replace every account from one domain with the account of the same name in another domain. Before you do, display the file's current security descriptor so you know which entries will be rewritten, as the following command and output show. (Change /noverbose to /verbose=1 for an easier-to-read list of permissions.) Each /pace line is one permission ACE: Type=0x0 is an access-allowed ACE, Flags=0x10 marks an entry inherited from the parent folder, and AccessMask is the raw Win32 access mask (0x1f01ff is Full Control, 0x1301bf is Modify, 0x1200a9 is Read & Execute, and 0x120089 is Read).
D:\migrated\demo\r2env01\tomigrate>subinacl /noverbose /file SupermanvsBatman.jpg /display

========================================================
+File D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg
========================================================
/control=0x0
/owner             =builtin\administrators
/primary group     =r2demo\domain users
/audit ace count   =0
/perm. ace count   =9
/pace =r2demo\administrator      Type=0x0 Flags=0x0  AccessMask=0x1200a9
/pace =builtin\administrators    Type=0x0 Flags=0x0  AccessMask=0x1f01ff
/pace =savilltech\bruce          Type=0x0 Flags=0x0  AccessMask=0x1201bf
/pace =r2demo\clark              Type=0x0 Flags=0x0  AccessMask=0x1f01ff
/pace =r2demo\diana              Type=0x0 Flags=0x0  AccessMask=0x120089
/pace =savilltech\hal2           Type=0x0 Flags=0x0  AccessMask=0x1301bf
/pace =builtin\administrators    Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =system                    Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =builtin\users             Type=0x0 Flags=0x10 AccessMask=0x1200a9

Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg
To change the ACLs, use the following command, which replaces every r2demo entry on the file (including the primary group) with the savilltech entry of the same name. Note that the command matches on account name only: for each r2demo account in the ACL it looks up an account with the same name in savilltech and substitutes that account's SID. It does not consult SIDHistory or a mapping table, which is how utilities such as the Active Directory Migration Tool (ADMT) tie a source account to its migrated counterpart, so a savilltech account that merely shares a name with an r2demo account will inherit that account's permissions. Review the /display output before you run it, and test on a copy of the data first.
D:\migrated\demo\r2env01\tomigrate>subinacl /file SupermanvsBatman.jpg /changedomain=r2demo=savilltech

D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 0 r2demo\administrator with savilltech\administrator
D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 3 r2demo\clark with savilltech\clark
D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 4 r2demo\diana with savilltech\diana
D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg : savilltech\domain users is the new Primary Group
D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg replace Primary Group r2demo\domain users with savilltech\domain users
D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg : 4 change(s)

Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg
If the command can't find an account of the same name in the target domain, it reports error 1337 for that entry and leaves the ACE unchanged, so scan the output for those errors and fix the affected entries individually (with /replace, for example) rather than assuming the whole ACL was migrated.
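The /changedomain switch rewrites whatever it can match by name and reports an error for the rest, which is awkward to audit on a large tree. As an added example (not from the article and not part of SubInACL), the following Python script parses the /pace lines of the /display output shown above, decodes the access masks, and predicts what /changedomain=r2demo=savilltech would do to each entry given a set of account names known to exist in the target domain. The sample output, the path, and the set of savilltech accounts (administrator and clark exist, diana does not) are constructed for the example; in practice you would feed it real /display output and an account list from an AD query.

```python
import re
from dataclasses import dataclass

# Access-mask values as SubInACL prints them on /pace lines, mapped to the
# names Explorer shows for the same bits (FILE_ALL_ACCESS and friends).
FILE_MASKS = {
    0x1F01FF: "Full Control",
    0x1301BF: "Modify",
    0x1201BF: "Read, Write & Execute (no Delete)",
    0x1200A9: "Read & Execute",
    0x120089: "Read",
}
INHERITED_ACE = 0x10  # ACE flag bit: entry was inherited from the parent folder


@dataclass
class Ace:
    principal: str  # DOMAIN\account, or a well-known name such as "system"
    ace_type: int   # 0x0 = access allowed, 0x1 = access denied
    flags: int
    mask: int

    @property
    def domain(self) -> str:
        parts = self.principal.split("\\", 1)
        return parts[0].lower() if len(parts) == 2 else ""

    @property
    def account(self) -> str:
        return self.principal.split("\\", 1)[-1].lower()

    @property
    def inherited(self) -> bool:
        return bool(self.flags & INHERITED_ACE)

    def rights(self) -> str:
        return FILE_MASKS.get(self.mask, f"0x{self.mask:x}")


PACE_RE = re.compile(
    r"^/pace\s*=\s*(?P<principal>.+?)\s+Type=0x(?P<type>[0-9a-f]+)"
    r"\s+Flags=0x(?P<flags>[0-9a-f]+)\s+AccessMask=0x(?P<mask>[0-9a-f]+)\s*$",
    re.IGNORECASE,
)


def parse_display(text: str) -> list:
    """Extract the permission ACEs from 'subinacl /noverbose /file X /display' output."""
    aces = []
    for line in text.splitlines():
        m = PACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["principal"], int(m["type"], 16),
                            int(m["flags"], 16), int(m["mask"], 16)))
    return aces


def plan_changedomain(aces, old_domain, new_domain, target_accounts):
    """Predict what /changedomain=old_domain=new_domain does to each ACE.

    target_accounts: lower-case account names that exist in new_domain
    (constructed here; normally the result of an AD query). Matching is by
    name only, as SubInACL does it, so an unrelated account that happens to
    share a name in new_domain counts as a hit and would receive the rights.
    Returns (rewritten, unresolved, untouched).
    """
    rewritten, unresolved, untouched = [], [], []
    for ace in aces:
        if ace.domain != old_domain.lower():
            untouched.append(ace)
        elif ace.account in target_accounts:
            rewritten.append((ace, f"{new_domain}\\{ace.account}"))
        else:
            unresolved.append(ace)  # SubInACL reports an error and keeps the ACE
    return rewritten, unresolved, untouched


# Constructed sample: the /display output from the article, re-typed.
SAMPLE = r"""
+File D:\migrated\demo\r2env01\tomigrate\SupermanvsBatman.jpg
/control=0x0
/owner             =builtin\administrators
/primary group     =r2demo\domain users
/audit ace count   =0
/perm. ace count   =9
/pace =r2demo\administrator      Type=0x0 Flags=0x0  AccessMask=0x1200a9
/pace =builtin\administrators    Type=0x0 Flags=0x0  AccessMask=0x1f01ff
/pace =savilltech\bruce          Type=0x0 Flags=0x0  AccessMask=0x1201bf
/pace =r2demo\clark              Type=0x0 Flags=0x0  AccessMask=0x1f01ff
/pace =r2demo\diana              Type=0x0 Flags=0x0  AccessMask=0x120089
/pace =savilltech\hal2           Type=0x0 Flags=0x0  AccessMask=0x1301bf
/pace =builtin\administrators    Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =system                    Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =builtin\users             Type=0x0 Flags=0x10 AccessMask=0x1200a9
"""

if __name__ == "__main__":
    aces = parse_display(SAMPLE)
    # Assumed target-domain accounts: diana has no savilltech counterpart.
    rw, un, ut = plan_changedomain(aces, "r2demo", "savilltech",
                                   {"administrator", "clark"})
    for ace, new in rw:
        print(f"rewrite    {ace.principal:<26} -> {new:<26} {ace.rights()}")
    for ace in un:
        print(f"UNRESOLVED {ace.principal:<26} no '{ace.account}' in savilltech, ACE stays")
    for ace in ut:
        kind = "inherited" if ace.inherited else "explicit"
        print(f"keep       {ace.principal:<26} {kind:<9} {ace.rights()}")
```

Inherited entries are listed separately because fixing them on the file itself is pointless: they come from the parent folder's ACL and are re-propagated from there, so a migration pass has to walk the tree from the top (SubInACL's /subdirectories switch) rather than touch leaf files one at a time.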