SubInACL – Display or modify Access Control Entries in 2003/XP/2000
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.
For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information for the user’s files. This gives the user access to the same files from the new domain.
SubInACL enables administrators to do the following:
Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
Change the owner of an object.
Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
Migrate security information about objects. This is useful if you have reorganized a network’s domains and need to migrate the security information for files from one domain to another.
Download SubInACL from here
SubInACL Syntax
subinacl /help [/full | Keyword]
Scenario Examples
Scenario Example 1
The task in this example is to adjust the files on \\Server\Share after you move User1 from OldDomain to NewDomain. Type the following at the command line:
subinacl /subdirec \\server\share\*.* /replace=OLDDOMAIN\USER1=NEWDOMAIN\User1
Press ENTER.
Note: The two domains must have a trust relationship.
Scenario Example 2
The task in this example is to migrate a backup domain controller (BDC) named MigrControl with all its files to NewDomain, and migrate users from OldDomain to NewDomain.
Reinstall MigrControl as a primary domain controller (PDC) of NewDomain, and do not erase the files.
Create the users on NewDomain.
Create a trust relationship with OldDomain.
To migrate the files, type the following at the command line:
subinacl /noverbose /subdirectories x:\*.* /changedomain=OLDDOMAIN=NEWDOMAIN
Press ENTER.
To verify the changes, type the following at the command line:
subinacl /noverbose /subdirectories x:\*.*
Press ENTER.
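The verification command above prints every security descriptor it visits. The following PowerShell script is an added example (not part of the original post and not part of SubInACL) that lists only the owners and DACL entries still referencing the old domain, plus SIDs that no longer resolve to a name. X:\ and OLDDOMAIN are the scenario's placeholders; the script assumes PowerShell 3.0 or later and reads the owner and DACL only, not the SACL.

```powershell
# Added example, not from the original post. Read-only: changes nothing.
# Requires PowerShell 3.0+; run from any machine that can reach $Root.
param(
    [string]$Root      = 'X:\',        # placeholder path from Scenario Example 2
    [string]$OldDomain = 'OLDDOMAIN'   # placeholder domain name from the same scenario
)

$prefix = "$OldDomain\"
$cmp    = [StringComparison]::OrdinalIgnoreCase

# Helper (hypothetical name) that builds one uniform result row.
function New-Finding($Path, $Kind, $Identity, $Rights, $Inherited) {
    [pscustomobject]@{ Path = $Path; Kind = $Kind; Identity = $Identity
                       Rights = $Rights; Inherited = $Inherited }
}

# Include the root itself, then everything beneath it.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    # Report descriptors that cannot be read instead of skipping them silently.
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { New-Finding $item.FullName 'Unreadable' $_.Exception.Message '' $null; continue }

    # Owner still in the old domain
    if ($acl.Owner -and $acl.Owner.StartsWith($prefix, $cmp)) {
        New-Finding $item.FullName 'Owner' $acl.Owner '' $false
    }
    # DACL entries: old-domain accounts, or SIDs that no longer resolve to a name
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id.StartsWith($prefix, $cmp)) {
            New-Finding $item.FullName 'OldDomainAce' $id $ace.FileSystemRights $ace.IsInherited
        } elseif ($id -match '^S-1-5-21-') {
            New-Finding $item.FullName 'UnresolvedSid' $id $ace.FileSystemRights $ace.IsInherited
        }
    }
}

$findings | Sort-Object Kind, Path | Format-Table -AutoSize
"{0} finding(s) under {1}" -f @($findings).Count, $Root
```

An empty result after the /changedomain run means no owner or DACL entry under the path still names the old domain; rows of kind Unreadable need to be checked with an account that can read those descriptors.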
Scenario Example 3
The task in this example is to move a stand-alone server and its users to NewDomain.
Move the server to NewDomain.
Create the users in NewDomain.
Type the following at the command line:
subinacl /noverbose /subdirectories \\SERVER\SHARE /changedomain=SERVER=NEWDOMAIN
Press ENTER.
Scenario Example 4
The task in this example is to replace “Jim” with “Kim” in each .txt file in the C:\Temp folder, display the security descriptor for each such file, and apply any changes. Type the following at the command line:
subinacl /file c:\temp\*.txt /replace=Jim=Kim /display