SubiNACL Quick reference
SubiNACL is Microsoft’s recommended utility for setting permissions of registry keys and folders.
To grant modify rights to a particular directory:
SubiNACL /subdirectories C:\WINDOWS\Directory /grant=Users=crxew
To recursively grant full rights to directories (be aware that this does not include rights changes to the “named” directory):
SubiNACL /subdirectories C:\WINDOWS\Directory\* /grant=Users=F
To grant full rights to a particular Registry key:
SubiNACL /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\A1 /grant=Users=F
To grant full rights to files in a particular directory and then ensure that executables are read only:
SubiNACL /file C:\Program Files\Test\*.* /grant=Users=F
SubiNACL /file C:\Program Files\Test\*.exe /grant=Users=R
SetACL Quick reference
SetACL is a widely used alternative to SubiNACL.
To set rights for users to a particular registry key:
SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Attachmate\KEA!"
-ot reg -actn ace -ace "n:users;p:full;m:set;w:dacl" -rec yes
To grant fights to a particular file or directory:
SetACL.exe -on "C:\Documents" -ot file -actn ace -ace "n:users;p:full"
Permission Problems
Don’t forget that when MSI directory notations are used, all directories end in a trailing backslash. When this is used in conjunction with quote marks it escapes the quote character and everything falls apart. To resolve this problem, we need to ensure that a directory notation is followed with an extra backslash as this will prevent escaping problems (as demonstrated below).
- Log in to post comments