Re: Command Line Utility for Audit List?

I find the syntax (and for that matter the default output format)
of SetAcl pretty dense and ill documented, hence SetAcl is
not something I often mention.

Like Joe (well, perhaps language and/or api choice varies)
I do this with a script. (see other reply about xcacls.vbs)

Much of what you outline as a "would be nice" actually can
be fairly closely be done with the Security Templates mmc
snap-in. A saved template is only a text file. One can edit
to reorient as group of settings for use with different dirs.
One may analyze for a report on variance, or apply to bring
into compliance with the spec. As we are talking about
SACL here, if one wants to use a template to alter only the
SACL, one needs only edit to remove the D: ( ) DACL
specification that one cannot avoid creating when defining
the filesystem section of a template with the snapin.


"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
I positioned to the folder above the Cookies folder and let loose with a
variant of the command you suggested. It would probably take me 30
minutes just to grasp the syntax for setting the permission, then 10
to make sure that what I had set was correct. SetACL looks incredibly
powerful, but fairly complex for occasional use.

It would be great to have a tool that would let you create a test folder,
set the desired permissions or audit set, then "snapshot" this to a file
that could then be refed to the command to imprint upon other objects
maybe using backup and restore / replace functions to overwrite what is
there by default. I've seen a number of systems that have been hacked or
corrupted where the folder permissions no longer behave normally and don't
respond to commands like this one. I've used the FileACL command in such
cases to overwrite whatever permissions are there by inheriting from the
parent. Then I'm able to administer through the GUI.


SetACL finished with error(s):
SetACL error message: The call to GetNamedSecurityInfo () failed
Operating system error message: The system cannot find the file specified.


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
The cookies folder is I believe called a special folder, a form
of shell extension.
It appears that SetACL can handle the cookies folder as if it
were a "file" object type (in SetACL's syntax). Try
setacl -actn list -ot file -lst w:s -on <path>

"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
subinacl will show audit ACEs.

Is there a tool that will also set audit permissions from command line?

I'm trying to do this on users' Cookies folder, which for some strange
reason Microsoft doesn't let you set an ACL on through the GUI.



Relevant Pages

  • Re: subinacl - cant grant multiple permissions?
    ... I was able to use the -ace parameter twice in the command ... You don't seem to have had must trouble with the SetAcl ... > "Herb Martin" wrote: ... >> line but it will change more any permissions programatically. ...
  • Re: Command Line Utility for Audit List?
    ... variant of the command you suggested. ... corrupted where the folder permissions no longer behave normally and don't ... SetACL finished with error: ... It appears that SetACL can handle the cookies folder as if it ...
  • Re: Regini
    ... When I run the command it adds the key ... > with the permissions I specified instead of changing the ... SetACL is also an option, a nice freeware app that adds a lot to cacls, ... Local or remote directories ...
  • Re: Edit service permissions from Command-line
    ... The BEST command line permission setting tools (in terms of ... capabilities) are SubInAcl and the open source SetAcl.exe ... developers if they would add this capability. ... SetAcl is very powerful but it has what is ...
  • The SetACL problem
    ... I use the two command lines below to clear all permission of a registry key. ...