SUBINACL - CMD
Overview
SUBINACL
is a command-line tool in Windows that enables administrators to obtain security information about files, registry keys, services, and other system objects. It can set permissions, audit information, and ownership. This tool is particularly useful for automating security management tasks in large systems and can be crucial during system migrations or backups.
Syntax
The general syntax for SUBINACL
is as follows:
subinacl /object_type object_name /action[=parameters]
object_type
specifies the type of object (e.g., file, service, or registry key).object_name
defines the name or path of the object.action
specifies the action to take, with optional parameters.
Detailed Syntax
subinacl /file filename [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]
subinacl /subdirectories directory [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]
subinacl /keyreg RegistryKey [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]
subinacl /service servicename [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]
Options/Flags
/file
: Specifies a file for which to set information./subdirectories
: Targets subdirectories of the specified directory./keyreg
: Targets a registry key./service
: Specifies a service./grant[=access]
: Grants access rights to a user. The format is user[=rights]./deny[=access]
: Denies access rights to a user. Follows the format user[=rights]./setowner=owner
: Sets the owner of an object./replace
: Replaces the security information for the specified object./revoke=user
: Revokes all access rights from a user.
Examples
1. Granting Full Access to a User on a File:
subinacl /file c:\example.txt /grant=administrator=F
2. Revoking All Permissions for a User on a Registry Key:
subinacl /keyreg HKEY_LOCAL_MACHINE\Software\Example /revoke=guest
3. Setting Ownership of a Directory and Subdirectories:
subinacl /subdirectories c:\example\*.* /setowner=administrator
Common Issues
- Permission Errors: Ensure that
SUBINACL
is run with administrative privileges to avoid access denied errors. - Incorrect Syntax: Double-check the command syntax, especially spaces and equal signs in commands like
/grant
and/deny
. - Unsupported Actions on Objects: Some actions may not be supported on certain types of objects, such as services or registry keys.
Integration
SUBINACL
can be integrated with batch scripts to automate the deployment of permissions across multiple system objects. Here is a basic script example:
@echo off
subinacl /file c:\example\*.* /setowner=administrator
subinacl /file c:\example\*.* /grant=administrator=F
echo Permissions have been updated.
Combine SUBINACL
with other commands like icacls
for comprehensive permission and security management.
Related Commands
- cacls: Older command similar to
SUBINACL
, but with less functionality. - icacls: Replacement for
cacls
, allows for more granular permission setting.
For further reading and more detailed information, refer to the official Microsoft documentation on SUBINACL.