Subinacl.exe
With this command-line tool, administrators can obtain security information on files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.
For example, if a user has moved from one domain (DOMA) to another (DOMB), the administrator can replace DOMA\User with DOMB\User in the security information for the user's files. This gives the user access to the same files from the new domain. See Domain Migration With SubInAcl.
SubInAcl enables administrators to:
- Display security information associated with files, registry keys, or services, including owner, group, permissions access control list (ACL), discretionary access control list (DACL), and system access control list (SACL).
- Change the owner of an object.
- Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
The /replace and /changedomain options change security information in the Owner, System ACL, and Discretionary ACL fields, but the Primary Group information is never replaced.
For example, /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan replaces all access control entries (ACEs) and owners containing DOM_MARKETING\ChairMan with the NewChairMan SID retrieved from NEWDOM domain.
- Migrate security information on objects.
This is useful if you have reorganized a network's domains and need to migrate the security information on files from one domain to another.
For example, /changedomain=OldDomainName=NewDomainName replaces all ACEs with a SID from OldDomainName with the equivalent SID found in NewDomainName.
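The following added example (not SubInAcl code, and not part of the original documentation) models the /replace rule described above on an SDDL string: the owner, DACL, and SACL are rewritten, the primary group is left alone, and the result is audited for leftover references to the old SID. The SIDs, the sample descriptor, and all function names are constructed for illustration.

```python
import re

# Constructed SIDs standing in for DOM_MARKETING\ChairMan and NEWDOM\NewChairMan.
OLD = "S-1-5-21-1111111111-2222222222-3333333333-1104"
NEW = "S-1-5-21-4444444444-5555555555-6666666666-2207"
# Constructed descriptor: OLD is owner, primary group, and a trustee in both ACLs.
# The second DACL entry names a different account whose SID merely starts with OLD.
SAMPLE = (f"O:{OLD}G:{OLD}"
          f"D:PAI(A;OICI;FA;;;{OLD})(A;;FR;;;{OLD}0)(A;;FA;;;BA)"
          f"S:AI(AU;SAFA;FA;;;{OLD})")

ACE = re.compile(r"\(([^()]*)\)")

def components(sddl):
    """Split SDDL into (tag, body) pairs for O:, G:, D: and S:."""
    return [(p[0], p[2:]) for p in re.split(r"(?=[OGDS]:)", sddl) if p]

def swap_trustee(acl, old, new):
    """Rewrite the trustee (sixth ACE field) only when it equals old exactly."""
    def fix(match):
        fields = match.group(1).split(";")
        if len(fields) >= 6 and fields[5] == old:
            fields[5] = new
        return "(" + ";".join(fields) + ")"
    return ACE.sub(fix, acl)

def replace_sid(sddl, old, new):
    """Model of /replace: owner, DACL and SACL change; primary group does not."""
    out = []
    for tag, body in components(sddl):
        if tag == "O" and body == old:
            body = new
        elif tag in "DS":
            body = swap_trustee(body, old, new)
        out.append(f"{tag}:{body}")
    return "".join(out)

def fields_referencing(sddl, sid):
    """Tags of the components that still name sid, for a post-migration audit."""
    hits = []
    for tag, body in components(sddl):
        if tag in "OG":
            trustees = [body]
        else:
            trustees = [a.split(";")[5] for a in ACE.findall(body) if a.count(";") >= 5]
        if sid in trustees:
            hits.append(tag)
    return hits

if __name__ == "__main__":
    migrated = replace_sid(SAMPLE, OLD, NEW)
    print(migrated)
    print("still references old SID:", fields_referencing(migrated, OLD))
```

Because the primary group is never replaced, an audit after migration should expect the old SID to survive in the G: component; comparing whole SIDs rather than substrings keeps an account whose SID only shares a prefix from being rewritten.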
This tool is designed for use by administrators. Some actions may fail or generate error messages if the user doesn't have the following privileges:
- SeBackupPrivilege (Back up files and directories.)
- SeChangeNotifyPrivilege (Bypass traverse checking.)
- SeRestorePrivilege (Restore files and directories.)
- SeSecurityPrivilege (Manage auditing and security log.)
- SeTakeOwnershipPrivilege (Take ownership of files or other objects.)
- SeTcbPrivilege (Act as part of the operating system.)
File Required