SubInAcl Syntax: action[=parameter]
- /display (default)
- Displays the security descriptor.
The /noverbose display can be used to reapply the security descriptor (see /playfile).
- /owner=owner or /setowner=owner
- Changes the owner of the object.
owner is a valid security identifier (SID), which can be expressed in several forms.
Retrieves the Administrators' SID on the server where the object is located (see Win32 SDK LookupAccountName function).
- /replace=[DomainName\]OldAccount=[DomainName\]NewAccount
- Replaces all access control entries (ACEs) (Audit and Permissions) in the object.
Replaces all ACEs containing DOM_MARKETING\ChairMan with the NewChairMan SID retrieved from the NEWDOM domain.
- /changedomain=OldDomainName=NewDomainName
- Replaces all ACEs with a SID from OldDomainName with the equivalent SID found in NewSamServer.
Replaces all ACEs containing the DOM_MARKETING\ChairMan SID with the ChairMan's SID retrieved on the NEWDOMAIN computer. NEWDOMAIN must have a trust relationship with the server containing the object.
- /migratetodomain=SourceDomain=DestDomain
- Same behavior as /changedomain, except that new ACEs are added to a new domain and ACEs for the old domain are preserved.
Each ACE with DOM1\User is duplicated with DOM2\User (if DOM2\User exists). If there was a serious oversight during the migration, you can instruct the user to log back onto DOM1.

Owner and Primary Group are migrated to DOM2.
- /findsid=[DomainName\]Account[=stop]
- Displays the object name containing a reference to DomainName\Account in the security descriptor.
- /suppresssid=[DomainName\]Account
- Suppresses all ACEs containing the DomainName\Account SID. If the object's owner is DomainName\Account, the owner is set to Everyone's SID.
- /confirm
- /perm
- Suppresses all existing permission ACEs (PACEs).
- /audit
- Suppresses all existing auditing ACEs (AACEs).
- /ifchangecontinue
- Continues to process the next actions only if some changes have been made in the previous actions.
- /cleandeletedsidsfrom=DomainName
- Deletes all ACEs containing deleted (not valid) SIDs from DomainName.
- /accesscheck=[DomainName\]UserName
- Displays the access granted to the Domain\UserName. The password is requested. This option requires the SeTcbName privilege (Act as Part of the Operating System), and cannot be used with remote objects.
Note: The access is checked with the NETWORK security identifier granted to the Domain\UserName.
- /setprimarygroup=[DomainName\]Group
- Changes the primary group.
- /grant=[DomainName\]UserName[=Access]
- Adds a Permission ACE for UserName. If Access is not specified, Full Control access is granted.
- /deny=[DomainName\]UserName[=Access]
- Adds a denied Permission ACE for the specified UserName (or group). If Access is not specified, all accesses will be denied.
- /revoke=[DomainName\]UserName
- Suppresses all Permission ACEs for the specified User (or group).
Permission ACEs
Used with /grant and /deny:

F : Full Control
C : Change
R : Read
P : Change Permissions
O : Take Ownership
X : eXecute
E : Read eXecute
W : Write
D : Delete

F : Full Control
R : Read
C : Change

F : Full Control
M : Manage Documents
P : Print

F : Full Control
R : Read
A : ReAd Control
Q : Query Value
S : Set Value
C : Create SubKey
E : Enumerate Subkeys
Y : NotifY
L : Create Link
D : Delete
W : Write DAC
O : Write Owner

F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands

F : Full Control
R : Read
C : Change

F : Full Control
R : Read - MD_ACR_READ
W : Write - MD_ACR_WRITE
I : Restricted Write - MD_ACR_RESTRICTED_WRITE
U : Unsecure Props Read - MD_ACR_UNSECURE_PROPS_READ
E : Enum Keys - MD_ACR_ENUM_KEYS
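
Several actions above have broad defaults: /grant without Access gives Full Control, /deny without Access denies everything, and /suppresssid can reset the owner to Everyone. The following is an added example, not part of SubInAcl or its documentation, that parses `/action[=parameter]` tokens from a planned command line and flags those cases before the command is run. The names `parse_action` and `lint_actions` and the sample accounts are hypothetical.

```python
import re

# Warnings taken from the defaults and side effects documented on this page.
NO_ACCESS = {"grant": "no Access given, so Full Control is granted",
             "deny": "no Access given, so all accesses are denied"}
ALWAYS = {"suppresssid": "if the account owns the object, owner becomes Everyone",
          "perm": "suppresses all existing permission ACEs",
          "audit": "suppresses all existing auditing ACEs"}

ACTION_RE = re.compile(r"^/([A-Za-z]+)(?:=(.*))?$")


def parse_action(token):
    """Split '/action[=parameter]' into (action, list of '='-separated fields)."""
    m = ACTION_RE.match(token)
    if not m:
        raise ValueError(f"not a SubInAcl action: {token!r}")
    return m.group(1).lower(), (m.group(2).split("=") if m.group(2) else [])


def lint_actions(tokens):
    """Return (token, warning) pairs for actions that deserve a second look."""
    findings = []
    for token in tokens:
        action, fields = parse_action(token)
        # For /grant and /deny the second field is the optional Access string.
        access = fields[1].upper() if len(fields) > 1 else ""
        if action in NO_ACCESS and not access:
            findings.append((token, NO_ACCESS[action]))
        elif action == "grant" and "F" in access:
            findings.append((token, "grants Full Control explicitly"))
        elif action in ALWAYS:
            findings.append((token, ALWAYS[action]))
    return findings


# Constructed sample: actions from a planned command line (accounts are made up).
SAMPLE = [
    "/grant=CORP\\helpdesk",          # Access omitted
    "/grant=CORP\\svc-monitor=QS",    # two specific rights only
    "/grant=CORP\\ops=F",
    "/deny=CORP\\contractor",
    "/suppresssid=OLDDOM\\jsmith",
    "/audit",
]

if __name__ == "__main__":
    for token, warning in lint_actions(SAMPLE):
        print(f"{token}: {warning}")
```

Only the `/grant` with an explicit, narrow Access string passes without a finding; the other five sample actions are reported.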