Changes in the latest version of "SetACL" (2008/01/25 (Fri) 13:13:31)
*A test of translating the SetACL manual into Japanese
C:\>SetACL.exe -on "C:\バックアップ" -ot file -rec cont_obj ^
-actn setowner -ownr "n:mai" ^
-actn clear -clr dacl,sacl ^
-actn ace -ace "n:Administrators;p:full" -ace "n:SYSTEM;p:full" -ace "n:mai;p:full"
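Line 1: specifies the target (a folder) and that the target is a file or folder
Line 2: changes the file owner to mai
Line 3: clears all ACLs (removes access rights held by odd SIDs)
Line 4: grants full access to Administrators, SYSTEM, and mai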
SetACL by Helge Klein
Homepage: http://setacl.sourceforge.net
Version: 2.0.2.0
Copyright: Helge Klein
License: GPL
**OPTIONS
|-on|ObjectName|
|-ot|ObjectType|
|-actn|Action|
|-ace|"n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"|
|-trst|"n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"|
|-dom|"n1:Domain;n2:Domain;da:DomainAction;w:Where"|
|-ownr|"n:Trustee;s:IsSID"|
|-grp|"n:Trustee;s:IsSID"|
|-rec|Recursion|
|-op|"dacl:Protection;sacl:Protection"|
|-rst|Where|
|-lst|"f:Format;w:What;i:ListInherited;s:DisplaySID"|
|-bckp|Filename|
|-log|Filename|
|-fltr|Keyword|
|-clr|Where|
|-silent||
|-ignoreerr||
**PARAMETERS
***ObjectName:
Name of the object to process (e.g. 'c:\mydir')
***ObjectType:
Type of object:
|file:|Directory/file|
|reg:|Registry key|
|srv:|Service|
|prn:|Printer|
|shr:|Network share|
***Action:
Action(s) to perform:
|ace:|Process ACEs specified by parameter(s) '-ace'.|
|trustee:|Process trustee(s) specified by parameter(s) '-trst'.|
|domain:|Process domain(s) specified by parameter(s) '-dom'.|
|list:|List permissions. A backup file can be specified by parameter '-bckp'. Controlled by parameter '-lst'.|
|restore:|Restore entire security descriptors backed up using the list function. A file containing the backup has to be specified using the parameter '-bckp'. The listing has to be in SDDL format.|
|setowner:|Set the owner to trustee specified by parameter '-ownr'.|
|setgroup:|Set the primary group to trustee specified by parameter '-grp'.|
|clear:|Clear the ACL of any non-inherited ACEs. The parameter '-clr' controls whether to do this for the DACL, the SACL, or both.|
|setprot:|Set the flag 'allow inheritable permissions from the parent object to propagate to this object' to the value specified by parameter '-op'.|
|rstchldrn:|Reset permissions on all sub-objects and enable propagation of inherited permissions. The parameter '-rst' controls whether to do this for the DACL, the SACL, or both.|
***TrusteeAction:
Action to perform on trustee specified:
|remtrst:|Remove all ACEs belonging to trustee specified.|
|repltrst:|Replace trustee 'n1' by 'n2' in all ACEs.|
|cpytrst:|Copy the permissions for trustee 'n1' to 'n2'.|
***DomainAction:
Action to perform on domain specified:
|remdom:|Remove all ACEs belonging to trustees of domain specified.|
|repldom:|Replace trustees from domain 'n1' by trustees with same name from domain 'n2' in all ACEs.|
|cpydom:|Copy permissions from trustees from domain 'n1' to trustees with same name from domain 'n2' in all ACEs.|
***Trustee:
Name or SID of trustee (user or group). Format:
****a) [(computer | domain)\]name
|Where:||
|computer:|DNS or NetBIOS name of a computer -> 'name' must be a local account on that computer.|
|domain:|DNS or NetBIOS name of a domain -> 'name' must be a domain user or group.|
|name:|user or group name|
If no computer or domain name is given, SetACL tries to find a SID for 'name' in the following order:
1. built-in accounts and well-known SIDs
2. local accounts
3. primary domain
4. trusted domains
****b) SID string
***Domain:
Name of a domain (NetBIOS or DNS name).
***Permission:
Permission to set. Validity of permissions depends on the object type (see below). Comma separated list.
Example: 'read,write_ea,write_dacl'
***IsSID:
Is the trustee name a SID?
|y:|Yes|
|n:|No|
***DisplaySID:
Display trustee names as SIDs?
|y:|Yes|
|n:|No|
|b:|Both (names and SIDs)|
***Inheritance:
Inheritance flags for the ACE. This may be a comma separated list containing the following:
|so:|sub-objects|
|sc:|sub-containers|
|np:|no propagation|
|io:|inherit only|
Example: 'io,so'
***Mode:
Access mode of this ACE:
****a) DACL:
|set:|Replace all permissions for given trustee by those specified.|
|grant:|Add permissions specified to existing permissions for given trustee.|
|deny:|Deny permissions specified.|
|revoke:|Remove permissions specified from existing permissions for given trustee.|
****b) SACL:
|aud_succ:|Add an audit success ACE.|
|aud_fail:|Add an audit failure ACE.|
|revoke:|Remove permissions specified from existing permissions for given trustee.|
***Where:
Apply settings to DACL, SACL, or both (comma separated list):
dacl
sacl
dacl,sacl
***Recursion:
Recursion settings, depends on object type:
****a) file:
|no:|No recursion.|
|cont:|Recurse, and process directories only.|
|obj:|Recurse, and process files only.|
|cont_obj:|Recurse, and process directories and files.|
****b) reg:
|no:|Do not recurse.|
|yes:|Do recurse.|
***Protection:
Controls the flag 'allow inheritable permissions from the parent object to propagate to this object':
|nc:|Do not change the current setting.|
|np:|Object is not protected, i.e. inherits from parent.|
|p_c:|Object is protected, ACEs from parent are copied.|
|p_nc:|Object is protected, ACEs from parent are not copied.|
***Format:
Which list format to use:
|sddl:|Standardized SDDL format. Only listings in this format can be restored.|
|csv:|SetACL's csv format.|
|tab:|SetACL's tabular format.|
***What:
Which components of security descriptors to include in the listing. (comma separated list):
|d:|DACL|
|s:|SACL|
|o:|Owner|
|g:|Primary group|
Example: 'd,s'
***ListInherited:
List inherited permissions?
|y:|Yes|
|n:|No|
***Filename:
Name of a (unicode) file used for list/backup/restore operations or logging.
***Keyword:
Keyword to filter object names by. Names containing this keyword are not processed.
**REMARKS
Required parameters (all others are optional):
|-on|(Object name)|
|-ot|(Object type)|
Parameters that may be specified more than once:
|-actn|(Action)|
|-ace|(Access control entry)|
|-trst|(Trustee)|
|-dom|(Domain)|
|-fltr|(Filter keyword)|
Only actions specified by parameter(s) '-actn' are actually performed, regardless of the other options set.
Order in which multiple actions are processed:
1. restore
2. clear
3. trustee
4. domain
5. ace, setowner, setgroup, setprot
6. rstchldrn
7. list
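The two rules above (only actions named by '-actn' run, and they run in a fixed order rather than the order written) are easy to miss when reviewing a recursive command line before it is executed. The following Python checker is an added example, not part of SetACL or its manual; the names parse, review and SAMPLE and the path C:\Data are made up for illustration, and the tables are copied from this page.

```python
import re

# Step at which each action runs, per the REMARKS section (lower runs first).
ORDER = {"restore": 1, "clear": 2, "trustee": 3, "domain": 4, "ace": 5,
         "setowner": 5, "setgroup": 5, "setprot": 5, "rstchldrn": 6, "list": 7}
# Which action(s) consume each option, per the Action table.
USED_BY = {"-ace": {"ace"}, "-trst": {"trustee"}, "-dom": {"domain"},
           "-ownr": {"setowner"}, "-grp": {"setgroup"}, "-clr": {"clear"},
           "-op": {"setprot"}, "-rst": {"rstchldrn"}, "-lst": {"list"},
           "-bckp": {"restore", "list"}}
# Actions whose option the manual says has to be specified.
NEEDS = {"ace": "-ace", "trustee": "-trst", "domain": "-dom", "restore": "-bckp",
         "setowner": "-ownr", "setgroup": "-grp", "setprot": "-op"}
MULTI = {"-actn", "-ace", "-trst", "-dom", "-fltr"}  # may be repeated
SWITCHES = {"-silent", "-ignoreerr"}                 # take no value

def parse(cmdline):
    """Split one SetACL command line into {option: [values]}."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 1                                  # toks[0] is the executable
    while i < len(toks):
        takes_value = toks[i] not in SWITCHES
        value = toks[i + 1] if takes_value and i + 1 < len(toks) else ""
        opts.setdefault(toks[i], []).append(value)
        i += 2 if takes_value else 1
    return opts

def review(cmdline):
    """Return (actions in execution order, list of findings)."""
    opts = parse(cmdline)
    actions = opts.get("-actn", [])
    # Stable sort: the page gives no order inside step 5, so written order is kept.
    plan = sorted(actions, key=lambda a: ORDER.get(a, 99))
    findings = [f"missing required {o}" for o in ("-on", "-ot") if o not in opts]
    findings += [f"{o} given more than once" for o, v in opts.items()
                 if len(v) > 1 and o not in MULTI]
    findings += [f"action '{a}' has no {NEEDS[a]}" for a in actions
                 if a in NEEDS and NEEDS[a] not in opts]
    findings += [f"{o} is ignored: no matching -actn" for o, acts in USED_BY.items()
                 if o in opts and not acts & set(actions)]
    if plan != actions:
        findings.append("runs as: " + ", ".join(plan))
    return plan, findings

# Constructed sample: the page's example on one line, with a made-up path.
SAMPLE = (r'SetACL.exe -on "C:\Data" -ot file -rec cont_obj -actn setowner '
          r'-ownr "n:mai" -actn clear -clr dacl,sacl -actn ace '
          r'-ace "n:Administrators;p:full" -ace "n:SYSTEM;p:full" -ace "n:mai;p:full"')
```

Calling review(SAMPLE) shows that the 'clear' action runs before 'setowner' and 'ace' even though it is written second.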
**VALID PERMISSIONS
***a) Standard permission sets (combinations of specific permissions)
****Files / Directories:
|read:|Read|
|write:|Write|
|list_folder:|List folder|
|read_ex:|Read, execute|
|change:|Change|
|profile:|= change + write_dacl|
|full:|Full access|
****Printers:
|print:|Print|
|man_printer:|Manage printer|
|man_docs:|Manage documents|
|full:|Full access|
****Registry:
|read:|Read|
|full:|Full access|
****Service:
|read:|Read|
|start_stop:|Start / Stop|
|full:|Full access|
****Share:
|read:|Read|
|change:|Change|
|full:|Full access|
***b) Specific permissions
****Files / Directories:
|traverse:|Traverse folder / execute file|
|list_dir:|List folder / read data|
|read_attr:|Read attributes|
|read_ea:|Read extended attributes|
|add_file:|Create files / write data|
|add_subdir:|Create folders / append data|
|write_attr:|Write attributes|
|write_ea:|Write extended attributes|
|del_child:|Delete subfolders and files|
|delete:|Delete|
|read_dacl:|Read permissions|
|write_dacl:|Write permissions|
|write_owner:|Take ownership|
****Registry:
|query_val:|Query value|
|set_val:|Set value|
|create_subkey:|Create subkeys|
|enum_subkeys:|Enumerate subkeys|
|notify:|Notify|
|create_link:|Create link|
|delete:|Delete|
|write_dacl:|Write permissions|
|write_owner:|Take ownership|
|read_access:|Read control|