View Windows Permissions / ACLs

There are many GUI and command line tools kicking around that can be used to list, export, change permissions on Windows file systems.  Here are my three favourites with some useful command line examples used to view windows permissions.

 

DumpACL Export Directory Security using a simple but flexible GUI in a concise format suitable for Wxcel (only non-inherited permissions listed in readable (group names, not SID) format.

 

SetACL Probably the most flexible and well documented tool for listing and changing ACLs.  Useful in migrating data from one domain to another.  Lots of options.  Easy to use once oriented.

setacl -on C:\MyFolder -ot file -actn list -lst “f:tab;w:d;i:n;s:n”  -display permissions (non-inherited, human friendly group names)

setacl -on C:\MyFolder -ot file -actn list -lst “f:tab;w:d;i:n;s:y”  -display permissions (non-inherited actual SIDs)

The setacl command is made up of three parts or four if you require recursion.

-on (Object Name) – can be the path to a folder

-ot (Object Type)  -can be file, reg, printer or other objects

-actn (Action)   -can be one or more actions to apply such as list, clear, setowner, setgroup, domain and many others such as delorphanedsids to delete orphaned sids.

-rec (Recursive) is a fourth option used to carry on for specific container object children.  As such it can take values of cont, obj or cont_obj to specify folder, files or both respectively.

Some actions come with their own additional options.  E.g. the -lst part after the list action -actn list is optional, but it provides the greatest control over the output format of the list actions functionality.

f: (Format) – can be sddl, csv or tab

w: (What) – can be d s o or g (dacl, sacl, owner or group)

i: (Inherited) – can be y or n (yes or no to display inherited perms or not)

s: (SID)  -can be y or n (yes for SIDs, no for Group Names, or b for both)

Full documentation here

A recoverable backup of security dacls can be performed using the -bckp function (not -log), but the format must be sddl (sids only).

icacls Windows Command Line Built-in.  simple and easy to use.

icacls C:\MyFolder      -displays permissions of folder.  Doesn’t require command line to be run as administrator unlike its deprecated predecessor cacls and is quicker and easier than equivalent SetAcl command (above) to provide a quick list of permissions from the command line.

Did you like this?
Tip cyberfella with Cryptocurrency

Donate Bitcoin to cyberfella

Scan to Donate Bitcoin to cyberfella
Scan the QR code or copy the address below into your wallet to send some bitcoin:

Donate Bitcoin Cash to cyberfella

Scan to Donate Bitcoin Cash to cyberfella
Scan the QR code or copy the address below into your wallet to send bitcoin:

Donate Ethereum to cyberfella

Scan to Donate Ethereum to cyberfella
Scan the QR code or copy the address below into your wallet to send some Ether:

Donate Litecoin to cyberfella

Scan to Donate Litecoin to cyberfella
Scan the QR code or copy the address below into your wallet to send some Litecoin:

Donate Monero to cyberfella

Scan to Donate Monero to cyberfella
Scan the QR code or copy the address below into your wallet to send some Monero:

Donate ZCash to cyberfella

Scan to Donate ZCash to cyberfella
Scan the QR code or copy the address below into your wallet to send some ZCash:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.