Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


December 2002

Control ACEs and ACLs with Subinacl

More on what this handy tool can do for you

In "Edit Permissions with Subinacl," October 2002, InstantDoc ID 26362, I introduced you to Subinacl, a great security and migration tool that's in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. Although I usually cover resource kit tools in This Old Resource Kit, Subinacl does so much that I'd have to devote half a year's columns to the program if I covered it in that column. But this tool is so useful that not talking about it somewhere would be criminal, so I'm using the longer Inside Out columns to explain it.

In "Edit Permissions with Subinacl," you saw that Subinacl lets you create and delete permissions in an Xcacls-like fashion and swap SIDs to make migrations much easier. Subinacl also lets you change owners, change access control entries (ACEs), test access, and back up and restore ACLs.

Changing Owners
For years, many Windows NT security sources (including me) taught people that the trick to NTFS ownership is that you can take ownership but not give it. This trick lets users protect their home directory from prying eyes. Users just need to take ownership of their home directory, then give themselves full control of the directory and lock out everyone else. When users take that approach, the only way an errant administrator can look at users' files is to take ownership of the file, then give himself or herself permission to peek. But that administrator would leave telltale fingerprints behind: he or she would now own the file and couldn't change that ownership, because the administrator can only take ownership, not give it.

I guess the sources said that you can take but not give ownership because the GUI supports only taking ownership. But under the hood, NT clearly supports both giving and taking ownership because Subinacl can do both. By using the Subinacl command with the /setowner parameter (i.e., option), you can change a file's owner. For example, to change the ownership of the testfile.txt file to Mary in a domain named ACME, you use the command

subinacl /file c:\testfile.txt /setowner=acme\mary

The /setowner parameter works with wildcards and the Subinacl command's /subdirectories option, so the /setowner parameter is quite useful for creating a home directory. You just create the directory, copy the user's files to it, then use Subinacl to give the user ownership of the directory.

Subinacl's ability to give as well as take ownership doesn't mean that you can't protect your home directory from the errant administrator. To protect your directory, you can enable auditing for the directory. I'd like to tell you that you can use Subinacl to set auditing ACEs, but oddly enough, you can't. Subinacl will clear all auditing ACEs if you use the /audit parameter in a command such as

subinacl /file testit.txt /audit

Subinacl doesn't include a command that sets auditing ACEs.

Changing ACEs
I gather from Subinacl's brief documentation that its main goal is to simplify migration (i.e., to move users from one domain to another). Although you can find far more complex and complete migration tools on the market, Subinacl doesn't do badly for a basically free tool.

Suppose that you find yourself the unfortunate newly appointed administrator of a multidomain mess—a company with 5000 employees and 40 NT 4.0 domains. Some domains are account domains; others are resource domains.

You convince your boss to let you reorganize the enterprise into a master domain and a few resource domains. You want to carry out this reorganization gradually so that you always have a fallback position. You start by creating a new Win2K master domain called ALLOFUS. Now you have to get all the user accounts in the enterprise on that server and build trust relationships to the old NT 4.0 domains that contain resources. Take, for example, the old ENGINEERING domain that contained both servers and user accounts. You need to duplicate the ENGINEERING domain's user accounts in the ALLOFUS domain, then build a trust relationship so that the ENGINEERING domain's servers trust the user accounts in the ALLOFUS domain.

The ENGINEERING domain's servers all have ACLs on their shares. For example, one ACL gives only Gordon permission to write to his folder. However, this ACL refers to Gordon's user account in the ENGINEERING domain, not his new account in ALLOFUS. So, to give Gordon access to his folder, you must visit every NTFS permission on all the servers in the ENGINEERING domain and replace the ACL that refers to Gordon's ENGINEERING account with one that refers to Gordon's ALLOFUS account. Hundreds of people had accounts in the ENGINEERING domain, so the task of changing the ACLs is going to be long and tedious—unless you use Subinacl's /changedomain and /migratetodomain options.

The idea is to run either of these options against a directory tree. Subinacl then examines every NTFS ACE, changing each old-domain SID to the corresponding SID in the new domain. For example, suppose that Mary has full-control access, William has read access, and Amy has modify permissions on the same folder. Although the ENGINEERING domain identifies Mary, William, and Amy by their SIDs, it also knows their usernames. When Subinacl finds the ACE that says, "The person with SID such-and-such has full control," it looks at the SID and sees that it's from the ENGINEERING domain. Subinacl then contacts a domain controller (DC) in the ENGINEERING domain and asks, "What's the username for SID such-and-such?" to which the DC responds, "Mary." Subinacl then contacts a DC in the ALLOFUS domain and asks, "Do you have an account with the username Mary?" Presuming that the new DC does, Subinacl removes the old full-control ACE that refers to Mary's SID in the ENGINEERING domain and creates a new one that gives full control to the SID of Mary's new account in the ALLOFUS domain. Subinacl performs this routine for every ACE it can find in the entire directory structure, as long as a username in the new domain matches the username in the old domain.
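The SID-translation walk just described, as an added example written for this column rather than code from the article or from Subinacl itself. Two dictionaries stand in for the ENGINEERING and ALLOFUS domain controllers; the domain SIDs, RIDs, usernames and paths are all constructed, and the test_mode flag is this example's own dry-run switch, not a Subinacl option. The walk also handles the case the paragraph leaves implicit: an ENGINEERING account with no same-named ALLOFUS account keeps its old ACE and is reported, so you can create the missing accounts before the real run.

```python
"""Model of the /changedomain walk over a directory tree.

Added example, not code from the article or from Subinacl. Two dictionaries
stand in for the ENGINEERING and ALLOFUS domain controllers; every SID, RID,
username and path below is constructed for the demonstration.
"""
from dataclasses import dataclass, replace as dc_replace

OLD_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed SID for ENGINEERING
NEW_DOMAIN_SID = "S-1-5-21-4444-5555-6666"   # constructed SID for ALLOFUS
BUILTIN_ADMINS = "S-1-5-32-544"              # well-known BUILTIN\Administrators SID

# "What's the username for SID such-and-such?" asked of an ENGINEERING DC.
ENGINEERING_DC = {
    OLD_DOMAIN_SID + "-1001": "Mary",
    OLD_DOMAIN_SID + "-1002": "William",
    OLD_DOMAIN_SID + "-1003": "Amy",
    OLD_DOMAIN_SID + "-1004": "Gordon",
}
# "Do you have an account named X?" asked of an ALLOFUS DC. Gordon has not
# been created there yet, so his ACEs cannot be translated.
ALLOFUS_DC = {
    "Mary": NEW_DOMAIN_SID + "-2001",
    "William": NEW_DOMAIN_SID + "-2002",
    "Amy": NEW_DOMAIN_SID + "-2003",
}


@dataclass(frozen=True)
class Ace:
    sid: str
    access: str            # FULL, MODIFY, READ: the model only carries the label
    ace_type: str = "ALLOW"


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list             # ordered list of Ace


def domain_of(sid):
    """An account SID is the domain SID followed by a trailing RID."""
    return sid.rsplit("-", 1)[0]


def translate_sid(sid, old_domain_sid, old_dc, new_dc):
    """Return the same-named account's SID in the new domain, or None.

    None covers three cases: the SID is not from the old domain (BUILTIN,
    SYSTEM, another domain), the old DC no longer knows it (orphaned), or
    the new domain has no account with that username."""
    if domain_of(sid) != old_domain_sid:
        return None
    name = old_dc.get(sid)
    if name is None:
        return None
    return new_dc.get(name)


def change_domain(tree, old_domain_sid, old_dc, new_dc, test_mode=False):
    """Walk every object in tree ({path: SecurityDescriptor}) and replace each
    old-domain ACE with an identical ACE for the new-domain SID.

    Returns (ACEs rewritten, list of (path, sid) left untranslated).
    With test_mode=True nothing is modified but the report is still built."""
    rewritten = 0
    unresolved = []
    for path, sd in tree.items():
        new_dacl = []
        for ace in sd.dacl:
            new_sid = translate_sid(ace.sid, old_domain_sid, old_dc, new_dc)
            if new_sid is None:
                if domain_of(ace.sid) == old_domain_sid:
                    unresolved.append((path, ace.sid))
                new_dacl.append(ace)        # keep the ACE exactly as it was
            else:
                new_dacl.append(dc_replace(ace, sid=new_sid))
                rewritten += 1
        if not test_mode:
            sd.dacl = new_dacl
    return rewritten, unresolved


def sample_tree():
    """Constructed ENGINEERING server state: the article's shared folder
    (Mary full, William read, Amy modify) plus Gordon's folder."""
    return {
        r"D:\Projects": SecurityDescriptor(
            owner=BUILTIN_ADMINS,
            dacl=[Ace(OLD_DOMAIN_SID + "-1001", "FULL"),
                  Ace(OLD_DOMAIN_SID + "-1002", "READ"),
                  Ace(OLD_DOMAIN_SID + "-1003", "MODIFY"),
                  Ace(BUILTIN_ADMINS, "FULL")]),
        r"D:\Projects\Gordon": SecurityDescriptor(
            owner=OLD_DOMAIN_SID + "-1004",
            dacl=[Ace(OLD_DOMAIN_SID + "-1004", "FULL"),
                  Ace(BUILTIN_ADMINS, "FULL")]),
    }


if __name__ == "__main__":
    tree = sample_tree()
    # Dry run first: the fallback position the column recommends keeping.
    n, left = change_domain(tree, OLD_DOMAIN_SID, ENGINEERING_DC, ALLOFUS_DC, test_mode=True)
    print(f"would rewrite {n} ACE(s); untranslatable: {left}")
    n, left = change_domain(tree, OLD_DOMAIN_SID, ENGINEERING_DC, ALLOFUS_DC)
    for path, sd in tree.items():
        print(path, [(a.sid, a.access) for a in sd.dacl])
```

Running the file performs the dry run, prints Gordon's ACE as untranslatable, then rewrites Mary's, William's and Amy's ACEs while leaving the BUILTIN\Administrators entry and Gordon's entry untouched. The access label and ACE type travel with the new SID unchanged, which is the property a migration tool must preserve.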



Reader Comments
Although the article covers the details of subinacl, it doesn't recognize its one failing: the fact that it doesn't operate correctly on NTFS 5 volumes, so that you end up receiving a "permissions incorrectly ordered" message after using the tool. I'd be interested in knowing why Microsoft has never updated subinacl or xcacls to resolve this issue.

Mark Peterson December 10, 2002


Is there a similar tool to modify the permissions for the user profiles? I'd like to update the permissions so that users from both domains of a migration can log in to the same profile without having to recreate the profile from scratch. This would be a great timesaver to use along with the subinacl tool during a migration.

Geoff Faulkner May 28, 2003


Hi,
This is a very useful tool, but I have a question. I made some tests to back up the ACLs, but if I have a big file structure (3 or 4 folder levels) only the root level is backed up. Do you have any tip for this?
From Venezuela
Thanks,

Federico Parra January 26, 2004


I have successfully used this tool to replace ACLs. I am in desperate need of a tool that will add an ACL based on an existing ACL, such as the replace command but ADD.

Is there such a tool for this?

Jennifer May 17, 2004


Look for the newest version of subinacl; it fixes the ordering issue. Anyone know what syntax would record just the ACLs of all subfolders (not files)?

davidponak July 29, 2004


How do you use this tool to clean away orphan SIDs from NTFS files?

Anonymous User January 05, 2005


Hi All,

I'm trying to back up and restore ACL permissions for Windows NTFS files/folders. I decided to use the subinacl tool.

I successfully backed up the ACL permissions using the command: subinacl.exe /outputlog="test.log" /file test.txt.

Then I try to restore the ACL permissions using the command: subinacl.exe /playfile test.log.

But no luck. When I check the test.txt file's security information, nothing is available. There are no users/groups and permissions. It's just cleaned all the information, and also I couldn't open the file. I'm wondering, is there anything I have to do?

Here is some output of the /playfile command:

C:\Program Files\Windows Resource Kits\Tools>subinacl.exe /playfile test.log

WARNING : /pace =builtin\administrators access_allowed_ace_type-0x0 : Invalid option : test.txt
WARNING : /pace =system access_allowed_ace_type-0x0 : Invalid option : test.txt
WARNING : /pace =<username>\administrator access_allowed_ace_type-0x0 : Invalid option : test.txt
WARNING : /pace =builtin\users access_allowed_ace_type-0x0 : Invalid option : test.txt
test.txt : <username>\administrator is the new owner
test.txt : <username>\none is the new Primary Group
test.txt : 3 change(s)


Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 4
Last Done : test.txt
Last Syntax Error:WARNING : /pace =builtin\users access_allowed_ace_type-0x0 : Invalid option :test.txt

I don't know why it failed with invalid option. I logged in as administrator only. I need your help urgently.

Any help would be appreciated. Thanks in advance.

-prince

ilavaa May 10, 2007


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing