Security Descriptors and Access Control Lists Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Security Descriptors and Access Control Lists Tools

  • Related Information

This section contains information about the tools that are associated with security descriptors and access control lists (ACLs).

Security Descriptors and Access Control Lists Tools

The following tools are associated with security descriptors and ACLs.

Cacls.exe: Cacls

Category

This tool ships with Windows Server 2003.

Version compatibility

This tool is compatible with computers running Windows Server 2003.

Cacls is a command-line tool that displays or modifies discretionary access control lists (DACLs) on specified files.

For more information about Cacls, see “Cacls” in Help and Support Center in Windows Server 2003.

RoboCopy.exe: Robust File Copy Utility

Category

This tool is included in the Windows Server 2003 Resource Kit Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional or Windows Server 2003 operating systems.

An administrator can use the Robust File Copy Utility (RoboCopy) to copy files with a fine level of control over which file attributes are copied. For example, you can specify whether to copy files with or without their NTFS file system ACLs, file ownership information, or file auditing information.

This command-line tool simplifies the task of maintaining an identical copy of a folder tree in multiple locations, either on the same computer or in separate network locations. RoboCopy can provide time-efficient maintenance of mirror images of large folder trees on network servers that are separated by slow or unreliable wide area network (WAN) links.

By default, RoboCopy ignores source file attributes when selecting files to copy. It copies any file matching specified conditions, regardless of the attribute settings of the file.

For more information about RoboCopy, see “Robocopy.exe” in Resource Kit Tools Help in Tools and Settings Collection.

Showacls.exe: Show ACLs

Category

This tool is included in the Windows Server 2003 Resource Kit Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional or Windows Server 2003 operating systems.

Show ACLs (ShowACLs) is a command-line tool that enumerates access rights for files, folders, and trees. It allows masking so that you can enumerate only specific ACLs. ShowACLs works on NTFS partitions only.

You can also use ShowACLs to view permissions for a particular user. ShowACLs does this by enumerating the local and global groups to which the particular user belongs and matching the user’s security identifier (SID) — and the SIDs of the groups to which the user belongs — to the SIDs in each access control entry (ACE).
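The SID matching described above can be modelled in a few lines. This is an added example, not ShowACLs code or output: it assumes the DACL is available as an SDDL string, uses constructed SIDs for a hypothetical domain, and handles only a subset of SDDL tokens. The `effective_mask` step goes beyond what the page describes by folding the matched ACEs in DACL order.

```python
import re

# Real SDDL constants, but only the subset this sample needs.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
ALIASES = {"BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
           "WD": "S-1-1-0", "AU": "S-1-5-11", "SY": "S-1-5-18"}
# type;flags;rights;object_guid;inherit_guid;trustee (plain allow/deny ACEs only)
ACE_RE = re.compile(r"\(([AD]);([^;]*);([^;]*);[^;]*;[^;]*;([^;)]+)\)")

def parse_mask(text):
    """Decode an SDDL rights field: hex, or concatenated two-letter tokens."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for tok in re.findall("..", text):
        mask |= RIGHTS[tok]  # KeyError for tokens outside the subset above
    return mask

def aces_for_user(sddl, user_sid, group_sids):
    """Return [(type, mask, sid)] for ACEs whose trustee is the user or one of the groups."""
    token = {user_sid, *group_sids}
    matched = []
    for kind, flags, rights, trustee in ACE_RE.findall(sddl):
        sid = ALIASES.get(trustee, trustee)
        # Flags are two-letter tokens; inherit-only (IO) ACEs do not apply to the object itself.
        if sid in token and "IO" not in re.findall("..", flags):
            matched.append((kind, parse_mask(rights), sid))
    return matched

def effective_mask(matched):
    """Fold matched ACEs in DACL order; the first ACE to mention a bit decides it."""
    granted = denied = 0
    for kind, mask, _sid in matched:
        if kind == "A":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted

# Constructed sample: hypothetical domain SIDs, not taken from any real system.
USER = "S-1-5-21-1111-2222-3333-1001"
GROUPS = ["S-1-5-21-1111-2222-3333-1105", "S-1-5-32-545", "S-1-1-0"]
SAMPLE = ("O:BAG:BAD:(D;;FW;;;S-1-5-21-1111-2222-3333-1105)(A;;FA;;;BA)"
          "(A;;FR;;;S-1-5-21-1111-2222-3333-1001)(A;OIIO;FA;;;BU)(A;;FRFX;;;WD)")

if __name__ == "__main__":
    for kind, mask, sid in aces_for_user(SAMPLE, USER, GROUPS):
        print(kind, hex(mask), sid)
    print("effective:", hex(effective_mask(aces_for_user(SAMPLE, USER, GROUPS))))
```

In the sample, the group-level deny on the raw `FW` mask also removes the `READ_CONTROL` and `SYNCHRONIZE` bits that `FR` shares with it, which is why a per-user view has to include group SIDs and not just the ACE that names the user.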

For more information about Showacls, see “Showacls.exe” in Resource Kit Tools Help in Tools and Settings Collection.

Subinacl.exe: SubInACL

Category

This tool is included in the Windows Server 2003 Resource Kit Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional or Windows Server 2003 operating systems.

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services and transfer this information from user to user, from local or global group to group, and from domain to domain.

For example, if a user moves from one domain (DomainA) to another domain (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information for the user’s files. This gives the user access to the same files from the new domain.

SubInACL enables administrators to do the following:

  • Display security information that is associated with files, registry keys, or services. This information includes owner, group, permission ACL, discretionary access control list (DACL), and system access control list (SACL).

  • Change the owner of an object.

  • Replace the security information for one identifier (account, group, well-known SID) with that of another identifier.

  • Migrate security information about objects. This is useful if you reorganize a network’s domains and need to migrate the security information for files from one domain to another.

For more information about Subinacl, see “Subinacl.exe” in Resource Kit Tools Help in Tools and Settings Collection.

The following resources contain additional information that is relevant to this section: