you're reading...

Use Subinacl instead of Cacls/XCacls

In recent scripts that I have wrote I have noticed a signifcant bug in CACLs, the Windows tool for Access Control Lists or permissions. When using the command line below on a Windows XP Professional SP2 machine things appear to be fine.

From a command line:
cacls <target> /t /e /c /g BUILTIN\Users:F
example: cacls C:\Program Files\Internet Explorer /t /e /c /g BUILTIN\Users:F

The issues start appearing when a new directory or file is created. The error message you receive is the following:

“The permissions on <subfolder> are incorrectly ordered,
which may cause some entries to be ineffective. Press OK to continue and sort the permissions correctly, or Cancel to reset the permissions.”

In some research online I have found people stating to use xcacls.vbs which is a free VBScript written by Microsoft. This tool does work great in most cases. For more information on How to use Xcacls.vbs to modify NTFS refer to this KB article written by Microsoft. http://support.microsoft.com/default.aspx?scid=kb;EN-US;825751

In large organizations companies use Microsoft Systems Management Server or SMS to deploy software applications. In this case xcacls.vbs does not work. This is because the local SYSTEM account is being used by SMS to set the permissions and is denied access to do so. There is detailed information out there on this very thing that I won’t get into now, but feel free to do the research.

The tool that I like to use is called Subinacl, which is a free Microsoft tool. The cool thing about this tool is you can assign security permissions to both the NTFS file systems as well as the registry. If you package software for deployments in a lockdown enviornment than this tool is a must. Here are some of my more common command lines that I use in either a vbscript or WiseScript.

Folder Level (Use both of these lines in one script to properly populate the folder structure)

subinacl.exe /file “C:\Program Files\Internet Explorer ” /grant=BUILTIN\Users=F
subinacl.exe /subdirectories “C:\Program Files\Internet Explorer\*.*” /grant=BUILTIN\Users=F


subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\Example /grant=BUILTIN\Users=F

Hope this helps some of you.



No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: