SetACL.exe

Change the access permissions of files and folders

http://osdn.dl.sourceforge.net/project/setacl/SetACL%20Cmdline/SetACL%202.0.3.0/setacl-cmdline-2.0.3.0-binary-x86.zip
http://osdn.dl.sourceforge.net/project/setacl/SetACL%20Cmdline/SetACL%202.0.3.0/setacl-cmdline-2.0.3.0-binary-x64.zip

http://setacl.sourceforge.net/index.html

Deny Administrator write access to the files under the specified folder
setacl -on "%~f1" -ot file -actn ace -ace "n:Administrator;p:write;m:deny"

SetACL.exe
2.0.2.0
Relative path: × (not OK)
Absolute path: ○ (OK)

Write-protecting files: I also tried cacls and subinacl.exe, but could not get the behavior I wanted.
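
The deny rule above with a rollback path, as an added example that is not from the original page or the SetACL project: the DACLs are saved in SDDL format by a separate invocation first, because the processing order in the help text below runs 'list' after 'ace'. The backup file name and the reliance on a nonzero exit code from setacl on failure are assumptions.

```bat
@echo off
rem Added example: back up the DACLs, then apply the deny-write ACE.
rem Usage: deny-write.bat <folder>
setlocal

if "%~1"=="" goto :usage

rem %~f1 expands the argument to a fully qualified path. The notes on this
rem page report that relative paths did not work with SetACL 2.0.2.0.
set "TARGET=%~f1"
if not exist "%TARGET%\" goto :notfolder

rem Assumption: backup location chosen for this example only.
set "BACKUP=%TEMP%\setacl-dacl-backup.txt"

rem Step 1: save the current DACLs of the folder and everything below it.
rem Only SDDL listings can be restored. This has to be its own invocation:
rem combined with "-actn ace", 'list' is processed last and would record
rem the ACLs after the deny ACE had already been added.
setacl -on "%TARGET%" -ot file -actn list -lst "f:sddl;w:d" -rec cont_obj -bckp "%BACKUP%"
if errorlevel 1 goto :backupfailed

rem Step 2: the page's command, unchanged apart from the variable.
setacl -on "%TARGET%" -ot file -actn ace -ace "n:Administrator;p:write;m:deny"
if errorlevel 1 goto :acefailed

echo Deny-write ACE set on "%TARGET%".
echo To restore the saved DACLs:
echo   setacl -on "%TARGET%" -ot file -actn restore -bckp "%BACKUP%"
exit /b 0

:usage
echo Usage: %~nx0 ^<folder^>
exit /b 1

:notfolder
echo Not an existing folder: "%TARGET%"
exit /b 1

:backupfailed
echo Backup failed, no permissions were changed.
exit /b 1

:acefailed
echo Setting the ACE failed. Backup is in "%BACKUP%".
exit /b 1
```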


ACL-related pages
http://homepage3.nifty.com/sony/sd/contents/pc_regist.htm#「SubInACL」コマンドでアクセス権を編集する
http://kiyoeri.gotdns.org/~kiyoeri/pukiwiki/?Windows/ACL%20cacls
http://kiyoeri.gotdns.org/~kiyoeri/pukiwiki/?Windows%2F%A5%A2%A5%AF%A5%BB%A5%B9%B8%A2%A4%CE%C0%DF%C4%EATips

SetACL by Helge Klein
Homepage:        http://setacl.sourceforge.net
Version:         2.0.2.0
Copyright:       Helge Klein
License:         GPL
-OPTIONS--------------------------------------------------------
-on    ObjectName
-ot    ObjectType
-actn  Action
-ace   "n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where"
-trst  "n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where"
-dom   "n1:Domain;n2:Domain;da:DomainAction;w:Where"
-ownr  "n:Trustee;s:IsSID"
-grp   "n:Trustee;s:IsSID"
-rec   Recursion
-op    "dacl:Protection;sacl:Protection"
-rst   Where
-lst   "f:Format;w:What;i:ListInherited;s:DisplaySID"
-bckp  Filename
-log   Filename
-fltr  Keyword
-clr   Where
-silent
-ignoreerr
-P-A-R-A-M-E-T-E-R-S-------------------------------------------------
ObjectName:      Name of the object to process (e.g. 'c:\mydir')
ObjectType:      Type of object:
                 file:       Directory/file
                 reg:        Registry key
                 srv:        Service
                 prn:        Printer
                 shr:        Network share
Action:          Action to perform:
                 ace:        Process the ACE(s) specified by parameter '-ace'.
                 trustee:    Process the trustee(s) specified by parameter '-trst'.
                 domain:     Process the domain(s) specified by parameter '-dom'.
                 list:       List permissions.
                             A backup file can be specified by parameter '-bckp'.
                             Controlled by parameter '-lst'.
                 restore:    Restore entire security descriptors backed up using the list function.
                             A file containing the backup has to be specified using the parameter '-bckp'.
                             The listing has to be in SDDL format.
                 setowner:   Set the owner to the trustee specified by parameter '-ownr'.
                 setgroup:   Set the primary group to trustee specified by
                             parameter '-grp'.
                 clear:      Clear the ACL of any non-inherited ACEs.
                             The parameter '-clr' controls whether to do this for the DACL, the SACL, or both.
                 setprot:    Set the flag 'allow inheritable permissions from the parent object to propagate to this object' to
                             the value specified by parameter '-op'.
                 rstchldrn:  Reset permissions on all sub-objects and enable
                             propagation of inherited permissions. The
                             parameter '-rst' controls whether to do this for
                             the DACL, the SACL, or both.
TrusteeAction:   Action to perform on trustee specified:
                 remtrst:    Remove all ACEs belonging to trustee specified.
                 repltrst:   Replace trustee 'n1' by 'n2' in all ACEs.
                 cpytrst:    Copy the permissions for trustee 'n1' to 'n2'.
DomainAction:    Action to perform on domain specified:
                 remdom:     Remove all ACEs belonging to trustees of domain specified.
                 repldom:    Replace trustees from domain 'n1' by trustees with same name from domain 'n2' in all ACEs.
                 cpydom:     Copy permissions from trustees from domain 'n1' to
                             trustees with same name from domain 'n2' in all ACEs.
Trustee:         Name or SID of trustee (user or group). Format:
                
                 a) [(computer | domain)\]name
                
                 Where:
                
                 computer:   DNS or NetBIOS name of a computer -> 'name' must
                             be a local account on that computer.
                 domain:     DNS or NetBIOS name of a domain -> 'name' must
                             be a domain user or group.
                 name:       user or group name
                
                 If no computer or domain name is given, SetACL tries to find
                 a SID for 'name' in the following order:
                
                 1. built-in accounts and well-known SIDs
                 2. local accounts
                 3. primary domain
                 4. trusted domains
                
                 b) SID string
Domain:          Name of a domain (NetBIOS or DNS name).
Permission:      Permission to set. Validity of permissions depends on the
                 object type (see below). Comma separated list.
                 Example:    'read,write_ea,write_dacl'
IsSID:           Is the trustee name a SID?
                 y:          Yes
                 n:          No
DisplaySID:      Display trustee names as SIDs?
                 y:          Yes
                 n:          No
                 b:          Both (names and SIDs)
Inheritance:     Inheritance flags for the ACE. This may be a comma separated
                 list containing the following:
                 so:         sub-objects
                 sc:         sub-containers
                 np:         no propagation
                 io:         inherit only
                
                 Example:    'io,so'
Mode:            Access mode of this ACE:
                 a) DACL:
                 set:        Replace all permissions for given trustee by
                             those specified.
                 grant:      Add permissions specified to existing permissions
                             for given trustee.
                 deny:       Deny permissions specified.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.
                 b) SACL:
                 aud_succ:   Add an audit success ACE.
                 aud_fail:   Add an audit failure ACE.
                 revoke:     Remove permissions specified from existing
                             permissions for given trustee.
Where:           Apply settings to DACL, SACL, or both (comma separated list):
                 dacl
                 sacl
                 dacl,sacl
Recursion:       Recursion settings, depends on object type:
                 a) file:
                
                 no:         No recursion.
                 cont:       Recurse, and process directories only.
                 obj:        Recurse, and process files only.
                 cont_obj:   Recurse, and process directories and files.
                
                 b) reg:
                
                 no:         Do not recurse.
                 yes:        Do Recurse.
Protection:      Controls the flag 'allow inheritable permissions from the
                 parent object to propagate to this object':
                 nc:         Do not change the current setting.
                 np:         Object is not protected, i.e. inherits from
                             parent.
                 p_c:        Object is protected, ACEs from parent are
                             copied.
                 p_nc:       Object is protected, ACEs from parent are not
                             copied.
Format:          Which list format to use:
                 sddl:       Standardized SDDL format. Only listings in this
                             format can be restored.
                 csv:        SetACL's csv format.
                 tab:        SetACL's tabular format.
What:            Which components of security descriptors to include in the
                 listing. (comma separated list):
                 d:          DACL
                 s:          SACL
                 o:          Owner
                 g:          Primary group
                
                 Example:    'd,s'
ListInherited:   List inherited permissions?
                 y:          Yes
                 n:          No
Filename:        Name of a (unicode) file used for list/backup/restore
                 operations or logging.
Keyword:         Keyword to filter object names by. Names containing this
                 keyword are not processed.
-R-E-M-A-R-K-S--------------------------------------------------------
Required parameters (all others are optional):
                 -on         (Object name)
                 -ot         (Object type)
Parameters that may be specified more than once:
                 -actn       (Action)
                 -ace        (Access control entry)
                 -trst       (Trustee)
                 -dom        (Domain)
                 -fltr       (Filter keyword)
Only actions specified by parameter(s) '-actn' are actually performed,
regardless of the other options set.
Order in which multiple actions are processed:
                 1.          restore
                 2.          clear
                 3.          trustee
                 4.          domain
                 5.          ace, setowner, setgroup, setprot
                 6.          rstchldrn
                 7.          list
-V-A-L-I-D--P-E-R-M-I-S-S-I-O-N-S-------------------------------------
a) Standard permission sets (combinations of specific permissions)
Files / Directories:
              read:          Read
              write:         Write
              list_folder:   List folder
              read_ex:       Read, execute
              change:        Change
              profile:       = change + write_dacl
              full:          Full access
Printers:
              print:         Print
              man_printer:   Manage printer
              man_docs:      Manage documents
              full:          Full access
Registry:
              read:          Read
              full:          Full access
Service:
              read:          Read
              start_stop:    Start / Stop
              full:          Full access
Share:
              read:          Read
              change:        Change
              full:          Full access
b) Specific permissions
Files / Directories:
              traverse:      Traverse folder / execute file
              list_dir:      List folder / read data
              read_attr:     Read attributes
              read_ea:       Read extended attributes
              add_file:      Create files / write data
              add_subdir:    Create folders / append data
              write_attr:    Write attributes
              write_ea:      Write extended attributes
              del_child:     Delete subfolders and files
              delete:        Delete
              read_dacl:     Read permissions
              write_dacl:    Write permissions
              write_owner:   Take ownership
Registry:
              query_val:     Query value
              set_val:       Set value
              create_subkey: Create subkeys
              enum_subkeys:  Enumerate subkeys
              notify:        Notify
              create_link:   Create link
              delete:        Delete
              write_dacl:    Write permissions
              write_owner:   Take ownership
              read_access:   Read control
Last updated: 2011-02-12 02:50