SetACLのマニュアルを和訳してみるテスト
SetACL by Helge Klein
OPTIONS
| -on |
ObjectName |
| -ot |
ObjectType |
| -actn |
Action |
| -ace |
"n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where" |
| -trst |
"n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where" |
| -dom |
"n1:Domain;n2:Domain;da:DomainAction;w:Where" |
| -ownr |
"n:Trustee;s:IsSID" |
| -grp |
"n:Trustee;s:IsSID" |
| -rec |
Recursion |
| -op |
"dacl:Protection;sacl:Protection" |
| -rst |
Where |
| -lst |
"f:Format;w:What;i:ListInherited;s:DisplaySID" |
| -bckp |
Filename |
| -log |
Filename |
| -fltr |
Keyword |
| -clr |
Where |
| -silent |
|
| -ignoreerr |
|
PARAMETERS
ObjectName:
Name of the object to process (e.g. 'c:\mydir')
ObjectType:
Type of object:
| file: |
Directory/file |
| reg: |
Registry key |
| srv: |
Service |
| prn: |
Printer |
| shr: |
Network share |
Action:
Action(s) to perform:
| ace: |
Process ACEs specified by parameter(s) '-ace' |
| trustee: |
Process trustee(s) specified by parameter(s) '-trst'. |
| domain: |
Process domain(s) specified by parameter(s) '-dom'. |
| list: |
List permissions. A backup file can be specified by parameter '-bckp'. Controlled by parameter '-lst'. |
| restore: |
Restore entire security descriptors backed up using the list function. A file containing the backup has to be specified using the parameter '-bckp'. The listing has to be in SDDL format. |
| setowner: |
Set the owner to trustee specified by parameter '-ownr'. |
| setgroup: |
Set the primary group to trustee specified by parameter '-grp'. |
| clear: |
Clear the ACL of any non-inherited ACEs. The parameter '-clr' controls whether to do this for the DACL, the SACL, or both. |
| setprot: |
Set the flag 'allow inheritable permissions from the parent object to propagate to this object' to the value specified by parameter '-op'. |
| rstchldrn: |
Reset permissions on all sub-objects and enable propagation of inherited permissions. The parameter '-rst' controls whether to do this for the DACL, the SACL, or both. |
TrusteeAction:
Action to perform on trustee specified:
| remtrst: |
Remove all ACEs belonging to trustee specified. |
| repltrst: |
Replace trustee 'n1' by 'n2' in all ACEs. |
| cpytrst: |
Copy the permissions for trustee 'n1' to 'n2'. |
DomainAction:
Action to perform on domain specified:
| remdom: |
Remove all ACEs belonging to trustees of domain specified. |
| repldom: |
Replace trustees from domain 'n1' by trustees with same name from domain 'n2' in all ACEs. |
| cpydom: |
Copy permissions from trustees from domain 'n1' to trustees with same name from domain 'n2' in all ACEs. |
Trustee:
Name or SID of trustee (user or group). Format:
a) [(computer | domain)\]name
| Where: |
|
| computer: |
DNS or NetBIOS name of a computer -> 'name' must be a local account on that computer. |
| domain: |
DNS or NetBIOS name of a domain -> 'name' must be a domain user or group. |
| name: |
user or group name |
If no computer or domain name is given, SetACL tries to find a SID for 'name' in the following order:
1. built-in accounts and well-known SIDs
2. local accounts
3. primary domain
4. trusted domains
b) SID string
Domain:
Name of a domain (NetBIOS or DNS name).
Permission:
Permission to set. Validity of permissions depends on the object type (see below). Comma separated list.
Example: 'read,write_ea,write_dacl'
IsSID:
Is the trustee name a SID?
y:Yes
n:No
DisplaySID:
Display trustee names as SIDs?
| y: |
Yes |
| n: |
No |
| b: |
Both (names and SIDs) |
Inheritance:
Inheritance flags for the ACE. This may be a comma separated list containing the following:
| so: |
sub-objects |
| sc: |
sub-containers |
| np: |
no propagation |
| io: |
inherit only |
Example:'io,so'
Mode:
a) DACL:
| set: |
Replace all permissions for given trustee by those specified. |
| grant: |
Add permissions specified to existing permissions for given trustee. |
| deny: |
Deny permissions specified. |
| revoke: |
Remove permissions specified from existing permissions for given trustee. |
b) SACL:
| aud_succ: |
Add an audit success ACE. |
| aud_fail: |
Add an audit failure ACE. |
| revoke: |
Remove permissions specified from existing permissions for given trustee. |
Where:
Apply settings to DACL, SACL, or both (comma separated list):
dacl
sacl
dacl,sacl
Recursion:
Recursion settings, depends on object type:
a) file:
| no: |
No recursion. |
| cont: |
Recurse, and process directories only. |
| obj: |
Recurse, and process files only. |
| cont_obj: |
Recurse, and process directories and files. |
b) reg:
| no: |
Do not recurse. |
| yes: |
Do Recurse. |
Protection:
Controls the flag 'allow inheritable permissions from the parent object to propagate to this object':
| nc: |
Do not change the current setting. |
| np: |
Object is not protected, i.e. inherits from parent. |
| p_c: |
Object is protected, ACEs from parent are copied. |
| p_nc: |
Object is protected, ACEs from parent are not copied. |
Format:
Which list format to use:
| sddl: |
Standardized SDDL format. Only listings in this format can be restored. |
| csv: |
SetACL's csv format. |
| tab: |
SetACL's tabular format. |
What:
Which components of security descriptors to include in the listing. (comma separated list):
| d: |
DACL |
| s: |
SACL |
| o: |
Owner |
| g: |
Primary group |
Example: 'd,s'
ListInherited:
List inherited permissions?
Filename:
Name of a (unicode) file used for list/backup/restore operations or logging.
Keyword:
Keyword to filter object names by. Names containing this keyword are not processed.
REMARKS
Required parameters (all others are optional):
| -on |
(Object name) |
| -ot |
(Object type) |
Parameters that may be specified more than once:
| -actn |
(Action) |
| -ace |
(Access control entry) |
| -trst |
(Trustee) |
| -dom |
(Domain) |
| -fltr |
(Filter keyword) |
Only actions specified by parameter(s) '-actn' are actually performed,regardless of the other options set.
Order in which multiple actions are processed:
1.restore
2.clear
3.trustee
4.domain
5.ace, setowner, setgroup, setprot
6.rstchldrn
7.list
VALID PERMISSIONS
a) Standard permission sets (combinations of specific permissions)
Files / Directories:
| read: |
Read |
| write: |
Write |
| list_folder: |
List folder |
| read_ex: |
Read, execute |
| change: |
Change |
| profile: |
= change + write_dacl |
| full: |
Full access |
Printers:
| print: |
Print |
| man_printer: |
Manage printer |
| man_docs: |
Manage documents |
| full: |
Full access |
Registry:
| read: |
Read |
| full: |
Full access |
Service:
| read: |
Read |
| start_stop: |
Start / Stop |
| full: |
Full access |
Share:
| read: |
Read |
| change: |
Change |
| full: |
Full access |
b) Specific permissions
Files / Directories:
| traverse: |
Traverse folder / execute file |
| list_dir: |
List folder / read data |
| read_attr: |
Read attributes |
| read_ea: |
Read extended attributes |
| add_file: |
Create files / write data |
| add_subdir: |
Create folders / append data |
| write_attr: |
Write attributes |
| write_ea: |
Write extended attributes |
| del_child: |
Delete subfolders and files |
| delete: |
Delete |
| read_dacl: |
Read permissions |
| write_dacl: |
Write permissions |
| write_owner: |
Take ownership |
Registry:
| query_val: |
Query value |
| set_val: |
Set value |
| create_subkey: |
Create subkeys |
| enum_subkeys: |
Enumerate subkeys |
| notify: |
Notify |
| create_link: |
Create link |
| delete: |
Delete |
| write_dacl: |
Write permissions |
| write_owner: |
Take ownership |
| read_access: |
Read control |
最終更新:2008年01月25日 13:13
