Tuesday, August 25, 2009

SubInACL - Security Information Tool

I had to give some users access to specific service on one of my servers but didn’t want them to have full domain admin permissions. Changing a service is not something Microsoft built a solution for so I had to be creative. As always, I checked for available 3rd party tools but ended up using this magical hidden native tool: SubInACL.exe

SubInACL is one of those shy command-line tool that not too many guys know about. It is part of the Windows Resource Kit Tools and it’s about time you too will get familiar with it.

SubInACL enables you to obtain security information about different types of files, services and registry keys.
The info you obtain with SubInACL can be transferred in few ways: from user to user, from local or global group to group, and from domain to domain. The average OneManITShop will find the first and second options handy though the domain to domain transfer option can also be useful.

Microsoft describes 4 uses for this tool:
• Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
• Change the owner of an object.
• Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
• Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.

back to my problem, let's say my user is "Dave" and I need Dave to be able to stop and start the Print Spooler service. This is the command to make it work (TO=start+stop -> see full list below):
subinacl /service Spooler /GRANT=MyDomain\Dave=TO

The full list (Look under method 3):
• F : Full Control
• R : Generic Read
• W : Generic Write
• X : Generic eXecute
• L : Read controL
• Q : Query Service Configuration
• S : Query Service Status
• E : Enumerate Dependent Services
• C : Service Change Configuration
• T : Start Service
• O : Stop Service
• P : Pause/Continue Service
• I : Interrogate Service
• U : Service User-Defined Control Commands

So this is one in many options for this great tool. You should also download and play with the options. You never know when it will become handy!

No comments:

Post a Comment