1.1.   User and group accounts. Domain and local accounts; built-in local user and group accounts. Account names (logon name, UPN). The SID (security identifier). Special groups and their SIDs.
1.2.   Ways of managing user and group accounts. Managing account rights and security settings.
1.3.   Access permissions. Access control lists (ACLs). Standard and special permissions for files and folders. Managing inheritance.
1.4.   Managing access to files and folders, network (shared) folders, and registry keys with the utilities cacls and subinacl.

A user account is a set of data that tells Windows which folders and files the user may access and what changes the user may make to the operation of the computer, together with the user's personal settings, such as the desktop background and colour scheme. User accounts let several people work on one computer, each with their own files and settings. Each user gains access to their account with a user name and password.

Local User Accounts

Local user accounts allow users to log on only to the computer on which the local user account has been created and to access resources on only that computer. When you create a local user account, Windows XP Professional creates the account only in that computer's security database, called the local security database, shown in Figure 3.1. Windows XP Professional uses the local security database to authenticate the local user account, which allows the user to log on to that computer. Windows XP Professional does not replicate local user account information to any other computer.

Microsoft recommends that you use local user accounts only on computers in workgroups. If you create a local user account in a workgroup of five computers running Windows XP Professional (for example, User1 on Computer1), you can only log on to Computer1 with the User1 account. If you need to be able to log on as User1 to all five computers in the workgroup, you must create a local user account, User1, on each of the five computers. Furthermore, if you decide to change the password for User1, you must change the password for User1 on each of the five computers because each computer maintains its own local security database.

A domain does not recognize local user accounts, so do not create local user accounts on computers running Windows XP Professional that are part of a domain. Doing so restricts users from accessing resources in the domain and prevents the domain administrator from administering the local user account properties or assigning access permissions for domain resources.

Domain User Accounts

Domain user accounts allow you to log on to the domain and access resources anywhere on the network. When you log on, you provide your logon information: your user name and password. Microsoft Windows 2000 Server uses this logon information to authenticate your identity and build an access token that contains your user information and security settings. The access token identifies you to the computers in the domain on which you try to access resources. The access token is valid throughout the logon session.

You can have domain user accounts only if you have a domain. You can have a domain only if you have at least one computer running one of the Windows 2000 Server products that is configured as a domain controller, which has the Active Directory directory service installed.

You create a domain user account in the copy of the Active Directory database (the directory) on a domain controller, as shown in Figure 3.2. The domain controller replicates the new user account information to all domain controllers in the domain. After Windows 2000 Server replicates the new user account information, all of the domain controllers in the domain tree can authenticate the user during the logon process.

Built-In User Accounts

Windows XP Professional automatically creates built-in accounts. Two commonly used built-in accounts are Administrator and Guest.

Administrator

Use the built-in Administrator account to manage the overall computer. You can perform tasks to create and modify user accounts and groups, manage security policies, create printer resources, and assign the permissions and rights that allow user accounts to access resources.

If you want to log on as Administrator and are using the Welcome screen, you can press Ctrl+Alt+Delete twice. Windows XP Professional displays a logon prompt and you can log on as Administrator. The Administrator account will not appear on the Welcome screen if you are running in a workgroup environment, the Welcome screen is enabled, and you created a user account during Setup. See Chapter 2, "Installing Windows XP Professional," for information about creating a user account during Setup. Lesson 3 in this chapter explains how to configure the computer to use the logon prompt instead of the Welcome screen.

As the administrator, you should create a user account for performing nonadministrative tasks and use your Administrator account only for administrative tasks.

You cannot delete the Administrator account. As a best practice, you should always rename the built-in Administrator account to provide greater security. Use a name that does not identify it as the Administrator account, making it more difficult for unauthorized users to use it to break into your computer.

The Administrator account is enabled by default, but you can configure the Account: Administrator Account Status Security Option to disable it. For more information, see Chapter 13, "Configuring Security Settings and Internet Options."

Guest

Use the built-in Guest account to allow occasional users to log on and access resources. For example, an employee who needs access to resources for a short time can use the Guest account.

Allow Guest access only in low-security networks, and always assign a password to the Guest account. You can rename the Guest account, but you cannot delete it.

Understanding Groups

A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to each user account individually.

Permissions control what users can do with a resource such as a folder, file, or printer. When you assign permissions, you allow users to gain access to a resource and you define the type of access that they have. For example, if several users need to read the same file, you can add their user accounts to a group and then give the group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a computer and backing up or restoring files.

Understanding Local Groups

A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows XP Professional creates local groups in the local security database.

Preparing to Use Local Groups

Guidelines for using local groups include the following:

  • Use local groups on computers that do not belong to a domain.

    You can use local groups only on the computer on which you create them. Although local groups are available on member servers and domain computers running Windows 2000 Server, do not use local groups on computers that are part of a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups do not appear in the Active Directory service, and you must administer them separately for each computer.

  • You can assign permissions to local groups to access only the resources on the computer on which you create the local groups.

    You cannot create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory.

Membership rules for local groups include the following:

  • Local groups can contain local user accounts from the computer on which you create the local groups.
  • Local groups cannot belong to any other group.


Understanding Built-In Local Groups

All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local groups. These groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Windows XP Professional places the built-in local groups in the Groups folder in Computer Management.

Table 3.5 lists the most commonly used built-in local groups and describes their capabilities. Except where noted, these groups do not include initial members.

Table 3.5  Built-In Local Group Capabilities


Local group Description

Administrators

Members can perform all administrative tasks on the computer. By default, the built-in Administrator account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Admins group to the local Administrators group.

Backup Operators

Members can use Windows Backup to back up and restore the computer.

Guests

Members can do the following:

  • Perform only the tasks for which they have been specifically granted rights
  • Access only those resources for which they have assigned permissions

Members cannot make permanent changes to their desktop environment. By default, the built-in Guest account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Guests group to the local Guests group.

Power Users

Members can create and modify local user accounts on the computer and share resources.

Replicator

Supports file replication in a domain.

Users

Members can do the following:

  • Perform only the tasks for which they have been specifically granted rights
  • Access only those resources for which they have assigned permissions

By default, Windows XP Professional adds to the Users group all local user accounts that an administrator creates on the computer. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Users group to the local Users group.

Understanding Built-In System Groups

Built-in system groups exist on all computers running Windows XP Professional. System groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource. You do not see system groups when you administer groups, but they are available when you assign rights and permissions to resources. Windows XP Professional bases system group membership on how the computer is accessed, not on who uses the computer. Table 3.6 lists the most commonly used built-in system groups and describes their capabilities.

Table 3.6  Built-In System Group Capabilities


System group Description

Everyone

All users who access the computer. By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. This presented a problem in earlier versions of Windows, including Microsoft Windows 2000. In Windows XP Professional, the Anonymous Logon is no longer included in the Everyone group. When a Windows 2000 Professional system is upgraded to a Windows XP Professional system, resources with permission entries for the Everyone group and not explicitly for the Anonymous Logon group are no longer available to the Anonymous Logon group.

Authenticated Users

All users with valid user accounts on the computer. (If your computer is part of a domain, it includes all users in Active Directory.) Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource.

Creator Owner

The user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group owns the resource.

Network

Any user with a current connection from another computer on the network to a shared resource on the computer.

Interactive

The user account for the user who is logged on at the computer. Members of the Interactive group can access resources on the computer at which they are physically located. They log on and access resources by "interacting" with the computer.

Anonymous Logon

Any user account that Windows XP Professional cannot authenticate.

Dialup

Any user who currently has a dial-up connection.

NTFS Folder Permissions

You assign folder permissions to control the access that users have to folders and to the files and subfolders that are contained within the folders.

Table 8.1 lists the standard NTFS folder permissions that you can assign and the type of access that each provides.

Table 8.1  NTFS Folder Permissions


NTFS folder permission Allows the user to

Read

See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-Only, Hidden, Archive, and System)

Write

Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

List Folder Contents

See the names of files and subfolders in the folder

Read & Execute

Move through folders to reach other files and folders, even if the users don't have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission

Modify

Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission

Full Control

Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions

You can deny permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.

NTFS File Permissions

You assign file permissions to control the access that users have to files. Table 8.2 lists the standard NTFS file permissions that you can assign and the type of access that each provides.

Table 8.2  NTFS File Permissions


NTFS file permission Allows the user to

Read

Read the file, and view file attributes, ownership, and permissions

Write

Overwrite the file, change file attributes, and view file ownership and permissions

Read & Execute

Run applications, plus perform the actions permitted by the Read permission

Modify

Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission

Full Control

Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

Access Control List

NTFS stores an access control list (ACL) with every file and folder on an NTFS volume. The ACL contains a list of all user accounts and groups that have been assigned permissions for the file or folder, as well as the permissions that they have been assigned. When a user attempts to gain access to a resource, the ACL must contain an entry, called an access control entry (ACE), for the user account or a group to which the user belongs. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user can't access the resource.

Multiple NTFS Permissions

You can assign multiple permissions to a user account and to each group of which the user is a member. To assign permissions, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and NTFS permissions inheritance.

Effective Permissions

A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder.

Overriding Folder Permissions with File Permissions

NTFS file permissions take priority over NTFS folder permissions. If you have access to a file, you will be able to access the file if you have the Bypass Traverse Checking security permission, even if you don't have access to the folder containing the file. You can access the files for which you have permissions by using the full Universal Naming Convention (UNC) or local path to open the file from its respective application, even though the folder in which it resides is invisible if you have no corresponding folder permission. In other words, if you don't have permission to access the folder containing the file you want to access, you must have the Bypass Traverse Checking security permission and you have to know the full path to the file to access it. Without permission to access the folder, you can't see the folder, so you can't browse for the file.

The Bypass Traverse Checking security permission is detailed further in Lesson 2 of this chapter.

Overriding Other Permissions with Deny

You can deny permission to a user account or group for a specific file, although this is not the recommended method of controlling access to resources. Denying permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have (see Figure 8.1).
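The three rules stated above (permissions from the user account and all of the user's groups accumulate, a Deny entry overrides any Allow, and a missing ACE means no access) modelled in Python. This is an added illustration, not code from the page or from Windows; the names alice, Writers, Auditors and Contractors and the sample ACL are constructed, and the model deliberately ignores the order-dependent way the real kernel walks a DACL, keeping only the rules the text states.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Flag
from typing import Iterable


class Perm(Flag):
    """Granular rights from which the standard NTFS permissions are composed."""
    READ = 1
    LIST = 2
    EXECUTE = 4
    WRITE = 8
    DELETE = 16
    CHANGE_PERMISSIONS = 32
    TAKE_OWNERSHIP = 64


# Standard permissions as Tables 8.1 and 8.2 build them up from one another.
READ_EXECUTE = Perm.READ | Perm.LIST | Perm.EXECUTE
MODIFY = READ_EXECUTE | Perm.WRITE | Perm.DELETE
FULL_CONTROL = MODIFY | Perm.CHANGE_PERMISSIONS | Perm.TAKE_OWNERSHIP
NO_ACCESS = Perm(0)


@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee, the permissions, and Allow or Deny."""
    trustee: str
    perms: Perm
    allow: bool = True  # False makes this a Deny entry


def effective_permissions(acl: Iterable[Ace], user: str, groups: Iterable[str]) -> Perm:
    """Combine every ACE that names the user or one of the user's groups.

    Allow entries accumulate; anything a Deny entry covers is removed again,
    whoever the Allow was granted to. No matching ACE at all yields NO_ACCESS.
    """
    principals = {user, *groups}
    allowed = NO_ACCESS
    denied = NO_ACCESS
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.allow:
            allowed |= ace.perms
        else:
            denied |= ace.perms
    return allowed & ~denied


def has_access(acl: Iterable[Ace], user: str, groups: Iterable[str], requested: Perm) -> bool:
    """True only if every requested right survives in the effective permissions."""
    return (effective_permissions(acl, user, groups) & requested) == requested


# Constructed sample ACL for one folder; the principal names are hypothetical.
SAMPLE_ACL = [
    Ace("alice", Perm.READ),                        # Read granted to the user directly
    Ace("Writers", Perm.WRITE),                     # Write granted through a group
    Ace("Auditors", Perm.WRITE, allow=False),       # Deny Write to another group
    Ace("Contractors", FULL_CONTROL, allow=False),  # Deny Full Control: blocks everything
]

if __name__ == "__main__":
    print(effective_permissions(SAMPLE_ACL, "alice", {"Writers"}))               # Read + Write
    print(effective_permissions(SAMPLE_ACL, "alice", {"Writers", "Auditors"}))   # Read only
    print(effective_permissions(SAMPLE_ACL, "bob", {"Writers", "Contractors"}))  # nothing
    print(has_access(SAMPLE_ACL, "carol", set(), Perm.READ))                    # False: no ACE
```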

NTFS Permissions Inheritance

By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder. However, you can prevent permissions inheritance, as shown in Figure 8.2.



Understanding Permissions Inheritance

Whatever permissions you assign to the parent folder also apply to subfolders and files contained within the parent folder. When you assign NTFS permissions to give access to a folder, you assign permissions for the folder and for any existing files and subfolders, as well as for any new files and subfolders that are created in the folder.

Preventing Permissions Inheritance

You can prevent permissions that are assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. That is, the subfolders and files will not inherit permissions that have been assigned to the parent folder containing them.

Copying Files and Folders

When you copy a file within a single NTFS volume or between NTFS volumes, note the following:

  • Windows XP Professional treats it as a new file. As a new file, it takes on the permissions of the destination folder.
  • You must have Write permission for the destination folder to copy files and folders.
  • You become the creator and owner.
When you copy files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes don't support NTFS permissions.

Moving Files and Folders

When you move a file or folder, permissions might or might not change, depending on where you move the file or folder.

Moving Within a Single NTFS Volume

When you move a file or folder within a single NTFS volume, note the following:

  • The file or folder retains the original permissions.
  • You must have the Write permission for the destination folder to move files and folders into it.
  • You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows 2000 deletes the file or folder from the source folder after it is copied to the destination folder.
  • You become the creator and owner.

Moving Between NTFS Volumes

When you move a file or folder between NTFS volumes, note the following:

  • The file or folder inherits the permissions of the destination folder.
  • You must have the Write permission for the destination folder to move files and folders into it.
  • You must have the Modify permission for the source file or folder. The Modify permission is required to move a file or folder because Windows XP Professional deletes the file or folder from the source folder after it is copied to the destination folder.
  • You become the creator and owner.
When you move files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes don't support NTFS permissions.

User Rights

You can assign specific rights to groups or individual user accounts. To simplify administration of user rights, Microsoft recommends that you assign user rights only to groups and not individual user accounts. Each user right allows the members of the group or the individual users assigned the right to perform a specific action, such as backing up files or changing the system time. If a user is a member of more than one group, the user rights applied to that user are cumulative, so the user has all the user rights assigned to all the groups of which he or she is a member.

Privileges

A privilege is a user right that allows the members of the group to which it is assigned to perform a specific task, usually one that affects an entire computer system rather than one object. Table 13.3 explains the privileges you can assign in Windows XP Professional.

Table 13.3  Privileges Available in Windows XP Professional


Privilege Description

Act As Part Of The Operating System

Allows a process to authenticate like a user and thus gain access to the same resources as a user.

Do not grant this privilege unless you are certain it is needed. Only low-level authentication services should require this privilege. Processes that require this privilege should use the LocalSystem account because it already has this privilege assigned.

A separate user account with this privilege allows a user or process to build an access token, granting them more rights than they should have, and does not provide a primary identity for tracking events in the audit log.

Add Workstations To Domain

Allows a user to add a computer to a domain. The user specifies the domain being added on the computer, and an object is created in the Computer container of Active Directory in that domain.

For this privilege to be effective, it must be assigned as part of the default domain controller policy for the domain.

Back Up Files And Directories

Allows a user to back up the system without being assigned permissions to access all files and folders on the system.

By default, members of the Administrators and Backup Operators groups have this privilege on workstations, member servers, and domain controllers. On domain controllers, members of the Server Operators group have this privilege.

Bypass Traverse Checking

Allows a user to move through folders that he or she has no permission to access. This privilege does not allow the user to view the contents of a folder, just to move through the folder.

By default, members of the Administrators, Backup Operators, Power Users, Users, and Everyone groups have this privilege on workstations and member servers.

Change The System Time

Allows a user to set the time for the internal clock of the computer.

By default, members of the Administrators and Power Users groups, as well as the LocalSystem and NetworkService accounts, have this privilege on workstations and member servers.

By default, members of the Administrators and Server Operators groups, as well as the LocalSystem and NetworkService accounts, have this privilege on domain controllers.

Create A Token Object

Allows a process to create a token that it can then use to access any local resource when the process uses a token-creating application programming interface (API).

Microsoft recommends that processes requiring this privilege use the LocalSystem account because it already has this privilege.

Create Permanent Shared Objects

Allows a process to create a directory object in the Windows object manager. This privilege is useful to kernel-mode components that plan to extend the Windows object namespace. Components that run in kernel mode already have this privilege, so it is not necessary for you to assign it to them.

Create A Pagefile

Allows a user to create a pagefile and modify the size of existing pagefiles. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Debug Programs

Allows a user to attach a debugger on any process. This privilege provides powerful access to sensitive and critical system operating components.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Enable Computer And User Accounts To Be Trusted For Delegation

Allows the user to set the Trusted For Delegation setting on a user or computer object. A server process running on a computer that is trusted for delegation or run by a user who is trusted for delegation can access resources on another computer.

Do not assign this privilege unless you understand that this privilege and the Trusted For Delegation setting can open your network to attacks from Trojan horse programs that impersonate incoming clients and use their credentials to access network resources.

This privilege is not assigned to anyone on workstations or member servers. On domain controllers it is assigned by default to the members of the Administrators group.

Force Shutdown From A Remote System

Allows a user to shut down a computer from a remote computer on the network.

By default, members of the Administrators group have this privilege on workstations and member servers. By default, members of the Administrators and Server Operators groups have this privilege on domain controllers.

Generate Security Audits

Allows a process to make entries in the security log for object access auditing.

Adjust Memory Quotas For A Process

Allows a process to increase the processor quota assigned to another process. The process must have write access to the process for which it increases the processor quota.

Increase Scheduling Priority

Allows a process to increase the execution priority of another process. The process must have write access to the process for which it increases the execution priority.

Allows users to change the scheduling priority of a process through Task Manager.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Load And Unload Device Drivers

Allows a user to install and uninstall Plug and Play device drivers. Non-Plug and Play device drivers are not affected by this privilege.

By default, only Administrators have this privilege. Exercise caution in granting this privilege. Device drivers run as trusted programs and only device drivers with correct digital signatures should be installed.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Lock Pages In Memory

Allows a process to lock data in physical memory and prevent Windows XP Professional from paging the data to virtual memory (a pagefile) on disk.

This privilege is not assigned to anyone by default. Some system processes have this privilege.

Manage Auditing And Security Log

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys.

A user with this privilege can also view and clear the security log from the Event Viewer.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Modify Firmware Environment Values

Allows a user to use the System Properties program to modify system environment variables.

Allows a process to use an API to modify the system environment variables.

Perform Volume Maintenance Tasks

Allows users to run disk tools, such as Disk Cleanup or Disk Defragmenter.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Profile A Single Process

Allows a user to use performance-monitoring tools to monitor the performance of nonsystem processes.

By default, on workstations and member servers, Administrators and Power Users have this privilege. On domain controllers, only Administrators have this privilege.

Profile System Performance

Allows a user to use performance-monitoring tools to monitor the performance of system processes.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Remove Computer From Docking Station

Allows a user to undock a portable computer.

By default, members of the Administrators, Power Users, and Users groups have this privilege on workstations and member servers.

Replace A Process-Level Token

Allows a parent process to replace the access token associated with a child process.

Restore Files And Directories

Allows a user to restore backed up files and directories without being assigned the appropriate file and folder permissions, and allows a user to set any valid security principal as the owner of the object.

By default, members of the Administrators and Backup Operators groups have this privilege on workstations, member servers, and domain controllers. On domain controllers, members of the Server Operators group also have this privilege.

Shut Down The System

Allows a user to shut down the local computer.

By default, members of the Administrators, Backup Operators, Power Users, and Users groups have this privilege on workstations.

By default, members of the Administrators, Backup Operators, and Power Users groups have this privilege on member servers.

By default, members of the Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators groups have this privilege on domain controllers.

Synchronize Directory Service Data

Allows a process to provide directory service synchronization services. This privilege is relevant only on domain controllers.

Take Ownership Of Files Or Other Objects

Allows a user to take ownership of objects in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers.

Logon Rights

A logon right is a user right assigned to a group or an individual user account. Logon rights control the way users can log on to a system. Table 13.4 explains the logon rights you can assign in Windows XP Professional.

Table 13.4  Logon Rights Available in Windows XP Professional


Logon right Description

Access This Computer From The Network

Allows a user to connect to the computer over the network.

By default, members of the Administrators, Power Users, and Everyone groups are granted this logon right on workstations, member servers, and domain controllers.

Deny Access To This Computer From The Network

Prevents a user from connecting to the computer over the network.

By default, this right is not granted to anyone.

Log On As A Batch Job

Allows a user to log on using a batch-queue facility.

By default, members of the Administrators group are granted this logon right on workstations, member servers, and domain controllers.

If Internet Information Services (IIS) is installed, the right is automatically assigned to the built-in account for anonymous access to IIS.

Deny Logon As A Batch Job

Prevents a user from logging on using a batch-queue facility.

By default, this right is not granted to anyone.

Log On As A Service

Allows a security principal (an account holder such as a user, computer, or service) to log on as a service. Services can be configured to run under the LocalSystem, LocalService, or NetworkService accounts, which have the right to log on as a service. Any service that runs under a separate account must be granted this right.

By default, this right is not granted to anyone.

Deny Logon As A Service

Prevents a security principal from logging on as a service.

By default, this right is not granted to anyone.

Log On Locally

Allows a user to log on at the computer's keyboard.

By default, members of the Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators groups are granted this logon right.

Deny Logon Locally

Prevents a user from logging on at the computer's keyboard.

By default, this right is not granted to anyone.

Allow Logon Through Terminal Services

Allows a user to log on using Terminal Services.

By default, members of the Administrators and Remote Desktop Users groups are granted this logon right on workstations and member servers. On domain controllers, only Administrators are granted this logon right.

Deny Logon Through Terminal Services

Prevents a user from logging on using Terminal Services.

By default, this right is not granted to anyone.


Security Identifiers (SIDs)

Instead of using names (which might or might not be unique) to identify entities that perform actions in a system, Windows uses security identifiers (SIDs). Users have SIDs, and so do local and domain groups, local computers, domains, and domain members. A SID is a variable-length numeric value that consists of a SID structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values. The authority value identifies the agent that issued the SID, and this agent is typically a Windows local system or a domain. Subauthority values identify trustees relative to the issuing authority, and RIDs are simply a way for Windows to create unique SIDs based on a common base SID. Because SIDs are long and Windows takes care to generate truly random values within each SID, it is virtually impossible for Windows to issue the same SID twice on machines or domains anywhere in the world.

When displayed textually, each SID carries an S prefix, and its various components are separated with hyphens:

S-1-5-21-1463437245-1224812800-863842198-1128

In this SID, the revision number is 1, the identifier authority value is 5 (the Windows security authority), and four subauthority values plus one RID (1128) make up the remainder of the SID. This SID is a domain SID, but a local computer on the domain would have a SID with the same revision number, identifier authority value, and number of subauthority values.

When you install Windows, the Windows Setup program issues the computer a SID. Windows assigns SIDs to local accounts on the computer. Each local-account SID is based on the source computer's SID and has a RID at the end. RIDs for user accounts and groups start at 1000 and increase in increments of 1 for each new user or group. Similarly, Dcpromo.exe, the utility used to create a new Windows domain, issues a SID to domains it creates. Windows issues to new domain accounts SIDs that are based on the domain SID and have an appended RID (again starting at 1000 and increasing in increments of 1 for each new user or group). A RID of 1028 indicates that the SID is the 29th SID the domain issued.

Windows issues SIDs that consist of a computer or domain SID with a predefined RID to many predefined accounts and groups. For example, the RID for the administrator account is 500, and the RID for the guest account is 501. A computer's local administrator account, for example, has the computer SID as its base with the RID of 500 appended to it:

S-1-5-21-13124455-12541255-61235125-500

Windows also defines a number of built-in local and domain SIDs to represent groups. For example, a SID that identifies any and every account is the Everyone, or World, SID: S-1-1-0. Another example of a group that a SID can represent is the network group, which is the group that represents users who have logged on to a machine from the network. The network-group SID is S-1-5-2. Table 8-2, reproduced here from the Platform SDK documentation, shows some basic well-known SIDs, their numeric values, and their use.

Table 8-2. Well-Known SIDs

SID       Group             Use
S-1-1-0   Everyone          A group that includes all users.
S-1-2-0   Local             Users who log on to terminals locally (physically) connected to the system.
S-1-3-0   Creator Owner ID  A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs.
S-1-3-1   Creator Group ID  Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs.

Finally, Winlogon creates a unique logon SID for each interactive logon session. A typical use of a logon SID is in an access-control entry (ACE) that allows access for the duration of a client's logon session. For example, a Windows service can use the LogonUser function to start a new logon session. The LogonUser function returns an access token from which the service can extract the logon SID. The service can then use the SID in an ACE that allows the client's logon session to access the interactive window station and desktop. The SID for a logon session is S-1-5-5-0, and the RID is randomly generated.
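As an added example (my own code, not from the page's sources), here is the binary-to-text SID conversion the text describes, plus a split of an account SID into its issuing base and RID using the well-known RIDs listed above; the WELL_KNOWN_RIDS table and all helper names are my own choices.

```python
import struct

# Well-known RIDs named on this page; they are appended to a computer or domain SID.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "KRBTGT",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}


def parse_sid(blob: bytes) -> str:
    """Convert a binary SID (the form stored in tokens and security
    descriptors) into its textual S-R-I-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian = the 48-bit value from the text),
    then `count` 32-bit little-endian sub-authority values.
    """
    if len(blob) < 8:
        raise ValueError("SID too short for header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15:
        raise ValueError("too many sub-authorities")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:]) if count else ()
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def build_sid(text: str) -> bytes:
    """Inverse of parse_sid: textual SID to binary."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range")
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)


def is_valid_sid_blob(blob: bytes) -> bool:
    """True if parse_sid accepts the blob (used to exercise the length checks)."""
    try:
        parse_sid(blob)
        return True
    except ValueError:
        return False


def split_sid(text: str):
    """For a computer/domain account SID (S-1-5-21-a-b-c-RID) return
    (base SID, RID, label). Returns None for any other SID shape.

    The label follows the rules in the text: RIDs below 1000 are reserved
    for predefined accounts and groups, RIDs from 1000 upward are issued
    in increments of 1 (so 1028 is the 29th issued SID).
    """
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    if parts[:3] != ["S", "1", "5"] or len(subs) != 5 or subs[0] != 21:
        return None
    base, rid = "-".join(parts[:-1]), subs[-1]
    if rid in WELL_KNOWN_RIDS:
        label = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        label = "issued account or group #%d" % (rid - 1000 + 1)
    else:
        label = "reserved/built-in RID"
    return base, rid, label


def is_logon_session_sid(text: str) -> bool:
    """Logon SIDs have the shape S-1-5-5-X-Y, with X and Y varying per session."""
    parts = text.split("-")
    return len(parts) == 6 and parts[:4] == ["S", "1", "5", "5"]


if __name__ == "__main__":
    sid = "S-1-5-21-1463437245-1224812800-863842198-1128"   # domain SID from the text
    print(parse_sid(build_sid(sid)))
    print(split_sid(sid))
    print(split_sid("S-1-5-21-13124455-12541255-61235125-500"))
```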


Well-known SIDs:

  • SID: S-1-0
    Name: Null Authority
    Description: An identifier authority.
  • SID: S-1-0-0
    Name: Nobody
    Description: No security principal.
  • SID: S-1-1
    Name: World Authority
    Description: An identifier authority.
  • SID: S-1-1-0
    Name: Everyone
    Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.

    Note: By default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP with Service Pack 2 (SP2).
  • SID: S-1-2
    Name: Local Authority
    Description: An identifier authority.
  • SID: S-1-2-0
    Name: Local
    Description: A group that includes all users who have logged on locally.
  • SID: S-1-2-1
    Name: Console Logon
    Description: A group that includes users who are logged on to the physical console.

    Note: This SID was added in Windows 7 and Windows Server 2008 R2.
  • SID: S-1-3
    Name: Creator Authority
    Description: An identifier authority.
  • SID: S-1-3-0
    Name: Creator Owner
    Description: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID of the object's creator.
  • SID: S-1-3-1
    Name: Creator Group
    Description: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID of the primary group of the object's creator. The primary group is used only by the POSIX subsystem.
  • SID: S-1-3-2
    Name: Creator Owner Server
    Description: This SID is not used in Windows 2000.
  • SID: S-1-3-3
    Name: Creator Group Server
    Description: This SID is not used in Windows 2000.
  • SID: S-1-3-4
    Name: Owner Rights
    Description: A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-4
    Name: Non-unique Authority
    Description: An identifier authority.
  • SID: S-1-5
    Name: NT Authority
    Description: An identifier authority.
  • SID: S-1-5-1
    Name: Dialup
    Description: A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.
  • SID: S-1-5-2
    Name: Network
    Description: A group that includes all users who have logged on through a network connection. Membership is controlled by the operating system.
  • SID: S-1-5-3
    Name: Batch
    Description: A group that includes all users who have logged on through a batch queue facility. Membership is controlled by the operating system.
  • SID: S-1-5-4
    Name: Interactive
    Description: A group that includes all users who have logged on interactively. Membership is controlled by the operating system.
  • SID: S-1-5-5-X-Y
    Name: Logon Session
    Description: A logon session. The X and Y values for these SIDs are different for each session.
  • SID: S-1-5-6
    Name: Service
    Description: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
  • SID: S-1-5-7
    Name: Anonymous
    Description: A group that includes all users who have logged on anonymously. Membership is controlled by the operating system.
  • SID: S-1-5-8
    Name: Proxy
    Description: This SID is not used in Windows 2000.
  • SID: S-1-5-9
    Name: Enterprise Domain Controllers
    Description: A group that includes all domain controllers in a forest that uses the Active Directory directory service. Membership is controlled by the operating system.
  • SID: S-1-5-10
    Name: Principal Self
    Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID of the security principal that holds the account.
  • SID: S-1-5-11
    Name: Authenticated Users
    Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
  • SID: S-1-5-12
    Name: Restricted Code
    Description: This SID is reserved for future use.
  • SID: S-1-5-13
    Name: Terminal Server Users
    Description: A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system.
  • SID: S-1-5-14
    Name: Remote Interactive Logon
    Description: A group that includes all users who have logged on through Terminal Services.
  • SID: S-1-5-15
    Name: This Organization
    Description: A group that includes all users from the same organization. Contains only AD accounts and is added only by a Windows Server 2003 or later domain controller.
  • SID: S-1-5-17
    Name: This Organization
    Description: An account that is used by the default Internet Information Services (IIS) user.
  • SID: S-1-5-18
    Name: Local System
    Description: A service account that is used by the operating system.
  • SID: S-1-5-19
    Name: NT Authority
    Description: Local Service
  • SID: S-1-5-20
    Name: NT Authority
    Description: Network Service
  • SID: S-1-5-21-domain-500
    Name: Administrator
    Description: The user account for the system administrator. By default, it is the only user account that is given full control over the system.
  • SID: S-1-5-21-domain-501
    Name: Guest
    Description: A user account for people who do not have individual accounts. This account does not require a password. By default, the Guest account is disabled.
  • SID: S-1-5-21-domain-502
    Name: KRBTGT
    Description: A service account that is used by the Key Distribution Center (KDC) service.
  • SID: S-1-5-21-domain-512
    Name: Domain Admins
    Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
  • SID: S-1-5-21-domain-513
    Name: Domain Users
    Description: A global group that, by default, includes all user accounts in the domain. When you create an account in the domain, it is added to this group by default.
  • SID: S-1-5-21-domain-514
    Name: Domain Guests
    Description: A global group that, by default, has only one member: the domain's built-in Guest account.
  • SID: S-1-5-21-domain-515
    Name: Domain Computers
    Description: A global group that includes all clients and servers that have joined the domain.
  • SID: S-1-5-21-domain-516
    Name: Domain Controllers
    Description: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.
  • SID: S-1-5-21-domain-517
    Name: Cert Publishers
    Description: A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
  • SID: S-1-5-21-root domain-518
    Name: Schema Admins
    Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
  • SID: S-1-5-21-root domain-519
    Name: Enterprise Admins
    Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
  • SID: S-1-5-21-domain-520
    Name: Group Policy Creator Owners
    Description: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
  • SID: S-1-5-21-domain-553
    Name: RAS and IAS Servers
    Description: A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
  • SID: S-1-5-32-544
    Name: Administrators
    Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group is also added to the Administrators group.
  • SID: S-1-5-32-545
    Name: Users
    Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on that computer.
  • SID: S-1-5-32-546
    Name: Guests
    Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with the limited privileges of the computer's built-in Guest account.
  • SID: S-1-5-32-547
    Name: Power Users
    Description: A built-in group. By default, the group has no members. Power Users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power Users can also install programs; create, manage, and delete local printers; and create and delete file shares.
  • SID: S-1-5-32-548
    Name: Account Operators
    Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor to modify the accounts of members of those groups.
  • SID: S-1-5-32-549
    Name: Server Operators
    Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
  • SID: S-1-5-32-550
    Name: Print Operators
    Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
  • SID: S-1-5-32-551
    Name: Backup Operators
    Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators can also log on to the computer and shut it down.
  • SID: S-1-5-32-552
    Name: Replicators
    Description: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.
  • SID: S-1-5-64-10
    Name: NTLM Authentication
    Description: A SID that is used when the NTLM authentication package authenticated the client.
  • SID: S-1-5-64-14
    Name: SChannel Authentication
    Description: A SID that is used when the SChannel authentication package authenticated the client.
  • SID: S-1-5-64-21
    Name: Digest Authentication
    Description: A SID that is used when the Digest authentication package authenticated the client.
  • SID: S-1-5-80
    Name: NT Service
    Description: An NT Service account prefix.
  • SID: S-1-16-0
    Name: Untrusted Mandatory Level
    Description: An untrusted integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-16-4096
    Name: Low Mandatory Level
    Description: A low integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-16-8192
    Name: Medium Mandatory Level
    Description: A medium integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-16-8448
    Name: Medium Plus Mandatory Level
    Description: A medium-plus integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-16-12288
    Name: High Mandatory Level
    Description: A high integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-16-16384
    Name: System Mandatory Level
    Description: A system integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-16-20480
    Name: Protected Process Mandatory Level
    Description: A protected-process integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.
  • SID: S-1-16-28672
    Name: Secure Process Mandatory Level
    Description: A secure-process integrity level.

    Note: This SID was added in Windows Vista and Windows Server 2008.

The following groups are displayed as SIDs until a Windows Server 2003 domain controller is made the holder of the primary domain controller (PDC) operations master role. (The operations master role is also known as the flexible single master operations (FSMO) role.) The additional new built-in groups that are created when a Windows Server domain controller is added to the domain are the following:

  • SID: S-1-5-32-554
    Name: BUILTIN\Pre-Windows 2000 Compatible Access
    Description: An alias added by Windows 2000. A backward-compatibility group that grants read access to all users and groups in the domain.
  • SID: S-1-5-32-555
    Name: BUILTIN\Remote Desktop Users
    Description: An alias. Members of this group are granted the right to log on remotely.
  • SID: S-1-5-32-556
    Name: BUILTIN\Network Configuration Operators
    Description: An alias. Members of this group can have some administrative privileges to manage the configuration of networking features.
  • SID: S-1-5-32-557
    Name: BUILTIN\Incoming Forest Trust Builders
    Description: An alias. Members of this group are allowed to create incoming trust relationships to this forest.
  • SID: S-1-5-32-558
    Name: BUILTIN\Performance Monitor Users
    Description: An alias. Members of this group have remote access to monitor this computer.
  • SID: S-1-5-32-559
    Name: BUILTIN\Performance Log Users
    Description: An alias. Members of this group have remote access to schedule logging of performance counters on this computer.
  • SID: S-1-5-32-560
    Name: BUILTIN\Windows Authorization Access Group
    Description: An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
  • SID: S-1-5-32-561
    Name: BUILTIN\Terminal Server License Servers
    Description: An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.
  • SID: S-1-5-32-562
    Name: BUILTIN\Distributed COM Users
    Description: An alias. A group for COM to provide computer-wide access controls that govern all call, activation, or launch requests on the computer.



The following groups are displayed as SIDs until a Windows Server 2008 or Windows Server 2008 R2 domain controller is made the holder of the primary domain controller (PDC) operations master role. (The operations master role is also known as the flexible single master operations (FSMO) role.) The additional new built-in groups that are created when a Windows Server 2008 or Windows Server 2008 R2 domain controller is added to the domain are the following:

  • SID: S-1-5-21-domain-498
    Name: Enterprise Read-only Domain Controllers
    Description: A universal group. Members of this group are read-only domain controllers in the enterprise.
  • SID: S-1-5-21-domain-521
    Name: Read-only Domain Controllers
    Description: A global group. Members of this group are read-only domain controllers in the domain.
  • SID: S-1-5-32-569
    Name: BUILTIN\Cryptographic Operators
    Description: A built-in local group. Members of this group can perform cryptographic operations.
  • SID: S-1-5-21-domain-571
    Name: Allowed RODC Password Replication Group
    Description: A domain local group. Members of this group can have their passwords replicated to all read-only domain controllers in the domain.
  • SID: S-1-5-21-domain-572
    Name: Denied RODC Password Replication Group
    Description: A domain local group. Members of this group cannot have their passwords replicated to any read-only domain controller in the domain.
  • SID: S-1-5-32-573
    Name: BUILTIN\Event Log Readers
    Description: A built-in local group. Members of this group can read event logs from the local computer.
  • SID: S-1-5-32-574
    Name: BUILTIN\Certificate Service DCOM Access
    Description: A built-in local group. Members of this group are allowed to connect to certification authorities in the enterprise.


The CACLS utility

The cacls command displays or modifies the discretionary access control list (DACL) of a file or files. If you suspect that a user cannot access a file because of a permissions problem, you can use cacls to examine the situation.

When running cacls reveals a problem in the permissions of a file or directory, the same command can be used to correct the access control lists.

The syntax of the cacls command is:

cacls <filename> [/t] [/e] [/c] [/g <user|group:permission>] 
[/r <user|group>] [/p <user|group:permission>] [/d <user|group>]

The command's parameters are described in the following table.

Parameters of the cacls command

Parameter                    Usage
<filename>                   Specifies the file or folder whose permissions are to be changed. The wildcards * and ? can be used to specify several files.
/t                           Applies the command to all files and folders in the current directory and all of its subdirectories.
/e                           Edits the existing ACL instead of replacing it.
/g <user|group:permission>   Grants the specified permission to the given user or group. The valid permissions are listed in the table below.
/c                           Continues changing permissions when an error occurs.
/r <user|group>              Revokes the access rights of the specified user.
/p <user|group:permission>   Replaces the access rights of the specified user. The valid permissions are listed in the table below.
/d <user|group>              Denies access to the specified user or group.

Valid permission values for the cacls command

Permission value   Description
F                  Full control
C                  Change (write)
W                  Write
R                  Read
N                  None

When the DACLs are displayed in the command's output, in addition to the permissions for a particular user or group, the output shows whether each access control entry applies to the current folder, to subfolders, and/or to files. The codes for the "where" part of the output are described below.

Output codes of the cacls command

Output code     Permissions apply to
(no code)       The target folder only
CI              The target folder and its subfolders
IO              Not applied to the current file or folder
OI              The target folder and its files
(CI)(IO)        Subfolders of the target folder only
(OI)(CI)        The target folder, its subfolders, and its files
(OI)(IO)        Files in the target folder only
(OI)(CI)(IO)    Subfolders and files of the target folder only

Suppose that members of the "Show" group must be able to modify documents in the "Advert" folder. To grant users from the "Show" group the right to change the files, you can use the cacls command. To do so, enter the following command:

cacls "e:\advert" /p DimaIvanov\show:c /e

When you use cacls to modify existing DACLs, do not forget to include the /e parameter. Otherwise, the DACL is replaced by the permissions specified in the command instead of the existing permissions simply being edited. If the DACL listed ten more user groups and only one group is specified in the command, omitting /e makes the command create a DACL containing only that one group.
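As an added example (my own code, not part of this page), the decoder below reads cacls output lines and maps the (OI)/(CI)/(IO) codes to the "applies to" meanings in the table above, then answers the question of the scenario: which accounts may change files in the folder. The sample output is constructed to resemble what cacls prints for the Advert folder; it is not captured from a real system.

```python
import re
from dataclasses import dataclass

# Constructed sample of `cacls e:\advert` output after the /p ... /e command above.
# The first line starts with the queried path; later lines are indented.
SAMPLE_OUTPUT = r"""e:\advert BUILTIN\Administrators:(OI)(CI)F
          DIMAIVANOV\show:(OI)(CI)C
          NT AUTHORITY\SYSTEM:(OI)(CI)F
          CREATOR OWNER:(OI)(CI)(IO)F
          BUILTIN\Users:(CI)R
          DIMAIVANOV\Guest:(DENY)(OI)(CI)N
"""

# account:<zero or more (CODE) groups><single permission letter F/C/W/R/N>
ACE_RE = re.compile(r"^(?P<account>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[FCWRN])$")


@dataclass
class Ace:
    account: str
    flags: tuple      # inheritance codes, e.g. ("OI", "CI")
    perm: str         # F, C, W, R or N
    deny: bool        # True when cacls printed (DENY)

    def applies_to(self) -> str:
        """Decode the codes as the output-code table on this page does."""
        this_folder = "IO" not in self.flags   # (IO): not applied to this object
        subfolders = "CI" in self.flags        # (CI): container inherit
        files = "OI" in self.flags             # (OI): object inherit
        targets = []
        if this_folder:
            targets.append("this folder")
        if subfolders:
            targets.append("subfolders")
        if files:
            targets.append("files")
        if not targets:
            return "nothing (inherit-only entry without inheritance flags)"
        label = ", ".join(targets)
        return label if this_folder else label + " only"


def parse_cacls(output: str, path: str):
    """Parse the lines cacls prints for a single path into Ace objects."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The first line carries the queried path in front of the first ACE.
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path) + 1:].lstrip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unrecognized cacls line: %r" % raw)
        codes = re.findall(r"\(([A-Z]+)\)", m.group("flags"))
        entries.append(Ace(account=m.group("account"),
                           flags=tuple(c for c in codes if c != "DENY"),
                           perm=m.group("perm"),
                           deny="DENY" in codes))
    return entries


def who_can_change_files(entries):
    """Accounts granted Full or Change on the files in the folder, excluding
    any account that also holds a deny entry covering files (deny wins)."""
    denied = {e.account for e in entries if e.deny and "OI" in e.flags}
    return [e.account for e in entries
            if not e.deny and e.perm in ("F", "C") and "OI" in e.flags
            and e.account not in denied]


if __name__ == "__main__":
    aces = parse_cacls(SAMPLE_OUTPUT, r"e:\advert")
    for ace in aces:
        kind = "DENY " if ace.deny else ""
        print("%-28s %s%s -> %s" % (ace.account, kind, ace.perm, ace.applies_to()))
    print("can change files:", who_can_change_files(aces))
```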

Subinacl.exe


Overview

SubInACL is a command-line tool that enables administrators to obtain security information about files,

registry keys, and services, and transfer this information from user to user, from local or global group to

group, and from domain to domain.

For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can
replace DomainA\User with DomainB\User in the security information for the user's files. This gives the user
access to the same files from the new domain.

SubInACL enables administrators to do the following:

  • Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
  • Change the owner of an object.
  • Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
  • Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.

Corresponding Operating System Features

The operating system provides no GUI functionality that corresponds to this tool.

Concepts

For an introduction to security descriptors and the role they play in access control,
see Understanding access control in Help and Support Center for Windows Server 2003.

System Requirements

The following are the system requirements for SubInACL:
  • Windows XP Professional or Windows Server 2003 operating system

This tool is designed for use by administrators. Some actions may fail or generate

error messages if the user does not have the following privileges:

  • SeBackupPrivilege (Back Up Files and Directories)
  • SeChangeNotifyPrivilege (Bypass Traverse Checking)
  • SeRestorePrivilege (Restore Files and Directories)
  • SeSecurityPrivilege (Manage Auditing and Security Log)
  • SeTakeOwnershipPrivilege (Take Ownership of Files or Other Objects)
  • SeTcbPrivilege (Act As Part of the Operating System)
File Required

  • Subinacl.exe

Remarks

Editing in SubInACL

SubInACL allows you to modify each part of a security descriptor:
  • Owner
  • Primary group
  • System access control list (ACL) and access control entries (ACEs) (referred to by SubInACL as audit ACL and AACE, respectively)
  • Discretionary ACL and ACEs (referred to by SubInACL as permission ACL and PACE, respectively)

Using SIDs in SubInACL

The security descriptor references a user or group by using a security identifier (SID). A SID can be expressed in one of the following forms:
  • DomainName\Account (for example, DOM\Administrators)
  • StandaloneServer\Group
  • Account
  • s-1-x-x-x-x-x-x
    Where x is expressed in decimal (for example, S-1-5-21-56248481-1302087933-1644394174-1001).

    Caution

    • No check is done to verify the existence of a given SID

SubInACL maintains a local cache of SIDs to minimize "SID-to-human name" translation costs for the network.

Using PACEs in SubInACL

The following permission ACEs (PACEs) are used with the /grant and /deny parameters.

File PACEs

The following PACEs are valid for file objects:
PACE  Description
F Full Control
C Change
R Read
P Change Permissions
O Take Ownership
X eXecute
E Read eXecute
W Write
D Delete

Cluster Share PACEs

The following PACEs are valid for cluster share objects:
PACE  Description
F Full Control
R Read
C Change

Printer PACEs

The following PACEs are valid for printer objects:
PACE  Description
F Full Control
M Manage Documents
P Print

Registry PACEs

The following PACEs are valid for registry key and registry subkey objects:
PACE  Description
F     Full Control
R     Read
A     ReAd Control
Q     Query Value
S     Set Value
C     Create SubKey
E     Enumerate Subkeys
Y     NotifY
L     Create Link
D     Delete
W     Write DAC
O     Write Owner

Services PACEs

The following PACEs are valid for services:
PACE  Description
F     Full Control
R     Generic Read
W     Generic Write
X     Generic eXecute
L     Read controL
Q     Query Service Configuration
S     Query Service Status
E     Enumerate Dependent Services
C     Service Change Configuration
T     Start Service
O     Stop Service
P     Pause/Continue Service
I     Interrogate Service
U     Service User-Defined Control Commands

Share PACEs

The following PACEs are valid for share objects:
PACE  Description
F     Full Control
R     Read
C     Change

Metabase PACEs

The following PACEs are valid for metabase objects:
PACE  Description
F     Full Control
R     Read - MD_ACR_READ
W     Write - MD_ACR_WRITE
I     Restricted Write - MD_ACR_RESTRICTED_WRITE
U     Unsecure Props Read - MD_ACR_UNSECURE_PROPS_READ
E     Enum Keys - MD_ACR_ENUM_KEYS
D     Write DAC - MD_ACR_WRITE_DAC

Process PACEs

The following PACEs are valid for process objects:
PACE  Description
F     Full Control
R     Read
W     Write
E     Execute

SAM Object PACEs

The following PACEs are valid for Security Accounts Manager (SAM) objects:
PACE  Description
F     Full Control
R     Read
W     Write
E     Execute

Minimizing Bandwidth Usage

To minimize the network bandwidth used when SubInACL resolves SIDs, place multiple commands that involve the same SIDs in the same command file. When SubInACL resolves a SID, it caches the result to improve its performance and to minimize network traffic. When a SubInACL command finishes, the cache is cleared. Therefore, if you issue four commands and each one requires SubInACL to resolve the same set of SIDs, SubInACL will resolve each of those SIDs four times. However, if you place those four commands in the same command file, SubInACL resolves each SID only once.
 

Syntax


The syntax descriptions below are grouped by how you use SubInACL: getting Help about its features, using it interactively in a console window, or using it within its own scripting environment.

Syntax for Getting Help

subinacl /help [/full | Keyword]

Parameters

/full
Displays all of the information about SubInACL.
Keyword
[ /noverbose | /verbose | /verbose=1 | /verbose=2 | /testmode | /notestmode | /file | /subdirectories | /onlyfile | /share | /clustershare | /keyreg | /subkeyreg | /service | /printer | /kernelobject | /metabase | /display | /setowner | /replace | /changedomain | /migratetodomain | /findsid | /suppresssid | /confirm | /perm | /audit | /ifchangecontinue | /cleandeletedsidsfrom | /accesscheck | /setprimarygroup | /grant | /deny | /revoke ]
Displays information about the specified option, object_type, or action.
/option
Displays information about all SubInACL options.
/action
Displays information about all SubInACL actions.
/object_type
Displays information about all SubInACL object_types.
features
Displays information about the feature set.
usage
Displays a summary of SubInACL syntax.
syntax
Displays a conceptual overview of the SubInACL syntax.
sids
Displays information about how SIDs are expressed, and how SubInACL attempts to translate SIDs.
view_mode
Displays information about using SubInACL to view security information.
test_mode
Displays information about using a testing mode to ensure that a SubInACL command is correct.
object_type
Displays information about the types of object that SubInACL can work with.
domain_migration
Displays information about moving a user from one domain to another.
server_migration
Displays information about moving the file system of a server from one domain to another.
editing_features
Displays information about features of SubInACL that edit security descriptors.

For more information, see /help under Option Syntax Examples on the Examples page.

Syntax for Using SubInACL in a Console Window

subinacl [/Option] /object_type object_name [/Action[=Parameter] ...]

Parameters

/Option can be any of the following:
/outputlog=FileName
Redirects the output of the command to the specified file. The output will include errors unless
the /errorlog option is used, in which case errors are sent to the error log file and all other output
 is sent to the output log file.
/errorlog=FileName
Redirects all errors to the specified file.
/alternatesamserver=ServerName
Specifies the server that SubInACL will use to look up SIDs, if its first attempt fails. This is useful
during some server and domain migrations.
/offlinesam=FileName
Specifies a text file that matches user names to their SIDs, and directs SubInACL to look up SIDs in this file instead of on the server on which the object is located. This is useful if the domain is inaccessible or no longer exists.
/stringreplaceonoutput=String1=String2
Causes SubInACL to replace all occurrences of String1 in its output with String2.
/expandenvironmentsymbols
Allows SubInACL to use environment variables, such as %username%. This is the default value, and the opposite of /noexpandenvironmentsymbols.
/noexpandenvironmentsymbols
Prevents SubInACL from using environment variables. This is useful when SubInACL operates on
 command files.
/statistic
Displays statistics when processing is finished. This is the default value.
/nostatistic
Suppresses the display of statistics when processing is finished.
/dumpcachedsids=FileName
After SubInACL runs, dumps the contents of the local SID cache to the specified file. This file can be used in later SubInACL runs (see /offlinesam) to speed up SID resolution.
/separator=character
Specifies a character for SubInACL to use in place of the equal sign (=) when it
interprets a command. This allows you to specify a string that contains an equal
sign within a SubInACL command.
/noverbose
Causes SubInACL to produce shortened output that is easier for people to read.
The output of a SubInACL command in /noverbose mode can be saved in a
command file and replayed later.
/verbose
Causes SubInACL to produce detailed output. This is the default level of detail.
/verbose=1
This display mode is identical to /verbose mode.
/verbose=2
This display mode is identical to /verbose mode.
/testmode
Runs SubInACL in testing mode so that changes will not be applied to the specified
 object's security descriptor.
/notestmode
Runs SubInACL in update mode, so that any changes defined by a SubInACL
command will be applied. This is the default value.
 
/object_type can be any of the following:
/file [=directoriesonly | =filesonly]
Specifies that object_name is a file object. When the /file parameter is specified,
 object_name can identify files by using the Universal Naming Convention (UNC)
format or by using a local drive letter and path. object_name can contain the * wildcard character.

Note

  • SubInACL is not supported on distributed file system (DFS) volumes.
 
/subdirectories | /subdirec [=directoriesonly | =filesonly]
Specifies that object_name is a folder (directory) and that SubInACL will use all the files in it and in all its subfolders. When either the /subdirectories or /subdirec parameter is specified, object_name can identify files by using the UNC format or by using a local drive letter and path. object_name can include the * wildcard character.
/onlyfile
Opens a file without using the FindFilexxx mechanism. Valid values for object_name when
the /onlyfile parameter is specified are named pipes or mailslots.
/samobject
Specifies that object_name is a Security Accounts Manager (SAM) object, such as a user,
 local group, or global group.
/share
Specifies that object_name is a network file share.
/clustershare
Specifies that object_name is a cluster file share.
/keyreg
Specifies that object_name is a registry key.
/subkeyreg
Specifies that object_name is a registry subkey.
/service
Specifies that object_name is a service.
/process
Specifies that object_name is a process.
/printer
Specifies that object_name is a printer.
/kernelobject
Specifies that object_name is a kernel object. Valid values for object_name can include
mutexes, sections, or event objects.
/metabase
Specifies that object_name is an AdminACL metabase property of the Microsoft Internet
Information Services (IIS) metabase.

Notes

  • This object_type can be used only with the following metabase paths:
    • \LM\MSFTPSVC
    • \LM\MSFTPSVC/n
    • \LM\W3SVC
  • This object_type does not support enumeration
 
object_name
Specifies the name of the object. For examples, see specific object_type descriptions.
 
/Action can be any of the following:
/display [=dacl | =sacl | =owner | =primarygroup | =sdsize | =sddl]
Displays the security descriptor for the specified object. This is the default action. The optional parameters
allow you to specify which parts of the security descriptor SubInACL should search. When used in conjunction
 with /noverbose, /display reapplies the security descriptor to the specified object.
/setowner
Changes the owner of the object. With /owner=SID or /setowner=SID, specifying DomainName\Administrators as the owner retrieves the Administrators SID from the server where the object is located.
/owner=Owner
Changes the owner of the specified object. Owner is a valid SID that can be expressed in four different formats.
 For more information, see Using SIDs in SubInACL on the Remarks page.
/replace=[DomainName\]OldAccount=[DomainName\]NewAccount
Replaces OldAccount with NewAccount in all access control entries (ACEs), both audit ACEs and permission ACEs, of the specified object.
/accountmigration=DomainName\OldAccount=DomainName\NewAccount
Replaces the owner or primary group if one of them is DomainName\OldAccount. For example, /accountmigration=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan duplicates all ACEs containing DOM_MARKETING\ChairMan with the SID of NewChairMan retrieved from the NEWDOM domain. For more information, see the /replace action.

Caution

  • If DomainName\NewAccount has an ACE already, ACE replacement is skipped.
 
/changedomain=OldDomainName=NewDomainName
Replaces all ACEs with an SID from OldDomainName with the equivalent SID found in  
NewDomainName.
/migratetodomain=SourceDomain=DestinationDomain
Adds ACEs found in SourceDomain for the specified object to DestinationDomain, while
preserving the ACEs in SourceDomain.
/findsid=DomainName\Account[=stop | =continue]
Displays the object_name containing a reference to DomainName\Account in the security
descriptor. If =stop is specified and the Account is found, the next parameters will be
skipped and changes will not be applied. If =stop is specified and the Account is not found,
 the next parameters will be executed. If =continue is specified and the Account is found,
 the next parameters will be executed. If =continue is specified and the Account is not found,
 the next parameters will be skipped and changes will not be applied.
/suppresssid=[DomainName\]Account
Suppresses (deletes) all ACEs containing the [DomainName\]Account. If the object's owner is
[DomainName\]Account, the owner is set to Everyone's SID.
/confirm
If placed inside a set of actions, prompts the user before processing the next action.
/perm
Suppresses all existing PACEs.
/audit
Suppresses all existing AACEs.
/ifchangecontinue
Continues to process the next actions only if changes have been made by the previous actions.
/cleandeletedsidsfrom=DomainName [=dacl | =sacl | =owner | =primarygroup | =sdsize]
Deletes all ACEs containing deleted (not valid) SIDs from DomainName.
The optional parameters allow you to specify certain parts of the security descriptor in which to search for invalid SIDs.
/testmode
Prevents changes from being applied to the object. This allows you to test the modifications that SubInACL will make.
/accesscheck=[DomainName\]UserName
Displays the access granted to [DomainName\]UserName. This option requires the SeTcbPrivilege privilege (Act As Part of the Operating System), and cannot be used with remote objects.
/setprimarygroup=[DomainName\]Group
Changes the primary group.
/grant=[DomainName\]UserName[=Access]
Adds a PACE for UserName. Valid values for Access depend on the type of object specified in object_name. Valid PACEs are listed in Using PACEs in SubInACL on the Remarks page. If Access is not specified, Full Control access is granted.
/deny=[DomainName\]UserName[=Access]
Adds a denied PACE for the specified user or group. Valid values for Access depend on the type of object specified
 in object_name. Valid PACEs are listed in Using PACEs in SubInACL on the Remarks page.
 If Access is not specified, all accesses are denied.
/sgrant=[DomainName\]UserName[=Access]
Adds a successful AACE for the specified user. If Access is not specified, Full Control access is granted.
Valid permission ACEs are listed in Using PACEs in SubInACL on the Remarks page.
/sdeny=[DomainName\]UserName[=Access]
Adds a failed AACE for the specified user. If Access is not specified, all accesses are denied.
Valid PACEs are listed in Using PACEs in SubInACL on the Remarks page.
/revoke=[DomainName\]UserName
Denies all PACEs for the specified user or group.
/compactsecuritydescriptor
Compresses security descriptors by removing unused entries.
/pathexclude=Pattern
Excludes all containers matching the description of Pattern, and all the objects within those paths.
The * wildcard character can be used within Pattern to represent any number of any characters.
/objectexclude=Pattern
Excludes all objects with names that match Pattern. The * wildcard character can be used within
 Pattern to represent any number of any characters.
 
Parameter
The parameter of /Action, if required.

Syntax for Using SubInACL Within Its Own Scripting Environment

subinacl [/Option ..] /playfile FileName

Parameters

/Option
Any of the SubInACL options defined above.
FileName
The name of the SubInACL command file (script file). You can create the file manually, or by issuing a SubInACL command that uses the /noverbose and /display options.

The syntax of the /playfile command file is the same as the syntax of SubInACL when used in a console window, except that:

  • /Option is not used.
  • Each /object_type is preceded by a plus symbol (+) rather than a slash (/).
  • Each /object_type and object_name pair appear together, on the same line.
  • Each action appears on its own line, followed by any applicable parameters.

For more information, see /playfile under Action Syntax Examples on the Examples page.
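As an added example, not part of SubInACL or its documentation, the following Python script parses a command file written to the four rules above and checks each /grant, /deny, /sgrant and /sdeny access string against the PACE tables under Using PACEs in SubInACL, which lets you catch an invalid letter before the file is replayed with /playfile. The sample command file is constructed; treating ';' lines as comments and +subdirectories as a file-type object are assumptions.

```python
"""Parse and validate a SubInACL /playfile command file.

Added example (not part of SubInACL or its documentation). It follows the
four rules the documentation gives for command files: no /Option lines,
each object_type preceded by '+', object_type and object_name on one line,
each action on its own line. The exact spacing of real SubInACL output is an
assumption; a hand-written file in this shape is what is parsed here.
"""
from dataclasses import dataclass, field

# PACE letters valid per object type, as listed in the SubInACL reference.
# Keys are the object_type names used after '+' in a command file.
# Mapping +subdirectories to the file PACE set is an assumption.
PACES = {
    "file": set("FCRPOXEWD"),
    "subdirectories": set("FCRPOXEWD"),
    "share": set("FRC"),
    "clustershare": set("FRC"),
    "printer": set("FMP"),
    "keyreg": set("FRAQSCEYLDWO"),
    "subkeyreg": set("FRAQSCEYLDWO"),
    "service": set("FRWXLQSECTOPIU"),
    "metabase": set("FRWIUED"),
    "process": set("FRWE"),
    "samobject": set("FRWE"),
}

# Actions whose parameter ends in an optional "=Access" PACE string.
ACE_ACTIONS = {"/grant", "/deny", "/sgrant", "/sdeny"}


@dataclass
class Entry:
    object_type: str
    object_name: str
    actions: list = field(default_factory=list)  # (action, parameter-or-None)


def parse_playfile(text):
    """Return a list of Entry objects; raise ValueError on malformed input."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # assumption: ';' starts a comment
            continue
        if line.startswith("+"):
            parts = line[1:].split(None, 1)
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: expected '+object_type object_name'")
            entries.append(Entry(parts[0].lower(), parts[1]))
        elif line.startswith("/"):
            if not entries:
                raise ValueError(f"line {lineno}: action before any +object_type line")
            action, _, param = line.partition("=")
            entries[-1].actions.append((action.lower(), param or None))
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return entries


def validate(entries):
    """Return a list of human-readable problems (empty list means clean)."""
    problems = []
    for e in entries:
        valid = PACES.get(e.object_type)
        if valid is None:
            problems.append(f"{e.object_name}: unknown object_type {e.object_type!r}")
            continue
        for action, param in e.actions:
            if action not in ACE_ACTIONS or param is None:
                continue
            # Parameter is [DomainName\]UserName[=Access]; Access is optional.
            account, _, access = param.partition("=")
            if not account:
                problems.append(f"{e.object_name}: {action} has no account")
            bad = sorted(set(access.upper()) - valid)
            if bad:
                problems.append(
                    f"{e.object_name}: {action}={account} uses PACE(s) "
                    f"{''.join(bad)} not valid for {e.object_type}"
                )
    return problems


def render_playfile(entries):
    """Emit entries back in command-file form (inverse of parse_playfile)."""
    out = []
    for e in entries:
        out.append(f"+{e.object_type} {e.object_name}")
        for action, param in e.actions:
            out.append(action if param is None else f"{action}={param}")
    return "\n".join(out) + "\n"


# Constructed sample command file (not real SubInACL output).
SAMPLE = """\
+file C:\\Test.txt
/grant=domain1\\user1=xo
/deny=domain1\\user2=m
+service Messenger
/grant=domain1\\svcadmin=QST
/display
"""

if __name__ == "__main__":
    parsed = parse_playfile(SAMPLE)
    for p in validate(parsed):
        print("problem:", p)   # the /deny line uses M, a printer PACE, on a file
    print(render_playfile(parsed), end="")
```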

 

Examples


Scenario Examples

Scenario Example 1

The task in this example is to adjust the files on \\Server\Share after you move User1 from OldDomain to NewDomain. Type the following at the command line:

subinacl /subdirec \\server\share\*.* /replace=OLDDOMAIN\USER1=NEWDOMAIN\User1

Press ENTER.

    Note

  • The two domains must have a trust relationship.

Scenario Example 2

The task in this example is to migrate a backup domain controller (BDC) named MigrControl with all its files to NewDomain, and migrate users from OldDomain to NewDomain.

  1. Reinstall MigrControl as a primary domain controller (PDC) of NewDomain, and do not erase the files.
  2. Create the users on NewDomain.
  3. Create a trust relationship with OldDomain.
  4. To migrate the files, type the following at the command line: 
    subinacl /noverbose /subdirectories x:\*.* /changedomain=OLDDOMAIN=NEWDOMAIN
  5. Press ENTER.
  6. To verify the changes, type the following at the command line: 
    subinacl /noverbose /subdirectories x:\*.*
  7. Press ENTER.

Scenario Example 3

The task in this example is to move a stand-alone server and its users to NewDomain.

  1. Move the server to NewDomain.
  2. Create the users in NewDomain.
  3. Type the following at the command line: 
    subinacl /noverbose /subdirectories \\SERVER\SHARE /changedomain=SERVER=NEWDOMAIN
  4. Press ENTER.

Scenario Example 4

The task in this example is to replace "Jim" with "Kim" in each .txt file in the C:\Temp folder, display the security descriptor for each such file, and apply any changes. Type the following at the command line:

subinacl /file c:\temp\*.txt /replace=Jim=Kim /display

Press ENTER.

Option Syntax Examples

/help
  • The task in this example is to display Help about the topic of domain migration. Type the following at the command line:

    subinacl /help domain_migration

    Press ENTER.

  • The task in this example is to display Help about the /setowner action. Type the following at the command line:

    subinacl /help /setowner

    Press ENTER.

/outputlog

  • The task in this example is to obtain security information about the file C:\Test.txt and record all output of the command (including errors) in the file C:\Alloutput.txt. Type the following at the command line:

    subinacl /outputlog=C:\ALLOUTPUT.TXT /file C:\TEST.TXT /display

    Press ENTER.

/errorlog

  • The task in this example is to obtain security information about the file C:\Test.txt, record all errors generated by the command in the file C:\Errorlog.txt, and record all other output in the file C:\Nonerrors.txt. Type the following at the command line:

    subinacl /outputlog=c:\NONERRORS.TXT /errorlog=C:\ERRORLOG.TXT /file C:\TEST.TXT /display

    Press ENTER.

/alternatesamserver

  • The task in this example is to display the security settings of the file C:\Test.txt and use the server \\Server1 to resolve SIDs if SubInACL is unable to resolve them on the server where the file is located. Type the following at the command line:

    subinacl /alternatesamserver=\\server1 /file C:\TEST.TXT /display

    Press ENTER.

/offlinesam

  • The task in this example is to migrate the security settings of the files on a server from one domain to another. This example assumes that you have access to the source domain now but know you will not have access to it during the migration.
    1. Store a record of user names and their corresponding SIDs from the source domain in a text file named C:\Samfile.txt. Use the following format:
      • _cachefileonly_=s-1-9-cacheonly
      • [Domain\UserName | Server\UserName]=SID
    2. Type the following at the command line:
      subinacl /offlinesam=C:\SAMFILE.TXT /subdirectories \\SERVER\SHARE\*.* /migratetodomain=SOURCEDOMAIN=DESTDOMAIN
    3. Press ENTER.
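The following Python module, an added example rather than anything shipped with SubInACL, validates the SID string forms listed under Using SIDs in SubInACL and loads a file in the /offlinesam format shown in the step above into a name-to-SID map, splitting each SID into its domain part and relative identifier (RID). The sample file contents are constructed, and treating the _cachefileonly_ header purely as a required marker is an assumption.

```python
"""Validate SID strings and load a SubInACL /offlinesam mapping file.

Added example, not SubInACL code. It checks the string forms the reference
lists (DomainName\\Account, Server\\Group, Account, S-1-x-x-...) and reads the
/offlinesam text file format ('_cachefileonly_=s-1-9-cacheonly' header, then
one '[Domain\\UserName | Server\\UserName]=SID' line per account). The header
value is treated here as a marker only; SubInACL's own use of it is not
documented on this page, so that is an assumption.
"""
import re

# S-1-<authority>-<subauth>... ; subauthorities are decimal, at least one.
SID_RE = re.compile(r"^S-1-(\d+)(?:-(\d+))+$", re.IGNORECASE)
CACHE_HEADER = ("_cachefileonly_", "s-1-9-cacheonly")


def parse_sid(text):
    """Return (authority, [subauthorities]) for a textual SID, else raise."""
    if not SID_RE.match(text):
        raise ValueError(f"not a textual SID: {text!r}")
    parts = text.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def split_domain_rid(text):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID).

    Only NT-authority (5) SIDs with the 21 domain marker carry a domain part;
    for anything else the whole SID is returned with rid None.
    """
    auth, subs = parse_sid(text)
    if auth == 5 and len(subs) >= 2 and subs[0] == 21:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:-1])
        return domain, subs[-1]
    return text.upper(), None


def classify(name):
    """Name one of the forms a SID can be written in on the command line."""
    if SID_RE.match(name):
        return "sid"
    if "\\" in name:
        prefix, account = name.split("\\", 1)
        if not prefix or not account:
            raise ValueError(f"empty domain or account in {name!r}")
        return "domain_or_server\\account"
    return "account"


def load_offline_sam(text):
    """Return {name: SID} from an /offlinesam file; raise on malformed lines."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or tuple(p.lower() for p in lines[0].split("=", 1)) != CACHE_HEADER:
        raise ValueError("missing '_cachefileonly_=s-1-9-cacheonly' header line")
    mapping = {}
    for lineno, line in enumerate(lines[1:], 2):
        name, sep, sid = line.partition("=")
        if not sep or classify(name) != "domain_or_server\\account":
            raise ValueError(f"line {lineno}: expected Domain\\User=SID, got {line!r}")
        parse_sid(sid)  # raises if the right-hand side is not a SID
        mapping[name.lower()] = sid.upper()
    return mapping


def lookup(mapping, name):
    """Case-insensitive name -> SID lookup, as the offline file replaces the SAM."""
    return mapping.get(name.lower())


# Constructed sample file in the documented format (values are made up).
SAMPLE = """\
_cachefileonly_=s-1-9-cacheonly
OLDDOMAIN\\User1=S-1-5-21-56248481-1302087933-1644394174-1001
OLDDOMAIN\\Domain Admins=S-1-5-21-56248481-1302087933-1644394174-512
SERVER1\\Group1=S-1-5-21-7-8-9-1002
"""

if __name__ == "__main__":
    sam = load_offline_sam(SAMPLE)
    for name, sid in sam.items():
        print(name, "->", sid, split_domain_rid(sid))
```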

/stringreplaceonoutput

  • The task in this example is to move the files from the E: drive of \\Server1 to the E: drive of \\Server2.
    1. To record the security settings of the files on the E: drive of \\Server1 in the file C:\Commandfile.txt, replacing references to \\Server1 with \\Server2, type the following at the command line:
      subinacl /outputlog=c:\commandfile.txt /stringreplaceonoutput=\\server1=\\server2 /subdirectories E:\*.* /noverbose /display
    2. Press ENTER.
    3. Copy all files from the E: drive of \\Server1 to the E: drive of \\Server2.
    4. Copy Commandfile.txt to the C: drive of \\Server2.
    5. To reapply the security settings to the files on the E: drive of \\Server2, type the following at the command line:
      subinacl /playfile c:\commandfile.txt
    6. Press ENTER.

/noexpandenvironmentsymbols

  • The task in this example is to prevent SubInACL from interpreting any strings as environment variables. Type the following at the command line:

    subinacl /noexpandenvironmentsymbols /object_type object_name /action

    Press ENTER.

/separator

  • The task in this example is to temporarily define the tilde (~) as the separator character so that options such as /stringreplaceonoutput can manipulate strings that contain the default separator character (=). Type the following at the command line:

    subinacl /separator=~ /stringreplaceonoutput~=europe\~=southerneurope /file *.* /noverbose /display

    Press ENTER.

/noverbose

  • The task in this example is to display a summary of the security settings of the file C:\Test.txt. Type the following at the command line:

    subinacl /noverbose /file c:\test.txt

    Press ENTER.

  • The task in this example is to save the security settings of all files on the C: drive to the file D:\Filesettings.txt, so that they can be reapplied if necessary by using the /playfile and /display actions. Type the following at the command line:

    subinacl /noverbose /outputlog=D:\FILESETTINGS.TXT /subdirectories C:\*.* /display

    Press ENTER.

/verbose

  • The task in this example is to display the full details of the security settings of the file C:\Test.txt. Type the following at the command line:

    subinacl /verbose /file C:\TEST.TXT

    Press ENTER.

/testmode

  • The task in this example is to test a command and verify that you have used the correct syntax, without applying changes. You want to change the name of the domain in all security descriptors of all files in the subdirectories of Share1 on \\Server1 from DomA to DomB; however, you want to test the command first. Type the following at the command line:

    subinacl /subdirec \\SERVER1\SHARE1\*.* /changedomain=DOMA=DOMB /ifchangecontinue /noverbose /display /testmode

    Press ENTER.

Object Syntax Examples

/file
  • The task in this example is to display the security settings of all .obj files in the current folder. Type the following at the command line:

    subinacl /file *.obj /display

    Press ENTER.

  • The task in this example is to display the security settings of all .obj files in the C:\Temp folder. Type the following at the command line:

    subinacl /file C:\TEMP\*.obj /display

    Press ENTER.

  • The task in this example is to display the security settings of all .exe files in the folder that is shared as \\Server1\Share1. Type the following at the command line:

    subinacl /file \\server1\share1\*.exe /display

    Press ENTER.

  • The task in this example is to display the security settings of the folder that is shared as \\Server1\Share1 (rather than acting on the files within that folder). Type the following at the command line:

    subinacl /file=directoriesonly \\server1\share1 /display

    Press ENTER.

  • The task in this example is to display the security settings of all files in the folder that is shared as \\Server1\Share1, and not of folders or subfolders. Type the following at the command line:

    subinacl /file=filesonly \\server1\share1 /display

    Press ENTER.

/subdirectory

  • The task in this example is to display the security settings of all .obj files in the C:\Temp folder and all its subfolders. Type the following at the command line:

    subinacl /subdirectory C:\TEMP\*.obj /display

    Press ENTER.

  • The task in this example is to display the security settings of all .obj files in the C:\Temp\Test folder and all its subfolders. Type the following at the command line:

    subinacl /subdirectory C:\TEMP\TEST\*.OBJ /display

    Press ENTER.

  • The task in this example is to display the security settings of folders only, and not files. Type the following at the command line:

    subinacl /subdirectory=directoriesonly C:\*.* /display

    Press ENTER.

/onlyfile

  • The task in this example is to display the security settings of the named pipe PipeName. Type the following at the command line:

    subinacl /onlyfile \\.\pipe\PipeName /display

    Press ENTER.

/samobject

  • The task in this example is to display the security settings of the local group Group1 on the Server1 server. Type the following at the command line:

    subinacl /samobject \\SERVER1\GROUP1 /display

    Press ENTER.

  • The task in this example is to display the security settings of the local users defined on the Server1 server. Type the following at the command line:

    subinacl /samobject \\SERVER1\*users* /display

    Press ENTER.

  • The task in this example is to display the security settings of the local groups defined on the Server1 server. Type the following at the command line:

    subinacl /samobject \\SERVER1\*groups* /display

    Press ENTER.

  • The task in this example is to grant the power user named Poweruser1 full control over the TestGroup local group, which was created by another power user. Type the following at the command line:

    subinacl /samobject \\SERVER1\TESTGROUP /grant=poweruser1=f

    Press ENTER.

/share

  • The task in this example is to display the security settings of the network file share named \\Server1\Share1. Type the following at the command line:

    subinacl /share \\SERVER1\SHARE1 /display

    Press ENTER.

/clustershare

  • The task in this example is to specify that SubInACL act on the cluster share named \\Cluster1\Share1. Type the following at the command line:

    subinacl /clustershare \\CLUSTER1\SHARE1 /display

    Press ENTER.

/keyreg

  • The task in this example is to display the security settings of the registry keys located on the server \\Server1, at the location HKEY_LOCAL_MACHINE\SOFTWARE. Type the following at the command line:

    subinacl /keyreg \\SERVER1\HKEY_LOCAL_MACHINE\SOFTWARE /display

    Press ENTER.

/subkeyreg

  • The task in this example is to display the security settings of the registry keys and subkeys located on the server \\Server1, at the location HKEY_LOCAL_MACHINE\SOFTWARE. Type the following at the command line:

    subinacl /subkeyreg \\SERVER1\HKEY_LOCAL_MACHINE\SOFTWARE /display

    Press ENTER.

/service

  • The task in this example is to display the security settings of the Messenger service on the local computer. Type the following at the command line:

    subinacl /service Messenger /display

    Press ENTER.

  • The task in this example is to display the security settings of the Messenger service on \\Server1. Type the following at the command line:

    subinacl /service \\SERVER1\MESSENGER /display

    Press ENTER.

/printer

  • The task in this example is to display the security settings of the printer shared as \\Server1\Printer1. Type the following at the command line:

    subinacl /printer \\SERVER1\PRINTER1 /display

    Press ENTER.

/kernelobject

  • The task in this example is to display the security settings of the mutex named _outlook_mutex_. Type the following at the command line:

    subinacl /kernelobject _outlook_mutex_ /display

    Press ENTER.

/process

  • The task in this example is to display the security settings of Notepad. Type the following at the command line:

    subinacl /process notepad.* /display

    Press ENTER.

  • The task in this example is to display the security settings of the process that has process identifier (PID) 1234. Type the following at the command line:

    subinacl /process 1234 /display

    Press ENTER.

/metabase

  • The task in this example is to grant administrators full control over the properties at \LM\W3SVC on the server \\Server1. Type the following at the command line:

    subinacl /metabase \\SERVER1\LM\W3SVC /grant=administrators=f

    Press ENTER.

Action Syntax Examples

/display
  • The task in this example is to display the security settings of the files on the C: drive. Type the following at the command line:

    subinacl /file C:\*.* /display

    Press ENTER.

  • The task in this example is to save the security settings of the files on the C: drive to the file D:\Securitysettings.txt. Type the following at the command line:

    subinacl /outputlog=D:\SECURITYSETTINGS.TXT /file C:\*.* /display /noverbose

    Press ENTER.

/owner

  • The task in this example is to set Domain1\User1 to be the owner of the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /owner=DOMAIN1\USER1

    Press ENTER.

/replace

  • The task in this example is to replace Domain1\User1 with Domain2\User2 throughout the ACEs of all files on the C: drive. Type the following at the command line:

    subinacl /file C:\*.* /replace=DOMAIN1\USER1=DOMAIN2\USER2

    Press ENTER.

/changedomain

  • The task in this example is to replace all ACEs that have a SID from Domain1 with the SID of the same user from Domain2, for all files on the C: drive. Type the following at the command line:

    subinacl /subdirectory C:\*.* /changedomain=domain1=domain2

    Press ENTER.

  • The task in this example is to replace all ACEs that have the SID of User1 from Domain1 with the SID of User2 from Domain2, for all files on the C: drive, using a mapping file.
    1. Create a mapping file containing only the line "USER1=USER2" and save this file as Mapfile.txt.
    2. Type the following at the command prompt:

      subinacl /subdirectory C:\*.* /changedomain=domain1=domain2=MAPFILE.TXT

    3. Press ENTER.

/migratetodomain

  • The task in this example is to leave intact each ACE on every file on the C: drive that has a SID from Domain1, and create a new ACE with the same user from Domain2. Type the following at the command line:

    subinacl /subdirectory C:\*.* /migratetodomain=domain1=domain2

    Press ENTER.

  • The task in this example is to create a new ACE with the SID of Domain2\User2 for each ACE on every file on the C: drive that has the SID of Domain1\User1, using a mapping file.
    1. Create a mapping file containing only the line USER1=USER2 and save this file as Mapfile.txt.
    2. Type the following at the command line:
      subinacl /subdirectory C:\*.* /migratetodomain=domain1=domain2=mapfile.txt
    3. Press ENTER.

/findsid

  • The task in this example is to display the names of files on the C: drive that have security descriptors that reference the SID of Domain1\User1. Type the following at the command line:

    subinacl /subdirectory C:\*.* /findsid=DOMAIN1\USER1

    Press ENTER.

  • The task in this example is to display the names of files on the C: drive that have security descriptors that reference the SID of Domain1\User1 and, if any are found, not to execute any other parameters and not to apply changes. Type the following at the command line:

    subinacl /subdirectory C:\*.* /findsid=DOMAIN1\USER1=stop

    Press ENTER.

/suppresssid

  • The task in this example is to remove all ACEs that reference Domain1\User1 from the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /suppresssid=DOMAIN1\USER1

    Press ENTER.

/confirm

  • The task in this example is to begin cleaning up deleted SIDs from Domain1, searching only the DACL and SACL parts of the security descriptor of each file, and prompting the user to continue after deleting the first ACE that contains an invalid SID. Type the following at the command line:

    subinacl /file *.* /cleandeletedsidsfrom=domain1=dacl /cleandeletedsidsfrom=domain1=sacl /ifchangecontinue /confirm

    Press ENTER.

/perm

  • The task in this example is to suppress all existing permission ACEs (PACEs) on the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /perm

    Press ENTER.

/audit

  • The task in this example is to suppress all existing auditing ACEs (AACEs) on the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /audit

    Press ENTER.

/accesscheck

  • The task in this example is to display the access granted to Domain1\User1 on the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /accesscheck=domain1\user1

    Press ENTER.

/setprimarygroup

  • The task in this example is to set the primary group of C:\Test.txt to be Domain1\Group1. Type the following at the command line:

    subinacl /file C:\TEST.TXT /setprimarygroup=domain1\group1

    Press ENTER.

/grant

  • The task in this example is to grant Domain1\User1 the PACE of Take Ownership on the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /grant=domain1\user1=o

    Press ENTER.

    The task in this example is to grant Domain1\User1 the PACEs of Execute and
    Take Ownership on the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /grant=domain1\user1=xo

    Press ENTER.

/deny

    The task in this example is to deny Domain1\User1 the PACE of Take Ownership
    on the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /deny=domain1\user1=o

    Press ENTER.

    The task in this example is to deny Domain1\User1 the PACEs of Execute and
    Take Ownership on the file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /deny=domain1\user1=xo

    Press ENTER.

/revoke

    The task in this example is to revoke all PACEs for Domain1\User1 on the
    file C:\Test.txt. Type the following at the command line:

    subinacl /file C:\TEST.TXT /revoke=domain1\user1

    Press ENTER.

/compactsecuritydescriptor

    The task in this example is to compact the size of security descriptors
    created by a disk utility. You used the /display=sdsize action to examine the
    sizes of these security descriptors and determined that the utility created
    large security descriptors that included very little data. You want to compact
    these security descriptors on disk. Type the following at the command line:

    subinacl /subdirectories C:\*.* /compactsecuritydescriptor

    Press ENTER.

/pathexclude

    The task in this example is to prevent a SubInACL command from displaying
    information about any folder whose name begins with "TESTING". Type the
    following at the command line:

    subinacl /file C:\*.* /display /pathexclude=TESTING*

    Press ENTER.

/objectexclude

    The task in this example is to prevent a SubInACL command from displaying
    information about any file with an .asp extension. Type the following at the
    command line:

    subinacl /file *.* /display /objectexclude=*.asp

    Press ENTER.

/playfile

    The task in this example is to grant Everyone Read permission on the file
    C:\Test1.txt, and both Read and Write permission on the file C:\Test2.txt.
    You could type the following SubInACL commands at the command line:

    subinacl /file C:\TEST1.TXT /grant=everyone=r /noverbose /display
    subinacl /file C:\TEST2.TXT /grant=everyone=rw /noverbose /display

    To perform the same action with a command file (a playfile), do the following:

    1. Create a text file named Commandfile.txt that contains only these lines:   

      +file C:\TEST1.TXT
      /grant=everyone=r
      /noverbose
      /display
      +file C:\TEST2.TXT
      /grant=everyone=rw
      /noverbose
      /display

    2. Type the following at the command line:

      subinacl /playfile COMMANDFILE.TXT

      Press ENTER.

    The task in this example is to save the security settings of all files on
    the C: drive to the file D:\Subinaclsave.txt in a format that the /playfile
    command can replay. Type the following at the command line:

    subinacl /noverbose /outputlog=D:\subinaclsave.txt /subdirectories c:\*.* /display

    Press ENTER.

    To reapply the saved settings, type the following at the command line:

    subinacl /playfile D:\subinaclsave.txt

    Press ENTER.
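    A playfile is replayed exactly as written, so it is worth generating it from
    a checked list rather than by hand, and reviewing a saved one before
    /playfile reapplies it. The script below is an added example, not part of the
    SubInACL documentation reproduced here. It assumes only the playfile syntax
    shown above (a "+file <path>" line followed by one option per line such as
    /grant=<trustee>=<rights>, /deny, /revoke, /noverbose and /display); the
    file-rights letters beyond the r, w, x and o used in this section (F, C, P, E,
    D) are SubInACL's other documented single-letter file rights. The sample saved
    playfile, the SID in it and the "raw SID means unresolvable" heuristic are
    constructed for this example and are not real subinacl output.

```python
"""Build and audit SubInACL playfiles offline (added example, not part of the
SubInACL documentation; assumes only the playfile syntax shown in the text)."""
import re

# Single-letter file rights for /grant and /deny. Only r, w, x and o appear in
# the examples above; the rest are SubInACL's other documented file rights.
FILE_RIGHTS = {
    "F": "Full control", "C": "Change", "R": "Read",
    "P": "Change permissions", "O": "Take ownership", "X": "Execute",
    "E": "Read and execute", "W": "Write", "D": "Delete",
}
# Rights that let the trustee modify the object or its security descriptor.
WRITE_LIKE = set("FCPOWD")
# Trustees that mean "anyone who can reach the object".
BROAD_TRUSTEES = {"everyone", "users", "builtin\\users", "authenticated users"}

ACE_RE = re.compile(r"^/(grant|deny|revoke)=([^=]+)(?:=(\S+))?$", re.IGNORECASE)
RAW_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)


def build_playfile(entries):
    """Render [(path, [(action, trustee, rights), ...]), ...] as a playfile.

    action is "grant", "deny" or "revoke"; rights is a string of FILE_RIGHTS
    letters (ignored for "revoke"). Unknown letters raise ValueError so a typo
    cannot silently turn into a different right when the file is replayed.
    """
    lines = []
    for path, aces in entries:
        lines.append(f"+file {path}")
        for action, trustee, rights in aces:
            if action == "revoke":
                lines.append(f"/revoke={trustee}")
                continue
            if action not in ("grant", "deny"):
                raise ValueError(f"unknown action {action!r}")
            unknown = set(rights.upper()) - set(FILE_RIGHTS)
            if unknown:
                raise ValueError(f"unknown rights {sorted(unknown)} for {path}")
            lines.append(f"/{action}={trustee}={rights}")
        lines.append("/noverbose")
        lines.append("/display")
    return "\n".join(lines) + "\n"


def audit_playfile(text, flagged_trustee=None):
    """Return (line, object, kind, detail) findings for a playfile.

    kinds: "orphan-option"      option appears before any +file line
           "references-trustee" ACE names flagged_trustee (offline /findsid)
           "raw-sid"            trustee is a bare SID, assumed to be one that
                                could not be resolved to a name (cf. the
                                /cleandeletedsidsfrom examples)
           "broad-write"        write-like rights granted to a broad trustee
    """
    findings = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("+file "):
            current = line[6:].strip()
            continue
        if current is None:
            findings.append((lineno, None, "orphan-option", line))
            continue
        m = ACE_RE.match(line)
        if not m:
            continue  # /noverbose, /display and other non-ACE options
        action, trustee = m.group(1).lower(), m.group(2)
        rights = m.group(3) or ""
        if flagged_trustee and trustee.lower() == flagged_trustee.lower():
            findings.append((lineno, current, "references-trustee", line))
        if RAW_SID_RE.match(trustee):
            findings.append((lineno, current, "raw-sid", trustee))
        if (action == "grant" and trustee.lower() in BROAD_TRUSTEES
                and set(rights.upper()) & WRITE_LIKE):
            findings.append((lineno, current, "broad-write", line))
    return findings


# Constructed sample of a saved playfile (made up for this example, including
# the SID; not real subinacl output).
SAMPLE_SAVED_PLAYFILE = """\
+file C:\\TEST1.TXT
/grant=everyone=r
+file C:\\TEST2.TXT
/grant=everyone=rw
/grant=domain1\\user1=xo
/deny=domain1\\user1=o
+file C:\\Build\\out.dll
/grant=S-1-5-21-1111111111-2222222222-3333333333-1105=F
/revoke=domain1\\group1
"""

if __name__ == "__main__":
    print(build_playfile([("C:\\TEST1.TXT", [("grant", "everyone", "r")]),
                          ("C:\\TEST2.TXT", [("grant", "everyone", "rw")])]))
    for finding in audit_playfile(SAMPLE_SAVED_PLAYFILE, "DOMAIN1\\USER1"):
        print(finding)
```

    Feeding the two-file task from the text to build_playfile yields exactly the
    Commandfile.txt listed above. Running audit_playfile over a saved file before
    `subinacl /playfile` flags the Everyone=rw grant, every ACE naming the trustee
    you are about to remove with /suppresssid, and any bare SID left behind by a
    deleted account, which is the same review /findsid and /cleandeletedsidsfrom
    perform on the live file system.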
