subinacl 強大而不足
subinacl 強大在于,幾乎對所有對象設定通路權限。
最大的不足是不再更新了。
下面是幫助中的一部分:
FEATURES
describes SubInAcl main features
SubInAcl was designed to help administrators to manage security on various objects.
It provides :
- a unified way to manipulate security for different kinds of objects
(files, registry keys, services, printer,…)
- a console tool that allows to write scripts to automate
security tasks
- some features that help administrators to modify security if some
changes occur in their organization:
- user, group deletions (/suppresssid, /cleandeletedsidsfrom )
- user, group migrations (/replace , /accountmigration)
- domain, server migration (/changedomain, /migratetodomain)
…
- security descriptor editing features :
- owner ( /setowner )
- primary group ( /setprimarygroup )
- permissions ( /grant , /deny , /revoke )
- audit ( /sgrant, /sdeny, /sallowdeny)
- access to remote objects
- save and restore permissions (/playfile , /outputlog , /display )
You need SeBackupPrivilege SeRestorePrivilege
SeSecurityPrivilege SeTakeOwnershipPrivilege
SeChangeNotifyPrivilege privileges (locally or remotely) to run this tool
subinacl /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" /setowner=administrators /setprimarygroup=administrators /grant=administrators=f
本要對 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing 進行權限修改,卻變成了對 HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Component Based Servicing 的修改。
對下面的系統資料庫項極其子項進行授權
HKEY_LOCAL_MACHINE\system\ControlSet001\Services
subinacl /keyreg "HKEY_LOCAL_MACHINE\system\ControlSet001\Services" /grant=administrators=f
subinacl /keyreg "HKEY_LOCAL_MACHINE\system\ControlSet001\Services" /grant=system=f
對子項進行授權之前,要先取得所有權
subinacl /subkeyreg "HKEY_LOCAL_MACHINE\system\ControlSet001\Services" /setowner=system
接着,就可以授權了
subinacl /subkeyreg "HKEY_LOCAL_MACHINE\system\ControlSet001\Services" /grant=administrators=f
subinacl /subkeyreg "HKEY_LOCAL_MACHINE\system\ControlSet001\Services" /grant=system=f