SubInACL: Setting Permissions

In a previous article, “SubInACL: Download and Deployment,” I introduced you to a legacy command line tools from Microsoft called subInAcl.exe. While this tool doesn’t appear to be supported on anything after Windows Server 2003, I’ve rarely run into problems with it, and sometimes it is exactly what I need to handle a tricky permission automation task. Sometimes the old ways are still the best ways.

SubInACL Permission Types

You can use subinacl.exe to manage permissions on a variety of object types. The permission setting varies depending on the object. You can find the permission values with this command.

C:\> subinacl /help /grant

In the screen shot, I am running subinacl.exe from a network share. All I had to do was copy just the exe file.


Sponsored Content

Devolutions Remote Desktop Manager

Devolutions RDM centralizes all remote connections on a single platform that is securely shared between users and across the entire team. With support for hundreds of integrated technologies — including multiple protocols and VPNs — along with built-in enterprise-grade password management tools, global and granular-level access controls, and robust mobile apps to complement desktop clients.


In order for this to work, I am running the CMD session with elevated privileges. Use the correct permission abbreviation for the object you wish to manage.

SubInACL File Share Example

From my Windows 8 system, I can see the current share permission for \\CHI-FP01\Sales.

C:\Windows\system32>\\chi-fp01\it\subinacl /share \\chi-fp01\sales



I want to remove the Everyone group and grant the Chicago Sales Users group change permission. I can do this with a single command:

C:\Windows\system32>\\chi-fp01\it\subinacl /share \\chi-fp01\sales /revoke=Everyone /grant="globomantics\chicago sales users"=C


From PowerShell I can quickly verify this change.

PS C:\> invoke-command {net share Sales} -ComputerName chi-fp01

Share name        Sales

Path              c:\shares\Sales


Maximum users     No limit


Caching           Manual caching of documents

Permission        BUILTIN\Administrators, FULL

GLOBOMANTICS\chicago sales users, CHANGE

SubInACL Printer Share Example

This will also work with shared printers. First, here’s the current set of permissions for the printer share \\CHI-FP01\HP1600.

C:\Users\administrator.GLOBOMANTICS>c:\shares\it\subinacl.exe /noverbose /nostatistic /printer \\chi-fp01\hp1600



In this particular case I am running SubInACL on the print server. Sometimes you’ll get an RPC error even though everything is working correctly, so it is just as easy to run the command locally. I need to remove the Everyone group, grant Chicago Sales Users the option to print, and Chicago Sales Managers permission to manage documents.

​C:\Users\administrator.GLOBOMANTICS>c:\shares\it\subinacl.exe /noverbose /nostatistic /printer \\chi-fp01\hp1600 /revoke=everyone /grant="globomantics\chicago sales users"=P /grant="globomantics\chicago sales managers"=M

I found the permission types from looking at help.


F : Full Control

M : Manage Documents

P : Print

Now when I look at permissions again, they are as I need them to be.



Clearing Permissions

There is one more setting I’ll discuss because it is very easy to make things worse with subinacl.exe. When you look through help you’ll see a /perm action. You might think this will display current permissions. This is not the case and where you have to be careful. When you use /perm, subinacl will wipe out all existing permissions. This has the effect of resetting to a blank state, with the assumption that you will be immediately setting new permissions. The action can certainly be helpful if that is what you intend to do.

Subinacl.exe is worth exploring in a non-production environment. I would also make sure any existing permissions are documented before applying any changes. Over the last decade Microsoft has given us new tools to handle many of the tasks that we used handle with subinacl.exe. But for those exceptions, this is a tool still worth keeping in your admin toolbelt. And if subinacl has ever solved a problem for you, leave a comment below and let me know how it worked out.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (4)

4 responses to “SubInACL: Setting Permissions”

  1. Good article, Jeff – unfortunately, I only read it after doing -exactly- what you warned against doing at the very end – assuming /perm would display the permissions on a service I was wanting to look at.

    Any idea on -how- I put the permissions back? I can’t seem to take ownership (or read it, or anything) from either the administrator or System accounts…

  2. Oh heavens. I guess you missed my note about testing in a non-production environment as well. ;-)

    The first thing that comes to mind is to attempt to restore a system state backup. It sounds like you can’t even use subinacl any more to set new permissions even if you wanted. If that is the case, then I don’t think you have many options. If the service is part of a third party product, I’d try re-installing the product. If it is a Windows service, you could try re-installing a service pack or doing a repair installation.

  3. Thanks Jeff – no, didn’t even go looking for documentation till after I did it – still I wasn’t testing it on a production system at least – not quite that dumb! I’ve decided to just wipe the system and reinstall windows – I nuked the permissions on the BITS service, so I could kiss goodbye to any more Windows Updates.. Well – you learn by doing (and not doing again)

Leave a Reply