[go: up one dir, main page]
Menu

[r1]: / ModDacl / help.txt  Maximize  Restore  History

Download this file

50 lines (39 with data), 2.1 kB 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
ModDACL v1.0 by Adrian Wright

Adds new, or removes all permissions for a user account to a specified

securable objects' discretionary access control list (DACL)



Usage: moddacl type [name] action [account] [permission1] ... [permissionN]



Where type is one of:

file	reg	svc	prn	kernel



[name] is the path to or identifier of the object in question and

is required for all types except kernel. NOTE: The root registry keys

must be identified as "CLASSES_ROOT", "CURRENT_USER", "MACHINE", and "USERS"



action is one of:

   allow  - allow the specified account these permissions

   deny   - deny the account these permissions (NOTE: these override any

	    previously allowed permissions and any set in the future unless the

	    DACL is cleared first)

   clear  - Assigns a NULL DACL to the object giving all computer accounts full

	    permissions. With this option, an account and permissions are not

	    required



[account] is the user account or group to set the permissions for. It can be

	  a fully qualified account such as "DOMAIN\Administrators" or a locale

	  one such as "Everyone". An account is not required when action has

	  been set to clear



[permissions] is one or more arguments defining the access you are setting

	      There are 4 preset permission groupings READ, WRITE, EXECUTE, ALL

	      which define all necessary permissions for that action

	      (see perm.html)

	      You can also choose to use the finer grained control offered by

	      entering the numbers for the individual permissions as found in

	      perm.html



Examples: if you wanted to let Power Users execute and read

	  attributes from the moddacl.exe file you'd use ModDACL like this:

moddacl file moddacl.exe allow BUILTIN\\PowerUsers 20 80

	  or alternatively, this is also allowed:

moddacl file moddacl.exe allow BUILTIN\\PowerUsers READ EXECUTE



	  To give all accounts full control over the Windows Audio service

	  use this:

moddacl svc AudioSrv clear



	  Stopping members of the Users group from printing on a specific

	  printer is this east:

moddacl prn "HP LaserJet 2420d" deny Users 4