UGTS Document #20 - Last Modified: 8/29/2015 3:23 PM
Using subinacl.exe

Subinacl.exe is a resource kit tool included with Windows Server 2000 and 2003, and it can be downloaded from Microsoft for free for use on any Windows system.  It permits programmatically changing ACLs on files and folders.  However, the license agreement does not permit redistribution, so you can only use it for system administration tasks, not redistribute it as part of a software package.

The latest version of subinacl.exe is build 5.2.3790.1180, which can be downloaded from Microsoft.  This version fixes a large number of command line parsing bugs present in the RTM version and should be used in place of it.  If you find that your command line parameters are properly constructed but nothing happens and you get no errors, make sure you're using build 1180.

The most common reason you need to run subinacl is that you have a large number of directories where the file permissions have been set individually to deny you access to view, copy, or delete the contents, and changing them one by one would take too long.  However, note that if you are running subinacl because you suspect filesystem corruption, you should first run chkdsk to clean up that corruption and then use subinacl, or you'll be wasting your time with subinacl - it might skip certain files due to errors.

To gain full control over a folder and all of its contents, you must first take ownership of it recursively and then grant yourself access to it recursively. For example, suppose you have an old user directory such as "C:\Documents and Settings\Old User" that you want to take ownership of and then grant yourself access to, so that you can copy or delete it, and suppose that your user account name is "UGTS\Admin User".  To do that, you would run the following four commands:

subinacl /subdirectories "C:\Documents and Settings\Old User" /setowner="UGTS\Admin User"
subinacl /subdirectories "C:\Documents and Settings\Old User\*.*" /setowner="UGTS\Admin User"
subinacl /subdirectories "C:\Documents and Settings\Old User" /grant="UGTS\Admin User"
subinacl /subdirectories "C:\Documents and Settings\Old User\*.*" /grant="UGTS\Admin User"

In each case, double quotes are used around the path and the account name because they contain spaces. Note that if you omit double quotes when they are necessary, or if the account or domain name is not a valid account, you will get error 1337 - The security ID structure is invalid. Also note that if the path is not exactly correct and does not exist, the commands will silently finish without any errors. Another way the command might work, but not in the way you intend, is if you specify an account which exists but is disabled. For example, you might grant access to the Administrator account, forgetting that you had disabled that account. The subinacl command will complete without errors, but afterwards you will not have the access you supposed you would have. Make sure that you select the right account before running the command.

In this example, the first two commands take ownership of the parent folder, and then of all the items under it. Similarly, the next two commands grant access to the parent folder, and then to all of the items under it.

Note that if you already have access to the parent folder, lines 1 and 3 can be skipped; you only need to run lines 2 and 4.
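The four-step procedure above, wrapped in a PowerShell script that performs the checks this page warns about (missing path, unresolvable account, disabled account) before calling subinacl. This is an added example, not code from the original page or from Microsoft; it assumes subinacl.exe build 1180 is on the PATH, that the account is a local one (Get-LocalUser is used for the disabled check), and the path and account values are placeholders.

```powershell
# Added example (not from the original page). Assumes subinacl.exe build
# 5.2.3790.1180 is on the PATH. $Path and $Account are placeholder defaults.
param(
    [string]$Path    = 'C:\Documents and Settings\Old User',
    [string]$Account = 'UGTS\Admin User'
)

# Check 1: a path that does not exist makes subinacl finish silently with
# no errors, so fail loudly here instead.
if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Path does not exist: $Path"
}

# Check 2: an account that cannot be resolved gives subinacl error 1337
# (invalid security ID). Resolving the name to a SID up front surfaces that
# before any ACL is touched.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Account cannot be resolved to a SID: $Account ($_)"
}

# Check 3: subinacl accepts a disabled account without complaint, but the
# granted access is unusable. Only local accounts are checked here
# (assumption); a domain account would need Get-ADUser instead.
$user  = $Account.Split('\')[-1]
$local = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
if ($local -and -not $local.Enabled) {
    throw "Account is disabled: $Account"
}

# The four commands from the page, in order: take ownership of the parent
# folder, then of everything under it; then grant access to the parent,
# then to everything under it. PowerShell quotes arguments containing
# spaces, so subinacl receives the same argv as the cmd.exe form with quotes.
$steps = @(
    @('/subdirectories', $Path,       "/setowner=$Account"),
    @('/subdirectories', "$Path\*.*", "/setowner=$Account"),
    @('/subdirectories', $Path,       "/grant=$Account"),
    @('/subdirectories', "$Path\*.*", "/grant=$Account")
)
foreach ($step in $steps) {
    Write-Host "subinacl $($step -join ' ')"
    & subinacl.exe @step
    if ($LASTEXITCODE -ne 0) { throw "subinacl failed ($LASTEXITCODE) on: $step" }
}
Write-Host "Done: $Account ($sid) now owns and has access to $Path"
```

Run it from an elevated PowerShell prompt; the script stops at the first failed check rather than letting subinacl report success on a step that changed nothing.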

A final warning about subinacl: use it with extreme caution if you're using it to update ACLs on system directories or system registry keys such as CLSID, Classes, Interface, Typelib, etc. Changing ownership of these folders or keys can be disastrous if it ends up denying access to the local SYSTEM account. Windows may immediately freeze up because various system COM components can no longer be instantiated, and you may not be able to start the system again, almost like giving your computer a heart attack. If such a thing happens, you might have to boot into the Last Known Good Configuration, run System Restore, or boot to an alternate OS or the Recovery Console and manually replace the system registry files with the last backed-up copy.