

SubInACL.exe Tool Overview, Use Cases and Permissions


SubInACL is a powerful command-line tool that is available in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. SubInACL allows you to directly edit the security information of any object. This includes managing the permissions, ownership, or audit information on a huge variety of objects.

SubInACL is a tool for working with Access Control Lists (ACLs), which are a fundamental part of the way that user permissions and access are controlled in Windows. If you are new to the concept of ACLs, read the Microsoft documentation on ACLs before working through this guide.


The primary value of SubInACL, for network administrators, is that it allows them a much greater level of control over access permissions to network objects. You can use SubInACL to modify information on files, directories, file shares, and printer shares, but also to control permissions on registry keys, system services, and the Microsoft IIS Metabase.

In this article, we’ll look at what SubInACL is and how to use it.

Quick Review: What is SubInACL?


SubInACL is a command-line tool that enables network and system administrators to obtain security information about files, registry keys, and services. You can then use the tool to transfer this information from user to user, from local or global group to group, and from domain to domain.

The most common use that most admins will have for SubInACL is for migrating users from one domain to another. For example, if a user has moved from one domain (DomainA) to another (DomainB), the administrator can replace DomainA\User with DomainB\User in the security information in this user’s files. This gives the user access to the same files from the new domain.

SubInACL also enables administrators to do many other related tasks. The most useful, and most commonly used, of these are:

  • Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
  • Change the owner of an object.
  • Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
  • Migrate security information about objects. This is useful if you have reorganized a network’s domains and need to migrate the security information for files from one domain to another.

System Requirements

You can install SubInACL from the Microsoft support page here. The tool is supported on a wide range of platforms and Windows Operating Systems. You can download and install SubInACL.exe on any of the following operating systems:

  • Windows 2000 Professional
  • Windows 2000 Server
  • Windows 2000 Advanced Server
  • Windows 2000 Datacenter Server
  • Windows XP Professional
  • Windows Server 2003, Web Edition
  • Windows Server 2003, Standard Edition
  • Windows Server 2003, Enterprise Edition
  • Windows Server 2003, Datacenter Edition

How To Install SubInACL

To Install SubInACL on a standard Windows system:

  1. First, navigate to the Microsoft download page here. Click the Download button to start the download.
  2. In the File Download dialog box, select Save this program to disk.
  3. Select a location on your computer to save the file, and then click Save.
  4. In Windows Explorer, go to the location where you saved the downloaded file, double-click the file to start the installation process, and then follow the instructions.
  5. The downloaded file is a Microsoft Software Installer (.msi) file. By running the file, you install the tool and documentation on your computer.

As you are installing the tool, you will be prompted to choose an install directory. If the Windows Server 2003 Resource Kit is installed, install the tool in the Resource Kit directory to avoid an overly large system path and to ensure more reliable upgrades. When you install the Resource Kit, the recommended directory is C:\Program Files\Windows Resource Kits\Tools.

SubInACL.exe Use Cases


SubInACL can be used to perform many of the common tasks required of system and network administrators. However, its primary strength is the access it gives you to permissions on your systems, and to object security in general. The tool is an important part of preventing unintended permission propagation, as well as keeping an eye on your access-control structure more generally.

In this section, we’ll run through some use cases of SubInACL, and show you how to complete these common tasks.

1. Viewing ACLs

ACLs are entities that govern permissions; each entry on an ACL is called an access control entry (ACE). Imagine that the permissions on a file in a domain give Full Control to administrators, Full Control to Alice, and No Access to Bob. In this case, the file’s ACL will contain three ACEs, which describe access for administrators, Alice, and Bob. To show a file’s ACL in SubInACL, use the command:

SubInACL /verbose=1 /file c:\testfile.txt /display

where c:\testfile.txt is the path of the file to inspect.

The output from this command shows the filename, then the file owner’s name. Next, it shows the number of audit ACEs (aaces) and permission ACEs (perm. aces, or paces), and then provides information about each of those ACEs.

In Windows 2000 and NT, you can specify what to audit: for instance, whenever Alice fails to write to the file or whenever Bob fails to read the file. SubInACL expresses those terms as audit ACEs. Permission ACEs are the permissions that let users examine or modify a file or directory.

This example contains three permission ACEs because the ACL contains one ACE for administrators, one for Alice, and one for Bob. Each of the next three lines applies to a permission ACE. The Type value specifies whether the ACE is a Deny ACE or an Allow ACE: 0x1 represents a Deny ACE and 0x0 represents an Allow ACE.

The AccessMask value defines the ACE’s permissions. To decode the AccessMask value into specific permissions, you can examine the bits in the value or run the SubInACL command with the /verbose=2 option, which displays the permission as text, instead of the /verbose=1 option.
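To make the AccessMask decoding step concrete, here is an added Python helper (not from the original article or from SubInACL itself) that expands a hex AccessMask into the standard Windows file access rights and labels each ACE as Allow or Deny from its Type value. The ACE values it runs on are constructed to match the three-ACE scenario above.

```python
# Added example, not from the article: decode the Type and AccessMask values that
# "SubInACL /verbose=1 ... /display" prints for each permission ACE (PACE).
# The bit values are the standard Windows file access rights from winnt.h.

# Individual access-right bits for file objects, lowest bit first.
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Well-known combinations, as the Explorer security tab names them.
NAMED_LEVELS = {
    0x001F01FF: "Full Control",
    0x001301BF: "Modify",
    0x001200A9: "Read & Execute",
    0x00120089: "Read",
    0x00000116: "Write",
}

ACE_TYPES = {0x0: "Allow", 0x1: "Deny"}   # Type values as described in the article


def decode_access_mask(mask: int) -> list[str]:
    """Return the name of every right bit set in an AccessMask value."""
    names = [name for bit, name in FILE_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(FILE_RIGHTS)          # bits this table does not name
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:08X})")
    return names


def named_level(mask: int) -> str:
    """Map a mask to its well-known name, or 'Special' for any other combination."""
    return NAMED_LEVELS.get(mask, "Special")


def summarize_ace(ace_type: int, mask: int, account: str) -> dict:
    """Turn one PACE (Type, AccessMask, account) into a readable summary.
    Unknown Type values are reported rather than silently treated as Allow."""
    effect = ACE_TYPES.get(ace_type, f"UNKNOWN(0x{ace_type:X})")
    return {
        "account": account,
        "effect": effect,
        "level": named_level(mask),
        "rights": decode_access_mask(mask),
        # A Deny ACE is the one that blocks access; flag it explicitly so a
        # reviewer does not misread a Deny with mask "Full Control" as a grant.
        "blocks_access": effect == "Deny",
    }


# Constructed sample: the article's scenario, i.e. Full Control for
# administrators and Alice, and an explicit Deny ("No Access") for Bob.
SAMPLE_ACES = [
    (0x0, 0x1F01FF, r"BUILTIN\Administrators"),
    (0x0, 0x1F01FF, r"example\alice"),
    (0x1, 0x1F01FF, r"example\bob"),
]


def summarize_all(aces=SAMPLE_ACES) -> list[dict]:
    """Summarise a whole permission ACL (list of (Type, AccessMask, account))."""
    return [summarize_ace(t, m, a) for t, m, a in aces]


if __name__ == "__main__":
    for s in summarize_all():
        print(f"{s['effect']:5} {s['level']:14} {s['account']}  {', '.join(s['rights'])}")
```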

2. Adding ACEs

You can also use SubInACL to modify file and directory permissions. The following command adds an ACE allowing the Read permission for a new user, Larry, in a company named Example.

SubInACL /file c:\testfile.txt /grant=example\larry=R

In this command, the /file option tells SubInACL that the command will work on a file object. Other object types are:

  • A system service (/service),
  • A registry key (/keyreg or /subkeyreg),
  • A set of folders and any subfolders within them (/subdirectories),
  • A shared folder (/share),
  • A cluster file share (/clustershare),
  • A kernel object (/kernelobject),
  • Or the IIS Metabase (/Metabase).

The c:\testfile.txt parameter specifies the file the command will work on; you can use wildcards in the filename.

The /grant option tells SubInACL to create a new Allow ACE rather than create a new Deny ACE (/deny) or edit an existing ACE (/replace). The next parameter specifies the account name, and the final character specifies the permission to grant.

SubInACL recognizes R (Read), F (full control), C (change, which is the same as modify), P (change permissions), O (take ownership), X (execute), E (read and execute), W (write), and D (delete).

Notice that although SubInACL displays permissions only at the low level (as AccessMask bits), you can grant only the high-level permission letters listed above. The sample parameter /grant=example\larry=R instructs SubInACL to create an ACE that gives Read (R) permission to the account example\larry.

To deny permissions, use the /deny command. For example, the following command prevents Larry from writing to the file.

subinacl /file c:\testfile.txt /deny=example\larry=W


You can specify multiple Allow ACEs or Deny ACEs. For example, to grant Read and Write access to Larry, simply tack the permission parameters together, as in example\larry=RW. However, SubInACL can’t handle both types of ACE for the same person—for example, you might want Larry to have Read access but not Write access, but you can’t use a combination of Allow and Deny ACEs.

You can use wildcards to change permissions on multiple files in a directory, but if you want to make changes to an entire disk or a directory tree within a disk, you can use SubInACL’s /subdirectories option. For instance, suppose you want to grant Alice Full Control of all subfolders and files in C:\testfolder. Type:

subinacl /subdirectories c:\testfolder\* /grant=example\alice=F


Notice that you must include the backslash and wildcard after c:\testfolder; otherwise, SubInACL will set the permission on the specified folder itself rather than on all files and subfolders in that folder.

3. Replacing, Deleting, and Cleaning Up SIDs

Imagine that you have a bunch of files that only one employee—Laurie—can access. Laurie then leaves the company, and Janet takes her place. Janet needs access to all those files. Solving this problem is sometimes called re-ACLing because normally (that is, without SubInACL) you will have to edit the files’ ACLs one by one from the GUI. This will take forever.

Instead, you can use SubInACL to accomplish the task in just one line:

subinacl /file * /replace=example\laurie=example\janet

This command works in the following way. It examines every ACE on every file in the current directory and then replaces Laurie’s SID with Janet’s SID in every ACE that refers to Laurie. You can even use a replacement SID from another domain, as long as your domains trust one another.

Suppose that instead of substituting Janet’s SID for Laurie’s SID, you want to delete all the ACEs that refer to Laurie, because she left the company. You can use SubInACL’s /revoke option. For example, to remove all traces of Laurie from a server’s C:\ drive, type:

subinacl /subdirectories c:\* /revoke=example\laurie


SubInACL also supports a nearly identical option, /suppresssid, which has an extra feature. With this switch, when the user account being revoked owns the file, SubInACL changes the file’s owner to the Everyone group.

Have you ever looked at a file’s permission list and seen not the usual user icon but an outline of a head with the name Account Unknown? That icon means that the account that held the permission has been deleted. Over time, your organization’s ACLs can become cluttered with these leftovers. SubInACL can clean them up with the /cleandeletedsidsfrom option (which must specify the domain):

subinacl /subdirectories c:\* /cleandeletedsidsfrom=example


SubInACL vs iCACLs

SubInACL is only one of the tools available to Windows administrators for viewing and modifying ACLs. The iCACLS command allows you to display or change Access Control Lists (ACLs) for files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (which was used in Windows XP).

To show current NTFS permissions on a specific folder (for example, C:\Users), open a Command prompt and run the command:

icacls c:\Users

This command will return a list of all users and groups who are assigned permissions to this directory.

Though iCACLS is a useful tool for quickly checking and modifying permissions, it does not offer the full range of features that SubInACL provides. For this reason, most system administrators will use SubInACL almost exclusively when it comes to working with ACLs.

How To Use SubInACL for Permissions


One of the primary uses of SubInACL is to work with user permissions. The use examples we’ve given above show you some fairly basic ways to work with permissions, but in this section, we’ll go into more detail.

Working With Permissions With SubInACL: The Basics

The basic syntax of SubInACL is analogous to that of the find tool in UNIX. For each object, SubInACL:

  • Retrieves the security descriptor of the ObjectName object.
  • Applies one or more actions, which are executed in the order in which they appear on the command line.

If the security descriptor has been modified and the /testmode switch has not been specified, the changes are applied to the object. You can specify as many actions as you like; action names may be abbreviated, but you must give at least the first three characters of each. The syntax is not case-sensitive.

SubInACL allows you to modify each part of a security descriptor:

  • Owner
  • Primary group
  • System access control list (SACL) and its access control entries (ACEs) (referred to by SubInACL as audit ACL and AACE, respectively)
  • Discretionary ACL and ACEs (referred to by SubInACL as permission ACL and PACE, respectively)

The security descriptor references a user or group by using a security identifier (SID). A SID can be expressed in one of the following forms:

  • DomainName\Account (for example, DOM\Administrators)
  • StandaloneServer\Group
  • Account
  • s-1-x-x-x-x-x-x
    Where x is expressed in decimal (for example, S-1-5-21-56248481-1302087933-1644394174-1001).

SubInACL maintains a local cache of SIDs to minimize “SID-to-human name” translation costs for the network.

The following permission ACEs (PACEs) are used with the /grant and /deny parameters:

File PACEs

The following PACEs are valid for file objects:

PACE Description
F Full Control
C Change
R Read
P Change Permissions
O Take Ownership
X eXecute
E Read eXecute
W Write
D Delete

Cluster Share PACEs

The following PACEs are valid for cluster share objects:

PACE Description
F Full Control
R Read
C Change

Printer PACEs

The following PACEs are valid for printer objects:

PACE Description
F Full Control
M Manage Documents
P Print

Registry PACEs

The following PACEs are valid for registry key and registry subkey objects:

PACE Description
F Full Control
R Read
A ReAd Control
Q Query Value
S Set Value
C Create SubKey
E Enumerate Subkeys
Y NotifY
L Create Link
D Delete
W Write DAC
O Write Owner

Services PACEs

The following PACEs are valid for services:

PACE Description
F Full Control
R Generic Read
W Generic Write
X Generic eXecute
L Read controL
Q Query Service Configuration
S Query Service Status
E Enumerate Dependent Services
C Service Change Configuration
T Start Service
O Stop Service
P Pause/Continue Service
I Interrogate Service
U Service User-Defined Control Commands

Share PACEs

The following PACEs are valid for share objects:

PACE Description
F Full Control
R Read
C Change

Metabase PACEs

The following PACEs are valid for metabase objects:

PACE Description
F Full Control

Process PACEs

The following PACEs are valid for process objects:

PACE Description
F Full Control
R Read
W Write
E Execute

SAM Object PACEs

The following PACEs are valid for Security Accounts Manager (SAM) objects:

PACE Description
F Full Control
R Read
W Write
E Execute

How To Access Permissions Using SubInACL

In order to work with permissions in SubInACL, you’ll first have to ensure that you have the authorization to change the permissions that you need. If you are unable to access the permissions for a particular object:

  • Open the command prompt or PowerShell as admin.
  • Navigate to the directory where SubInACL is located, for example by typing cd "C:\Program Files (x86)\Windows Resource Kits\Tools". The location might be different on your particular system.
  • Type SubInACL.exe /subdirectories "\LOCATION THAT YOU\WANT OWNERSHIP OF\*" /setowner=admin, where admin stands for the account that should become the owner.
  • After it finishes, the system admin (or whoever you set the owner to) should be the owner of all files in that directory and you can change the permissions as you like.

How to Backup Permissions

To back up only the directory permissions, type the line below, changing the locations and the output file name:

  • Open a command prompt or PowerShell as admin
  • Type:
"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /noverbose /outputlog="C:\LOCATION\YOU\WANT\THE\BACKUP\TO\GO\subinaclsave.log" /subdirectories=directoriesonly "D:\LOCATION\YOU\WANT\TO\BACKUP\PERMISSIONS\OF\*.*" /display

To back up the permissions of each individual file, folder, and subfolder in a location (not common, and really slow), type the line below, changing the locations and the output file name:

  • Open a command prompt or PowerShell as admin
  • Type:
"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /noverbose /outputlog="C:\LOCATION\YOU\WANT\THE\BACKUP\TO\GO\subinaclsave.log" /subdirectories "D:\LOCATION\YOU\WANT\TO\BACKUP\PERMISSIONS\OF\*.*" /display

How to Restore Permissions

To restore permissions from a previous backup file, type the line below, changing the location and file name. This restores the permissions to the items they were backed up from.

  • Open a command prompt or PowerShell as admin
  • Type:
"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /playfile "C:\LOCATION\THE\BACKUP\IS\AT\BackupIDidEarlier.log"

To Clone Permissions

To clone permissions from one object or location to a different one:

  • First, back up the permissions of the item or location you want to copy permissions from.
  • Then edit the log file, changing each path\folder\file to the item or location you want to copy to.
  • Open a command prompt or PowerShell as admin.
  • Type:
"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /playfile "C:\LOCATION\THE\BACKUP\IS\AT\BackupIJustEdited.log"

SubInACL Syntax Glossary

If you are an experienced network or system administrator, the syntax of SubInACL will be fairly familiar from other commands. However, below you’ll find a table with the most common commands and options for the tool.

The syntax descriptions below are grouped by how you use SubInACL: getting Help about its features, using it interactively in a console window, or using it within its own scripting environment.

Syntax for Getting Help

The standard syntax for finding commands is as follows:

SubInACL /help [/full | Keyword]

The keywords that SubInACL will accept as part of this command are:

[ /noverbose | /verbose | /verbose=1 | /verbose=2 | /testmode | /notestmode | /file | /subdirectories | /onlyfile | /share | /clustershare | /keyreg | /subkeyreg | /service | /printer | /kernelobject | /metabase | /display | /setowner | /replace | /changedomain | /migratetodomain | /findsid | /suppresssid | /confirm | /perm | /audit | /ifchangecontinue | /cleandeletedsidsfrom | /accesscheck | /setprimarygroup | /grant | /deny | /revoke ]

There are then a number of options that can be used with this command:

Option Description
Displays information about all SubInACL options.
Displays information about all SubInACL actions.
Displays information about all SubInACL object_types.
Displays information about the feature set.
Displays a summary of SubInACL syntax.
Displays a conceptual overview of the SubInACL syntax.
Displays information about how SIDs are expressed, and how SubInACL attempts to translate SIDs.
Displays information about using SubInACL to view security information.
Displays information about using a testing mode to ensure that a SubInACL command is correct.
Displays information about the types of object that SubInACL can work with.
Displays information about moving a user from one domain to another.
Displays information about moving the file system of a server from one domain to another.
Displays information about features of SubInACL that edit security descriptors.

Syntax for Using SubInACL from a Command Line or PowerShell

The basic syntax for using SubInACL from a console or from PowerShell is a command as follows:

SubInACL [/Option ...] /object_type object_name [/Action[=Parameter] ...]

Within this basic structure, you have many parameters you can specify.

/ Option Parameters

/Option can be any of the following:

Option Description
Redirects the output of the command to the specified file. The output will include errors unless the /errorlog option is used, in which case errors are sent to the error log file and all other output is sent to the output log file.
Redirects all errors to the specified file.
Specifies the server that SubInACL will use to look up SIDs, if its first attempt fails. This is useful during some server and domain migrations.
Specifies a text file that matches user names to their SIDs, and directs SubInACL to look up SIDs in this file instead of on the server on which the object is located. This is useful if the domain is inaccessible or no longer exists.
Causes SubInACL to replace all occurrences of String1 in its output with String2.
Allows SubInACL to use environment variables, such as %username%. This is the default value and the opposite of:

Prevents SubInACL from using environment variables. This is useful when SubInACL operates on command files.
Displays statistics when processing is finished. This is the default value.
Suppresses the display of statistics when processing is finished.
After you run SubInACL, you can dump the contents of the local cache SIDs to a file. This file can be used for future SubInACL execution (see /offlinesam) to speed up the SIDs resolution process.
Specifies a character for SubInACL to use in place of the equal sign (=) when it interprets a command. This allows you to specify a string that contains an equal sign within a SubInACL command.
Causes SubInACL to produce shortened output that is easier for people to read. The output of a SubInACL command in /noverbose mode can be saved in a command file and replayed later.
Causes SubInACL to produce detailed output. This is the default level of detail.
This display mode is identical to /verbose mode.
This display mode is identical to /verbose mode.
Runs SubInACL in testing mode so that changes will not be applied to the specified object’s security descriptor.
Runs SubInACL in update mode, so that any changes defined by a SubInACL command will be applied. This is the default value.

/ Object_Type Parameters

/object_type can be any of the following:

Object Type Description
/file [=directoriesonly | =filesonly]
Specifies that object_name is a file object. When the /file parameter is specified, object_name can identify files by using the Universal Naming Convention (UNC) format or by using a local drive letter and path. object_name can contain the * wildcard character.
/subdirectories | /subdirec [=directoriesonly | =filesonly]
Specifies that object_name is a folder (directory) and that SubInACL will use all the files in it and in all its subfolders. When either the /subdirectories or /subdirec parameter is specified, object_name can identify files by using the UNC format or by using a local drive letter and path. object_name can include the * wildcard character.
Opens a file without using the FindFilexxx mechanism. Valid values for object_name when the /onlyfile parameter is specified are named pipes or mailslots.
Specifies that object_name is a Security Accounts Manager (SAM) object, such as a user, local group, or global group.
Specifies that object_name is a network file share.
Specifies that object_name is a cluster file share.
Specifies that object_name is a registry key.
Specifies that object_name is a registry subkey.
Specifies that object_name is a service.
Specifies that object_name is a process.
Specifies that object_name is a printer.
Specifies that object_name is a kernel object. Valid values for object_name can include mutexes, sections, or event objects.
Specifies that object_name is an AdminACL Metabase property of the Microsoft Internet Information Services (IIS) Metabase.


  • This object_type can be used only with the following metabase paths:
    • \LM\MSFTPSVC/n
    • \LM\W3SVC
  • This object_type does not support enumeration

/ Action Parameters

/Action can be any of the following:

Action Description
/display [=dacl | =sacl | =owner | =primarygroup | =sdsize | =sddl]
Displays the security descriptor for the specified object. This is the default action. The optional parameters allow you to specify which parts of the security descriptor SubInACL should display. When used together with /noverbose, /display produces output that can be saved as a command file and replayed with /playfile to reapply the security descriptor to the object.
Changes the owner of the object (/owner=SID or /setowner=SID). Specifying the owner as DomainName\Administrators retrieves the Administrators SID on the server where the object is located.
Changes the owner of the specified object. Owner is a valid SID that can be expressed in four different formats.
Replaces all access control entries (ACEs) (audit ACEs and permissions ACEs) in the specified object.
Replaces the owner or primary group if one of them is DomainName\OldAccount. For example, replacing DOM_MARKETING\ChairMan with NEWDOM\NewChairMan duplicates all ACEs containing DOM_MARKETING\ChairMan, using the NewChairMan SID retrieved from the NEWDOM domain. For more information, see the /replace action.

Replaces all ACEs with an SID from OldDomainName with the equivalent SID found in NewDomainName.
Adds ACEs found in SourceDomain for the specified object to DestinationDomain, while preserving the ACEs in SourceDomain.
/findsid=DomainName\Account[=stop | =continue]
Displays the object_name containing a reference to DomainName\Account in the security descriptor. If =stop is specified and the Account is found, the next parameters will be skipped and changes will not be applied. If =stop is specified and the Account is not found, the next parameters will be executed. If =continue is specified and the Account is found, the next parameters will be executed. If =continue is specified and the Account is not found, the next parameters will be skipped and changes will not be applied.
Suppresses (deletes) all ACEs containing the [DomainName\]Account. If the object’s owner is [DomainName\]Account, the owner is set to Everyone’s SID.
If placed inside a set of actions, prompts the user before processing the next action.
Suppresses all existing PACEs.
Suppresses all existing AACEs.
Continues to process the next actions only if changes have been made by the previous actions.
/cleandeletedsidsfrom=DomainName [=dacl | =sacl | =owner | =primarygroup | =sdsize]
Deletes all ACEs containing deleted (not valid) SIDs from DomainName. The optional parameters allow you to specify certain parts of the security descriptor in which to search for invalid SIDs.
Prevents changes from being applied to the object. This allows you to test the modifications that SubInACL will make.
Displays the access granted to the [DomainName\]UserName. This option requires the SeTcbName privilege (Act As Part of the Operating System), and cannot be used with remote objects.
Changes the primary group.
Adds a PACE for UserName. Valid values for Access depend on the type of object specified in object_name. If Access is not specified, Full Control access is granted.
Adds a denied PACE for the specified user or group. Valid values for Access depend on the type of object specified in object_name. If Access is not specified, all accesses are denied.
Adds a successful AACE for the specified user. If Access is not specified, Full Control access is granted.
Adds a failed AACE for the specified user. If Access is not specified, all accesses are denied.
Denies all PACEs for the specified user or group.
Compresses security descriptors by removing unused entries.
Excludes all containers matching the description of Pattern, and all the objects within those paths. The * wildcard character can be used within Pattern to represent any number of any characters.

Syntax for Using SubInACL Within Its Own Scripting Environment

The syntax for using SubInACL from within its own scripting environment is similar to the standard syntax, but there are some differences. Here is the generic command:

SubInACL [/Option ..] /playfile FileName

/Option
Any of the SubInACL options defined above.

FileName
The name of the SubInACL command file (script file). You can create the file manually, or by issuing a SubInACL command that uses the /noverbose and /display options.

The syntax of the /playfile command file is the same as the syntax of SubInACL when used in a console window, except that:

  • /Option is not used.
  • Each /object_type is preceded by a plus symbol (+) rather than a slash (/).
  • Each /object_type and object_name pair appears together, on the same line.
  • Each action appears on its own line, followed by any applicable parameters.
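As an added example (not part of the original article or of SubInACL itself), here is a small Python helper for the command files that /playfile replays. It follows the four format rules above, rewrites object paths the way the cloning procedure in "To Clone Permissions" requires, and lists every account the file references so a departed user can be spotted before the file is replayed. The sample command file is constructed.

```python
# Added example, not from the article or from SubInACL: parse, rewrite and
# re-emit a SubInACL command file (the input to /playfile). Format rules as the
# article states them: no /Option lines, "+object_type object_name" on one line,
# then one action per line. The sample file below is constructed.
from dataclasses import dataclass, field


@dataclass
class PlayEntry:
    object_type: str                # e.g. "file" (leading "+" stripped)
    object_name: str                # path, registry key, service or share name
    actions: list[str] = field(default_factory=list)   # e.g. r"/grant=DOM\user=R"


def parse_playfile(text: str) -> list[PlayEntry]:
    """Split a command file into (object, actions) entries; reject stray lines."""
    entries: list[PlayEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+"):
            # "+file C:\path\name": split only on the first space so that
            # object names containing spaces survive intact.
            obj_type, _, obj_name = line[1:].partition(" ")
            entries.append(PlayEntry(obj_type.lower(), obj_name.strip()))
        elif line.startswith("/"):
            if not entries:
                raise ValueError(f"action before any object line: {line}")
            entries[-1].actions.append(line)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return entries


def rewrite_object_paths(entries, old_prefix: str, new_prefix: str) -> list[PlayEntry]:
    """The cloning step from the article: point every object at the destination.
    Windows paths are case-insensitive, so the prefix comparison is too.
    Returns new entries; the parsed backup is left untouched."""
    out = []
    for e in entries:
        name = e.object_name
        if name.lower().startswith(old_prefix.lower()):
            name = new_prefix + name[len(old_prefix):]
        out.append(PlayEntry(e.object_type, name, list(e.actions)))
    return out


def render_playfile(entries) -> str:
    """Emit text in the layout /playfile expects (object line, then actions)."""
    lines = []
    for e in entries:
        lines.append(f"+{e.object_type} {e.object_name}")
        lines.extend(e.actions)
    return "\n".join(lines) + "\n"


def accounts_referenced(entries) -> set[str]:
    """Every account named by an owner, grant, deny or revoke action, so a
    departed user (the re-ACLing case) is visible before the file is replayed."""
    accounts = set()
    for e in entries:
        for act in e.actions:
            verb, _, rest = act[1:].partition("=")
            if verb.lower() in ("owner", "setowner", "grant", "deny", "revoke"):
                accounts.add(rest.split("=")[0])
    return accounts


# Constructed sample, shaped like /noverbose /display output for two files.
SAMPLE_PLAYFILE = r"""
+file C:\Projects\Alpha\plan.docx
/owner=EXAMPLE\alice
/grant=BUILTIN\Administrators=F
/grant=EXAMPLE\alice=F
/deny=EXAMPLE\bob=W
+file C:\Projects\Alpha\notes.txt
/owner=EXAMPLE\alice
/grant=EXAMPLE\larry=R
"""

if __name__ == "__main__":
    backup = parse_playfile(SAMPLE_PLAYFILE)
    print("accounts:", sorted(accounts_referenced(backup)))
    print(render_playfile(rewrite_object_paths(backup, r"C:\Projects\Alpha", r"D:\Shares\Beta")))
```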

A Final Word

SubInACL is a powerful tool for working with permissions for system administrators, and in this guide, we’ve shown you how to use the tool. The examples above are just the beginning of what SubInACL can do, though, so use the /help command to explore all the options available to you.

Alternatively, you can check out our guides on advanced uses of PowerShell, and use your new SubInACL skills to explore pentesting or remoting in PowerShell.

Jeff Petters


Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.