
JSI Tip 3583. Set Windows NT-based permissions (DACLs) on virtually anything.

The SetACL page contains:

Documentation, Examples, Download, Project page, Forums, News, Bug reports, Feature requests

Overview
SetACL is a set of routines for managing Windows permissions (ACLs) from the command line, from scripts and from programs. These routines can be used from various container or interface programs. Currently there exists a command line version to be used in batch files or scripts. An ActiveX DLL is to follow soon.
History
SetACL 2.x is loosely based on my first SetACL program 0.x, which I started developing in March 2001 and improved continually. After some time I realised that the design and implementation of that old version were not up to the many new features and improvements I had in mind. So, in late December 2002, I started from scratch, using a much more flexible design approach, which resulted in the completely rewritten SetACL V2.
Main features
  • Supported object types: files and directories, registry keys, printers, services, network shares.
  • Manage permissions on local or remote systems in trusted or untrusted domains or workgroups.
  • Set multiple permissions for multiple users/groups at once.
  • All standard and specific permissions of Windows 2000/XP are supported.
  • Control how permissions are inherited by sub-objects (permission applies to: sub-folders, files, ...)
  • Block permission inheritance ("protect" objects).
  • List permissions.
  • Backup and Restore permissions.
  • All operations work on a single object or recursively on a (directory/registry) tree.
  • Set the owner to any user/group.
  • Edit permission and/or auditing entries (DACL and/or SACL editing).
  • Use of privileges: as an administrator, you have access to any file or directory, even the ones you do not have permission to and where you are not the owner (just like a backup program).
  • Unicode support: object names with Unicode characters are processed correctly.
  • Clear ACLs: remove any non-inherited entries (ACEs).
  • Reset permissions on all sub-objects and enable propagation of inherited permissions.
  • Remove a user/group from an ACL: completely removes any entry belonging to a certain user/group.
  • Replace a user/group: replace all entries of one user/group by another user/group.
  • Copy a user/group: copy all entries of one user/group to another user/group.
  • All functions can be used concurrently: this allows for very powerful commands that run fast, since time consuming steps (like recursing a large file system) are performed only once.
  • Exclude (filter) object names not to be processed by keyword(s).
Requirements
SetACL works on all Windows NT based operating systems from Windows 2000 onwards. The newer, the better.
