Modify Access Permissions Using SubInAcl

Microsoft has made available a downloadable tool called SubInAcl for Windows XP. Using this tool you can change the ownership and modify the access rights of files, folders, services and parts of the registry. You can download it from http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B . After downloading, execute the MSI package subinacl.msi. When it asks for the install location, choose your Windows folder. Your Windows folder may be in a different location; you can use the environment string %windir% too.

After the installation is finished, you should have subinacl.exe in your Windows folder. Now you are ready to use this command line tool.

Setting ownership

To change the ownership of a file or folder, give this command:

subinacl /file [filename] /setowner=[user]

Here [filename] is the file or folder name. If it contains a space, enclose it in double quotation marks, e.g., "C:\Program Files". The [user] is the username you are setting as the owner. It can also be a group name such as Everyone or Administrators.

To change the ownership of a folder and all its subfolders, give this command:

subinacl /subdirectories [foldername] /setowner=[user]

To change the ownership of a registry key, give this command:

subinacl /keyreg [registry_key] /setowner=[user]

where [registry_key] is the name of a registry key such as HKEY_LOCAL_MACHINE\Software\Microsoft. If it contains a space, enclose it in double quotation marks.

To change the ownership of a registry key and all subkeys under it, give this command:

subinacl /subkeyreg [registry_key] /setowner=[user]

This will change the ownership of this key and all the subkeys under it.

Granting or changing permissions

If a user does not already have any permission, you need to grant him/her permission. To grant or change permissions on a folder or file, give this command:

subinacl /file [filename] /grant=[user]=[Access]

where [filename] is the file or folder name for which you are granting permission, [user] is the username of the user you are granting permission to, and [Access] is the type of access you want to grant. It can be F for full access, R for read-only access, etc. For the complete list, see the documentation.

Similarly, you can grant permissions for a folder and all its subfolders, a registry key, a registry key and all its subkeys using the switches /subdirectories, /keyreg, /subkeyreg respectively.

If you use /sgrant instead of /grant, then all existing permissions of that user (or group) will be wiped before the new permissions are granted.

Revoking permissions

To revoke a user's permission, give this command:

subinacl /file [filename] /revoke=[username]

This revokes that user's or group's permissions for that file or folder. Similarly, you can revoke permissions for a folder and all its subfolders, a registry key, or a registry key and all its subkeys using the switches /subdirectories, /keyreg and /subkeyreg respectively.
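The ownership, grant and revoke commands above can be wrapped so that every change is previewed and the security descriptor is shown before and after it. The following PowerShell function is an added example, not part of SubInAcl or of the original article; the function name, its parameters and the sample path and account are hypothetical, and it assumes subinacl.exe is on the PATH and uses SubInAcl's /display action to print the current settings.

```powershell
# Added example; Invoke-SubInAclChange and its parameters are hypothetical,
# not part of SubInAcl. Assumes subinacl.exe is on PATH (e.g. in %windir%).
function Invoke-SubInAclChange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('file', 'subdirectories', 'keyreg', 'subkeyreg')]
        [string]$ObjectType,
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('setowner', 'grant', 'sgrant', 'revoke')]
        [string]$Action,
        [Parameter(Mandatory)][string]$Account,
        [string]$Access          # e.g. F or R; only used with grant/sgrant
    )

    $isGrant = $Action -in 'grant', 'sgrant'
    if ($isGrant -and -not $Access) {
        throw "/$Action needs an access value such as F or R."
    }
    if (-not $isGrant -and $Access) {
        throw "/$Action does not take an access value."
    }
    # Full access for a broad group is rarely intended; make the caller look twice.
    if ($isGrant -and $Access -eq 'F' -and $Account -eq 'Everyone') {
        Write-Warning "Granting F to Everyone on $Target."
    }

    # SubInAcl's grant syntax is /grant=account=access; other actions take only the account.
    $change = "/$Action=$Account"
    if ($isGrant) { $change += "=$Access" }

    # PowerShell quotes $Target for the native command when it contains spaces.
    $objectArgs = @("/$ObjectType", $Target)

    # Read-only: show the security descriptor before anything is changed.
    & subinacl.exe @objectArgs /display

    if ($PSCmdlet.ShouldProcess($Target, "subinacl /$ObjectType $change")) {
        & subinacl.exe @objectArgs $change
        & subinacl.exe @objectArgs /display   # confirm the result
    }
}

# Constructed sample values: preview with -WhatIf first, then rerun without it.
Invoke-SubInAclChange -ObjectType file -Target 'C:\Program Files\Example App' `
    -Action grant -Account 'EXAMPLE\jsmith' -Access R -WhatIf
```

With /subdirectories or /subkeyreg the before and after listings cover every object under the target, so redirect them to a file when the tree is large.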

The commands mentioned above are only a fraction of things that subinacl can do. To see the full set of commands, type subinacl /full /help in the command prompt window.