joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Modifying ACLs on SAM objects (on local machines, not in AD…)

by @ 5:55 pm on 6/27/2006. Filed under tech

I recently fielded a question on how to read/modify the ACL on a local group on a workstation. This made me think back, because I haven’t done ACL mods on workstations in a while, and then I realized I had never seen it done. I thought about it… does a local group in the SAM have an ACL? Yes, of course: if, say, a Power User creates a group, that specific user can modify that group and later remove it if they want, but other Power Users can’t. That screams Creator/Owner and ACLing…

So before I responded back with the incorrect response that I don’t know of a tool that can do this, I looked at my old friend SUBINACL… I looked through the options and sure enough… there it is… /samobject.


G:\>subinacl /samobject administrator

=========================
+SamObject administrator
=========================
/control=0x0
/owner             =builtin\administrators
/primary group     =builtin\administrators
/audit ace count   =2
/aace =everyone         SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80    SUCCESSFUL_ACCESS_ACE_FLAG-0x40FAILED_ACCESS_ACE_FLAG-0x0x80

          USER_WRITE_PREFERENCES-0x00004          USER_CHANGE_PASSWORD-0x00040
/aace =anonymous logon  SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80    SUCCESSFUL_ACCESS_ACE_FLAG-0x40FAILED_ACCESS_ACE_FLAG-0x0x80

        STANDARD_RIGHTS_REQUIRED-0xf0000             USER_READ_GENERAL-0x00001
           USER_READ_PREFERENCES-0x00002        USER_WRITE_PREFERENCES-0x00004
                 USER_READ_LOGON-0x00008             USER_READ_ACCOUNT-0x00010
              USER_WRITE_ACCOUNT-0x00020          USER_CHANGE_PASSWORD-0x00040
      USER_FORCE_PASSWORD_CHANGE-0x00080              USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200  USER_WRITE_GROUP_INFORMATION-0x00400
/perm. ace count   =3
/pace =everyone         ACCESS_ALLOWED_ACE_TYPE-0x0

               USER_READ_GENERAL-0x00001         USER_READ_PREFERENCES-0x00002
                 USER_READ_LOGON-0x00008             USER_READ_ACCOUNT-0x00010
            USER_CHANGE_PASSWORD-0x00040              USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
        Full Control

        STANDARD_RIGHTS_REQUIRED-0xf0000             USER_READ_GENERAL-0x00001
           USER_READ_PREFERENCES-0x00002        USER_WRITE_PREFERENCES-0x00004
                 USER_READ_LOGON-0x00008             USER_READ_ACCOUNT-0x00010
              USER_WRITE_ACCOUNT-0x00020          USER_CHANGE_PASSWORD-0x00040
      USER_FORCE_PASSWORD_CHANGE-0x00080              USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200  USER_WRITE_GROUP_INFORMATION-0x00400
/pace =sfmxp32\administrator    ACCESS_ALLOWED_ACE_TYPE-0x0
        Write

          USER_WRITE_PREFERENCES-0x00004          USER_CHANGE_PASSWORD-0x00040
Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : administrator
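Reading one object’s descriptor by hand is fine for a single workstation; across many machines the useful next step is to parse the /samobject dump and flag which principals can actually write to the object (change account data, force a password change, or rewrite the DACL via the standard rights), as opposed to the read and self-service change-password rights that Everyone holds by default. The Python below is an added example, not part of the original post and not part of SUBINACL; it parses the output format shown above, using the lines quoted above as a constructed sample. The is_write_right classification (and its substring check for group member rights, which the post never shows) is my assumption, as is the allow-list/self-ACE logic in unexpected_writers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "subinacl /samobject administrator" output quoted in the post, trimmed to
# one audit ACE and the three permission ACEs. The audit ACE's flag line keeps subinacl's own
# run-together text ("...-0x40FAILED_...-0x0x80"), which the parser has to survive.
SAMPLE_OUTPUT = r"""
+SamObject administrator
/owner             =builtin\administrators
/aace =everyone         SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80    SUCCESSFUL_ACCESS_ACE_FLAG-0x40FAILED_ACCESS_ACE_FLAG-0x0x80

          USER_WRITE_PREFERENCES-0x00004          USER_CHANGE_PASSWORD-0x00040
/perm. ace count   =3
/pace =everyone         ACCESS_ALLOWED_ACE_TYPE-0x0
               USER_READ_GENERAL-0x00001         USER_READ_PREFERENCES-0x00002
                 USER_READ_LOGON-0x00008             USER_READ_ACCOUNT-0x00010
            USER_CHANGE_PASSWORD-0x00040              USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
        STANDARD_RIGHTS_REQUIRED-0xf0000             USER_READ_GENERAL-0x00001
           USER_READ_PREFERENCES-0x00002        USER_WRITE_PREFERENCES-0x00004
                 USER_READ_LOGON-0x00008             USER_READ_ACCOUNT-0x00010
              USER_WRITE_ACCOUNT-0x00020          USER_CHANGE_PASSWORD-0x00040
      USER_FORCE_PASSWORD_CHANGE-0x00080              USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200  USER_WRITE_GROUP_INFORMATION-0x00400
/pace =sfmxp32\administrator    ACCESS_ALLOWED_ACE_TYPE-0x0
        Write
          USER_WRITE_PREFERENCES-0x00004          USER_CHANGE_PASSWORD-0x00040
"""

ACE_HEADER = re.compile(r"^/(aace|pace)\s*=(.*?)\s+([A-Z_]+_ACE_TYPE)-0x([0-9a-f]+)$")
OWNER = re.compile(r"^/owner\s*=(.*)$")
# subinacl prints hex in lower case; lower-case-only digits stop "-0x40FAILED_..." eating the next name.
TOKEN = re.compile(r"([A-Z_]+)-0x([0-9a-f]+)")

@dataclass
class Ace:
    kind: str                                   # "audit" (/aace) or "perm" (/pace)
    principal: str
    ace_type: str
    flags: dict = field(default_factory=dict)   # *_ACE_FLAG name -> value
    rights: dict = field(default_factory=dict)  # access-right name -> bit value

@dataclass
class SamObjectAcl:
    name: str = ""
    owner: str = ""
    aces: list = field(default_factory=list)

def parse_samobject(text: str) -> SamObjectAcl:
    """Parse what subinacl prints for one SAM object into its owner plus a list of ACEs."""
    acl, current = SamObjectAcl(), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue                            # blank separator inside an ACE
        if line.startswith("+SamObject "):
            acl.name = line.split(" ", 1)[1].strip()
        elif m := OWNER.match(line):
            acl.owner = m.group(1).strip()
        elif m := ACE_HEADER.match(line):
            current = Ace("audit" if m.group(1) == "aace" else "perm", m.group(2), m.group(3))
            acl.aces.append(current)
        elif not line.startswith(" "):
            current = None                      # any other metadata or trailer line ends the ACE
        elif current is not None:               # indented rights/flags line; "Write" yields no tokens
            for name, value in TOKEN.findall(line):
                target = current.flags if name.endswith("_ACE_FLAG") else current.rights
                target[name] = target.get(name, 0) | int(value, 16)
    return acl

def is_write_right(name: str) -> bool:
    """Rights that change the object or its security descriptor (assumed classification).
    USER_CHANGE_PASSWORD is excluded: it is the self-service change that Everyone holds by default."""
    return (name in ("STANDARD_RIGHTS_REQUIRED", "WRITE_DAC", "WRITE_OWNER", "DELETE")
            or "WRITE" in name or "ADD_MEMBER" in name or "REMOVE_MEMBER" in name
            or name == "USER_FORCE_PASSWORD_CHANGE")

def writers(acl: SamObjectAcl) -> dict:
    """Principal -> sorted write-type rights, counting ACCESS_ALLOWED permission ACEs only."""
    out = {}
    for ace in acl.aces:
        if ace.kind == "perm" and ace.ace_type == "ACCESS_ALLOWED_ACE_TYPE":
            out.setdefault(ace.principal, set()).update(r for r in ace.rights if is_write_right(r))
    return {p: sorted(w) for p, w in out.items() if w}

def unexpected_writers(acl: SamObjectAcl, allowed: set, tolerate_self: bool = True) -> list:
    """Writers that are neither allow-listed nor (optionally) the object's own account."""
    allowed = {p.lower() for p in allowed}
    return sorted(p for p in writers(acl)
                  if p.lower() not in allowed
                  and not (tolerate_self and p.lower().split("\\")[-1] == acl.name.lower()))

if __name__ == "__main__":
    acl = parse_samobject(SAMPLE_OUTPUT)
    for principal, rights in writers(acl).items():
        print(f"{acl.name} (owner {acl.owner}): {principal} -> {', '.join(rights)}")
    print("unexpected writers:", unexpected_writers(acl, {r"builtin\administrator" + "s"}))
```

On the sample, the only writers are builtin\administrators (full control) and sfmxp32\administrator, which holds just write-preferences and change-password on its own account; with builtin\administrators allow-listed and the self entry tolerated, nothing is flagged. Feeding the same parser the dump of a group object and allow-listing only the principals that should be able to change it is the check Mike’s question at the end is really after.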

3 Responses to “Modifying ACLs on SAM objects (on local machines, not in AD…)”

  1. Steve Kelly says:

    I am feeling sort of déjà vu all over again. I was thinking of asking you about this, but I don’t think I did. I can’t quite figure out your answer though… By the way, thanks again for all your hard work.

  2. joe says:

    Hi Steve,

    You use the /samobject switch to specify the SAM Object that you want to modify. So if you wanted to modify the group MyUsers such that the user someuser has FC on it you would do something like

    subinacl /samobject MyUsers /grant=someuser=f

  3. Mike Sandells says:

    This seems to work for local users and groups, but it doesn’t seem to work for builtin objects. For example, this works:

    subinacl /samobject administrator

    but these don’t:

    subinacl /samobject administrators
    subinacl /samobject builtin\administrators
    subinacl /samobject S-1-5-32-544

    They all report “No mapping between account names and security IDs was done”, just as if there was no object of that name.

    Is there any way of changing the ACLs on the builtin objects? (e.g. to grant a domain group the permission to add users to the builtin administrators group on a workstation)
