I recently fielded a question on how to read or modify the ACL on a local group on a workstation. It made me think, because I haven't done ACL modifications on workstations in a while, and then I realized I had never actually seen it done. I thought about it: does a local group in the SAM even have an ACL? Yes, of course it does. If, say, a Power User creates a group, that specific user can modify the group and later remove it, but other Power Users can't. That screams Creator/Owner and ACLing.
So before I sent back the incorrect response of "I don't know of a tool that can do this", I looked at my old friend SUBINACL. I looked through the options and sure enough, there it is: /samobject.
G:\>subinacl /samobject administrator

=========================
+SamObject administrator
=========================
/control=0x0
/owner            =builtin\administrators
/primary group    =builtin\administrators
/audit ace count  =2
/aace =everyone        SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80   SUCCESSFUL_ACCESS_ACE_FLAG-0x40FAILED_ACCESS_ACE_FLAG-0x0x80
          USER_WRITE_PREFERENCES-0x00004         USER_CHANGE_PASSWORD-0x00040
/aace =anonymous logon SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80   SUCCESSFUL_ACCESS_ACE_FLAG-0x40FAILED_ACCESS_ACE_FLAG-0x0x80
        STANDARD_RIGHTS_REQUIRED-0xf0000            USER_READ_GENERAL-0x00001
           USER_READ_PREFERENCES-0x00002       USER_WRITE_PREFERENCES-0x00004
                 USER_READ_LOGON-0x00008            USER_READ_ACCOUNT-0x00010
              USER_WRITE_ACCOUNT-0x00020         USER_CHANGE_PASSWORD-0x00040
      USER_FORCE_PASSWORD_CHANGE-0x00080             USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200 USER_WRITE_GROUP_INFORMATION-0x00400
/perm. ace count  =3
/pace =everyone        ACCESS_ALLOWED_ACE_TYPE-0x0
               USER_READ_GENERAL-0x00001        USER_READ_PREFERENCES-0x00002
                 USER_READ_LOGON-0x00008            USER_READ_ACCOUNT-0x00010
            USER_CHANGE_PASSWORD-0x00040             USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200
/pace =builtin\administrators  ACCESS_ALLOWED_ACE_TYPE-0x0
        Full Control
        STANDARD_RIGHTS_REQUIRED-0xf0000            USER_READ_GENERAL-0x00001
           USER_READ_PREFERENCES-0x00002       USER_WRITE_PREFERENCES-0x00004
                 USER_READ_LOGON-0x00008            USER_READ_ACCOUNT-0x00010
              USER_WRITE_ACCOUNT-0x00020         USER_CHANGE_PASSWORD-0x00040
      USER_FORCE_PASSWORD_CHANGE-0x00080             USER_LIST_GROUPS-0x00100
     USER_READ_GROUP_INFORMATION-0x00200 USER_WRITE_GROUP_INFORMATION-0x00400
/pace =sfmxp32\administrator   ACCESS_ALLOWED_ACE_TYPE-0x0
        Write
          USER_WRITE_PREFERENCES-0x00004         USER_CHANGE_PASSWORD-0x00040

Elapsed Time: 00 00:00:00
Done:       1, Modified       0, Failed       0, Syntax errors       0
Last Done : administrator
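The listing above is only useful if you can read the masks, so here is an added example (Python, not part of the original post and not a SubInACL API) that parses a /samobject listing into ACEs, decodes each access mask from the NAME-0xVALUE tokens, tolerates the fused audit-flag tokens SubInACL prints, and flags allow ACEs that hand a modify-class right to an Everyone-style trustee. SAMPLE_OUTPUT is reconstructed from the post's listing (token layout reflowed, the Anonymous Logon audit ACE abridged); the regexes, the WRITE_CLASS and BROAD_TRUSTEES sets and every function name are my own assumptions.

```python
"""Parse the listing printed by ``subinacl /samobject <name>`` and decode each ACE's
access mask.  Added example, not from the original post or from SubInACL: SAMPLE_OUTPUT
is reconstructed from the post's listing and every helper name below is my own."""
import re
from dataclasses import dataclass, field
from functools import reduce

# Constructed from the post's listing (tokens reflowed, Anonymous Logon audit ACE abridged).
SAMPLE_OUTPUT = r"""
+SamObject administrator
/owner            =builtin\administrators
/primary group    =builtin\administrators
/audit ace count  =2
/aace =everyone        SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80   SUCCESSFUL_ACCESS_ACE_FLAG-0x40FAILED_ACCESS_ACE_FLAG-0x0x80
        USER_WRITE_PREFERENCES-0x00004   USER_CHANGE_PASSWORD-0x00040
/aace =anonymous logon SYSTEM_AUDIT_ACE_TYPE-0x2
        FAILED_ACCESS_ACE_FLAG-0x80   SUCCESSFUL_ACCESS_ACE_FLAG-0x40FAILED_ACCESS_ACE_FLAG-0x0x80
        STANDARD_RIGHTS_REQUIRED-0xf0000   USER_READ_GENERAL-0x00001   USER_WRITE_ACCOUNT-0x00020
/perm. ace count  =3
/pace =everyone        ACCESS_ALLOWED_ACE_TYPE-0x0
        USER_READ_GENERAL-0x00001   USER_READ_PREFERENCES-0x00002   USER_READ_LOGON-0x00008
        USER_READ_ACCOUNT-0x00010   USER_CHANGE_PASSWORD-0x00040   USER_LIST_GROUPS-0x00100
        USER_READ_GROUP_INFORMATION-0x00200
/pace =builtin\administrators  ACCESS_ALLOWED_ACE_TYPE-0x0
        Full Control
        STANDARD_RIGHTS_REQUIRED-0xf0000   USER_READ_GENERAL-0x00001   USER_READ_PREFERENCES-0x00002
        USER_WRITE_PREFERENCES-0x00004   USER_READ_LOGON-0x00008   USER_READ_ACCOUNT-0x00010
        USER_WRITE_ACCOUNT-0x00020   USER_CHANGE_PASSWORD-0x00040   USER_FORCE_PASSWORD_CHANGE-0x00080
        USER_LIST_GROUPS-0x00100   USER_READ_GROUP_INFORMATION-0x00200   USER_WRITE_GROUP_INFORMATION-0x00400
/pace =sfmxp32\administrator   ACCESS_ALLOWED_ACE_TYPE-0x0
        Write
        USER_WRITE_PREFERENCES-0x00004   USER_CHANGE_PASSWORD-0x00040
"""

ACE_HEADER = re.compile(r"^/(aace|pace)\s*=(?P<trustee>.+?)\s+(?P<type>[A-Z_]+_ACE_TYPE)-0x[0-9a-fA-F]+")
RIGHT_TOKEN = re.compile(r"\b(USER_[A-Z_]+|STANDARD_RIGHTS_REQUIRED)-0x([0-9a-fA-F]+)")
# SubInACL runs the two audit-flag tokens together ("-0x40FAILED_..._FLAG-0x0x80"):
# capping the hex digits at two and tolerating the doubled "0x" recovers both flags.
FLAG_TOKEN = re.compile(r"(SUCCESSFUL|FAILED)_ACCESS_ACE_FLAG-0x(?:0x)?[0-9a-fA-F]{1,2}")
# Rights that let the holder modify the object.  STANDARD_RIGHTS_REQUIRED (0xf0000) is
# DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER, i.e. the power to rewrite this ACL.
WRITE_CLASS = {"USER_WRITE_PREFERENCES", "USER_WRITE_ACCOUNT", "USER_FORCE_PASSWORD_CHANGE",
               "USER_WRITE_GROUP_INFORMATION", "STANDARD_RIGHTS_REQUIRED"}
BROAD_TRUSTEES = {"everyone", "anonymous logon", "authenticated users", "users"}

@dataclass
class Ace:
    kind: str                                   # "allow", "deny" or "audit"
    trustee: str
    rights: dict = field(default_factory=dict)  # right name -> bit value
    flags: set = field(default_factory=set)     # audit flags: "SUCCESSFUL" / "FAILED"

    @property
    def mask(self) -> int:
        return reduce(int.__or__, self.rights.values(), 0)

    def absorb(self, line: str) -> None:
        for name, hexval in RIGHT_TOKEN.findall(line):
            self.rights[name] = int(hexval, 16)
        self.flags.update(FLAG_TOKEN.findall(line))

def parse_samobject(text: str) -> dict:
    """Return {"owner", "primary_group", "aces": [Ace, ...]} in listing order."""
    info = {"owner": None, "primary_group": None, "aces": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = ACE_HEADER.match(line)
        if hdr:                      # "/aace =" or "/pace =" opens a new ACE
            t = hdr["type"]
            kind = "audit" if "AUDIT" in t else "deny" if "DENIED" in t else "allow"
            current = Ace(kind, hdr["trustee"].strip())
            info["aces"].append(current)
            current.absorb(line[hdr.end():])
        elif line.startswith("/"):   # any other "/key =value" line closes the ACE
            current = None
            key, _, val = line.partition("=")
            if key.strip() in ("/owner", "/primary group"):
                info[key.strip()[1:].replace(" ", "_")] = val.strip()
        elif current is not None:    # continuation line carrying right/flag tokens
            current.absorb(line)
    return info

def write_capable(ace: Ace) -> bool:
    """True for an allow ACE granting any right that can modify the object."""
    return ace.kind == "allow" and bool(WRITE_CLASS.intersection(ace.rights))

def broad_write_grants(info: dict) -> list:
    """Allow ACEs that hand a modify right to an Everyone-style trustee."""
    return [a for a in info["aces"]
            if write_capable(a) and a.trustee.lower().split("\\")[-1] in BROAD_TRUSTEES]

if __name__ == "__main__":
    info = parse_samobject(SAMPLE_OUTPUT)
    for ace in info["aces"]:
        print(f"{ace.kind:5} {ace.trustee:24} mask=0x{ace.mask:05x}",
              "WRITE" if write_capable(ace) else "", " ".join(sorted(ace.flags)))
    print("broad write grants:", [a.trustee for a in broad_write_grants(info)])
```

On the post's own listing the only write-capable entries are builtin\administrators (Full Control, which includes WRITE_DAC) and the sfmxp32\administrator self-entry (USER_WRITE_PREFERENCES and USER_CHANGE_PASSWORD), so broad_write_grants comes back empty; running it after a /grant is a quick way to confirm you did not hand a modify right to Everyone by mistake. Note that USER_CHANGE_PASSWORD is deliberately not in WRITE_CLASS: Everyone holds it on the default listing, and it still requires the current password.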
I am feeling sort of déjà vu all over again. I was thinking of asking you about this, but I don't think I did. I can't quite figure out your answer though… By the way, thanks again for all your hard work.
Hi Steve,
You use the /samobject switch to specify the SAM object that you want to modify. So if you wanted to modify the group MyUsers such that the user someuser has FC on it, you would do something like
subinacl /samobject MyUsers /grant=someuser=f
This seems to work for local users and groups, but it doesn't seem to work for builtin objects. For example, this works:
subinacl /samobject administrator
but these don't:
subinacl /samobject administrators
subinacl /samobject builtin\administrators
subinacl /samobject S-1-5-32-544
They all report “No mapping between account names and security IDs was done”, just as if there was no object of that name.
Is there any way of changing the ACLs on the builtin objects? (e.g. to grant a domain group the permission to add users to the builtin administrators group on a workstation)