Edit Permissions with SubInAcl

SubInACL is a Microsoft utility which can be downloaded as part of Windows Resource Kits.

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and
services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

SubInACL’s help screen:

SubInAcl version 5.2.3790.1180

Each command line switch has its own help screen, which can be summoned using the command
SUBINACL /help /switch

For example, SUBINACL /help /grant will call the following help screen:

SubInAcl version

Some examples of granting access permissions: 

Allow the group “MYDOMAIN\Marketing” Read access to the folder “D:\Departments\Marketing” and all of its subfolders, but not on the files:

SUBINACL /verbose=1 /subdirectories=directoriesonly "D:\Departments\Marketing" /grant=MYDOMAIN\Marketing=R

Grant Read access to “Everyone” on a share:

SUBINACL /verbose=1 /share \\server\share /grant=Everyone=R

Allow the group “MYDOMAIN\Marketing” to Print and Manage documents on the printer “Color Laser”:

SUBINACL /verbose=1 /printer "Color Laser" /grant=MYDOMAIN\Marketing=MP

Allow “Authenticated Users” to start and stop the “Printer Spooler” service (use its short name: “Spooler”):

SUBINACL /verbose=1 /service Spooler /grant="Authenticated Users"=LQSTOP

Grant “Authenticated Users” write access to “HKEY_LOCAL_MACHINE\SOFTWARE\MyProgram”, but not to subkeys:

SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\MyProgram" /grant="Authenticated Users"=QEDS

To check permissions, remove the /grant switch: if no “action” is specified, the default /display is used.
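
An added example, not part of the original page or of SubInACL itself: a small Python reviewer for change scripts that lists every /grant on a SUBINACL command line and flags grants to broad principals. The BROAD set and the sample lines are assumptions constructed for illustration; curly quotes are normalised first because cmd.exe does not treat them as quoting.

```python
import re

# Object-type switches that appear in the commands on this page.
OBJECT_SWITCHES = {"/file", "/subdirectories", "/share", "/printer", "/service", "/keyreg"}
# Assumption for this example: principals a reviewer wants called out as broad.
BROAD = {"everyone", "authenticated users", "users"}
# Curly quotes pasted from a web page are not quote characters to cmd.exe.
CURLY = {0x201C: '"', 0x201D: '"'}

def parse_grants(line):
    """Return one dict per /grant switch found on a SUBINACL command line."""
    tokens = [t.replace('"', "") for t in
              re.findall(r'(?:"[^"]*"|\S)+', line.translate(CURLY))]
    if not tokens or tokens[0].lower() not in ("subinacl", "subinacl.exe"):
        return []
    obj_type = target = None
    grants = []
    args = iter(tokens[1:])
    for tok in args:
        switch, _, value = tok.partition("=")
        if switch.lower() in OBJECT_SWITCHES:
            # The object name follows its type switch as the next argument.
            obj_type, target = switch.lower(), next(args, None)
        elif switch.lower() == "/grant":
            account, sep, access = value.rpartition("=")
            if not sep:                      # /grant=account with no access letters
                account, access = value, ""
            grants.append((account, access))
    return [{"type": obj_type, "target": target, "account": a, "access": x,
             "broad": a.split("\\")[-1].lower() in BROAD} for a, x in grants]

# Constructed sample, modelled on the commands shown above.
SAMPLE = [
    r'SUBINACL /verbose=1 /subdirectories=directoriesonly "D:\Departments\Marketing" /grant=MYDOMAIN\Marketing=R',
    r'SUBINACL /verbose=1 /share \\server\share /grant=Everyone=R',
    'SUBINACL /verbose=1 /service Spooler /grant=\u201dAuthenticated Users\u201d=LQSTOP',
]

def broad_grants(lines):
    """Grants to broad principals, as (type, target, account, access) tuples."""
    return [(g["type"], g["target"], g["account"], g["access"])
            for line in lines for g in parse_grants(line) if g["broad"]]

if __name__ == "__main__":
    for finding in broad_grants(SAMPLE):
        print("review:", *finding)
```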
