CHANGES
-------

Version 4.02
------------
Fixed sharegrant and sharerevoke to correctly handle newly created shares
which have not yet been assigned a security descriptor.

Corrected a GPF problem when displaying ACEs when the account is
"unknown".

Version 4.01
------------
Fixed problems installing the shareware version under a non-admin account.

Version 4.0
-----------
New features to control auditing. The following apps have been added:
	auditadd
	auditdel
	regauditadd
	regauditdel

In addition, listacl and reglistacl will display any auditing
information which exists on files, directories and registry keys.

You must have "Manage Auditing and Security Log" privilege to view
or manipulate audit ACLs.

There is no longer a separate installation program.


Version 3.4
-----------

Fixes to igrant and irevoke.


Version 3.3
-----------
This release is a *MAJOR* performance release.

Recursion fixed (again). An unlimited number of files and directories
is now supported.

swapacl and saveacl now have a -usepriv option.

saveacl now stores filenames correctly in absolute and relative formats
depending on the way it was specified on the command line.

sharelistacl now sorts its output.

sharelistacl now accepts wildcards as share names. sharelistacl server\*
will list the permissions on all the shares at \\server.

restacl has a new option -pathprefix which will append any prefix to
absolute or relative pathnames. This can be used to define a target
directory or share.

Other minor problems fixed.

A note was added to reglistacl on how to manipulate the root of a registry
key.


Version 3.2
-----------
Execution speed has been increased with this release. Less file I/O is
done by the NTFS utilities, and the registry security utilities have been
optimized, especially for remote registry operation.

Recursion in all the utils now uses a depth-first search instead of the
previous breadth-first search, and you'll notice this in the output as
the filesystem is traversed.

revoke and irevoke no longer accept wildcards for a username. Instead
they accept up to 30 valid users with one execution. e.g. irevoke -r
user1:rx,rx user2:rwx,rwx user3:all,all dir1

grant and igrant have an extra permission type of "none" which sets an
access denied ACE on files and directories. If a user has been denied
access, and then you grant them access, the access denied ACE will be
removed. The reverse is also true: if you add an access denied ACE and
a user has an existing (allowed) ACE, the allowed ACE will be removed
and the access denied ACE added. So, to get rid of a user who has an
access denied ACE entry, you must first grant the user some right, and
then revoke the right, or you can use [i]grant -clear and [i]grant
-replace.
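
The allow/deny replacement rules above, modelled as an added example (this
is not NTSEC code). The dict-based ACL, the function names and the two
behaviours marked "Assumption" in the comments are illustrative only.

```python
# Model of the allow/deny ACE handling described for grant/revoke in 3.2.
# An ACL is a dict: account -> (ace_type, frozenset of single-letter rights).
# Rights are given as letter strings such as "rx" (constructed sample values).

def grant(acl, account, perms):
    """Model 'grant account:perms'; perms == "none" means access denied."""
    new = dict(acl)
    if perms == "none":
        # An access denied ACE replaces any existing allowed ACE.
        new[account] = ("deny", frozenset())
        return new
    kind, rights = new.get(account, ("allow", frozenset()))
    if kind == "deny":
        # Granting access removes the access denied ACE.
        rights = frozenset()
    # Assumption: new rights are merged into an existing allowed ACE.
    new[account] = ("allow", rights | frozenset(perms))
    return new

def revoke(acl, account, perms):
    """Model 'revoke account:perms'."""
    new = dict(acl)
    kind, rights = new.get(account, (None, frozenset()))
    if kind != "allow":
        # Assumption inferred from the workaround in the changelog:
        # revoke acts only on allowed ACEs, so a deny ACE is left in place.
        return new
    left = rights - frozenset(perms)
    if left:
        new[account] = ("allow", left)
    else:
        # Nothing left to allow: the account drops out of the ACL.
        del new[account]
    return new

def remove_denied_account(acl, account):
    """The documented workaround: grant some right, then revoke it."""
    return revoke(grant(acl, account, "r"), account, "r")

if __name__ == "__main__":
    acl = grant({"user1": ("allow", frozenset("rx"))}, "user1", "none")
    print(acl)                                  # user1 now has a deny ACE
    print(revoke(acl, "user1", "rx"))           # deny ACE still present
    print(remove_denied_account(acl, "user1"))  # user1 gone from the ACL
```
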

listacl now sorts its output and consolidates file permissions
(previously it only consolidated directory permissions).

swapacl no longer returns "ERROR: 998: Unknown error" with NT 4.0 SP3
installed.

Locating domain controller names for accounts specified as
DOMAIN\Account is now performed automatically. A call to NetGetDCName
is done to find the domain controller for the domain, and then SID
information is requested from that domain controller. Previously, the
only way to handle a non-local account was to explicitly ask for
SERVER\Account. If the call to NetGetDCName fails, the portion to the
left of the \ is assumed to be a server from which to get account
information, otherwise the local machine is used. The call to
NetGetDCName can take several seconds to respond if it can't find the
domain you specified, so if you have previously been using the
SERVER\Account syntax, you should switch to using DOMAIN\Account
syntax to avoid getting timed out. For this version I am leaving the
debugging output on to avoid confusion about why the program is
possibly hanging, and for general info and feedback for problem
resolution at sites which may have different domain setups than
mine. This output is directed to STDERR.

Anyone who has registered a previous version of NTSEC is entitled to
receive this version at no charge; just send me e-mail.


Version 3.1
-----------
Fixed some major problems with remote registry operation (ability to correctly
recurse remote subkeys) and with remote share operation.


Version 3.0
-----------
Added utilities to modify local and remote network SHARE security:
   sharelistacl - list share security
   sharegrant   - grant permissions on shares
   sharerevoke  - remove permissions from shares

Added regswapacl - swap permissions without modifying the existing ones.


Version 2.2
-----------
Fixed several GPF/Dr. Watson problems.

Version 2.1
-----------
The evaluation period for this software has been extended to 30 days from 10
days. However, the program will now disable itself after 30 days. If you
have previously registered, you are entitled to this version at no cost.
Please send e-mail containing your company name and I will mail you a non-
expiring version.

Some permissions would appear garbled with listacl. Account names which
the local computer could not "resolve" (from the sid) are now obtained
correctly from the remote computer. This would occur, for instance, on
local account groups on NT servers when the local machine was logged into
the domain of the server, but the server was not a BDC or a PDC.

All registry utilities now support remote registry operation. All utils
have an extra optional [-s server] argument in which you tell the util
on which server you want to change permissions.


Version 2.0
-----------
Recursion added to registry utils regrevoke, reggrant, reglistacl and
regsetowner.

A new util regsetowner.exe sets ownership on registry subkeys.

A new util regrevoke.exe revokes permissions on registry subkeys.

A new util reggrant.exe grants permissions on registry subkeys.

A new util reglistacl.exe lists registry entry security.

Added an extra option -usepriv to irevoke, revoke, grant and igrant. These
work the same as in listacl added previously. When specified, you allow
NTSEC to temporarily take ownership of files in order to apply
necessary permissions. The previous owner is then reapplied transparently.
One immediate need for this option is to give Administrators rights on
a directory subtree without affecting existing ownership. This can now
be done easily with "igrant -usepriv -r Administrators:all,all dir".
It'll probably also be useful for general use. This function requires
that you have the "Backup files and directories" privilege because
it uses BackupRead() to obtain the file owner.  It also helps to have the
"Bypass traverse checking" privilege. This is a default privilege for all
users anyway. Of course you need "Take ownership" privilege also.


Version 1.9a
------------
Fixed a problem where revoke and irevoke did not correctly match account
names against the one specified on the command line, which resulted in a
"no change" message. For example, irevoke users:w dir1 would result
in "no change", but irevoke users*:w dir1 would work. This is fixed.


Version 1.9
-----------
Listacl has a new option -usepriv which will automatically take
ownership of files which it can't read the permissions of. This occurs
when you are not owner and don't have at least read permissions. The
previous owner is restored to the original state. You need take
ownership and se_restore_name (restore files and directories)
privileges. -usepriv will be added to future versions of grant, igrant,
revoke, and irevoke.

When setting "list" permissions on a directory, igrant would set the
appropriate permissions, but explorer would complain that the permissions
are missing or corrupt. This is now fixed.

Added an option "-addpriv" to setowner which will assist in taking
ownership of files and directories when recursing. When
specifying this option you allow setowner to automatically give the
currently logged in user account rights on necessary files
and directories it can't read (because they are too deep in a tree
in which you have no rights along the way). Existing rights are not
overwritten. You must have appropriate access rights when using this
option (take ownership and possibly se_restore_name). This option is
most helpful when you need to take over a directory subtree you no
longer have rights to.


Version 1.8
-----------
A new option "-dirsonly" was added to listacl (at the request of
RichardA@Health.State.OK.US).

Recursion is more Microsoft/DOS like. Directories are treated differently
during recursion. Instead of matching the directory name to a file mask,
all directories are recursed into using the specified mask to match
against files.

Setowner now correctly sets ownership on files which it doesn't own
and doesn't have the take-ownership file permission assigned to it.

revoke and irevoke now have the user:perms syntax for specifying
file and directory permissions. However, they are still limited to
a single user account.




Version 1.7
-----------
Up to 30 users may now be specified on the command line to igrant and
grant. This fixes the problem with making permission changes to many
files and multiple users which can take a really long time. The reason
it was taking so long is the way MS designed NTFS. Permission reads
(even for a single file) can sometimes take several seconds. Writes are
much faster. This change will allow you to make permission changes
in batches of users which can reduce the number of permission reads from
the filesystem.

Version 1.6
-----------
Added -clear and -replace options to GRANT and IGRANT. These let you
set and replace user permissions. -clear will wipe out all permissions
first, then add the specified rights. -replace will replace any
existing permissions a specified user may already have on the files.

Bugs were fixed in IREVOKE and IGRANT. Thanks to Mario Eduardo
(Mario.Eduardo@vu-wien.ac.at) for reporting the bug. Certain ACEs on
directories would be ignored and "unknow ACE type" would be printed. This
is now fixed.

Added wildcard matching to user and group names in IREVOKE and REVOKE.
This allows you to revoke permissions to several accounts and groups
at once. Be careful, you can also do destructive things like 'REVOKE
-r all * *' to remove all permissions on all files from every account
and group across the filesystem! Wildcards for matching users may contain
a '*' to match any number of characters, a '?' to match a single character,
[0-9] or [a-z] to match ranges of characters, etc.




