README.TXT
----------
(for version 4.5)

NT Command Line Security Utilities
Copyright 1996,1997,1998 Keith Woodard, Fernando Trias
All Rights Reserved

NEW WEBSITE ADDRESS - COME AND VISIT: http://www.pedestalsoftware.com


NEW WITH VERSION 4.0 -- CONTROL NTFS AND REGISTRY AUDITING !!!!

NEW WITH VERSION 4.5 -- CONTROL USERS AND GROUPS THROUGH A SINGLE EASY
                        TO USE PROGRAM !!!


The NT Command Line Security Utilities contain several programs for
manipulating and viewing NT file security attributes and NT registry
security. These programs provide a method for scripting and non-
destructively changing permissions.

Here is a list of the programs:

NTFS:::
-------
saveacl.exe    - saves file, directory and ownership permissions to a file
restacl.exe    - restores file permissions and ownership from a saveacl file
listacl.exe    - lists file permissions in human readable format
swapacl.exe    - swaps permissions from one user or group to another
grant.exe      - grants permissions to users/groups on files
revoke.exe     - revokes permissions from users/groups on files
igrant.exe     - grants permissions to users/groups on directories
irevoke.exe    - revokes permissions from users/groups on directories
setowner.exe   - sets the ownership of files and directories
auditadd.exe   - add audit triggers to files and directories
auditdel.exe   - remove audit triggers from files and directories.

REGISTRY:::
-----------
reglistacl.exe  - print registry subkey security to the screen
reggrant.exe    - grant access to users and groups on registry subkeys
regrevoke.exe   - revoke access from users and groups on subkeys
regsetowner.exe - change registry subkey ownership
regswapacl.exe  - swaps permissions from one user or group to another
regauditadd.exe - add audit triggers to keys
regauditdel.exe - remove audit triggers from keys

SHARE::::
-----------
sharelistacl.exe - list permissions on a local or remote share
sharegrant.exe   - grant permissions to a local or remote share
sharerevoke.exe  - revoke permissions from a local or remote share

NT USERS AND GROUPS:::
----------------------
ntuser.exe       - manipulate account and group properties

OTHER::::
---------
nu.exe         - 'net use' replacement. shows which drives you're connected as.


Listacl and reglistacl also display the current auditing state of files,
directories, and registry keys.

Each of the programs contains a built-in help screen. Just run any of the
programs with a "-h" argument and the help screen will be displayed.

You'll find the latest utilities on:
      ftp://ftp.pedestalsoftware.com/pub/pedestal
or surf to
      http://www.pedestalsoftware.com/
and download there!



Some Uses of NTSEC
==================

A. Applying the same permissions to many machines:

Permissions saved by saveacl which contain SIDs from domain accounts may
be applied to machines outside the domain (or in the domain). Well-known
groups and built-in accounts will be correctly interpreted in any NT domain.
This gives a good method for creating a standard set of permissions for a
particular directory structure (such as the SystemRoot) which can be applied
very easily with restacl to any number of NT servers or workstations in any
domain. Permissions saved for files which do not exist in the selected target
directory or files are ignored.

For example:
   1. set your system directory permissions to your "standard"
   2. save the permissions to a file called winnt.acl:
            saveacl -r winnt\* winnt.acl
   3. apply those permissions to other machines:
            restacl winnt.acl


B. Access permissions even if you don't have access.

All the utilities will attempt to perform their functions with the "Backup
files and directories" privilege if you use the -usepriv option. This means
that if you hold this user right, the function will succeed even if you
don't explicitly have rights to modify a file's security attributes.


C. File ownership may be changed to any user. You are not limited to just
   taking ownership.

      setowner newowner dir:\file


D. Swap user and group permissions in place:

Swapacl is very powerful and provides a great way to substitute permissions
on files. You can switch between users and groups, users and users, groups
and users, or groups and groups. A great example: if you have a directory
structure with a complicated permission tree and a person in your organization
leaves, you can use swapacl to give all the permissions that person was
granted to another staff member without wiping out the other permissions set
on the files and directories.




Shareware Details
=================
The NT Security Utilities are SHAREWARE and may be used for a 30 day trial.
If after 30 days, you are unsatisfied with the NT Security Utilities, remove
them from your systems. NOTE: AFTER 30 DAYS, IF LEFT UNREGISTERED, THE SOFTWARE
WILL STOP WORKING. You may purchase NT Security Utilities under the
following plans:


1) NTSEC without auditing features:

   $15 (USD) per copy.

2) NTSEC with AUDITING and NTUSER features:

   $45 (USD) per copy.

3) $2000 (USD) for an unlimited site license of NTSEC with auditing and
   NTUSER.

4) $5000 (USD) for an unlimited site license of NTSEC with auditing and
   NTUSER plus the full source code.  All source is contained in C++
   classes and compiled with MS Visual C++ (nmake makefile).

Check, money order or purchase orders should be sent to:

Keith Woodard
NT Security Utilities Registration
20E Curlew Road
Quincy, MA 02169

All purchases must be in US Dollars. Checks not in US Dollars should
include a $50 bank fee (no, I do not profit from this, this is the
amount my bank charges for collection).

Payment via electronic funds transfer is also available. A $15 bank
fee will apply to all EFTs. Again, this is the amount my bank charges.

For other payment options, please contact Pedestal Software by sending
email, calling or faxing.

email: keith@pedestalsoftware.com
fax:   617-471-9091
voice: 617-471-0729

I hope you like the NT Security Utilities and contribute to their success and
the success of other products like it by registering your copy.

Please see the accompanying file 'license.txt' for licensing and
disclaimer information.
	

--------------------------------------------------------------------------
INSTALLATION
--------------------------------------------------------------------------

1. Unzip all the files into a directory in your path. Some of the files
   contain long filenames, so you will need a 32-bit unzip utility.
2. Simply launch any of the utilities to begin your evaluation. This will
   enable all the utilities for a period of 30 days.
3. Evaluate the software for 30 days. After 30 days all the utils will
   stop working.



This is version 4.5 of the utilities. Bug reports can be sent to 
woodardk@netcom.com

I love to hear from people who are using my programs, so please send me
your comments!

One last reminder:  I've spent a lot of time developing this software and
have tried to make it as bug free as possible.  My time, the cost of the
computer, operating system, compilers, books, and developers resources
are not cheap!  Register your copy!



PROGRAM HELP:
===================

saveacl.exe
--------------------------------------------------------------------------
Copy NT file security descriptors to a file.

usage: SAVEACL [-dirsonly | -filesonly] [-r] filemask output-file
               [-x file file ...]

        -r    Recurse into subdirectories
        -dirsonly    Store ACLs for directories only.
        -filesonly   Stores ACLs for files only skipping directories.
        -x    Exclude these files. Files may contain wildcards.
        Note: file-mask * matches all files, *.* does not!




restacl.exe
----------------------------------------------------------------------------
Restores NT file security descriptors from a file generated by SAVEACL.
RESTACL will restore file permissions on files relative to the current
directory.

usage: RESTACL [-listonly] [-owneronly | -noowner] [-absolute] acl-file
               [file file ...] [-x file file ...]

        -listonly    Just list affected files. Do not apply permissions.
        -owneronly   Restore file ownership only.
        -noowner     Restore all ACLs EXCEPT file ownership.
        -absolute    Restore using the absolute path, otherwise, strip
                     drive and UNC prefix (default).
        -x           Exclude these files.
        If a file list is not specified, the default is to restore ACLs
        to all files. The file arguments may contain wildcards.
        Wildcards will match directory names as well as file names.



listacl.exe
--------------------------------------------------------------------
LISTACL prints file permissions to the screen for the selected files.

usage: LISTACL [-r] [-owneronly] [-dirsonly] [-usepriv] file file ... [-x
               file file ...]
       LISTACL -h

        -h          This help screen
        -r          Recurse into subdirectories.
        -owneronly  List only file ownership.
        -dirsonly   Only list directories.
        -usepriv    Allow listacl to temporarily take ownership in order to
                    view permissions. Previous owner is restored automatically.
        -x          Exclude these files from the list (may use wildcards).



swapacl.exe
--------------------------------------------------------------------
Swaps one ACL in place of another

usage: SWAPACL [-noowner | -owneronly] [-r] name-to-swap-out name-to-swap-in
               file file ... [-x file file ...]

        -noowner    Do not change file ownership.
        -owneronly  Change file ownership only, do not modify file ACLs
        -r          Recurse into subdirectories.
        -x          Exclude these files from modification (may use wildcards).

Names are textual names of groups or users and may consist of a domain name
and user or group name. For example MYDOMAIN\mygroup.



grant.exe
------------------------------------------------------------
GRANT adds permissions to selected files (not directories).

usage: GRANT [-r] [-replace] [-clear] [-usepriv] user:[r][w][x][d][p][o] ...
             file file ... [-x file file ...]

        -r          Recurse into subdirectories.
        -replace    Replace existing user's permissions with ones specified.
        -clear      Clear _all_ permissions first (destructive, be careful!)
        -usepriv    Allow grant to temporarily take ownership in order to
                    set permissions. Restore files privilege required.
        r           Add READ permission
        w           Add WRITE permission
        x           Add EXECUTE permission
        d           Add DELETE permission
        p           Add CHANGE-PERMISSIONS permission
        o           Add TAKE-OWNERSHIP permission
        all         Same as RWXDPO
        change      Same as RWXD
        user        A valid user or group name. You may specify up to 30 users.
        -x          Exclude these files from the list (may use wildcards).

Without -replace or -clear, GRANT will append to any existing permissions.


REVOKE
-------
REVOKE removes permissions from selected files (not directories).

usage: REVOKE [-r] user:[r][w][x][d][p][o] file file ... [-x file file ...]

        -r          Recurse into subdirectories.
        -usepriv    Allow revoke to temporarily take ownership in order to
                    set permissions. Restore files privilege required.
        r           Remove READ permission
        w           Remove WRITE permission
        x           Remove EXECUTE permission
        d           Remove DELETE permission
        p           Remove CHANGE-PERMISSIONS permission
        o           Remove TAKE-OWNERSHIP permission
        all         Same as RWXDPO
        change      Same as RWXD
        user        A valid user or group name or wildcard
        -x          Exclude these files from the list (may use wildcards).

REVOKE will remove only the selected permissions leaving any existing
permissions.



igrant.exe
-------------------------------------------------------------------
IGRANT adds permissions to selected directories (not files).

usage: IGRANT [-r] [-replace] [-clear] user:DirPerms,FilePerms ... dir
              dir ... [-x dir dir ...]

        -r          Recurse into subdirectories.
        -replace    Replace existing user's permissions with ones specified.
        -clear      Clear _all_ permissions first (destructive, be careful!)
        -usepriv    Allow igrant to temporarily take ownership in order to
                    set permissions. Restore files privilege required.
        DirPerms    Permissions for access to the directory.
        FilePerms   Permissions inherited by files in the directory.
        user        A valid user or group name
        -x          Exclude these directories (may use wildcards).

        Permissions are specified via combinations of the following flags:
        r           Add READ permission
        w           Add WRITE permission
        x           Add EXECUTE permission
        d           Add DELETE permission
        p           Add CHANGE-PERMISSIONS permission
        o           Add TAKE-OWNERSHIP permission
        -           No changes
        all         Same as RWXDPO
        change      Same as RWXD

Without -replace and -clear, IGRANT will append to any existing
permissions.



irevoke.exe
-------------------------------------------------------------------
IREVOKE removes permissions from selected directories (not files).

usage: IREVOKE [-r] user:DirPerms,FilePerms dir dir ...
              [-x dir dir ...]

        -r          Recurse into subdirectories.
        -usepriv    Allow irevoke to temporarily take ownership in order to
                    set permissions. Backup files privilege required.
        DirPerms    Directory permissions to remove.
        FilePerms   Inherited file permissions to remove
        user        A valid user or group name or wildcard
        -x          Exclude these directories (may use wildcards).

        Permissions are specified via combinations of the following flags:
        r           Revoke READ permission
        w           Revoke WRITE permission
        x           Revoke EXECUTE permission
        d           Revoke DELETE permission
        p           Revoke CHANGE-PERMISSIONS permission
        o           Revoke TAKE-OWNERSHIP permission
        -           No changes
        all         Same as RWXDPO
        change      Same as RWXD

IREVOKE will remove from existing permissions. It will not overwrite
other permissions which are already set on the target directories.

Example: IREVOKE *:all,all dir1
          will remove all permissions on directory dir1.




setowner.exe
------------------------------------------------------------
Set file ownership.

usage: SETOWNER [-r] [-addpriv] new-owner file file ... [-x file file ...]

        file        File or directory to set ownership on (may contain
                    wildcards)
        -r          Recurse into subdirectories.
        -addpriv    Allow setowner to add permissions automatically to files
                    and directories, which you don't currently have access to,
                    to the currently logged in user.
                    It is not destructive of existing permissions.
        -x          Exclude these files from modification (may use wildcards).

Names are textual names of groups or users and may consist of a domain name
and user or group name. For example MYDOMAIN\mygroup.



reglistacl.exe
--------------
List registry security

usage: reglistacl [-lm|-cr|-cu|-u] [-r] [-s server] subkey

        -lm     HKEY_LOCAL_MACHINE (default)
        -cr     HKEY_CLASSES_ROOT
        -cu     HKEY_CURRENT_USER
        -u      HKEY_USERS
        -r      Recurse subkeys

Permission codes:
  Q = Query Value       W = Set Value
  C = Create Subkey     E = Enumerate Subkey
  N = Notify            L = Create Link
  D = Delete            R = Read Control
  P = Write DAC         O = Write Owner



reggrant.exe
------------
Grant security on registry keys

usage: reggrant [-lm|-cr|-cu|-u] [-clear] [-replace] [-r] [-q1|-q2] [-s server]
              user:perms user:perms ... subkey

        -lm     HKEY_LOCAL_MACHINE (default)
        -cr     HKEY_CLASSES_ROOT
        -cu     HKEY_CURRENT_USER
        -u      HKEY_USERS
        -r      Recurse subkeys
        -q1     Quiet - skip display of unmodified keys
        -q2     Quiet - only print errors

Permission codes:
  Q = Query Value       W = Set Value
  C = Create Subkey     E = Enumerate Subkey
  N = Notify            L = Create Link
  D = Delete            R = Read Control
  P = Write DAC         O = Write Owner
  Full = QWCENLDRPO     Read = QENR
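
The permission codes above correspond one-to-one to Win32 registry access rights. The following is an added example, not code from the NT Security Utilities: it parses user:perms arguments in the form shown in the usage line and converts them to access masks, and it reports grants that include P or O, since Write DAC lets the holder rewrite the key's ACL and Write Owner lets the holder take ownership. The mask values are the standard winnt.h constants; case-insensitive matching and the function names are assumptions of this example.

```python
# Added example (not Pedestal Software code). Letter codes and the Full/Read
# aliases come from the help text; mask values are the standard Win32
# registry-specific and standard access rights from winnt.h.
REG_RIGHTS = {
    "Q": 0x00000001,  # KEY_QUERY_VALUE
    "W": 0x00000002,  # KEY_SET_VALUE
    "C": 0x00000004,  # KEY_CREATE_SUB_KEY
    "E": 0x00000008,  # KEY_ENUMERATE_SUB_KEYS
    "N": 0x00000010,  # KEY_NOTIFY
    "L": 0x00000020,  # KEY_CREATE_LINK
    "D": 0x00010000,  # DELETE
    "R": 0x00020000,  # READ_CONTROL
    "P": 0x00040000,  # WRITE_DAC
    "O": 0x00080000,  # WRITE_OWNER
}
ALIASES = {"FULL": "QWCENLDRPO", "READ": "QENR"}
ALL_RIGHTS = sum(REG_RIGHTS.values())          # bits are distinct, so sum == OR
CONTROL_RIGHTS = REG_RIGHTS["P"] | REG_RIGHTS["O"]


def perms_to_mask(perms):
    """Convert a permission string such as 'QENR' or 'Full' to an access mask."""
    codes = ALIASES.get(perms.upper(), perms.upper())  # assumption: case-insensitive
    if not codes:
        raise ValueError("empty permission string")
    mask = 0
    for code in codes:
        if code not in REG_RIGHTS:
            raise ValueError("unknown permission code %r in %r" % (code, perms))
        mask |= REG_RIGHTS[code]
    return mask


def parse_spec(spec):
    """Split 'user:perms' on the last colon and return (user, mask)."""
    user, sep, perms = spec.rpartition(":")
    if not sep or not user:
        raise ValueError("expected user:perms, got %r" % spec)
    return user, perms_to_mask(perms)


def mask_to_codes(mask):
    """Render an access mask back into the letter codes, in help-screen order."""
    if mask & ~ALL_RIGHTS:
        raise ValueError("mask 0x%X has bits outside the ten listed rights" % mask)
    return "".join(code for code, bit in REG_RIGHTS.items() if mask & bit)


def review(specs):
    """Return (user, codes) for every grant that includes Write DAC or Write Owner."""
    flagged = []
    for spec in specs:
        user, mask = parse_spec(spec)
        if mask & CONTROL_RIGHTS:
            flagged.append((user, mask_to_codes(mask & CONTROL_RIGHTS)))
    return flagged


if __name__ == "__main__":
    # Constructed sample arguments, as they might appear in a reggrant script.
    sample = ["MYDOMAIN\\mygroup:Read", "Everyone:QENRP", "Administrators:Full"]
    for spec in sample:
        user, mask = parse_spec(spec)
        print("%-20s 0x%08X %s" % (user, mask, mask_to_codes(mask)))
    print("grants that can change the ACL or owner:", review(sample))
```

The Full and Read aliases work out to the Win32 constants KEY_ALL_ACCESS and KEY_READ respectively.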




regrevoke.exe
-------------
Revoke security on registry keys

usage: regrevoke [-lm|-cr|-cu|-u] [-q1|-q2] [-r] [-s server] user:perms
           user:perms ... subkey

        -lm     HKEY_LOCAL_MACHINE (default)
        -cr     HKEY_CLASSES_ROOT
        -cu     HKEY_CURRENT_USER
        -u      HKEY_USERS
        -r      Recurse subkeys
        -q1     Quiet - skip display of unmodified keys
        -q2     Quiet - only print errors

Permission codes:
  Q = Query Value       W = Set Value
  C = Create Subkey     E = Enumerate Subkey
  N = Notify            L = Create Link
  D = Delete            R = Read Control
  P = Write DAC         O = Write Owner
  Full = QWCENLDRPO     Read = QENR




regsetowner.exe
---------------
Set registry security subkey ownership

usage: regsetowner [-lm|-cr|-cu|-u] [-r] [-s server] newowner subkey

        -lm     HKEY_LOCAL_MACHINE (default)
        -cr     HKEY_CLASSES_ROOT
        -cu     HKEY_CURRENT_USER
        -u      HKEY_USERS
        -r      Recurse subkeys


REGSWAPACL
--------
Swap ACLs on registry keys

usage: regswapacl [-lm|-cr|-cu|-u] [-r] [-noowner|-owneronly]
                  [-q1|-q2] [-s server] from-user to-user subkey

        -lm        HKEY_LOCAL_MACHINE (default)
        -cr        HKEY_CLASSES_ROOT
        -cu        HKEY_CURRENT_USER
        -u         HKEY_USERS
        -r         Recurse subkeys
        -noowner   Do not swap key ownership
        -owneronly Only swap key ownership
        -s         Specify server name of registry to connect to
        -q1        Quiet - skip display of unmodified keys
        -q2        Quiet - only print errors



SHARELISTACL
------------
List share security

usage: sharelistacl [\\server\]share


SHAREGRANT
----------
Grant permissions on network shares

usage: sharegrant [-clear] [\\server\]share user:perms user:perms ...

        user        Any valid user or group
        perms       Can be one of none,read,change or full


SHAREREVOKE
-----------
Revoke permissions from network shares

usage: sharerevoke [\\server\]share user user ...

        user        Any valid user or group


AUDITADD
--------
AUDITADD sets audit triggers on files and directories.

usage: AUDITADD [-r] [-replace] [-clear] [-usepriv]
             user:[r(+-)][w(+-)][x(+-)][d(+-)][p(+-)][o(+-)] user:...
             file file ... [-x file file ...]

        -r          Recurse into subdirectories.
        -replace    Replace existing user's audit permissions with ones
                    specified.
        -clear      Clear _all_ permissions first (destructive, be careful!)
        -usepriv    Allow auditadd to temporarily take ownership in order to
                    set permissions. Backup files privilege required.
        r           Add READ audit
        w           Add WRITE audit
        x           Add EXECUTE audit
        d           Add DELETE audit
        p           Add CHANGE-PERMISSIONS audit
        o           Add TAKE-OWNERSHIP audit
        +           Audit successful operation event
        -           Audit failure operation event
        +-          Audit both success and failure
        user        A valid user or group name. You may specify up to 30 users.
        -x          Exclude these files from the list (may use wildcards).

Without -replace or -clear, AUDITADD will append to any existing permissions.


AUDITDEL
--------
AUDITDEL removes audit triggers on files and directories.

usage: AUDITDEL [-r] [-usepriv] user:[r(+-)][w(+-)][x(+-)][d(+-)]
       [p(+-)][o(+-)] user:... file file ... [-x file file ...]

       or
       AUDITDEL [-r] [-usepriv] -clear file file ... [-x file file ...]

        -r          Recurse into subdirectories.
        -clear      Remove all auditing information.
        -usepriv    Allow auditdel to temporarily take ownership in order to
                    set permissions. Backup files privilege required.
        r           Remove READ audit
        w           Remove WRITE audit
        x           Remove EXECUTE audit
        d           Remove DELETE audit
        p           Remove CHANGE-PERMISSIONS audit
        o           Remove TAKE-OWNERSHIP audit
        +           Apply to successful operation events
        -           Apply to failure operation events
        +-          Apply to both success and failure audit events
        user        A valid user or group name. You may specify up to 30 users.
        -x          Exclude these files from the list (may use wildcards).


REGAUDITADD
--------
Add audit triggers on registry keys

usage: regauditadd [-lm|-cr|-cu|-u] [-clear] [-replace] [-r] [-q1|-q2]
           [-s server] user:perms user:perms ... subkey

        -lm     HKEY_LOCAL_MACHINE (default)
        -cr     HKEY_CLASSES_ROOT
        -cu     HKEY_CURRENT_USER
        -u      HKEY_USERS
        -r      Recurse subkeys
        -s      Specify server name of registry to connect to
        -q1     Quiet - skip display of unmodified keys
        -q2     Quiet - only print errors

Permission codes:
  Q = Query Value       W = Set Value
  C = Create Subkey     E = Enumerate Subkey
  N = Notify            L = Create Link
  D = Delete            R = Read Control
  P = Write DAC         O = Write Owner



REGAUDITDEL
--------
Remove audit triggers on registry keys

usage: regauditdel [-lm|-cr|-cu|-u] [-r] [-q1|-q2]
           [-s server] user:perms user:perms ... subkey

       or

       regauditdel [-lm|-cr|-cu|-u] [-r] [-q1|-q2] [-s server] -clear subkey

        -clear  Remove all auditing information
        -lm     HKEY_LOCAL_MACHINE (default)
        -cr     HKEY_CLASSES_ROOT
        -cu     HKEY_CURRENT_USER
        -u      HKEY_USERS
        -r      Recurse subkeys
        -s      Specify server name of registry to connect to
        -q1     Quiet - skip display of unmodified keys
        -q2     Quiet - only print errors

Permission codes:
  Q = Query Value       W = Set Value
  C = Create Subkey     E = Enumerate Subkey
  N = Notify            L = Create Link
  D = Delete            R = Read Control
  P = Write DAC         O = Write Owner




NTUSER.EXE
-----------
Usage: NTUSER [-s <server>] ADD <user> [options]
                            CHANGE <user> [options]
                            DELETE <user>
                            SHOW <user | *>
                            RENAME <old_user> <new_user>
                            GROUPS <user>
                            [L]GROUP ADD <group> [options]
                            [L]GROUP CHANGE <group> [options]
                            [L]GROUP DELETE <group>
                            [L]GROUP SHOW <group | *>
                            [L]GROUP RENAME <old_group> <new_group>
                            [L]GROUP APPEND <group> <user>
                            [L]GROUP REMOVE <group> <user>
                            HELP OPTIONS
                            HELP FLAGS     (used by -set and -unset)

    -s <server> is the server on which to operate


NTUSER OPTIONS::

-full_name <name>
-comment <comment_text>
-usr_comment <comment>
-country_code <number>
-code_page <number>
-parms <text>
-home_dir <directory>
-script_path <path>
-profile <directory>
-workstations <computer_name>
-logon_server <computer_name>
-password <new_password>
-password_age <number_days>
-password_expired <bool>
-acct_expires <dd/mm/yy [hh:mm]>
-max_storage <amt_disk>
-set <flag>     * -set item can be repeated
-unset <flag>   * -unset item can be repeated


NTUSER FLAGS::

Note: UF_SCRIPT and UF_NORMAL_ACCOUNT are always set if no other flags
are specified when adding new accounts.

UF_SCRIPT : The logon script executed. This value must be set for LAN
Manager 2.0 or Windows NT.

UF_ACCOUNTDISABLE : The user's account is disabled.

UF_HOMEDIR_REQUIRED : The home directory is required. This value is
ignored in Windows NT.

UF_PASSWD_NOTREQD : No password is required.

UF_PASSWD_CANT_CHANGE : The user cannot change the password.

UF_LOCKOUT : The account is currently locked out. When changing a
user, this value can be cleared to unlock a previously locked
account. This value cannot be used to lock a previously unlocked
account.

UF_DONT_EXPIRE_PASSWD : Represents the password, which should never
expire on the account. This value is valid only for Windows NT.

UF_NORMAL_ACCOUNT : This is a default account type that represents a
typical user.

UF_TEMP_DUPLICATE_ACCOUNT : This is an account for users whose primary
account is in another domain. This account provides user access to
this domain, but not to any domain that trusts this domain. The User
Manager refers to this account type as a local user account.

UF_WORKSTATION_TRUST_ACCOUNT : This is a computer account for a
Windows NT Workstation or Windows NT Server that is a member of this
domain.

UF_SERVER_TRUST_ACCOUNT : This is a computer account for a Windows NT
Backup Domain Controller that is a member of this domain.

UF_INTERDOMAIN_TRUST_ACCOUNT : This is a permit to trust account for a
Windows NT domain that trusts other domains.
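
The flags above are bits in the account's flags value. The following is an added example, not code from NTUSER: it models what a series of -set and -unset options does to that value, applies the UF_LOCKOUT rule described above, and lists settings worth reviewing (no password required, password never expires, or an account-type count other than one). The numeric values are the standard lmaccess.h constants; the function names, and treating a -set UF_LOCKOUT on an unlocked account as having no effect, are assumptions of this example.

```python
# Added example (not Pedestal Software code). Flag names are from the list
# above; numeric values are the standard UF_* constants from lmaccess.h.
UF = {
    "UF_SCRIPT": 0x0001,
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_HOMEDIR_REQUIRED": 0x0008,
    "UF_LOCKOUT": 0x0010,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_PASSWD_CANT_CHANGE": 0x0040,
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "UF_NORMAL_ACCOUNT": 0x0200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
}
ACCOUNT_TYPES = ("UF_TEMP_DUPLICATE_ACCOUNT", "UF_NORMAL_ACCOUNT",
                 "UF_INTERDOMAIN_TRUST_ACCOUNT", "UF_WORKSTATION_TRUST_ACCOUNT",
                 "UF_SERVER_TRUST_ACCOUNT")
# Per the note above: the flags a new account gets when none are specified.
DEFAULT_NEW = UF["UF_SCRIPT"] | UF["UF_NORMAL_ACCOUNT"]


def decode(flags):
    """Return the names of all flags set in the value."""
    return [name for name, bit in UF.items() if flags & bit]


def apply_flag_options(flags, argv):
    """Apply each '-set FLAG' / '-unset FLAG' pair in argv; other options are skipped."""
    notes = []
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt not in ("-set", "-unset"):
            i += 1
            continue
        if i + 1 >= len(argv) or argv[i + 1] not in UF:
            raise ValueError("%s needs a known flag name" % opt)
        name = argv[i + 1]
        if opt == "-unset":
            flags &= ~UF[name]
        elif name == "UF_LOCKOUT" and not flags & UF[name]:
            # The flag can unlock an account but not lock one (assumed: no effect).
            notes.append("UF_LOCKOUT cannot lock an unlocked account; ignored")
        else:
            flags |= UF[name]
        i += 2
    return flags, notes


def findings(flags):
    """List settings in the flags value that deserve a second look."""
    out = [n for n in ("UF_PASSWD_NOTREQD", "UF_DONT_EXPIRE_PASSWD") if flags & UF[n]]
    types = [n for n in ACCOUNT_TYPES if flags & UF[n]]
    if len(types) != 1:  # exactly one account-type flag should be set
        out.append("account type flags set: %d (expected 1)" % len(types))
    return out


if __name__ == "__main__":
    # Constructed option list, as it might follow NTUSER CHANGE <user>.
    argv = ["-full_name", "Jane Doe", "-set", "UF_DONT_EXPIRE_PASSWD",
            "-set", "UF_LOCKOUT", "-unset", "UF_SCRIPT"]
    flags, notes = apply_flag_options(DEFAULT_NEW, argv)
    print("0x%05X" % flags, decode(flags), notes, findings(flags))
```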

