README.TXT
----------

NT Command Line Security Utilities
Copyright 1996 Keith Woodard
All Rights Reserved

The NT Command Line Security Utilities contain several programs for
manipulating and viewing NT file security attributes. The programs have
been run and tested on versions 3.5 and 3.51 of NT Workstation and NT
Server. Here are a list of the programs:

saveacl.exe    - saves file, directory and ownership permissions to a file
restacl.exe    - restores file permissions and ownership from a saveacl file
listacl.exe    - lists file permissions in human readable format
swapacl.exe    - swaps permissions from one user or group to another
grant.exe      - grants permissions to users/groups on files
revoke.exe     - revokes permissions to users/groups on files
igrant.exe     - grants permisssions to users/groups on directories
irevoke.exe    - revokes permissions to users/groups on directories
setowner.exe   - sets the ownership of files and directories
nu.exe         - 'net use' replacement. shows which drives you're connected as.

Each of the programs contains a built-in help screen. Just run any of the
programs with a "-h" argument and the help screen will be displayed.

You'll find the latest utilities on:
	ftp://ftp.netcom.com/pub/wo/woodardk/


Some Uses of NTSEC
==================
Permissions saved by saveacl which contain SIDs from domain accounts may
be applied to machines outside the domain. Well known groups and built-in
accounts will be correctly intrepreted in any NT domain. This gives
a good method for creating a standard set of permissions for a particular
directory structure (such as the SystemRoot) which can be applied very easily
to any number of NT servers or workstations in any domain with restacl.
Permissions saved on files which do not exist on the selected target directory
or files are ignored.

All the utilities will attempt to perfom their functions with the "Backup
files and directories" priviledge, which means that even if you don't
explicitly have rights to modify a file's security attributes and you have
this user right, the function will succeed. This is what makes setting
file ownership possible - i.e. you can be administrator and set owership
to anyone you wish. Whereas file manager will only let you take ownership.

Swapacl is very powerful and provides a great way to substitute permissions
on files. You can switch between users and groups, users and users, groups
and users, or groups and groups. A great example is if you have a directory
structure with a complicated permission tree and a person in your organization
leaves, you can use swapacl to give all the permissions which were granted
to another staff member without wiping out all the other permissions set on
the files and directories.


Shareware Details
=================
The NT Security Utilities are SHAREWARE and may be used for a 10 day trial.
If after 10 days, you are unsatisfied with the NT Security Utilities, remove
them from your systems. You may purchase NT Security Utilites under the
following plans:

1) $5 per copy for academic institutions or 

2) $15 per copy for commercial businesses or government agencies or

3) $2000 for an unlimited site license and full source. All source is
   contained in C++ classes and compiled with MS Visual C++ 2.0 command
   line makefile.

Check, money order or purchase orders should be sent to:

Keith Woodard
NT Security Utilities Registration
106 Robets Lane
Suite 400
Alexandria, VA 22314

I hope you like the NT Security Utilities and contribute to their success and
the success of other products like it by registering your copy.

Please see the accompanying file 'license.txt' for licensing and
disclaimer information.


This is version 1.6 of the utilities. Bug reports can be sent to 
woodardk@netcom.com

I love to hear from people who are using my programs, so please send me
your comments!

One last reminder:  I've spent a lot of time developing this software and
have tried to make it as bug free as possible.  My time, the cost of the
computer, operating system, compilers, books, and developers resources
are not cheap!  Register your copy!



PROGRAM HELP:
===================

saveacl.exe
--------------------------------------------------------------------------
Copy NT file security descriptors to a file.

usage: SAVEACL [-dirsonly | -filesonly] [-r] filemask output-file [-x file file
...]

        -r    Recurse into subdirectories
        -dirsonly    Store ACLs for directories only.
        -filesonly   Stores ACLs for files only skipping directories.
        -x    Exclude these files. Files may contain wildcards.
        Note: file-mask * matches all files, *.* does not!




restacl.exe
----------------------------------------------------------------------------
Restores NT file security descriptors from a file generated by SAVEACL.
RESTACL will restore file permissions on files relative to the current
directory.

usage: RESTACL [-listonly] [-owneronly | -noowner] [-absolute] acl-file [file fi
le ...]
               [-x file file ...]

        -listonly    Just list affected files. Do not apply permissions.
        -owneronly   Restore file ownership only.
        -noowner     Restore all ACLs EXCEPT file ownership.
        -absolute    Restore using the absolute path, otherwise, strip
                     drive and UNC prefix (default).
        -x           Exclude these files.
        If a file list is not specified, the default is to restore ACLs
        to all files. The file arguments may contain wildcards.
        Wildcards will match directory names as well as file names.



listacl.exe
--------------------------------------------------------------------
LISTACL prints file permissions to the screen for the selected files.

usage: LISTACL [-r] [-owneronly] file file ... [-x file file ...]
       LISTACL -h

        -h          This help screen
        -r          Recurse into subdirectories.
        -owneronly  List only file ownership.
        -x          Exclude these files from the list (may use wilcards).



swapacl.exe
--------------------------------------------------------------------
Swaps one ACL in place of another

usage: SWAPACL [-noowner | -owneronly] [-r] name-to-swap-out name-to-swap-in
               file file ... [-x file file ...]

        -noowner    Do not change file ownership.
        -owneronly  Change file ownership only, do not modify file ACLs
        -r          Recurse into subdirectories.
        -x          Exclude these files from modification (may use wilcards).

Names are textual names of groups or users and may consist of a domain name
and user or group name. For example MYDOMAIN\mygroup.



grant.exe
------------------------------------------------------------
GRANT adds permissions to selected files (not directories).

usage: GRANT [-r] [r][w][x][d][p][o] user file file ... [-x file file ...]

        -r          Recurse into subdirectories.
        r           Add READ permission
        w           Add WRITE permission
        x           Add EXECUTE permission
        d           Add DELETE permission
        p           Add CHANGE-PERMISSIONS permission
        o           Add TAKE-OWNERSHIP permission
        user        A valid user or group name
        -x          Exclude these files from the list (may use wilcards).

GRANT will append to any existing permissions. It will not overwrite
permissions which are already set on the target files


revoke.exe
-------------------------------------------------------------
REVOKE removes permissions from selected files (not directories).

usage: REVOKE [-r] [r][w][x][d][p][o] user file file ... [-x file file ...]

        -r          Recurse into subdirectories.
        r           Remove READ permission
        w           Remove WRITE permission
        x           Remove EXECUTE permission
        d           Remove DELETE permission
        p           Remove CHANGE-PERMISSIONS permission
        o           Remove TAKE-OWNERSHIP permission
        user        A valid user or group name
        -x          Exclude these files from the list (may use wilcards).

REVOKE will remove only the selected permissions leaving any existing
permissions.


igrant.exe
-------------------------------------------------------------------
IGRANT adds permissions to selected directories (not files).

usage: IGRANT [-r] (DirPerms | -) (FilePerms | -) user dir dir ...
              [-x dir dir ...]

        -r          Recurse into subdirectories.
        DirPerms    Permissions for access to the directory.
        FilePerms   Permissions inherited by files in the directory.
        user        A valid user or group name
        -x          Exclude these directories (may use wilcards).

        Permissions are specified via combinations of the following flags:
        r           Add READ permission
        w           Add WRITE permission
        x           Add EXECUTE permission
        d           Add DELETE permission
        p           Add CHANGE-PERMISSIONS permission
        o           Add TAKE-OWNERSHIP permission
        -           No changes

IGRANT will append to any existing permissions. It will not overwrite
permissions which are already set on the target directories.



irevoke.exe
-------------------------------------------------------------------
IREVOKE removes permissions to selected directories (not files).

usage: IREVOKE [-r] (DirPerms | -) (FilePerms | -) user dir dir ...
              [-x dir dir ...]

        -r          Recurse into subdirectories.
        DirPerms    Directory permissions to remove.
        FilePerms   Inherited file permissions to remove
        user        A valid user or group name
        -x          Exclude these directories (may use wilcards).

        Permissions are specified via combinations of the following flags:
        r           Add READ permission
        w           Add WRITE permission
        x           Add EXECUTE permission
        d           Add DELETE permission
        p           Add CHANGE-PERMISSIONS permission
        o           Add TAKE-OWNERSHIP permission
        -           No changes

IREVOKE will remove from existing permissions. It will not overwrite
other permissions which are already set on the target directories.


setowner.exe
------------------------------------------------------------
Set file ownership.

usage: SETOWNER [-r] new-owner file file ... [-x file file ...]

        file        File or directory to set ownership on (may
                    contain wildcards)
        -r          Recurse into subdirectories.
        -x          Exclude these files from modification (may use wilcards).

Names are textual names of groups or users and may consist of a domain name
and user or group name. For example MYDOMAIN\mygroup.




