
SetACL command line examples

Posted by Albert Gareev on Apr 27, 2010 | Categories: How to, Tools

I found the SetACL tool very handy.
In addition to implementing security settings in batch files (that’s what it was created for), I have used it quite successfully to automate infrastructure maintenance and testing jobs that occur daily and even hourly.

Like any command-line tool, powerful but simple, it requires instructions written in its own metalanguage. You can find the full reference through this external link.

The examples below represent some of my findings and experiments.
In the next post I demonstrate the use of SetACL in automation scripts.

Protect ‘Child01’ folder from permission inheritance

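That is, set the “Allow inheritable permissions from the parent object to propagate to this object” checkbox to “Off”. The p_c option protects the object and copies the previously inherited entries onto it as explicit ones.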

C:\Test>setacl -on "C:\Test\Parent\Child01" -ot file -actn setprot -op "dacl:p_c;sacl:p_c"

Deny access to common user groups

All ACEs belonging to “Users” and “Domain Users” are removed from the folder’s DACL (ta:remtrst), so these groups can no longer access the folder.

C:\Test>setacl -on "C:\Test\Parent\Child01" -ot file -actn trustee -trst "n1:users;ta:remtrst;w:dacl" -actn trustee -trst "n1:domain users;ta:remtrst;w:dacl"

Allow access for a user account

The “Change” permission is assigned to the “testuser” user account. Now the user is allowed to modify the folder (“Child01”) and has full control over all of its child objects.

C:\Test>setacl -on "C:\Test\Parent\Child01" -ot file -actn ace -ace "n:testuser;p:change"

Set special permissions for ‘Child01’ 

Now “testuser” cannot delete its own root folder (“Child01”).

C:\Test>setacl -on "C:\Test\Parent\Child01" -ot file -actn ace -ace "n:testuser;p:delete;i:np;m:deny;w:dacl"
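
The four commands above, applied in order and then checked with Get-Acl, as an added example that is not part of the original post. It assumes setacl.exe is on the PATH, an elevated session (changing SACL protection in the first step needs it), and that the folder and the “testuser” account already exist; the checks are this example's own idea of a correct result.

```powershell
# Added example, not from the original post.
# Assumes: setacl.exe on PATH, elevated session, folder and "testuser" exist.
$target = 'C:\Test\Parent\Child01'

# Argument sets of the four commands above, in the same order.
$steps = @(
    @('-actn', 'setprot', '-op', 'dacl:p_c;sacl:p_c'),
    @('-actn', 'trustee', '-trst', 'n1:users;ta:remtrst;w:dacl',
      '-actn', 'trustee', '-trst', 'n1:domain users;ta:remtrst;w:dacl'),
    @('-actn', 'ace', '-ace', 'n:testuser;p:change'),
    @('-actn', 'ace', '-ace', 'n:testuser;p:delete;i:np;m:deny;w:dacl')
)

foreach ($step in $steps) {
    & setacl.exe -on $target -ot file @step
    if ($LASTEXITCODE -ne 0) {
        # Stop at the first failure so a half-applied ACL is noticed.
        throw "SetACL failed (exit code $LASTEXITCODE): $($step -join ' ')"
    }
}

# Read the resulting DACL back and compare it with what the steps intend.
$acl      = Get-Acl -Path $target
$delete   = [System.Security.AccessControl.FileSystemRights]::Delete
$problems = @()

if (-not $acl.AreAccessRulesProtected) {
    $problems += 'DACL is still inheriting from the parent'
}
foreach ($ace in $acl.Access) {
    # Matches BUILTIN\Users and <domain>\Domain Users, not Authenticated Users.
    if ($ace.IdentityReference.Value -match '\\(Users|Domain Users)$') {
        $problems += "ACE still present for $($ace.IdentityReference.Value)"
    }
}
$mine = @($acl.Access | Where-Object { $_.IdentityReference.Value -match '\\testuser$' })
if (-not ($mine | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    $problems += 'no Allow ACE for testuser'
}
if (-not ($mine | Where-Object { $_.AccessControlType -eq 'Deny' -and
                                 ($_.FileSystemRights -band $delete) })) {
    $problems += 'no Deny Delete ACE for testuser'
}

$acl.Access | Format-Table IdentityReference, AccessControlType,
    FileSystemRights, InheritanceFlags, IsInherited -AutoSize
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'ACL matches the four steps.'
```

The table also shows any remaining entries, such as “Authenticated Users” or “Everyone”, that could still grant access to members of the removed groups.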


This work by Albert Gareev is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported.