Re: NTFS inherited permissions bug on W2K

From: Tony Chow (tchow@BLUETENTACLE.COM)
Date: 10/09/01


Message-ID:  <50B30C640EC48648ABAA34F00D737A96CDA8@leto.bluetentacle.local>
Date:         Tue, 9 Oct 2001 14:43:53 -0700
From: Tony Chow <tchow@BLUETENTACLE.COM>
Subject:      Re: NTFS inherited permissions bug on W2K
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

This is a known, though seldom-mentioned problem. The cause is the way
NTFS v5 permission inheritance works. Each file, folder, and registry
key has a full set of ACEs, including those explicitly assigned to it
AND those it inherited. The only distinguishing feature of inherited
ACEs is that they are marked as such. For example, if the C:\hello
folder has the following explicitly assigned ACEs:

Administrators--Full
System--Full
Everyone--Read

C:\hello\world, which "inherits" the permissions from its parent folder,
will have exactly the same ACEs, except each is marked with an inherited
flag:

Administrators--Full (inherited)
System--Full (inherited)
Everyone--Read (inherited)

And when you move the "world" folder to another folder that has
different permissions, the ACEs are retained, which is why you see
permissions on the "world" folder marked as "inherited" even though the
parent folder has no such permissions!
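An added example, not part of the original post: a PowerShell function that flags subfolders carrying "inherited" ACEs their current parent would not propagate, which is the state described above after a move. The function name is hypothetical, Windows PowerShell 3.0 or later is assumed, and only trustee and allow/deny type are compared, not the rights mask.

```powershell
# Added example (not from the original post). Reports ACEs that are marked
# inherited on a subfolder but have no inheritable counterpart on the parent.
function Find-StaleInheritedAce {
    param([Parameter(Mandatory)][string]$Root)

    $sidType      = [System.Security.Principal.SecurityIdentifier]
    $containerInh = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $creatorOwner = 'S-1-3-0'   # well-known SID for CREATOR OWNER

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $parentAcl = Get-Acl -LiteralPath $_.Parent.FullName
        $childAcl  = Get-Acl -LiteralPath $_.FullName
        $ownerSid  = $childAcl.GetOwner($sidType).Value

        # Build the set of (trustee, allow/deny) pairs the parent hands down
        # to subfolders. Explicit and inherited parent ACEs both count.
        $expected = @{}
        foreach ($ace in $parentAcl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.InheritanceFlags -band $containerInh) {
                $sid = $ace.IdentityReference.Value
                $expected["$sid|$($ace.AccessControlType)"] = $true
                # A CREATOR OWNER ACE shows up on the child under the owner's SID.
                if ($sid -eq $creatorOwner) {
                    $expected["$ownerSid|$($ace.AccessControlType)"] = $true
                }
            }
        }

        # Rights masks are deliberately not compared: inherit-only ACEs on the
        # parent can carry generic rights that read differently on the child.
        foreach ($ace in $childAcl.GetAccessRules($false, $true, $sidType)) {
            $key = "$($ace.IdentityReference.Value)|$($ace.AccessControlType)"
            if (-not $expected.ContainsKey($key)) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Trustee  = $ace.IdentityReference.Value
                    Type     = $ace.AccessControlType
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage, with the folder from the post as the root:
# Find-StaleInheritedAce -Root 'C:\hello' | Format-Table -AutoSize
```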
