GetNamedSecurityInfo VS GetFileSecurity

From: Frederic P. (P._at_discussions.microsoft.com)
Date: 06/26/05

    Date: Sat, 25 Jun 2005 18:29:03 -0700
    
    

    Hi,

    I am trying to read the security on different files and folders but I am
    getting different results depending on the method I use to get the security
    descriptor:
    "GetFileSecurity", "GetKernelObjectSecurity", and "GetUserObjectSecurity"
    all return the same security descriptor which doesn't have any inherited aces
    in it (INHERITED_ACE is never set on any aces).

    On the other hand, if I use "GetNamedSecurityInfo", I get the expected
    results which is a security descriptor containing aces with the INHERITED_ACE
    flag set. Sometimes, even the number of aces is different.

    I can get the problem with newly created files/folders with default ACL or
    older files/folders (even c:\CONFIG.sys). Some files work, others don't???

    The freeware "SetAcl" also returns explicit aces when listing the security
    descriptor of the files so I don't think the problem is in my code (SetAcl
    uses "GetKernelObjectSecurity" to access the security descriptors).

    If I call "ConvertToAutoInheritPrivateObjectSecurity" on the files/folders
    with the problem, everything goes back to normal; all 4 methods return the
    same security descriptor.

    Questions:
    What is the difference behind "GetNamedSecurityInfo" and "GetFileSecurity"?
    Why am I getting only explicit aces on certain files/folders when using
    "GetFileSecurity"?

    This behaviour occurred on Windows XP.

    Thanks.
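
One way to compare what the different calls return, as an added example that is not part of the original post: this Python code parses a self-relative security descriptor buffer and reports the SE_DACL_AUTO_INHERITED control bit plus the INHERITED_ACE flag of every ACE, so two dumps of the same file can be compared field by field. The function names `parse_sid`, `summarize_dacl` and `build_sample` are hypothetical, the two sample descriptors are constructed, and it is assumed that the buffer from each API call has been saved in self-relative form.

```python
import struct

# Constants from winnt.h
SE_DACL_PRESENT = 0x0004
SE_DACL_AUTO_INHERITED = 0x0400
SE_DACL_PROTECTED = 0x1000
INHERITED_ACE = 0x10

def parse_sid(buf, off):
    """Return the string form (S-1-...) of the SID stored at buf[off:]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def summarize_dacl(sd):
    """Report control bits and per-ACE flags of a self-relative descriptor."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor")
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    out = {"auto_inherited": bool(control & SE_DACL_AUTO_INHERITED),
           "protected": bool(control & SE_DACL_PROTECTED), "aces": []}
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return out  # no DACL, or a NULL DACL
    _acl_rev, _s1, acl_size, ace_count, _s2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8  # first ACE follows the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8 or off + ace_size > dacl_off + acl_size:
            raise ValueError("ACE runs past the end of the ACL")
        entry = {"type": ace_type, "flags": ace_flags, "inherited": bool(ace_flags & INHERITED_ACE)}
        if ace_type in (0, 1):  # ACCESS_ALLOWED / ACCESS_DENIED: mask, then SID
            entry["mask"] = struct.unpack_from("<I", sd, off + 4)[0]
            entry["sid"] = parse_sid(sd, off + 8)
        out["aces"].append(entry)
        off += ace_size
    return out

def build_sample(control, ace_flags):
    """Constructed input: one ACCESS_ALLOWED ACE for S-1-5-32-545 (read and execute)."""
    sid = struct.pack("<BB", 1, 2) + (5).to_bytes(6, "big") + struct.pack("<II", 32, 545)
    ace = struct.pack("<BBHI", 0, ace_flags, 8 + len(sid), 0x001200A9) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT | control, 0, 0, 0, 20) + acl

# Constructed descriptors standing in for the two kinds of result described in the post
EXPLICIT = build_sample(0, 0x00)
INHERITED = build_sample(SE_DACL_AUTO_INHERITED, INHERITED_ACE)
```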

