NULL DACL versus Empty DACL and Owner implicit access
- From: "Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
- Date: Thu, 30 Aug 2007 10:13:49 -0400
There was a question on microsoft.public.windowsxp.print_fax that I was able
to resolve, but there are some things that I do not completely understand.

Cannot install new printer drivers:
http://groups.google.com/group/microsoft.public.windowsxp.print_fax/browse_thread/thread/82d6284ca5b17f25

The poster received an 'Access denied' error installing a printer driver.
Process Monitor showed that it was able to create a "New" subfolder in
"C:\windows\system32\spool\drivers\w32x86\3" but not create a file in it.

According to the CACLS command line tool, he had correct permissions on the
"C:\windows\system32\spool\drivers\w32x86" folder. However, for the "3"
subfolder, CACLS listed no ACEs, leading us to believe that the DACL was
either NULL or empty (or is there a different explanation?).

Null DACLs and Empty DACLs:
http://msdn2.microsoft.com/en-us/library/aa379286.aspx

If the DACL were empty, it would grant everyone full access and I would not
expect the access described above to be denied. If the DACL were NULL, I
would expect that access would be denied to create a subfolder, but it was
not.

Owner of a New Object:
http://msdn2.microsoft.com/en-us/library/Aa379299.aspx

The above article would suggest that the owner would be granted implicit
WRITE_DAC permissions, so not even the owner should be able to create a
subfolder.

I myself tested a folder with an empty ACL created using the Access Control
Editor and found that the Effective Permissions page granted me, as the
owner, Read Permissions and Write Permissions. I believe this means I have
READ_DAC access as well as WRITE_DAC access, which seems to contradict the
above article. I was still denied access to create a subfolder, though, as
expected.

What can explain the fact that the poster (I think actually SYSTEM
impersonating the poster) was able to create a "New" subfolder but not create
a file in it?

Thanks,
Paul
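
Added example, not part of the original post and not Microsoft's code: a Python check that reads a self-relative security descriptor and reports whether its DACL is absent, NULL, empty or populated, then returns the access Windows' documented rules grant before any ACE is evaluated (including the owner's implicit READ_CONTROL and WRITE_DAC). The three sample descriptors are constructed for illustration; on a real system the bytes could come from .NET's GetSecurityDescriptorBinaryForm().

```python
import struct

SE_DACL_PRESENT = 0x0004   # SECURITY_DESCRIPTOR_CONTROL bit
READ_CONTROL = 0x00020000  # right to read the security descriptor
WRITE_DAC = 0x00040000     # right to modify the DACL
ALL_ACCESS = 0x001FFFFF    # STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL

def classify_dacl(sd: bytes) -> str:
    """Return 'absent', 'null', 'empty' or 'populated' for a self-relative SD."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor header")
    # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    _rev, _sbz, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd)
    if not control & SE_DACL_PRESENT:
        return "absent"          # no DACL field at all
    if off_dacl == 0:
        return "null"            # DACL present flag set, but no ACL behind it
    if off_dacl + 8 > len(sd):
        raise ValueError("DACL offset points outside the descriptor")
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _arev, _asbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    return "empty" if ace_count == 0 else "populated"

def baseline_access(kind: str, is_owner: bool):
    """Access mask granted before any ACE is read; None means 'evaluate the ACEs'."""
    if kind in ("absent", "null"):
        return ALL_ACCESS        # no DACL to restrict anyone: full access
    if kind == "empty":
        # No ACE allows anything; the owner keeps the implicit rights only.
        return READ_CONTROL | WRITE_DAC if is_owner else 0
    return None

def _sd(control: int, dacl: bytes = b"") -> bytes:
    """Build a minimal self-relative descriptor (hypothetical test helper)."""
    off = 20 if dacl else 0
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | control, 0, 0, 0, off) + dacl

# Constructed sample descriptors (no owner/group/SACL, for illustration only).
NO_DACL_SD = _sd(0)
NULL_DACL_SD = _sd(SE_DACL_PRESENT)
EMPTY_DACL_SD = _sd(SE_DACL_PRESENT, struct.pack("<BBHHH", 2, 0, 8, 0, 0))

if __name__ == "__main__":
    for name, sd in (("no DACL", NO_DACL_SD), ("NULL DACL", NULL_DACL_SD),
                     ("empty DACL", EMPTY_DACL_SD)):
        kind = classify_dacl(sd)
        print(name, kind, baseline_access(kind, True), baseline_access(kind, False))
```
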