Re: Confusion over IO (Inherit Only) ACE on Vista



Dear Jialiang Ge,

Thank you for the update on this. I think the two things are related to the same problem.

1. The adding of the BUILTIN\Administrators:(F) ACL to every sub-folder on Windows Server is done because inheritance might break, but it should not break in the first place!

2. In my app I'd like to add an ACE that will inherit down for all existing and newly created folders below it.

One thing I noticed while experimenting with this, is that if I set an inheritable ACE at the top of a big tree of folders and files, there's a long delay, and it seems the ACE has to be applied to every folder and file below the root? I find this odd, because I thought inheritance was supposed to solve the performance problems of having to apply the ACE all the way down the tree...

Anyway, I have enough information for now. I found the Authorization section of the SDK which covers this in some detail, so I'll set up some more specific tests.

--
Gerry Hickman
London (UK)

""Jialiang Ge [MSFT]"" <jialge@xxxxxxxxxxxxxxxxxxxx> wrote in message news:wYdgfTuSJHA.4804@xxxxxxxxxxxxxxxxxxxxxxxxx
Good morning Gerry

The change of default DACL in Vista does not apply to Windows Server 2003
and Windows Server 2008. The default DACL settings in 2003 and 2008 are
similar to that in Windows XP, except one major difference: the very first
entry "BUILTIN\Administrators:(F)".

I don't think the very first entry "BUILTIN\Administrators:(F)" is a bad
idea. It appears there because of this Local Policy setting:

Windows Server 2003 -> Administrative Tools -> Local Security Policy ->
Local Policy -> Security Options -> System objects: Default owner for
objects created by members of the Administrators group.

In Windows 2003, the default value of this setting is "Administrators
group". Thus, if the folder was created by a member of the Administrators
group, the folder would be owned by "Administrators group", and the ACE
entry "BUILTIN\Administrators:(F)" would be added. The remaining "Full Control"
ACEs are inherited from the parent folder:

BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

This setting ensures that administrators have a better chance to fully
control the folder, even if the folder does not inherit ACEs from its
parent.

In Windows XP, the default value of "System objects: Default owner for
objects created by members of the Administrators group" is "Object creator"
(see KB: http://support.microsoft.com/kb/318825/en-us), so you do not see
the entry "BUILTIN\Administrators:(F)" in XP; instead, you see an
additional Full-control ACE for the creator.

Does this explanation answer your concerns on "BUILTIN\Administrators:(F)"?
If you really dislike it, you may consider changing the above security
option in Windows Server 2003.

> Ultimately, what I'm trying to achieve is to add an ACE to a DACL that
> will simply inherit down to all new sub-folders created below it. This
> is for user's own homeDirectory shares and also for areas of
> corporate-wide mapped drives where multiple users can create
> sub-folders in their own top-level folders.

It seems that what you are trying to do can be achieved with this option in
the dialog "Advanced Security Settings for <foldername>" of the
top-most folder:

"Replace permission entries on all child objects with entries shown here
that apply to child objects"

All subfolders and files will have all their permission entries reset to
the same permissions as the parent object. But please note: If you do this,
after you click Apply or OK, you cannot undo this operation if you click to
clear the check boxes. Please let me know whether you like this idea. I'm
researching to see how to do it programmatically.

Regards,
Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================
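The inheritance flags quoted in this thread ((OI), (CI), (IO), (I)) and the request for an ACE that flows down to existing and newly created subfolders, as an added PowerShell example that is not code from either poster; $Root and $Account are placeholders for a disposable test tree and a local test account.

```powershell
# Added example, not from the thread. Maps .NET inheritance/propagation flags
# to the letters icacls prints, adds an (OI)(CI) ACE on a top-level folder and
# lists how it appears on the folder itself and on an existing child.
$Root    = 'D:\testfolder'   # placeholder: a test tree you can throw away
$Account = 'WS1\LocalUser'   # placeholder: the local test account used in the thread

$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]

function Get-IcaclsStyleFlags {
    # Render one access rule's inheritance the way icacls shows it.
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $f = ''
    if ($Rule.IsInherited)                                    { $f += '(I)'  }
    if ($Rule.InheritanceFlags.HasFlag($IF::ObjectInherit))    { $f += '(OI)' }
    if ($Rule.InheritanceFlags.HasFlag($IF::ContainerInherit)) { $f += '(CI)' }
    if ($Rule.PropagationFlags.HasFlag($PF::InheritOnly))      { $f += '(IO)' }
    if ($Rule.PropagationFlags.HasFlag($PF::NoPropagateInherit)) { $f += '(NP)' }
    return $f
}

function Show-Dacl {
    # One line per ACE: principal, icacls-style flags, rights.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        '{0,-30} {1,-18} {2}' -f $ace.IdentityReference, (Get-IcaclsStyleFlags $ace), $ace.FileSystemRights
    }
}

# Build a small tree so there are existing children to propagate to.
New-Item -ItemType Directory -Path "$Root\sub\deeper" -Force | Out-Null

# ContainerInherit + ObjectInherit is the (OI)(CI) pair; PropagationFlags None
# means the ACE is also effective on $Root itself. Using InheritOnly instead
# would give the (IO) form from the thread, which applies only to children.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $Root
$acl.AddAccessRule($rule)
# Set-Acl writes the DACL; Windows then walks the tree and stamps the
# inheritable ACE on every existing child, which is the slow step on a big tree.
Set-Acl -Path $Root -AclObject $acl

Show-Dacl $Root               # the new entry shows as (OI)(CI)
Show-Dacl "$Root\sub\deeper"  # the same entry shows as (I)(OI)(CI)
```

New folders created under $Root afterwards pick up the entry from their parent at creation time, so no further propagation is needed for them.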
