Re: Confusion over IO (Inherit Only) ACE on Vista



Dear Jialiang Ge,

My program is now able to report all details of Security Descriptors set on NTFS FileSystem directories. BUT I've run into a problem I don't understand. Each Security Descriptor has a set of control flags that determine things like inheritance from the parent. There's a flag called

SE_DACL_AUTO_INHERITED

From reading the SDK, my understanding is that this flag did not exist on NT4, but is set by default on Server 2003/2008/XP/Vista, such that if you create a sub-folder it will inherit permissions from above. BUT when I look at the bit flags on the Security Descriptor, I see

0x8004 (SE_SELF_RELATIVE | SE_DACL_PRESENT)

The 0x0400 flag is not set and SDDL doesn't show any inheritance. If I go into Windows Explorer, untick the inheritance box and then re-tick the inheritance box, the bit flags on the folder then become 0x8404 and the SDDL shows AI.

I ran my tests on the D: drives of Windows 2003 server and Vista, which were created with FORMAT.EXE

If I look at the C drive on the Vista machine, which was created by the o/s installer, the flags on the folders are set to 0x8404.

--
Gerry Hickman
London (UK)

"Jialiang Ge [MSFT]" <jialge@xxxxxxxxxxxxxxxxxxxx> wrote in message news:zw5gmDhSJHA.4804@xxxxxxxxxxxxxxxxxxxxxxxxx
Good morning Gerry.

This is a very good question: Why are there two ACEs for each trustee
(Administrators, System, Authenticated Users, etc) in Windows Vista?

The default NTFS Discretionary Access Control List (DACL) settings are
changed in Windows Vista. This is documented in the KB article

Changes to the default NTFS Discretionary Access Control List (DACL)
settings in Windows Vista
http://support.microsoft.com/kb/949608

===================================
In Windows XP, the default DACL settings for the %systemroot% directory and
for the data drives are like this:

BUILTIN\Administrators Full control (OI)(CI)

where there is only one entry for the Administrators group. The setting
is not only granted to the current dir, but also inherited by the sub dirs
and files.
When a user creates a folder in XP, the user will have "Full Control"
permission on "This folder only". So there is no inherit permission to
subfolders. When another user creates a new subfolder, the first user does
not have permission to modify the subfolder. (This explains the example at
the beginning of the KB article)

===================================
In Windows Vista, the default settings are changed:

BUILTIN\Administrators Full control
BUILTIN\Administrators Full control (OI)(CI)(IO)

The first line is the security setting of the current folder, and the
second line is the "Inherit Only (IO)" securities, and it "does not apply
to the folder upon which it is applied" as you understood. The two entries
allow us to separate the security of the current dir from the inheritance
security (OI)(CI)(IO). For example:

BUILTIN\Users Read and execute
BUILTIN\Users Generic read, generic execute (OI)(CI)(IO)

Does the above KB and explanation answer your questions? Please feel free
to tell me if you have any other questions or concerns.

Have a very nice day!

Regards,
Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an
initial response from the community or a Microsoft Support Engineer within
2 business day is acceptable. Please note that each follow up response may
take approximately 2 business days as the support professional working with
you may need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations that require urgent,
real-time or phone-based interactions. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
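As an added illustration (not code from either poster), the following Python decoder shows what the control-flag values and ACE flags mentioned in the thread mean: it names the bits in a SECURITY_DESCRIPTOR_CONTROL word, renders the DACL control bits the way SDDL does (so 0x8004 gives an empty flag string and 0x8404 gives "AI"), and turns the (OI)(CI)(IO) flags on an ACE into Explorer's "Applies to" wording, which is what makes Vista's two-ACE layout readable. The numeric constants are the documented winnt.h values; the "Applies to" strings are assumed to match the Explorer labels for directory ACEs, and the sample folder values are the ones quoted in the post.

```python
# Decoder for Windows security-descriptor control flags and ACE inheritance
# flags. Constants are the winnt.h values; nothing here touches the file
# system, so it runs anywhere.

# SECURITY_DESCRIPTOR_CONTROL bits (winnt.h)
SD_CONTROL_FLAGS = {
    0x0001: "SE_OWNER_DEFAULTED",
    0x0002: "SE_GROUP_DEFAULTED",
    0x0004: "SE_DACL_PRESENT",
    0x0008: "SE_DACL_DEFAULTED",
    0x0010: "SE_SACL_PRESENT",
    0x0020: "SE_SACL_DEFAULTED",
    0x0100: "SE_DACL_AUTO_INHERIT_REQ",
    0x0200: "SE_SACL_AUTO_INHERIT_REQ",
    0x0400: "SE_DACL_AUTO_INHERITED",
    0x0800: "SE_SACL_AUTO_INHERITED",
    0x1000: "SE_DACL_PROTECTED",
    0x2000: "SE_SACL_PROTECTED",
    0x4000: "SE_RM_CONTROL_VALID",
    0x8000: "SE_SELF_RELATIVE",
}

# DACL control bits that SDDL prints after "D:", in the order SDDL uses.
SDDL_DACL_FLAGS = [
    (0x1000, "P"),   # SE_DACL_PROTECTED: inheritance from the parent is blocked
    (0x0100, "AR"),  # SE_DACL_AUTO_INHERIT_REQ
    (0x0400, "AI"),  # SE_DACL_AUTO_INHERITED: the "AI" Gerry sees after re-ticking
]

# ACE header flags (winnt.h) with their SDDL abbreviations.
ACE_FLAGS = [
    (0x01, "OI"),  # OBJECT_INHERIT_ACE
    (0x02, "CI"),  # CONTAINER_INHERIT_ACE
    (0x04, "NP"),  # NO_PROPAGATE_INHERIT_ACE
    (0x08, "IO"),  # INHERIT_ONLY_ACE
    (0x10, "ID"),  # INHERITED_ACE
    (0x40, "SA"),  # SUCCESSFUL_ACCESS_ACE_FLAG (SACL only)
    (0x80, "FA"),  # FAILED_ACCESS_ACE_FLAG (SACL only)
]

# Explorer "Applies to" wording for a directory ACE, keyed on (OI, CI, IO).
# Assumed to match the Explorer labels; NP is reported separately.
APPLIES_TO = {
    (False, False, False): "This folder only",
    (False, True, False): "This folder and subfolders",
    (True, False, False): "This folder and files",
    (True, True, False): "This folder, subfolders and files",
    (False, True, True): "Subfolders only",
    (True, False, True): "Files only",
    (True, True, True): "Subfolders and files only",
    (False, False, True): "Inherit-only with no inheritance flags (applies to nothing)",
}


def decode_sd_control(control: int) -> list[str]:
    """Name every set bit of a SECURITY_DESCRIPTOR_CONTROL value, lowest bit first."""
    names = [name for bit, name in sorted(SD_CONTROL_FLAGS.items()) if control & bit]
    known = 0
    for bit in SD_CONTROL_FLAGS:
        known |= bit
    unknown = control & ~known & 0xFFFF
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:04x})")
    return names


def sddl_dacl_flags(control: int) -> str:
    """The flag letters SDDL emits between 'D:' and the first ACE."""
    return "".join(tag for bit, tag in SDDL_DACL_FLAGS if control & bit)


def decode_ace_flags(flags: int) -> str:
    """Render ACE flags in the (OI)(CI)(IO) notation used by icacls and the KB article."""
    return "".join(f"({tag})" for bit, tag in ACE_FLAGS if flags & bit)


def ace_applies_to(flags: int) -> str:
    """Explorer's 'Applies to' description for a directory ACE."""
    key = (bool(flags & 0x01), bool(flags & 0x02), bool(flags & 0x08))
    text = APPLIES_TO[key]
    if flags & 0x04:
        text += " (no propagation beyond one level)"
    return text


def describe_folder(control: int, aces: list[tuple[str, int]]) -> list[str]:
    """One-line summary per ACE plus the descriptor's SDDL DACL prefix."""
    lines = [f"control=0x{control:04x} {' | '.join(decode_sd_control(control))}",
             f"SDDL DACL prefix: D:{sddl_dacl_flags(control)}"]
    for trustee, flags in aces:
        lines.append(f"{trustee} {decode_ace_flags(flags) or '(none)'} -> {ace_applies_to(flags)}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the 0x8004 D: drive folder and the 0x8404 folder from the post,
    # with Vista's split Administrators entries from the KB excerpt.
    vista_aces = [("BUILTIN\\Administrators", 0x00), ("BUILTIN\\Administrators", 0x0B)]
    for ctl in (0x8004, 0x8404):
        print("\n".join(describe_folder(ctl, vista_aces)))
        print()
```

Running it prints, for 0x8004, only SE_DACL_PRESENT and SE_SELF_RELATIVE with a bare "D:" prefix, and for 0x8404 the additional SE_DACL_AUTO_INHERITED with "D:AI"; in both cases the first Administrators ACE is "This folder only" and the (OI)(CI)(IO) ACE is "Subfolders and files only", which is exactly the separation the KB article describes.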