Re: Confusion over IO (Inherit Only) ACE on Vista



Dear Jialiang Ge,

Could you try running my BAT file on a Vista workstation with a D drive? When I run it, the results I see are unexpected.

d:\test\test BUILTIN\Administrators:(I)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
             NT AUTHORITY\Authenticated Users:(I)(M)
             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
             BUILTIN\Users:(I)(RX)
             BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

d:\test\test BUILTIN\Administrators:F
             BUILTIN\Administrators:(OI)(CI)(IO)F
             NT AUTHORITY\SYSTEM:F
             NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
             NT AUTHORITY\Authenticated Users:C
             NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C
             BUILTIN\Users:R
             BUILTIN\Users:(OI)(CI)(IO)(special access:)
                 GENERIC_READ
                 GENERIC_EXECUTE

Note, there are no (ID) flags in the cacls.exe output, but there are (I) flags in the icacls.exe output. Why?

Now "reset inheritance propagation" for d:\test\test (e.g. untick and then re-tick the box in the GUI), then run

cacls.exe d:\test\test

The output says:

d:\test\test BUILTIN\Administrators:(ID)F
             BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
             NT AUTHORITY\SYSTEM:(ID)F
             NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
             NT AUTHORITY\Authenticated Users:(ID)C
             NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
             BUILTIN\Users:(ID)R
             BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                 GENERIC_READ
                 GENERIC_EXECUTE

Note the (ID) flags are now shown.

The important part of this test is the first output from icacls and cacls; they do not agree...

--
Gerry Hickman
London (UK)

"Jialiang Ge [MSFT]" <jialge@xxxxxxxxxxxxxxxxxxxx> wrote in message news:1nmHNiYYJHA.2052@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello Gerry

It was my fault. The wording was not clear to express my meaning.

Cacls has different forms of output:

Cacls d:\test\
This lists the basic DACL of the file, and it does not display ACE
INHERITED_ACE, even after we reset "inheritance propagation", according to
our test result. However, the new tool, icacls, can display INHERITED_ACE
rightly.

Cacls d:\test\ /S
This outputs the SDDL of the file, and it can display the ID flag after we
reset "inheritance propagation".

The first part in my last reply refers to Cacls d:\test\. You are right. I
should not have said "by no means could we see which ACEs are inherited
from the parent in the output of Cacls.". The SDDL output of Cacls can tell
us the INHERITED_ACE info. I should have made my meaning clearer.

For the fourth question "If the default DACL setting is not correct, why is
the inheritance still working fine?", I'm still waiting for the product
group's comments. If this issue is indeed very urgent, you may consider
creating a support incident in our Customer Service & Support department
(http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx). Because it
is a known issue of our product, the support incident will be free of
charge.

Regards,
Jialiang Ge (jialge@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================
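
Added example, not part of either poster's message and not code from any Microsoft tool: a small Python reader for the SDDL form that "Cacls /S" is described as printing above, reporting which ACEs carry the ID (INHERITED_ACE) and IO (inherit only) flags. The SDDL string is constructed for illustration (its last ACE deliberately lacks ID), and conditional ACEs are not handled.

```python
import re

# SDDL ace_flags codes and the Windows SDK constants they stand for.
ACE_FLAGS = {
    "OI": "OBJECT_INHERIT_ACE", "CI": "CONTAINER_INHERIT_ACE",
    "NP": "NO_PROPAGATE_INHERIT_ACE", "IO": "INHERIT_ONLY_ACE",
    "ID": "INHERITED_ACE", "SA": "SUCCESSFUL_ACCESS_ACE_FLAG",
    "FA": "FAILED_ACCESS_ACE_FLAG",
}

def parse_dacl(sddl):
    """Return (dacl_flags, aces) parsed from the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z_]*)((?:\([^()]*\))*)", sddl)
    if m is None:
        raise ValueError("no D: (DACL) component found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE string: (%s)" % body)
        ace_type, flags, rights, _obj, _inh_obj, trustee = fields[:6]
        codes = re.findall(r"[A-Z]{2}", flags)
        if "".join(codes) != flags or any(c not in ACE_FLAGS for c in codes):
            raise ValueError("unrecognised ace_flags %r" % flags)
        aces.append({
            "type": ace_type, "trustee": trustee, "rights": rights,
            "flags": codes,
            "inherited": "ID" in codes,      # ACE was inherited from the parent
            "inherit_only": "IO" in codes,   # ACE does not apply to this object itself
        })
    return m.group(1), aces

def cacls_style(ace):
    """Render the flags the way the cacls listing does, e.g. (OI)(CI)(IO)(ID)."""
    return "".join("(%s)" % c for c in ace["flags"])

def explicit_aces(aces):
    """ACEs set directly on the object, i.e. without the ID flag."""
    return [a for a in aces if not a["inherited"]]

# Constructed sample, not output captured from the poster's machine.
SAMPLE = "O:BAG:SYD:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x1301bf;;;AU)(A;OICIIO;GXGR;;;BU)"

if __name__ == "__main__":
    dacl_flags, aces = parse_dacl(SAMPLE)
    print("DACL flags:", dacl_flags)
    for a in aces:
        print(a["trustee"], a["rights"], cacls_style(a) or "(none)",
              "inherited" if a["inherited"] else "explicit")
```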