Re: Security Template does not apply folder permissions



I put a bit of syntax into Protect Your Windows Network
(http://www.protectyourwindowsnetwork.com). Microsoft has never documented
the syntax that I know of.

The syntax of the ACL is quite straightforward though. It is just SDDL.
D:AR means "Auto-Inherit Required." It means that the ACL _should_ inherit
from the parent. D:AI means that the ACL _is_ inherited from the parent.
Normally, AI would never be set programmatically. It would be set when the OS
propagates inheritance from a parent to a child, so that programs can
determine that this has been done. AR is what programs should set to indicate
that they want this propagation to be done. However, setting AR does not
actually initiate a propagation. Prior to Windows Vista, there was no
documented way to actually trigger the propagation. However, secedit can do
it, if you use D:AI in the template. Doing so causes secedit to actually
start a propagation to this directory. This does not work in any other tool
that I have been able to find and is not documented. In fact, I am not sure
it was even intentional that it work that way.

In Windows Vista you can trigger a propagation with icacls /reset, so the
trick with using D:AI is no longer needed there.

"void.no.spam.com@xxxxxxxxx" wrote:

Jesper wrote:
You can't create a template that just sets the inheritance bit in the GUI.
You have to hand-edit the template to do that. Here is a sample template that
does it:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
1="c:\program files\common files\microsoft shared\vgx\vgx.dll", 0, "D:AI"


The D:AI is the part that does the trick. Replace the name of the file that
I have with the folder name and you should be good to go.

I just tried using the GUI on my work computer, and it worked. Here is
the template that the GUI saved:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemDrive%\test\noinherit",0,"D:AR"


So it has D:AR instead of D:AI, and it doesn't have "1=" at the
beginning of the line. Is there any documentation that explains the
syntax of the security templates?

Now I wonder why it worked on my work computer, but not on my home
computer.
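
Added example, not part of the thread and not Microsoft's or the posters' code: a small Python checker that reads the [File Security] section of a template and reports which DACL control flags (P, AR, AI) each entry carries. The entry layout it assumes (optional "N=" prefix, quoted path, mode number, quoted SDDL) is inferred from the two templates quoted above; the function names and the sample are constructed for this example.

```python
import re

# Constructed sample: the two [File Security] lines quoted in the thread, in one file.
SAMPLE = r'''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
1="c:\program files\common files\microsoft shared\vgx\vgx.dll", 0, "D:AI"
"%SystemDrive%\test\noinherit",0,"D:AR"
'''

# Assumed entry layout: optional "N=" prefix, "path", mode, "SDDL".
ENTRY = re.compile(r'^(?:\d+\s*=\s*)?"([^"]+)"\s*,\s*(\d+)\s*,\s*"([^"]*)"\s*$')

def dacl_flags(sddl):
    """Return the DACL control flags between 'D:' and the first ACE, in order."""
    m = re.search(r'D:([A-Z]*)', sddl)
    return re.findall(r'AR|AI|P', m.group(1)) if m else []

def file_security_entries(text):
    """Return (path, mode, flags) for every entry under [File Security]."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "file security" and line:
            m = ENTRY.match(line)
            if m:
                entries.append((m.group(1), int(m.group(2)), dacl_flags(m.group(3))))
    return entries

def report(text):
    """Return one 'path: note' line per entry, using the behaviour described in the thread."""
    out = []
    for path, _mode, flags in file_security_entries(text):
        if "AI" in flags:
            note = "AI: per the thread, secedit starts a propagation to this object"
        elif "AR" in flags:
            note = "AR: requests propagation; per the thread, setting it does not initiate one"
        else:
            note = "no inheritance flag in the DACL string"
        out.append(f"{path}: {note}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

To check a real template, read the file with the encoding it was saved in and pass its text to report().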

