Re: NTFS Effective Permissions?
From: Gerry Hickman (gerry666uk_at_yahoo.co.uk)
Date: 01/25/05
- Next message: Gerry Hickman: "Re: global objects in wsh"
- Previous message: Andrew Madsen: "Scripting for NIC Teaming"
- In reply to: Al Dunbar [MS-MVP]: "Re: NTFS Effective Permissions?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 25 Jan 2005 21:09:22 +0000
Hi Al,
> I provided some specific
> values in previous posts that gave the specific ACE flag values in question
> that differed, yet you seem to be ignoring that aspect of the issue I am
> trying to understand here.
No, I'm not ignoring it - I've got the print-out in front of me, but I
was hoping to be able to test a profile on one of my own machines to see
if I got the same results. It's not exactly easy to create a set of
folders with the exact permissions, flags and masks that you posted in
the example. How am I supposed to test it if I can't re-create it?
Anyway, here's a few thoughts:
I'm assuming all your numeric data is in hex? The ACE_FLAGS usually
define the type of inheritance. Note that this can even apply to HOW the
object was created in the first place. In the "Jon" profile you have
some aceflags of 0. This agrees with CACLS - note that the first three
entries for Jon end with ':F' in CACLS - no inheritance at all. In
Windows 2000, this usually DOES show up in the GUI - if you check the
parent folder of such an object it will have a tick box at the foot of
the "View/Edit" dialog. However, maybe if the object was created
programatically, and hard-coded permissions were set, this tick box
would not be ticked, because the parent object would not know what's
going on below...
In the case of the accessmask, it appears they are all identical
(001F01FF full control), except for the last 3 of the Jon profile which
are showing as "Generic full control". The difference between "ordinary
full control" and "generic full control" is somewhat unclear, and almost
certainly cannot be displayed in the GUI of Win2k or XP!
You are therefore right in saying the GUI cannot display all possible
combinations. I'm guessing the reason is related to having to restrict
the GUI to combinations of ACEs that can sensibly be adjusted by a user.
-- Gerry Hickman (London UK)
- Next message: Gerry Hickman: "Re: global objects in wsh"
- Previous message: Andrew Madsen: "Scripting for NIC Teaming"
- In reply to: Al Dunbar [MS-MVP]: "Re: NTFS Effective Permissions?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
