Re: Why do some folders/registry keys have 2 permissions instead of 1?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/31/05
Date: Mon, 31 Jan 2005 08:25:40 -0700
It gets even worse if you have storage that was once on an NT4
system that underwent upgrade.
AFAIK there is no overall answer to you, but rather just the
fact that the ACEs are adjusted by a variety of routines, not
all of which did things the same way. About the only common
thing is that what gets shown in Explorer's ACL editor is
digested such that when there are multiple ACEs that can
be shown with a generic ACE they are shown with one, even
though the actual SD has this represented not with a generic.
I once attempted something similar to what you are trying,
and eventually gave up due to the unending maze of complex
variations, especially for inherited ACEs.
-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

<w2k_user@nospam.com> wrote in message
news:2rkrv0lmisj17bhgs371ja3m7of8uoi7ik@4ax.com...
> I'm trying to write a script that will compare permissions for a large number
> of files and folders on my hard drive, and it will also compare permissions
> for a large number of registry keys.
>
> I've noticed something strange about how Windows saves permissions for folders
> and registry keys, though, and this will make my script writing much more
> difficult.
>
> Here's the strange thing -- you can check a folder or registry key's
> permissions in Windows Explorer or Regedt32, and see one permission entry for
> a particular group or user. But if you check the folder or registry key's
> permissions on the command line using either cacls.exe or subinacl.exe, you
> will sometimes see that Windows has saved two entries (ACEs) for the
> group/user when it only needed to save one ACE. For example, I have a folder
> that Explorer reports has one ACE for a particular user that is "Full Control"
> and applies to "this folder, subfolders and files." But then cacls reports
> that it has two ACEs for that user:
>
> MYBOX\myuser:F
> MYBOX\myuser:(OI)(CI)(IO)F
>
> For those that are unaware of what those inheritance flags mean: the first
> entry gives Full Control to myuser for "this folder only". The second entry
> gives Full Control to myuser for subfolders (CI) and files (OI), but not this
> folder (IO). So when you put those 2 ACEs together, it means that myuser has
> Full Control for "this folder, subfolders, and files". Why did Windows have
> to create those 2 ACEs instead of just one ACE that granted Full Control for
> "this folder, subfolders, and files"?
>
> I notice the same strangeness with the HKEY_CURRENT_USER key. Regedt32 shows
> that it has 4 different permissions, all of which apply to "this key and
> subkeys". But when you use subinacl.exe, you will see that it has two ACEs
> for each user/group -- one that applies to "this key only" and another that
> applies to "subkeys only" -- for a total of 8 ACEs.
>
> This strangeness wouldn't be a problem if Windows did it consistently, but it
> doesn't. For some folders and registry keys, Explorer and Regedt32 will show
> one permission for a group/user that applies to "this folder, subfolders and
> files" or "this key and subkeys", and then Cacls and subinacl will show only
> one ACE that applies to "this folder, subfolders and files" or "this key and
> subkeys".
>
> Even stranger is that I have a folder with a permission for a particular user
> that applies to the folder, subfolders, and files. Cacls reports only one ACE
> for it:
>
> MYBOX\myuser:(OI)(CI)F
>
> That folder contains several subfolders and files, and I want all of those
> subfolders and files to inherit that permission. You would think that Windows
> would just create the one ACE instead of two for all of the subfolders and
> files, but it doesn't. Some of the subfolders and files have just the one
> ACE, but others have two ACEs (one for "this folder only" and another for
> "subfolders and files") for a reason that I just cannot figure out. If I can
> just get Windows to have all of the subfolders and files inherit the one ACE
> instead of two, then I can write my script pretty easily. But I just can't
> figure out how to do that. I've tried clearing the permissions on all the
> folders and files, and then re-propagating the main folder's permissions onto
> all the subfolders and files, but it always ends up the same way -- the main
> folder has one ACE, but some subfolders and files have two ACEs.
>
> Thanks for taking the time to read this long post. Any ideas would be greatly
> appreciated.
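
Added example (not part of either post, and not the posters' code): a comparison script can sidestep the split ACEs described in this thread by expanding each cacls entry into the scopes it covers before comparing, so one combined ACE and a "this folder only" plus "subfolders and files" pair come out equal. It assumes allow entries with the single-letter rights cacls prints (N, R, W, C, F) and only the (OI), (CI) and (IO) flags discussed above; the function names are hypothetical and the sample entries are constructed from the ones quoted in the post.

```python
import re

# One cacls entry: trustee, optional inheritance flags, one rights letter.
# Flag meanings are the ones given in the thread:
#   (OI) files inherit, (CI) subfolders inherit, (IO) not applied to this folder.
ACE_RE = re.compile(
    r"^(?P<trustee>[^:]+):(?P<flags>(?:\((?:OI|CI|IO)\))*)(?P<rights>[NRWCF])$"
)

def expand(ace):
    """Turn one entry into a set of (trustee, scope, rights) tuples."""
    m = ACE_RE.match(ace.strip())
    if not m:
        # Deny entries, special-access listings and other flags are out of scope.
        raise ValueError(f"unsupported ACE text: {ace!r}")
    flags = set(re.findall(r"\((\w+)\)", m["flags"]))
    scopes = set()
    if "IO" not in flags:
        scopes.add("this")
    if "CI" in flags:
        scopes.add("subfolders")
    if "OI" in flags:
        scopes.add("files")
    # Account names are case-insensitive on Windows, so fold case.
    return {(m["trustee"].lower(), s, m["rights"]) for s in scopes}

def canonical(aces):
    """Representation that is identical for split and combined ACEs."""
    out = set()
    for ace in aces:
        out |= expand(ace)
    return frozenset(out)

def diff(a, b):
    """Return (only_in_a, only_in_b) after canonicalisation."""
    ca, cb = canonical(a), canonical(b)
    return sorted(ca - cb), sorted(cb - ca)

# Constructed sample input based on the entries quoted in the post.
SPLIT = [r"MYBOX\myuser:F", r"MYBOX\myuser:(OI)(CI)(IO)F"]
COMBINED = [r"MYBOX\myuser:(OI)(CI)F"]
THIS_ONLY = [r"MYBOX\myuser:F"]

if __name__ == "__main__":
    print("split == combined:", canonical(SPLIT) == canonical(COMBINED))
    print("combined vs this-only:", diff(COMBINED, THIS_ONLY))
```

Entries the pattern does not recognise raise an error rather than being silently treated as equal, which is the safer failure mode for a permissions audit.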