Security Template does not apply folder permissions

Subject Author Date
Security Template does not apply folder permissions void.no.spam.com 01-02-2007
Posted by on January 2, 2007, 11:00 am
Right now I have a folder that has some permissions directly on it. I
want to use a security template to modify it so that it does not have
any permissions directly on it and instead inherits permissions from
its parent.

I created a security template, and in the File System section I added
an entry for the folder. I checked the "Configure this file or folder
then" box, and then made sure there were no permissions in the Security
tab and that the Advanced section had the "Inherit from parent the
permission entries that apply to child objects" box checked.

Then I saved the template, went to Security Configuration and Analysis
and opened a database, imported the template, and then configured the
computer. But it didn't apply the template setting to the folder --
the folder still had permissions directly on it, and did not inherit
anything from its parent. I analyzed the computer, and in the File
System it did not have a green check mark or red X on the folder; it
just said "subitems defined".

As a side note, I did have an entry for a different folder in my
template (but that one was to directly define a permission onto the
folder). After configuring the computer, that setting was applied (it
showed the green check mark).

Anyone know why the security template doesn't work for a folder when I
want that folder to inherit permissions?


Posted by Roger Abell [MVP] on January 3, 2007, 3:30 am
I have never tried doing it that way, find it an interesting approach
(configure, but with no grants, however specifying to receive
inheritables), and am unsure just what did (or not) happen.
However, on an XP fully up-to-date, I cannot repro what you see,
instead seeing the expected behavior (i.e. dir is left with only
inherited permission settings). Does your line in the template
look like the following? (i.e. does it have 0,"D:AR" ?)
"%SystemDrive%\Temp\test",0,"D:AR"

As said, I have not done this objective that way, but instead define
permissions at the parent and specify to configure the parent and
replace existing permissions on substructure with inheritables.
Now, your circumstance might make that not workable, if the parent
has for example three subfolders and the one you want set to purely
inherit is only one (you want the other three unchanged). In that case
you would add definitions for the other two ticked for Do not allow
permissions to be changed. This would not work out so well if you
have a hundred subdirs, all but a few of which should be left as is.
However, that will do it.

Roger

> Right now I have a folder that has some permissions directly on it. I
> want to use a security template to modify it so that it does not have
> any permissions directly on it and instead inherits permissions from
> its parent.
>
> I created a security template, and in the File System section I added
> an entry for the folder. I checked the "Configure this file or folder
> then" box, and then made sure there were no permissions in the Security
> tab and that the Advanced section had the "Inherit from parent the
> permission entries that apply to child objects" box checked.
>
> Then I saved the template, went to Security Configuration and Analysis
> and opened a database, imported the template, and then configured the
> computer. But it didn't apply the template setting to the folder --
> the folder still had permissions directly on it, and did not inherit
> anything from its parent. I analyzed the computer, and in the File
> System it did not have a green check mark or red X on the folder; it
> just said "subitems defined".
>
> As a side note, I did have an entry for a different folder in my
> template (but that one was to directly define a permission onto the
> folder). After configuring the computer, that setting was applied (it
> showed the green check mark).
>
> Anyone know why the security template doesn't work for a folder when I
> want that folder to inherit permissions?
>



Posted by on January 3, 2007, 8:20 pm
Roger Abell [MVP] wrote:
> I have never tried doing it that way, find it an interesting approach
> (configure, but with no grants, however specifying to receive
> inheritables), and am unsure just what did (or not) happen.
> However, on an XP fully up-to-date, I cannot repro what you see,
> instead seeing the expected behavior (i.e. dir is left with only
> inherited permission settings). Does your line in the template
> look like the following? (i.e. does it have 0,"D:AR" ?)
> "%SystemDrive%\Temp\test",0,"D:AR"

I had originally encountered the problem on my XP laptop at home. Then
yesterday, I attempted to reproduce the problem on my XP machine at
work. But I couldn't reproduce it. However, I just did another test
on my work machine, and encountered the problem.

Here's what I did:

I created 4 directories:
- c:\testing\inherit_propagate (this was set to inherit perms from its
parent)
- c:\testing\inherit_replace (this was set to inherit perms from its
parent)
- c:\testing\noinherit_propagate (this had inheritance disabled, and
had some perms directly defined on it)
- c:\testing\noinherit_replace (this had inheritance disabled, and had
some perms directly defined on it)

(In addition, each of those directories contained 2 subdirectories for
the purpose of testing the Propagate and Replace options - one that
inherited, and one that did not inherit)

Then I created a security template and put 4 entries into the File
System section:
- one for c:\testing\inherit_propagate - I told it to disable
inheritance and directly define some perms, and then checked the
"Propagate" box
- one for c:\testing\inherit_replace - I told it to disable inheritance
and directly define some perms, and then checked the "Replace" box
- one for c:\testing\noinherit_propagate - I removed all directly
defined perms and checked the inheritance box, and then checked
"Propagate"
- one for c:\testing\noinherit_replace - I removed all directly defined
perms and checked the inheritance box, and then checked "Replace"

Then I saved the template, created a database, imported the template,
and configured the computer.

The c:\testing\inherit_propagate and c:\testing\inherit_replace
directories had the template applied properly. The
c:\testing\noinherit_propagate and c:\testing\noinherit_replace
directories were not affected at all.

I then analyzed the computer, and it reported the following:
- c:\testing\inherit_propagate - green check mark (however, it did not
put green check marks on the 2 subfolders for some reason)
- c:\testing\inherit_replace - green check mark, and also green check
marks on the 2 subfolders
- c:\testing\noinherit_propagate - nothing, and nothing on the 2
subfolders
- c:\testing\noinherit_replace - red X, but for some reason it put
green check marks on the 2 subfolders

Here is what the template looks like:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemDrive%\testing\noinherit_replace",2,"D:AR"
"%SystemDrive%\testing\noinherit_propagate",0,"D:AR"
"%SystemDrive%\testing\delete_this_one",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\testing\inherit_replace",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\testing\inherit_propagate",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"


> As said, I have not done this objective that way, but instead define
> permissions at the parent and specify to configure the parent and
> replace existing permissions on substructure with inheritables.
> Now, your circumstance might make that not workable, if the parent
> has for example three subfolders and the one you want set to purely
> inherit is only one (you want the other three unchanged). In that case
> you would add definitions for the other two ticked for Do not allow
> permissions to be changed. This would not work out so well if you
> have a hundred subdirs, all but a few of which should be left as is.
> However, that will do it.

Hmm, let me think about that.

Thanks for your help, Roger.


Posted by Roger Abell [MVP] on January 4, 2007, 12:39 am
So I have to factor and group your test . . .

4 directories:

- c:\testing\inherit_propagate
(this was set to inherit perms from its parent)
template File System section:
I told it to disable inheritance
and directly define some perms,
and then checked the "Propagate" box
"%SystemDrive%\testing\inherit_propagate",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
> configure: had the template applied properly
> post-configure analyze reported:
green check mark, did not put green check marks on the 2 subfolders
comment:
that all seems normal; green check marks are placed where the
sddl requires a change, but it would result in no change.
the subfolders are not required to be changed (only if not aligned
to the spec)

- c:\testing\inherit_replace
(this was set to inherit perms from its parent)
template File System section:
I told it to disable inheritance
and directly define some perms,
and then checked the "Replace" box
"%SystemDrive%\testing\inherit_replace",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"

> configure: had the template applied properly
> post-configure analyze reported:
green check mark, and also green check marks on the 2 subfolders
comment:
as before, here subfolders were specified to be replace (2) regardless
Admittedly placement of checkmarks is a little "peculiar" and
takes some getting used to. Also, be aware that the counts of
discrepancies is known to be highly obscure (actually I was told
by a member of that team that it is actually just plain in error as
the summing propagates up)

- c:\testing\noinherit_propagate
(this had inheritance disabled,
and had some perms directly defined on it)
template File System section:
I removed all directly defined perms
and checked the inheritance box,
and then checked "Propagate"
"%SystemDrive%\testing\noinherit_propagate",0,"D:AR"
> configure: directories were not affected at all.
> post-configure analyze reported:
nothing, and nothing on the 2 subfolders
comment:
I do not repro this result
post-config analyze is green check, subdirs not checked
permissions are changed as expected, including the state
of the inheritance spec - but note, the non-inheriting subdir
is left unchanged (we are only propagating, not replacing
and that dir does not allow propagation onto it)

- c:\testing\noinherit_replace
(this had inheritance disabled,
and had some perms directly defined on it)
template File System section:
I removed all directly defined perms
and checked the inheritance box,
and then checked "Replace"
"%SystemDrive%\testing\noinherit_replace",2,"D:AR"
> configure: directories were not affected at all.
> post-configure analyze reported:
red X, but green check marks on the 2 subfolders
comment:
I do not repro this result
post-config analyze is green checked, subdirs green checked
permissions are as expected, including the state of the
inheritance spec, and entire structure is purely inheriting
from its parent, all subdirs included


Notes:
I defined the structure to parallel your cases, used your
template slightly edited, but in all critical ways unchanged,
did an NTbackup of the empty structure of dirs, opened
sec database in imported template with clearing, analyzed
(at this point variances were
red x at each upper dir, red x on each non-inheriting sub dir
of a *_replace upper dir, green check on each inheriting sub
dir of a *_replace upper dir, plain unmarked folders for all
sub dirs of *_propagate
these are what I would expect)
then configured, and finally reanalyzed.



> Roger Abell [MVP] wrote:
>> I have never tried doing it that way, find it an interesting approach
>> (configure, but with no grants, however specifying to receive
>> inheritables), and am unsure just what did (or not) happen.
>> However, on an XP fully up-to-date, I cannot repro what you see,
>> instead seeing the expected behavior (i.e. dir is left with only
>> inherited permission settings). Does your line in the template
>> look like the following? (i.e. does it have 0,"D:AR" ?)
>> "%SystemDrive%\Temp\test",0,"D:AR"
>
> I had originally encountered the problem on my XP laptop at home. Then
> yesterday, I attempted to reproduce the problem on my XP machine at
> work. But I couldn't reproduce it. However, I just did another test
> on my work machine, and encountered the problem.
>
> Here's what I did:
>
> I created 4 directories:
> - c:\testing\inherit_propagate (this was set to inherit perms from its
> parent)
> - c:\testing\inherit_replace (this was set to inherit perms from its
> parent)
> - c:\testing\noinherit_propagate (this had inheritance disabled, and
> had some perms directly defined on it)
> - c:\testing\noinherit_replace (this had inheritance disabled, and had
> some perms directly defined on it)
>
> (In addition, each of those directories contained 2 subdirectories for
> the purpose of testing the Propagate and Replace options - one that
> inherited, and one that did not inherit)
>
> Then I created a security template and put 4 entries into the File
> System section:
> - one for c:\testing\inherit_propagate - I told it to disable
> inheritance and directly define some perms, and then checked the
> "Propagate" box
> - one for c:\testing\inherit_replace - I told it to disable inheritance
> and directly define some perms, and then checked the "Replace" box
> - one for c:\testing\noinherit_propagate - I removed all directly
> defined perms and checked the inheritance box, and then checked
> "Propagate"
> - one for c:\testing\noinherit_replace - I removed all directly defined
> perms and checked the inheritance box, and then checked "Replace"
>
> Then I saved the template, created a database, imported the template,
> and configured the computer.
>
> The c:\testing\inherit_propagate and c:\testing\inherit_replace
> directories had the template applied properly. The
> c:\testing\noinherit_propagate and c:\testing\noinherit_replace
> directories were not affected at all.
>
> I then analyzed the computer, and it reported the following:
> - c:\testing\inherit_propagate - green check mark (however, it did not
> put green check marks on the 2 subfolders for some reason)
> - c:\testing\inherit_replace - green check mark, and also green check
> marks on the 2 subfolders
> - c:\testing\noinherit_propagate - nothing, and nothing on the 2
> subfolders
> - c:\testing\noinherit_replace - red X, but for some reason it put
> green check marks on the 2 subfolders
>
> Here is what the template looks like:
>
> [Unicode]
> Unicode=yes
> [Version]
> signature="$CHICAGO$"
> Revision=1
> [File Security]
> "%SystemDrive%\testing\noinherit_replace",2,"D:AR"
> "%SystemDrive%\testing\noinherit_propagate",0,"D:AR"
> "%SystemDrive%\testing\delete_this_one",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
> "%SystemDrive%\testing\inherit_replace",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
> "%SystemDrive%\testing\inherit_propagate",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
>
>
>> As said, I have not done this objective that way, but instead define
>> permissions at the parent and specify to configure the parent and
>> replace existing permissions on substructure with inheritables.
>> Now, your circumstance might make that not workable, if the parent
>> has for example three subfolders and the one you want set to purely
>> inherit is only one (you want the other three unchanged). In that case
>> you would add definitions for the other two ticked for Do not allow
>> permissions to be changed. This would not work out so well if you
>> have a hundred subdirs, all but a few of which should be left as is.
>> However, that will do it.
>
> Hmm, let me think about that.
>
> Thanks for your help, Roger.
>



Posted by Roger Abell [MVP] on January 4, 2007, 1:13 am
the form I used really should have been:


- c:\testing\inherit_propagate
(this was set to inherit perms from its parent)
template File System section:
I told it to disable inheritance (i.e. D:P)
and directly define some perms (i.e += D:PAR(...)(.))
template application: <--- <--- new <---
checked the "Propagate" box (sic - selected radio) (ie += 0,"D:P...)
"%SystemDrive%\testing\inherit_propagate",0,"D:PAR(...)(.)
etc.
instead of :
template File System section:
I told it to disable inheritance
and directly define some perms,
and then checked the "Propagate" box

Also . . .
I have hint to suspect issue is part in expectations of
just what Propagate means as distinct from Replace.
Prior does not, latter does overrule an inheritance block.

--
ra
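
The [File Security] lines discussed in this thread, decoded by a short Python parser so the mode field (0 or 2) and the DACL flags (P, AR) can be checked before a template is imported. This is an added example, not part of any post in the thread; the function names are hypothetical, mode value 1 comes from general knowledge of the template format rather than from the thread, and only DACL-only SDDL strings like the ones posted are handled.

```python
import re

# The four test-folder lines from the template posted in the thread.
TEMPLATE = r'''
[File Security]
"%SystemDrive%\testing\noinherit_replace",2,"D:AR"
"%SystemDrive%\testing\noinherit_propagate",0,"D:AR"
"%SystemDrive%\testing\inherit_replace",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\testing\inherit_propagate",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
'''

# Mode field: 0 and 2 are named in the thread; 1 ("do not allow permissions
# to be changed") is from general knowledge of the template format.
MODES = {"0": "propagate", "1": "ignore", "2": "replace"}
ENTRY = re.compile(r'"(?P<path>[^"]+)",(?P<mode>[012]),"(?P<sddl>[^"]*)"')
# Assumption: DACL-only SDDL, as in the thread (no O:, G: or S: parts).
DACL = re.compile(r'D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)')
CHILD_EFFECT = {
    "propagate": "children that block inheritance keep their own ACL",
    "replace": "children are reset to inherit, even if they blocked inheritance",
    "ignore": "folder and children are left alone",
}

def parse_entry(line):
    """Decode one "path",mode,"SDDL" line into a dict."""
    m = ENTRY.fullmatch(line.strip())
    d = DACL.fullmatch(m["sddl"]) if m else None
    if not d:
        raise ValueError(f"unsupported File Security entry: {line!r}")
    flags = re.findall(r"AR|AI|P", d["flags"])   # P=protected, AR/AI=auto-inherit
    if "".join(flags) != d["flags"]:
        raise ValueError(f"unknown DACL flags: {d['flags']!r}")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", d["aces"]):
        fields = body.split(";")                 # type;flags;rights;guid;guid;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "trustee": fields[5]})
    mode = MODES[m["mode"]]
    return {"path": m["path"], "mode": mode, "protected": "P" in flags,
            "aces": aces, "inherit_only": "P" not in flags and not aces,
            "children": CHILD_EFFECT[mode]}

def parse_template(text):
    """Return decoded entries from the [File Security] section only."""
    section, entries = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line and section == "File Security":
            entries.append(parse_entry(line))
    return entries
```

Calling `parse_template(TEMPLATE)` shows the two `D:AR` entries as inherit-only (no P flag, no explicit ACEs) and the two `D:PAR(...)` entries as protected with four explicit ACEs, with the mode telling whether non-inheriting subfolders are left alone (0) or overwritten (2).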


