Posted by Roger Abell [MVP] on February 8, 2008, 1:10 am
Hi Brian,
I am sorry, but I do not understand what it is that you see
as the issue/error.
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
taken together are
BUILTIN\Users:(OI)(CI)(RX)
If as you say BUILTIN\Users:(RX) were wrong (i.e. being shown
in error by icacls when not in fact present), then Users would have
no grant to read files at c:\ nor to list the directory.
The other grants to Users do not carry read files or list directory:
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
where the two with (IO) are "inherit only" (they have effect only
for accesses of what they inherit onto) and the one without only
grants ability to create subdirectories under D:\
When an ACL has been accessed with the NTFS permissions
dialog it is not at all uncommon for its ACEs to be reordered
and consolidated when the ACL is applied.
Roger
> On a number of W2003 servers here, if I do
>
> icacls C:\
>
> I get...
>
> C:\ BUILTIN\Administrators:(F)
> BUILTIN\Administrators:(OI)(CI)(IO)(F)
> NT AUTHORITY\SYSTEM:(F)
> NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
> CREATOR OWNER:(OI)(CI)(IO)(F)
> BUILTIN\Users:(RX)
> BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
> BUILTIN\Users:(CI)(AD)
> BUILTIN\Users:(CI)(IO)(WD)
> Everyone:(RX)
>
> The ACE BUILTIN\Users:(RX) is wrong!
>
> It *behaves* and indeed appears in the graphical DACL editing tool in
> Explorer (Properties -> Security-> Advanced) as if it were
>
> BUILTIN\Users:(CI)(OI)(RX)
>
> (That is to say it does get inherited by objects and containers).
>
> If I edit that ACE in Explorer - but save it without making any *visible*
> change then it subsequently appears correctly in ICACLS.
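
Added example, not part of the original posts: a Python sketch that parses the icacls listing quoted above and computes what BUILTIN\Users is granted on C:\ itself, on subfolders and on files, then compares that with the consolidated (OI)(CI)(RX) form. The function name, the scope labels and the treatment of GR/GE as already mapped to file rights are assumptions of this example.

```python
import re

# Constructed input: the icacls C:\ listing quoted in the thread.
LISTING = r"""C:\ BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    CREATOR OWNER:(OI)(CI)(IO)(F)
    BUILTIN\Users:(RX)
    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
    BUILTIN\Users:(CI)(AD)
    BUILTIN\Users:(CI)(IO)(WD)
    Everyone:(RX)"""

# Constructed input: the same Users grants with the first two ACEs merged.
CONSOLIDATED = "\n".join([r"BUILTIN\Users:(OI)(CI)(RX)",
                          r"BUILTIN\Users:(CI)(AD)",
                          r"BUILTIN\Users:(CI)(IO)(WD)"])

FLAGS = {"OI", "CI", "IO"}
# File access masks for the rights that appear in the thread. GR/GE are
# modelled as already mapped to file rights (assumption of this example).
MASK = {"F": 0x1F01FF, "RX": 0x1200A9, "GR": 0x120089, "GE": 0x1200A0,
        "AD": 0x4, "WD": 0x2}

def effective(listing, trustee, path="C:\\"):
    """Masks granted to trustee on the folder itself, on subfolders, on files."""
    scope = {"this folder": 0, "subfolders": 0, "files": 0}
    for line in listing.splitlines():
        # Drop the leading path on the first line, then split "trustee:(..)(..)".
        who, _, spec = line.replace(path, "", 1).strip().rpartition(":")
        if who != trustee:
            continue
        tokens = re.findall(r"\(([^)]*)\)", spec)
        flags = {t for t in tokens if t in FLAGS}
        mask = 0
        for t in tokens:
            if t not in FLAGS:
                for right in t.split(","):
                    mask |= MASK[right]
        if "IO" not in flags:      # inherit-only ACEs skip the object itself
            scope["this folder"] |= mask
        if "CI" in flags:          # container inherit: reaches subfolders
            scope["subfolders"] |= mask
        if "OI" in flags:          # object inherit: reaches files
            scope["files"] |= mask
    return scope

if __name__ == "__main__":
    split, merged = (effective(x, r"BUILTIN\Users") for x in (LISTING, CONSOLIDATED))
    for name, m in split.items():
        print(f"{name:12} 0x{m:06X}")
    print("same as consolidated form:", split == merged)
```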