NTUser Folder and File Access Rules
-
Hi, I am programmatically adding an Access Rule to a file for BUILTIN\Users and giving them Full Control. The same file also inherits from its folder an Access Rule for BUILTIN\Users with lower control levels. My question is: you can apparently set as many rules as there are combinations for an NTUser, BUT which one will apply? Hopefully in the above case, Full Control will be granted. My second question: will the same apply to folders? Thanks, Glen
Glen Harvy
-
Hi Glen, If my memories of MS FS training serve me correctly, deny takes precedence over all other permissions (even if you add explicit allow full control permissions to an object). The same is true for folders. For example, BUILTIN\Joe has allow read-only permissions for a folder named 'test'. The folder 'test' has a file within it which is inheriting permissions. You then add a permission to the file to allow him full control. The result will be that Joe will have full control, as the inherited permission will be superseded by the explicit permission. However, if the allow read-only permission in the example above was changed to deny, the allow full control permission set on the object would be superseded by the deny permission. KR Oliver
-
Hi Oliver, First, my sincere thanks for responding. I have delayed answering because I wanted to look further into this and do some testing. As you can see from the following, you can have different permissions for the same NTUser account:

2009-03-26 17:12:51.6832 TestVista.Form1 Captured the ------------ BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 IdentityReference.Value: BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 AccessControlType: Allow
2009-03-26 17:12:51.6832 TestVista.Form1 FileSystemRights: FullControl
2009-03-26 17:12:51.6832 TestVista.Form1 InheritanceFlags: ContainerInherit, ObjectInherit
2009-03-26 17:12:51.6832 TestVista.Form1 IsInherited: False
2009-03-26 17:12:51.6832 TestVista.Form1 PropagationFlags: None
<-->
2009-03-26 17:12:51.6832 TestVista.Form1 Captured the ------------ BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 IdentityReference.Value: BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 AccessControlType: Allow
2009-03-26 17:12:51.6832 TestVista.Form1 FileSystemRights: ReadAndExecute, Synchronize
2009-03-26 17:12:51.6832 TestVista.Form1 InheritanceFlags: ContainerInherit, ObjectInherit
2009-03-26 17:12:51.6832 TestVista.Form1 IsInherited: True
2009-03-26 17:12:51.6832 TestVista.Form1 PropagationFlags: None
2009-03-26 17:12:51.6832 TestVista.Form1 Captured the ------------ BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 IdentityReference.Value: BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 AccessControlType: Allow
2009-03-26 17:12:51.6832 TestVista.Form1 FileSystemRights: AppendData
2009-03-26 17:12:51.6832 TestVista.Form1 InheritanceFlags: ContainerInherit
2009-03-26 17:12:51.6832 TestVista.Form1 IsInherited: True
2009-03-26 17:12:51.6832 TestVista.Form1 PropagationFlags: None
2009-03-26 17:12:51.6832 TestVista.Form1 Captured the ------------ BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 IdentityReference.Value: BUILTIN\Users
2009-03-26 17:12:51.6832 TestVista.Form1 AccessControlType: Allow
2009-03-26 17:12:51.6832 TestVista.Form1 FileSystemRights: CreateFiles
2009-03-26 17:12:51.6832 TestVista.Form1 InheritanceFlags: ContainerInherit
2009-03-26 17:12:51.6832 TestVista.Form1 IsInherited: True
2009-03-26 17:12:51.6832 TestVista.Form1 PropagationFlags: None

This at first confused me immensely, but your comments and my searching have helped me understand a lot more. First, explicitly set permissions override inherited permissions, deny
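The rule that decides "which one will apply" in this thread is the canonical DACL order Windows walks during an access check: explicit Deny, explicit Allow, inherited Deny, inherited Allow, with Allow bits accumulating and any Deny that covers a still-outstanding bit failing the whole request (so an explicit Allow does beat an inherited Deny, while an explicit Deny beats everything). The model below is an added example written for this page, not code from the thread or from .NET; `Rights`, `Ace` and the scenario values are constructed stand-ins for FileSystemRights and FileSystemAccessRule.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Rights(Flag):
    """Small stand-in for FileSystemRights (constructed, not the real enum)."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMISSIONS


@dataclass(frozen=True)
class Ace:
    identity: str      # e.g. "BUILTIN\\Users"
    allow: bool        # True = Allow ACE, False = Deny ACE
    rights: Rights
    inherited: bool    # IsInherited on the .NET access rule


def canonical_order(dacl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, token_groups, requested):
    """First-match-per-bit walk over the DACL in canonical order."""
    outstanding = requested
    for ace in canonical_order(dacl):
        if ace.identity not in token_groups:
            continue                      # ACE is for someone else
        if ace.allow:
            outstanding &= ~ace.rights    # Allow bits accumulate
            if not outstanding:
                return True               # every requested bit granted
        elif ace.rights & outstanding:
            return False                  # Deny on a bit still needed
    return False                          # nothing granted the rest: implicit deny


# Constructed scenarios mirroring the thread (not the poster's real ACLs)
USERS = "BUILTIN\\Users"
folder_read = Ace(USERS, True, Rights.READ | Rights.EXECUTE, inherited=True)
file_full = Ace(USERS, True, Rights.FULL_CONTROL, inherited=False)
folder_deny = Ace(USERS, False, Rights.WRITE, inherited=True)
file_deny = Ace(USERS, False, Rights.WRITE, inherited=False)


def glens_case():           # inherited Read + explicit FullControl -> FullControl
    return access_check([folder_read, file_full], {USERS}, Rights.FULL_CONTROL)


def inherited_deny_case():  # inherited Deny Write loses to explicit Allow FullControl
    return access_check([folder_deny, file_full], {USERS}, Rights.WRITE)


def explicit_deny_case():   # explicit Deny Write wins over explicit Allow FullControl
    return access_check([file_deny, folder_read, file_full], {USERS}, Rights.WRITE)
```

The same walk applies to folders; the only folder-specific part is which inherited ACEs reach the child, which is what the InheritanceFlags and PropagationFlags in the log above control.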