icacls misreports BUILTIN\Users:(RX) on C:\

Brian McCauley

On a number of W2003 servers here, if I do

icacls C:\

I get...

C:\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
Everyone:(RX)

The ACE BUILTIN\Users:(RX) is wrong!

It *behaves* and indeed appears in the graphical DACL editing tool in
Explorer (Properties -> Security-> Advanced) as if it were

BUILTIN\Users:(CI)(OI)(RX)

(That is to say it does get inherited by objects and containers).

If I edit that ACE in Explorer - but save it without making any *visible*
change then it subsequently appears correctly in ICACLS.
 
Roger Abell [MVP]

Hi Brian,

I am sorry, but I do not understand what it is that you see
as the issue/error.

BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
taken together are
BUILTIN\Users:(OI)(CI)(RX)

If as you say BUILTIN\Users:(RX) were wrong (i.e. being shown
in error by icacls when not in fact present), then Users would have
no grant to read files at c:\ nor to list the directory.
The other grants to Users do not carry read files or list directory:
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
where the two with (IO) are "inherit only" (they have effect only
for accesses of what they inherit onto) and the one without only
grants ability to create subdirectories under D:\

When an ACL has been accessed with the NTFS permissions
dialog it is not at all uncommon for its ACEs to be reordered
and consolidated when the ACL is applied.

Roger

"Brian McCauley" <Brian McCauley@discussions.microsoft.com> wrote in message
news:1B343B9A-66CD-43F3-A3E2-713EC2DA629C@microsoft.com...
> On a number of W2003 servers here, if I do
>
> icacls C:\
>
> I get...
>
> C:\ BUILTIN\Administrators:(F)
> BUILTIN\Administrators:(OI)(CI)(IO)(F)
> NT AUTHORITY\SYSTEM:(F)
> NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
> CREATOR OWNER:(OI)(CI)(IO)(F)
> BUILTIN\Users:(RX)
> BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
> BUILTIN\Users:(CI)(AD)
> BUILTIN\Users:(CI)(IO)(WD)
> Everyone:(RX)
>
> The ACE BUILTIN\Users:(RX) is wrong!
>
> It *behaves* and indeed appears in the graphical DACL editing tool in
> Explorer (Properties -> Security-> Advanced) as if it were
>
> BUILTIN\Users:(CI)(OI)(RX)
>
> (That is to say it does get inherited by objects and containers).
>
> If I edit that ACE in Explorer - but save it without making any *visible*
> change then it subsequently appears correctly in ICACLS.
 
Brian McCauley

"Roger Abell [MVP]" wrote:

> BUILTIN\Users:(RX)
> BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
> taken together are
> BUILTIN\Users:(OI)(CI)(RX)


Ah, so (GR,GE) is the same as (RX).

That's what I didn't get.

Why is it written in different forms in the two ACEs?
 
Roger Abell [MVP]

"Brian McCauley" <my-name-with-a-dot-in-it@uhb.nhs.uk.invalid> wrote in
message news:70B52ACF-15E5-4EA7-976C-942E3AB31875@microsoft.com...
>
>
> "Roger Abell [MVP]" wrote:
>
>> BUILTIN\Users:(RX)
>> BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
>> taken together are
>> BUILTIN\Users:(OI)(CI)(RX)

>
> Ah, so (GR,GE) is the same as (RX).
>
> That's what I didn't get.
>
> Why is it written in different forms in the two ACEs?
>


Two separate notations, may be intermixed.
The grants in the initial NTFS view are the generics.
Use of icacls /? calls the older syntax the simple, and
the simples are made of the generics in the specifics.
Killer in English, but just icacls /?

Roger
 
Brian McCauley

"Roger Abell [MVP]" wrote:

> "Brian McCauley" <my-name-with-a-dot-in-it@uhb.nhs.uk.invalid> wrote in
> message news:70B52ACF-15E5-4EA7-976C-942E3AB31875@microsoft.com...
> >
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> BUILTIN\Users:(RX)
> >> BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
> >> taken together are
> >> BUILTIN\Users:(OI)(CI)(RX)

> >
> > Ah, so (GR,GE) is the same as (RX).
> >
> > That's what I didn't get.
> >
> > Why is it written in different forms in the two ACEs?
> >

>
> Two separate notations, may be intermixed.
> The grants in the initial NTFS view are the generics.
> Use of icacls /? calls the older syntax the simple, and
> the simples are made of the generics in the specifics.
> Killer in English, but just icacls /?


icacls /? does not explain the concept of generics.

Indeed it implies that GR is a separate right that is orthogonal to RD etc
but I'm getting the impression that GR in fact implies RD,RA,REA...
 
Roger Abell [MVP]

"Brian McCauley" <my-name-with-a-dot-in-it@uhb.nhs.uk.invalid> wrote in
message news:FB4D5770-D7D4-4660-8352-49CD7C222216@microsoft.com...
>
>
> "Roger Abell [MVP]" wrote:
>
>> "Brian McCauley" <my-name-with-a-dot-in-it@uhb.nhs.uk.invalid> wrote in
>> message news:70B52ACF-15E5-4EA7-976C-942E3AB31875@microsoft.com...
>> >
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> >> BUILTIN\Users:(RX)
>> >> BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
>> >> taken together are
>> >> BUILTIN\Users:(OI)(CI)(RX)
>> >
>> > Ah, so (GR,GE) is the same as (RX).
>> >
>> > That's what I didn't get.
>> >
>> > Why is it written in different forms in the two ACEs?
>> >

>>
>> Two separate notations, may be intermixed.
>> The grants in the initial NTFS view are the generics.
>> Use of icacls /? calls the older syntax the simple, and
>> the simples are made of the generics in the specifics.
>> Killer in English, but just icacls /?

>
> icacls /? does not explain the concept of generics.
>


True, but I did not say it does. It explains icacls syntax.
Generics have been around since very early NT, and you
likely can find them explained in the MSDN docs.
They are frequently needed sets of ACE flags that carry
permissions commonly used.

> Indeed it implies that GR is a separate right that is orthogonal to RD etc
> but I'm getting the impression that GR in fact implies RD,RA,REA...


You need to dig into how ACE flags work to carry the most
granular grants, and now in this example you are attempting to
define a generic in terms of other specifics (using the icacls
term). What I said was that the simple (using icacls term)
are made of the generics. The simples are almost the same
as the generics, except some (without looking) like I think modify
is composed of a couple generics instead of being a one to one.

Roger
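
Added example, not part of the thread and not code from either poster: a Python sketch that parses the icacls listing from the first post, expands GR and GE through the file generic mapping from winnt.h, and reports what a trustee is granted on C:\ itself, on a child file and on a child directory. The function names are hypothetical, and the model is simplified to allow ACEs for a single trustee (no deny ACEs, no group membership).

```python
import re

# Constructed sample: the icacls C:\ listing quoted in the thread.
SAMPLE = r"""C:\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
Everyone:(RX)"""

# File generic mapping (winnt.h): generic bit -> file-specific bits
GENERIC_MAP = {0x80000000: 0x120089,   # GENERIC_READ -> FILE_GENERIC_READ
               0x20000000: 0x1200A0}   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
# icacls codes that occur in the listing, as access-mask bits
RIGHTS = {"F": 0x1F01FF, "RX": 0x1200A9, "GR": 0x80000000, "GE": 0x20000000,
          "WD": 0x2, "AD": 0x4}
# Replace each generic bit with the file-specific bits it stands for.
def map_generic(mask):
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask
# Parse icacls output into (trustee, inheritance flags, access mask) tuples.
def parse(listing, path="C:\\"):
    aces = []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith(path):  # first line carries the object path
            line = line[len(path):].strip()
        trustee, sep, rest = line.partition(":(")
        groups = re.findall(r"\(([^)]*)\)", "(" + rest) if sep else []
        flags = {g for g in groups if g in ("OI", "CI", "IO")}
        mask = 0
        for code in (c for g in groups if g not in flags for c in g.split(",")):
            mask |= RIGHTS[code]
        if sep:
            aces.append((trustee, flags, mask))
    return aces
# Allow-mask for one trustee; target is "self", "file" (child) or "dir" (child).
def effective(aces, trustee, target):
    total = 0
    for name, flags, mask in aces:
        applies = {"self": "IO" not in flags, "file": "OI" in flags, "dir": "CI" in flags}
        if name == trustee and applies[target]:
            total |= map_generic(mask)
    return total
```

For BUILTIN\Users the child-file result equals the RX mask, which is why the pair (RX) plus (OI)(CI)(IO)(GR,GE) behaves like a single (OI)(CI)(RX) entry, while Everyone:(RX) with no inheritance flags yields nothing for children.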
 