So I have to factor and group your test . . .
4 directories:
- c:\testing\inherit_propagate
(this was set to inherit perms from its parent)
template File System section:
I told it to disable inheritance
and directly define some perms,
and then checked the "Propagate" box
"%SystemDrive%\testing\inherit_propagate",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
configure: had the template applied properly
post-configure analyze reported:
green check mark, did not put green check marks on the 2 subfolders
comment:
that all seems normal; green check marks are placed where the
sddl requires a change, but it would result in no change.
the subfolders are not required to be changed (only if not aligned
to the spec)
- c:\testing\inherit_replace
(this was set to inherit perms from its parent)
template File System section:
I told it to disable inheritance
and directly define some perms,
and then checked the "Replace" box
"%SystemDrive%\testing\inherit_replace",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
configure: had the template applied properly
post-configure analyze reported:
green check mark, and also green check marks on the 2 subfolders
comment:
as before, here subfolders were specified to be replace (2) regardless
Admittedly placement of checkmarks is a little "peculiar" and
takes some getting used to. Also, be aware that the counts of
discrepancies is known to be highly obscure (actually I was told
by a member of that team that it is actually just plain in error as
the summing propagates up)
- c:\testing\noinherit_propagate
(this had inheritance disabled,
and had some perms directly defined on it)
template File System section:
I removed all directly defined perms
and checked the inheritance box,
and then checked "Propagate"
"%SystemDrive%\testing\noinherit_propagate",0,"D:AR"
configure: directories were not affected at all.
post-configure analyze reported:
nothing, and nothing on the 2 subfolders
comment:
I do not repro this result
post-config analyze is green check, subdirs not checked
permissions are changed as expected, including the state
of the inheritance spec - but note, the non-inheriting subdir
is left unchanged (we are only propagating, not replacing
and that dir does not allow propagation onto it)
- c:\testing\noinherit_replace
(this had inheritance disabled,
and had some perms directly defined on it)
template File System section:
I removed all directly defined perms
and checked the inheritance box,
and then checked "Replace"
"%SystemDrive%\testing\noinherit_replace",2,"D:AR"
configure: directories were not affected at all.
post-configure analyze reported:
red X, but green check marks on the 2 subfolders
comment:
I do not repro this result
post-config analyze is green checked, subdirs green checked
permissions are as expected, including the state of the
inheritance spec, and entire structure is purely inheriting
from its parent, all subdirs included
Notes:
I defined the structure to parallel your cases, used your
template slightly edited, but in all critical ways unchanged,
did an NTbackup of the empty structure of dirs, opened
sec database in imported template with clearing, analyzed
(at this point variances were
red x at each upper dir, red x on each non-inheriting sub dir
of a *_replace upper dir, green check on each inheriting sub
dir of a *_replace upper dir, plain unmarked folders for all
sub dirs of *_propagate
these are what I would expect)
then configured, and finally reanalyzed.
Roger said:
I have never tried doing it that way, find it an interesting approach
(configure, but with no grants, however specifying to receive
inheritables), and am unsure just what did (or not) happen.
However, on an XP fully up-to-date, I cannot repro what you see,
instead seeing the expected behavior (i.e. dir is left with only
inherited permission settings). Does your line in the template
look like the following? (i.e. does it have 0,"D:AR" ?)
"%SystemDrive%\Temp\test",0,"D:AR"
I had originally encountered the problem on my XP laptop at home. Then
yesterday, I attempted to reproduce the problem on my XP machine at
work. But I couldn't reproduce it. However, I just did another test
on my work machine, and encountered the problem.
Here's what I did:
I created 4 directories:
- c:\testing\inherit_propagate (this was set to inherit perms from its
parent)
- c:\testing\inherit_replace (this was set to inherit perms from its
parent)
- c:\testing\noinherit_propagate (this had inheritance disabled, and
had some perms directly defined on it)
- c:\testing\noinherit_replace (this had inheritance disabled, and had
some perms directly defined on it)
(In addition, each of those directories contained 2 subdirectories for
the purpose of testing the Propagate and Replace options - one that
inherited, and one that did not inherit)
Then I created a security template and put 4 entries into the File
System section:
- one for c:\testing\inherit_propagate - I told it to disable
inheritance and directly define some perms, and then checked the
"Propagate" box
- one for c:\testing\inherit_replace - I told it to disable inheritance
and directly define some perms, and then checked the "Replace" box
- one for c:\testing\noinherit_propagate - I removed all directly
defined perms and checked the inheritance box, and then checked
"Propagate"
- one for c:\testing\noinherit_replace - I removed all directly defined
perms and checked the inheritance box, and then checked "Replace"
Then I saved the template, created a database, imported the template,
and configured the computer.
The c:\testing\inherit_propagate and c:\testing\inherit_replace
directories had the template applied properly. The
c:\testing\noinherit_propagate and c:\testing\noinherit_replace
directories were not affected at all.
I then analyzed the computer, and it reported the following:
- c:\testing\inherit_propagate - green check mark (however, it did not
put green check marks on the 2 subfolders for some reason)
- c:\testing\inherit_replace - green check mark, and also green check
marks on the 2 subfolders
- c:\testing\noinherit_propagate - nothing, and nothing on the 2
subfolders
- c:\testing\noinherit_replace - red X, but for some reason it put
green check marks on the 2 subfolders
Here is what the template looks like:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"%SystemDrive%\testing\noinherit_replace",2,"D:AR"
"%SystemDrive%\testing\noinherit_propagate",0,"D:AR"
"%SystemDrive%\testing\delete_this_one",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\testing\inherit_replace",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
"%SystemDrive%\testing\inherit_propagate",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
As said, I have not done this objective that way, but instead define
permissions at the parent and specify to configure the parent and
replace existing permissions on substructure with inheritables.
Now, your circumstance might make that not workable, if the parent
has for example three subfolders and the one you want set to purely
inherit is only one (you want the other three unchanged). In that case
you would add definitions for the other two ticked for Do not allow
permissions to be changed. This would not work out so well if you
have a hundred subdirs, all but a few of which should be left as is.
However, that will do it.
Hmm, let me think about that.
Thanks for your help, Roger.
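
Added example (not part of the thread and not Microsoft code): a small Python reader for [File Security] entries of the kind posted above, which reports for each path whether the DACL is protected (P flag, inheritance disabled), how many explicit ACEs it carries, and what the mode field asks for. The sample template is constructed from the entries in the thread; mode 1 ("ignore", i.e. do not allow permissions to be replaced) is not used in the thread and is included from the template format.

```python
import re

# Second field of a [File Security] entry: how the ACL is applied to children.
MODES = {0: "propagate", 1: "ignore", 2: "replace"}
# Constructed sample, modelled on the template posted in the thread.
SAMPLE = r'''[Version]
signature="$CHICAGO$"
[File Security]
"%SystemDrive%\testing\noinherit_replace",2,"D:AR"
"%SystemDrive%\testing\inherit_propagate",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;BU)"
'''
ENTRY = re.compile(r'^"([^"]+)",\s*(\d+),\s*"([^"]*)"$')
DACL = re.compile(r'D:([A-Z]*)((?:\([^)]*\))*)')

def parse_dacl(sddl):
    """Split the DACL part of an SDDL string into its flags and ACEs."""
    m = DACL.search(sddl)
    if m is None:
        raise ValueError("no DACL in %r" % sddl)
    flags, body = m.groups()
    aces = []
    for ace in re.findall(r'\(([^)]*)\)', body):
        f = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(f) != 6:
            raise ValueError("malformed ACE: %r" % ace)
        aces.append({"type": f[0], "flags": f[1], "rights": f[2], "trustee": f[5]})
    return {"protected": "P" in flags, "auto_inherit_req": "AR" in flags, "aces": aces}

def parse_file_security(text):
    """Return one dict per entry in the [File Security] section."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "File Security" and line:
            m = ENTRY.match(line)
            if m is None:  # e.g. an entry wrapped across two lines
                raise ValueError("malformed entry: %r" % line)
            path, mode, sddl = m.groups()
            entries.append(dict(parse_dacl(sddl), path=path,
                                mode=MODES.get(int(mode), "unknown")))
    return entries

if __name__ == "__main__":
    for e in parse_file_security(SAMPLE):
        print(e["path"], e["mode"], "protected" if e["protected"] else "inheriting",
              "%d explicit ACE(s)" % len(e["aces"]))
```

An entry such as "D:AR" with no ACEs and no P flag is the "purely inheriting" case discussed in the thread; an entry split across two lines is rejected rather than silently skipped.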