w2k_user
I'm trying to write a script that will compare permissions for a large number
of files and folders on my hard drive, and it will also compare permissions
for a large number of registry keys.
I've noticed something strange about how Windows saves permissions for folders
and registry keys, though, and this will make my script writing much more
difficult.
Here's the strange thing -- you can check a folder or registry key's
permissions in Windows Explorer or Regedt32, and see one permission entry for
a particular group or user. But if you check the folder or registry key's
permissions on the command line using either cacls.exe or subinacl.exe, you
will sometimes see that Windows has saved two entries (ACEs) for the
group/user when it only needed to save one ACE. For example, I have a folder
that Explorer reports has one ACE for a particular user that is "Full Control"
and applies to "this folder, subfolders and files." But then cacls reports
that it has two ACEs for that user:
MYBOX\myuser:F
MYBOX\myuser:(OI)(CI)(IO)F
For those that are unaware of what those inheritance flags mean: the first
entry gives Full Control to myuser for "this folder only". The second entry
gives Full Control to myuser for subfolders (CI) and files (OI), but not this
folder (IO). So when you put those 2 ACEs together, it means that myuser has
Full Control for "this folder, subfolders, and files". Why did Windows have
to create those 2 ACEs instead of just one ACE that granted Full Control for
"this folder, subfolders, and files"?
I notice the same strangeness with the HKEY_CURRENT_USER key. Regedt32 shows
that it has 4 different permissions, all of which apply to "this key and
subkeys". But when you use subinacl.exe, you will see that it has two ACEs
for each user/group -- one that applies to "this key only" and another that
applies to "subkeys only" -- for a total of 8 ACEs.
This strangeness wouldn't be a problem if Windows did it consistently, but it
doesn't. For some folders and registry keys, Explorer and Regedt32 will show
one permission for a group/user that applies to "this folder, subfolders and
files" or "this key and subkeys", and then Cacls and subinacl will show only
one ACE that applies to "this folder, subfolders and files" or "this key and
subkeys".
Even stranger is that I have a folder with a permission for a particular user
that applies to the folder, subfolders, and files. Cacls reports only one ACE
for it:
MYBOX\myuser:(OI)(CI)F
That folder contains several subfolders and files, and I want all of those
subfolders and files to inherit that permission. You would think that Windows
would just create the one ACE instead of two for all of the subfolders and
files, but it doesn't. Some of the subfolders and files have just the one
ACE, but others have two ACEs (one for "this folder only" and another for
"subfolders and files") for a reason that I just cannot figure out. If I can
just get Windows to have all of the subfolders and files inherit the one ACE
instead of two, then I can write my script pretty easily. But I just can't
figure out how to do that. I've tried clearing the permissions on all the
folders and files, and then re-propagating the main folder's permissions onto
all the subfolders and files, but it always ends up the same way -- the main
folder has one ACE, but some subfolders and files have two ACEs.
Thanks for taking the time to read this long post. Any ideas would be greatly
appreciated.
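
Added example (not part of the original post): one way to make a comparison script indifferent to the one-ACE versus two-ACE storage described above is to expand each ACE into the scopes it covers and compare the merged result per trustee and right. It assumes allow-only entries in the simplified `TRUSTEE:(FLAGS)RIGHT` form quoted in the post; the function names and the sample ACLs are constructed for illustration.

```python
import re
from collections import defaultdict

# Simplified cacls-style entry, as quoted in the post: TRUSTEE:(OI)(CI)(IO)RIGHT
ACE_RE = re.compile(
    r'^(?P<trustee>[^:]+):(?P<flags>(?:\((?:OI|CI|IO|NP)\))*)(?P<right>[A-Z]+)$')

def scopes(flags):
    """Translate inheritance flags into the set of scopes an ACE covers."""
    covered = set()
    if "IO" not in flags:
        covered.add("this")        # effective on the object itself
    if "CI" in flags:
        covered.add("subfolders")  # inherited by child containers
    if "OI" in flags:
        covered.add("files")       # inherited by child objects
    return covered

def normalize(lines):
    """Merge all ACEs for the same trustee and right into one scope set."""
    acl = defaultdict(set)
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognized ACE line: {line!r}")
        flags = set(re.findall(r'\((\w+)\)', m["flags"]))
        # Account names are case-insensitive. NP (no-propagate) ACEs stop
        # after one level, so they are kept apart from propagating ones.
        key = (m["trustee"].lower(), m["right"], "NP" in flags)
        acl[key] |= scopes(flags)
    return {k: frozenset(v) for k, v in acl.items()}

def diff(a_lines, b_lines):
    """Return {key: (scopes_in_a, scopes_in_b)} for real differences only."""
    a, b = normalize(a_lines), normalize(b_lines)
    empty = frozenset()
    return {k: (a.get(k, empty), b.get(k, empty))
            for k in a.keys() | b.keys() if a.get(k) != b.get(k)}

# Constructed sample ACLs modelled on the entries in the post
SPLIT = [r"MYBOX\myuser:F", r"MYBOX\myuser:(OI)(CI)(IO)F"]
MERGED = [r"MYBOX\myuser:(OI)(CI)F"]
FOLDER_ONLY = [r"MYBOX\myuser:F"]

if __name__ == "__main__":
    print("split vs merged:     ", diff(SPLIT, MERGED))
    print("merged vs folder-only:", diff(MERGED, FOLDER_ONLY))
```

Merging by union is only sound for entries of the same type, so deny ACEs and special-access masks would need their own keys before this approach is used on real output.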