3

When I add/edit NTFS permissions for a user/group from the command line via the icacls application, I get multiple ACE entries in the list for the same thing, while in the GUI all the ACEs (since they are all the same) are compacted into a single entry.

I couldn't find any worthwhile information in the official documentation on why this is happening.

Has anyone experienced this or similar situations and can shed some light on this matter?

You can clearly see the situation in the attached image, one user has multiple entries and they should be compacted in one.


marsh-wiggle
m4dm4n
  • icacls is quite granular and will display inherited only (IO), container inherit (CI) and Full Access (F) permissions in a kind of enumeration, whereas the GUI will compact things. [icacls (MSDN)](https://technet.microsoft.com/en-us/library/cc753525(v=ws.11).aspx) – John K. N. Mar 08 '17 at 18:29

1 Answer

1

The Access Control List (ACL), all permissions for a file or folder, is separated into Access Control Entries (ACEs).

In your case the permission Full Access to this folder, subfolders and files is stored in 4 ACEs where the first three together are equivalent to the fourth.

I programmed some NTFS tools for permission management and have seen this often when Full Access is granted (until Server 2008 R2 / Windows 7). The permissions are really stored that way in the ACL. Since Server 2012 / Vista the behaviour changed and I haven't found this any more.

Execute "icacls C:\" and you will always find (until Server 2008 R2):

BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)

... which could also be stored in one ACE as

BUILTIN\Administrators:(OI)(CI)(F) 

I haven't found out why it behaves this way, but it is very common.

marsh-wiggle
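The merging rule the answer describes, written out as an added Python example (not code from the answer or from icacls): it parses icacls-style output, works out for each ACE whether it applies to the folder itself, subfolders and/or files, and merges ACEs that differ only in that scope, the way the GUI does. The sample output is constructed, the BUILTIN\Users line is not from the page, and the parser assumes the path on the first line contains no spaces.

```python
import re

# Constructed sample of what the answer says "icacls C:\" prints on Server 2008 R2
# (the BUILTIN\Users line is added for contrast; it is not from the page).
SAMPLE_ICACLS_OUTPUT = """\
C:\\ BUILTIN\\Administrators:(F)
   BUILTIN\\Administrators:(OI)(CI)(IO)(F)
   BUILTIN\\Users:(OI)(CI)(RX)
"""

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Where an ACE applies: the folder itself unless inherit-only (IO) is set,
# subfolders when container-inherit (CI) is set, files when object-inherit (OI) is set.
SCOPE_RULES = (("folder", "IO", False), ("subfolders", "CI", True), ("files", "OI", True))

def parse_ace(text):
    """'BUILTIN\\Administrators:(OI)(CI)(IO)(F)' -> ((identity, rights, deny, inherited, np), scope)."""
    identity, _, flagstr = text.strip().rpartition(":")
    tokens = re.findall(r"\(([^)]*)\)", flagstr)
    rights = [t for t in tokens if t not in INHERIT_FLAGS and t != "DENY"]
    if len(rights) != 1:
        raise ValueError(f"unexpected ACE format: {text!r}")
    scope = frozenset(n for n, flag, wanted in SCOPE_RULES if (flag in tokens) == wanted)
    # Everything except the scope must match for two ACEs to be mergeable.
    key = (identity, rights[0], "DENY" in tokens, "I" in tokens, "NP" in tokens)
    return key, scope

def parse_icacls(output):
    """Return (path, [(key, scope), ...]). Assumes the path on the first line contains no spaces."""
    lines = [l for l in output.splitlines() if l.strip()]
    path, _, first = lines[0].partition(" ")
    return path, [parse_ace(t) for t in (first, *lines[1:])]

def compact(aces):
    """Merge ACEs that differ only in scope, as the GUI does, keeping first-seen order."""
    merged = {}
    for key, scope in aces:
        merged[key] = merged.get(key, frozenset()) | scope
    out = []
    for (identity, rights, deny, inherited, np), scope in merged.items():
        flags = ("(DENY)" if deny else "") + ("(I)" if inherited else "")
        flags += ("(OI)" if "files" in scope else "") + ("(CI)" if "subfolders" in scope else "")
        flags += ("(IO)" if "folder" not in scope else "") + ("(NP)" if np else "")
        out.append(f"{identity}:{flags}({rights})")
    return out

if __name__ == "__main__":
    print("\n".join(compact(parse_icacls(SAMPLE_ICACLS_OUTPUT)[1])))
```

The merged list is only a view for comparison: the DACL on disk still holds the separate ACEs, and this grouping does not model evaluation order (explicit deny ACEs are evaluated before allow ACEs).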