<h1>I set the same ACL with the GUI and with <code>icacls</code>, yet the results are different</h1>
<p>The Old New Thing, published 2019-11-18. Original post: <a href="https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110">https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110</a></p>
<p>Summary: Sometimes your tools lie to you.</p>
<p>A customer found that if they used the GUI and the <code>icacls</code> program to deny Delete permission on a folder, the results were different, even though the resulting ACLs appeared to be the same.</p>
<p>Create a user, say, <i>Bob</i>, and create a folder, say, <code>C:\test</code>.</p>
<p><b>With the GUI</b></p>
<ul>
<li>Right-click the folder and select <i>Properties</i>.</li>
<li>Go to the <i>Security</i> tab and click <i>Advanced</i>.</li>
<li>Click the <i>Add</i> button to add a new ACE.</li>
<li>Select <i>Bob</i> as the Principal.</li>
<li>Set the <i>Type</i> to <i>Deny</i>.</li>
<li>Click <i>Show advanced permissions</i>.</li>
<li>Check <i>Delete</i> and uncheck everything else.</li>
<li>Click <i>OK</i> a bunch of times to save the changes.</li>
</ul>
<p><b>With <code>icacls</code></b></p>
<ul>
<li>From a command prompt, type <code>icacls C:\test /deny Bob:D</code></li>
</ul>
<p>If you followed the GUI steps, then Bob can open the directory in Explorer. On the other hand, if you followed the <code>icacls</code> steps, then Bob cannot open the directory in Explorer.</p>
<p>In both cases, running <code>icacls</code> to view the permissions reports the same result:</p>
<pre>C:\&gt; icacls c:\test
test THISPC\Bob:(DENY)(D)
     BUILTIN\Administrators:(I)(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
     BUILTIN\Users:(I)(OI)(CI)(RX)
     NT AUTHORITY\Authenticated Users:(I)(M)
     NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
</pre>
<p>How is it possible that the permissions are identical, yet the results are different depending on <i>how</i> you set the permissions?</p>
<p>The problem is that your tools are lying to you. The Deny ACE on the directory is not what <code>icacls</code> reports.</p>
<p>If you change the security with the GUI, then the access mask of the Deny ACE is <code>0x00010000</code> = <code>DELETE</code>. But if you change it with the <code>icacls</code> program, then the access mask of the Deny ACE is <code>0x00110000</code> = <code>DELETE | SYNCHRONIZE</code>.</p>
<p>So the <code>icacls</code> program is lying when it says that it denied Delete (D) permission. It actually denied both Delete and Synchronize.</p>
<p>And then on top of that, the <code>icacls</code> program is lying when it says that the resulting ACE is a Deny D. It&#8217;s hiding the denied <code>SYNCHRONIZE</code> access.</p>
<p>And it&#8217;s that denied <code>SYNCHRONIZE</code> access which makes the difference. Explorer cannot open a folder where <code>SYNCHRONIZE</code> is denied: the Win32 <code>CreateFile</code> call it uses to open the directory always requests <code>SYNCHRONIZE</code> access, and an access check fails the whole open as soon as a Deny ACE matches any requested bit. (And the command prompt cannot <code>chdir</code> into such a directory either, for the same reason.)</p>
<p>I&#8217;m guessing that <code>icacls</code> is doing this extra work as a courtesy, but it also makes diagnosing problems more difficult.</p>
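<p>The check a practitioner wants for the mismatch described above, as an added example that is not part of the original post: read the raw access mask of Bob&#8217;s Deny ACE through .NET&#8217;s <code>FileSystemSecurity</code> object (which <code>Get-Acl</code> returns) instead of trusting the <code>icacls</code> summary, and if <code>SYNCHRONIZE</code> is in it, replace the ACE with the Delete-only Deny that the GUI writes. It assumes the post&#8217;s setup, a local user named <i>Bob</i> and the folder <code>C:\test</code>, and an elevated prompt that can read and rewrite that folder&#8217;s DACL.</p>

```powershell
# Added example, not from the original post. Assumes the post's setup: a local user "Bob"
# and the folder C:\test. Run from an elevated prompt that can read and rewrite the DACL.
$path = 'C:\test'
$acl  = Get-Acl -Path $path

# Only the Deny ACEs that name Bob. IdentityReference is "MACHINENAME\Bob" for a local account.
$bobDenies = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*\Bob'
})

foreach ($ace in $bobDenies) {
    # FileSystemRights is a [Flags] enum over the NT access mask; the int cast exposes the
    # raw bits that icacls folds into its "(D)" summary.
    $mask = [int]$ace.FileSystemRights
    '{0}  mask=0x{1:X8}  rights={2}' -f $ace.IdentityReference, $mask, $ace.FileSystemRights

    # 0x00100000 is SYNCHRONIZE. Win32 CreateFile always asks for it, so a Deny on this bit
    # blocks every open of the folder, which is the symptom the post describes.
    if ($mask -band 0x00100000) {
        "  SYNCHRONIZE is denied: this is the 'icacls /deny Bob:D' ACE, not the GUI one"
    }
}

# Replace whatever is there with the ACE the GUI writes: Deny DELETE only (mask 0x00010000),
# with no inheritance flags, matching the "(DENY)(D)" line in the post's icacls listing.
foreach ($ace in $bobDenies) { [void]$acl.RemoveAccessRule($ace) }
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.NTAccount]'Bob',
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Re-read the DACL and confirm the mask is now exactly DELETE (0x00010000).
$check = (Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*\Bob'
}
foreach ($ace in $check) { 'after: mask=0x{0:X8}' -f [int]$ace.FileSystemRights }
```

<p>The point of reading <code>FileSystemRights</code> as an integer is that it is the ACE&#8217;s access mask as stored, so the two ACEs the post contrasts print as <code>0x00010000</code> (GUI) and <code>0x00110000</code> (<code>icacls</code>) even though <code>icacls</code> shows both as <code>(DENY)(D)</code>. Since the post shows <code>icacls</code> hiding the <code>SYNCHRONIZE</code> bit on output as well as adding it on input, confirm the repair with this read-back rather than by running <code>icacls</code> again.</p>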