Owner not having full access to a file over a network mount

  • Question

  • All,

    I work at a software backup company and I am trying to diagnose and patch issues we're seeing with customer systems.

    I have a set of items 1d, 1d/1f.txt, and 1d/2f.txt. I am the owner of these files. I mount a network drive to our testing share on a local server and create these items in a sub-directory of which I also am the owner. None of this is part of an Active Directory setup; I'm just using the classic NT Security Model here.

    Now, normally, the owner of the file or directory has full access to said file or directory. Knowing this, I hand-crafted the ACL of 1d to be the following:

    FileSystemRights  : Write, ReadPermissions, Synchronize
    AccessControlType : Deny
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    
    FileSystemRights  : Read, Synchronize
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
    

    My current user is a member of the BUILTIN\Administrators group.

    Here's my problem: when attempting to re-sync the files, we fail on obtaining the security information of the directory. I had expected that since I'm the owner of the directory, the "Deny" access control entry wouldn't get applied and I'd just get full access to the item, which is precisely what happens locally (i.e. not over a network mount).

    Why is the first access control entry being applied, even though I own the item?

    Sincerely,

    Peter Schultz

    Zetta.net, Inc. Engineering

    Tuesday, November 11, 2014 5:56 PM

Answers

  • Hi Peter,

    Owning a secured object means you have WRITE_DAC access to the object to change the DACL but it doesn't give you explicit access to the object itself.

    The order of ACEs applies and since the first ACE is a DENY, if your request for permissions goes against a WRITE, SYNCHRONIZE or READ, you'll receive an "ACCESS DENIED".

    thanks

    Frank K[MSFT]

    Friday, November 21, 2014 11:46 PM
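Added example (not code from the thread, from Microsoft, or from Zetta.net): a Python model of the documented NT access-check algorithm (MS-DTYP 2.5.3.2) run against the DACL Peter posted for 1d. The account SIDs are constructed placeholders and the checker is a simplified simulation, while the access-mask bit values are the real Win32 constants; it shows the point in Frank's reply, that the leading Deny ACE wins for everything it covers and that ownership only shortcuts READ_CONTROL and WRITE_DAC.

```python
from dataclasses import dataclass

# Win32 access-mask bits (real values); FileSystemRights.Read/Write expand to these.
READ_CONTROL, WRITE_DAC, SYNCHRONIZE = 0x20000, 0x40000, 0x100000
FS_READ = 0x1 | 0x8 | 0x80 | READ_CONTROL      # FileSystemRights.Read (includes ReadPermissions)
FS_WRITE = 0x2 | 0x4 | 0x10 | 0x100            # FileSystemRights.Write

@dataclass
class Ace:
    allow: bool   # True = Allow ACE, False = Deny ACE
    sid: str      # trustee the ACE applies to
    mask: int     # access bits the ACE covers

def access_check(dacl, owner_sid, token_sids, desired):
    """Simplified MS-DTYP 2.5.3.2 access check (simulation, not kernel code).

    Returns (granted, still_missing_bits). Implicit owner rights are applied
    before the DACL, then ACEs are walked in order; the first Deny ACE that
    covers any not-yet-granted bit ends the check with ACCESS_DENIED.
    """
    remaining = desired
    if owner_sid in token_sids:                 # owner gets only READ_CONTROL and WRITE_DAC for free
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in dacl:
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue                            # ACE does not apply to this token
        if not ace.allow and remaining & ace.mask:
            return False, remaining             # Deny wins: later Allow ACEs are never reached
        if ace.allow:
            remaining &= ~ace.mask
    return remaining == 0, remaining

# Constructed placeholder SIDs; the DACL is the one posted for 1d, in the posted order.
ADMINS = r"BUILTIN\Administrators"
OWNER = "S-1-5-21-PLACEHOLDER-1001"
OTHER_ADMIN = "S-1-5-21-PLACEHOLDER-1002"
DACL_1D = [
    Ace(False, ADMINS, FS_WRITE | READ_CONTROL | SYNCHRONIZE),  # Deny: Write, ReadPermissions, Synchronize
    Ace(True, ADMINS, FS_READ | SYNCHRONIZE),                   # Allow: Read, Synchronize
]

if __name__ == "__main__":
    owner_token = {OWNER, ADMINS}
    for label, sids, want in [
        ("owner reads the DACL (READ_CONTROL)", owner_token, READ_CONTROL),
        ("owner rewrites the DACL (WRITE_DAC)", owner_token, WRITE_DAC),
        ("owner opens for Read+Synchronize", owner_token, FS_READ | SYNCHRONIZE),
        ("owner opens for Write", owner_token, FS_WRITE),
        ("other admin reads the DACL", {OTHER_ADMIN, ADMINS}, READ_CONTROL),
    ]:
        ok = access_check(DACL_1D, OWNER, sids, want)[0]
        print(f"{label}: {'granted' if ok else 'ACCESS DENIED'}")
```

Only the owner's READ_CONTROL and WRITE_DAC requests pass; every other request that touches a bit in the Deny ACE fails before the Allow ACE is ever considered, which is why a deny-first ACL like this one leaves a member of Administrators unable to read or write the object even though the second ACE allows reading.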

All replies

  • Hello Frank,

    Thank you for your response. This clarifies our confusion and gives us an avenue for further support of Windows security information.

    Monday, November 24, 2014 8:37 PM
  • NP.

    Frank K [MSFT]

    Tuesday, November 25, 2014 7:25 AM