Hello,
Recently we migrated a file share from a hardware NAS to a Windows 2008 R2 server. We moved the files themselves and then migrated the ACLs with icacls /save and icacls /restore, but suddenly found that certain user groups (a custom global group, not Domain Admins or some other privileged group) don't have access to their folders. All ACLs look OK, and effective permissions show the expected rights. But users still can't access the folder and get an access denied error. And of course they could previously access this folder on the hardware NAS. I found that if I grant identical rights once again to the folder (with icacls /grant), then users can access the folders with no problem. I found a difference between the ACEs of the folder with subinacl and the Scripting Guy's PowerShell script, while icacls shows identical access rights.
ACE of the user's group on the problem folder:
subinacl:
/pace =domain\groupname ACCESS_ALLOWED_ACE_TYPE-0x0 CONTAINER_INHERIT_ACE-0x2 OBJECT_INHERIT_ACE-0x1 INHERITED_ACE-0x10 Type of access: Special acccess : -Delete Detailed Access Flags : FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4 FILE_READ_EA-0x8 FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20 FILE_DELETE_CHILD-0x40 FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000 READ_CONTROL-0x20000
SDDL string from the script:
A;OICI;CCDCLCSWRPWPDTLOCRSDRC;;;S-1-5-21-3502908216-181598100-2883415322-1472)
And the ACE from the regranted directory that works well:
subinacl:
pace =domain\groupname ACCESS_ALLOWED_ACE_TYPE-0x0 Type of access: Special acccess : -Read -Write -Execute -Delete Detailed Access Flags : FILE_READ_DATA-0x1 FILE_WRITE_DATA-0x2 FILE_APPEND_DATA-0x4 FILE_READ_EA-0x8 FILE_WRITE_EA-0x10 FILE_EXECUTE-0x20 FILE_READ_ATTRIBUTES-0x80 FILE_WRITE_ATTRIBUTES-0x100 DELETE-0x10000 READ_CONTROL-0x20000 SYNCHRONIZE-0x100000
SDDL strings from the script:
A;;0x1301bf;;;S-1-5-21-3502908216-181598100-2883415322-1472) A;OICI;CCDCLCSWRPWPDTLOCRSDRC;;;S-1-5-21-3502908216-181598100-2883415322-1472)
So after I granted the access rights manually, a second ACE record appeared for the user group.
0x1301bf = 100110000000110111111 = CCDCLCSWRPWPLOCRSDRC + Unknown bit 20
So the difference is that OI and CI are absent (I ran icacls /grant without these options), there is no DT right (delete tree), and some mysterious bit 20 was added.
There are almost 100,000 files and folders, so I can't manually check every directory. Can you please explain why the original ACE is not sufficient to access the directory, and how I can fix the existing ACEs so that Windows treats the rights as it should?
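An added example, not from the original post, that decodes the two ACE strings quoted above and diffs their access masks: the SDDL right letters use the standard letter-to-bit mapping, and the bit names are the ones subinacl printed for the working ACE, so bit 20 (0x100000) decodes as SYNCHRONIZE, which has no SDDL letter and is why the script had to emit that mask as hex. The same decoder can be run over every ACE in an icacls /save export to find which folders carry a mask without that bit before repairing them.

```python
# Added example (not from the original post): decode the two SDDL ACE strings
# quoted above into Windows file access-mask bits and diff them.
import re

# SDDL right letters -> access-mask bits (standard SDDL mapping).  SYNCHRONIZE
# (0x100000) has no letter, so tools print such a mask as a hex number.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
}

# Bit names as subinacl prints them for a file-system object.
FILE_RIGHTS = {
    0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
    0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

def parse_ace(ace):
    """Split 'type;flags;rights;object;inherit_object;sid'; return (flags, mask, sid)."""
    _ace_type, flags, rights, _obj, _iobj, sid = ace.strip("() ").split(";")
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)          # hex form, used when a bit has no letter
    else:
        mask = 0
        for letter in re.findall("..", rights):   # letters come in pairs
            mask |= SDDL_RIGHTS[letter]
    return flags, mask, sid

def mask_names(mask):
    """Names of the file-system rights set in an access mask."""
    return {name for bit, name in FILE_RIGHTS.items() if mask & bit}

def diff_aces(old, new):
    """Return (rights only in old, rights only in new), by name."""
    _, old_mask, _ = parse_ace(old)
    _, new_mask, _ = parse_ace(new)
    return mask_names(old_mask) - mask_names(new_mask), mask_names(new_mask) - mask_names(old_mask)

# The two ACE strings from the post (trailing ')' from the script output removed).
INHERITED = "A;OICI;CCDCLCSWRPWPDTLOCRSDRC;;;S-1-5-21-3502908216-181598100-2883415322-1472"
REGRANTED = "A;;0x1301bf;;;S-1-5-21-3502908216-181598100-2883415322-1472"

if __name__ == "__main__":
    only_old, only_new = diff_aces(INHERITED, REGRANTED)
    print("only in inherited ACE:", sorted(only_old))   # ['FILE_DELETE_CHILD']
    print("only in regranted ACE:", sorted(only_new))   # ['SYNCHRONIZE']
```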