
Windows 2000 file security: ACLs

NTFS file security is handled with access control lists (ACLs), which are lists of access control entries (ACEs). Each ACE is either an ALLOW or a DENY rule, carries a mask of the permissions it affects, and applies to a specified user or group. By combining all the ACEs in an object's ACL, the system calculates the effective permissions on the object for a given user. Strictly speaking, the claim that every ACE is either allow or deny is not quite true, because there are auditing ACEs as well...
API representation

That's what ACLs look like in the abstract. To deal with them programmatically, we need to peer inside winnt.h. As you might expect (or as you should expect, if you've been following this article from the beginning), the user to which an ACE applies is stored as a SID. The permissions are stored as a 32-bit bitmask of the following values:

FILE_READ_DATA: Read from a file or pipe, or list the contents of a directory.
FILE_WRITE_DATA: Write to a file or pipe, or create a new file inside a directory.
FILE_APPEND_DATA: Append data to a file or pipe, create a new subdirectory inside a directory, or create a pipe instance.
FILE_READ_EA: Read extended attributes.
FILE_WRITE_EA: Write extended attributes.
FILE_READ_ATTRIBUTES: Read attributes.
FILE_WRITE_ATTRIBUTES: Write attributes.
FILE_EXECUTE: Execute a file or access a directory.
FILE_DELETE_CHILD: Delete a file from a directory.
DELETE: Delete a file, pipe or directory.
READ_CONTROL: Read permissions.
WRITE_DAC: Write permissions.
WRITE_OWNER: Take ownership.
SYNCHRONIZE: Use object for synchronisation.

Clearly, the exact effect of each value in the bitmask depends on the object to which the ACE applies. For example, FILE_READ_DATA when applied to a file gives permission to read the data from that file, whereas when applied to a directory it gives permission to list the contents of that directory. With this in mind, we observe that aliases exist for several of these permission names:

FILE_LIST_DIRECTORY: Equivalent to FILE_READ_DATA
FILE_ADD_FILE: Equivalent to FILE_WRITE_DATA
FILE_ADD_SUBDIRECTORY: Equivalent to FILE_APPEND_DATA
FILE_CREATE_PIPE_INSTANCE: Equivalent to FILE_APPEND_DATA
FILE_TRAVERSE: Equivalent to FILE_EXECUTE

Inherited folder permissions are displayed as:

OI - Object inherit - This folder and files. (no inheritance to subfolders)
CI - Container inherit - This folder and subfolders.
IO - Inherit only - The ACE does not apply to the current file/directory.

These can be combined as follows:

(OI)(CI) - This folder, subfolders, and files.
(OI)(CI)(IO) - Subfolders and files only.
(CI)(IO) - Subfolders only.
(OI)(IO) - Files only.

So BUILTIN\Administrators:(OI)(CI)F means that both files and subdirectories will inherit 'F' (Full control). Similarly, (CI)R means that directories will inherit 'R' (Read, which on folders only amounts to the List permission). To actually change the inheritance of a folder/directory, use iCACLS /grant or iCACLS /deny. When an ACE applies to the current folder only, there is no inheritance, and so cacls shows no inheritance flags for it.
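As an added example (not code from the original article), the following C program decodes an ACE's 32-bit access mask into the winnt.h permission names listed above and renders its inheritance flags in the (OI)(CI)(IO) notation that cacls/icacls display. The numeric values are the ones winnt.h defines, reproduced inline so the program also builds off Windows; the BUILTIN\Administrators sample entry is constructed from the text, with 'F' taken to be FILE_ALL_ACCESS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Access-mask bits of an ACE; values as defined in winnt.h, aliases noted. */
static const struct { uint32_t bit; const char *name; } file_rights[] = {
    { 0x00000001, "FILE_READ_DATA" },        /* FILE_LIST_DIRECTORY */
    { 0x00000002, "FILE_WRITE_DATA" },       /* FILE_ADD_FILE */
    { 0x00000004, "FILE_APPEND_DATA" },      /* FILE_ADD_SUBDIRECTORY */
    { 0x00000008, "FILE_READ_EA" },
    { 0x00000010, "FILE_WRITE_EA" },
    { 0x00000020, "FILE_EXECUTE" },          /* FILE_TRAVERSE */
    { 0x00000040, "FILE_DELETE_CHILD" },
    { 0x00000080, "FILE_READ_ATTRIBUTES" },
    { 0x00000100, "FILE_WRITE_ATTRIBUTES" },
    { 0x00010000, "DELETE" },
    { 0x00020000, "READ_CONTROL" },
    { 0x00040000, "WRITE_DAC" },
    { 0x00080000, "WRITE_OWNER" },
    { 0x00100000, "SYNCHRONIZE" },
};

/* Write the names of the set bits into buf ('|'-separated) and return how many
 * were named; bits outside the table (e.g. GENERIC_* rights) are left undecoded. */
int decode_access_mask(uint32_t mask, char *buf, size_t len) {
    int n = 0; buf[0] = '\0';
    for (size_t i = 0; i < sizeof file_rights / sizeof file_rights[0]; i++) {
        if (!(mask & file_rights[i].bit)) continue;
        snprintf(buf + strlen(buf), len - strlen(buf), "%s%s", n++ ? "|" : "", file_rights[i].name);
    }
    return n;
}

/* ACE_HEADER.AceFlags bits from winnt.h (OBJECT_INHERIT_ACE 0x1, CONTAINER_INHERIT_ACE 0x2,
 * INHERIT_ONLY_ACE 0x8) rendered as cacls/icacls show them; returns the flag count, 0 = this object only. */
int decode_ace_flags(uint8_t ace_flags, char *buf, size_t len) {
    int n = 0; buf[0] = '\0';
    if (ace_flags & 0x1) { strncat(buf, "(OI)", len - strlen(buf) - 1); n++; }
    if (ace_flags & 0x2) { strncat(buf, "(CI)", len - strlen(buf) - 1); n++; }
    if (ace_flags & 0x8) { strncat(buf, "(IO)", len - strlen(buf) - 1); n++; }
    return n;
}

int main(void) {
    char rights[256], inh[16];
    /* Constructed sample: BUILTIN\Administrators:(OI)(CI)F from the text; F = FILE_ALL_ACCESS (0x1F01FF). */
    decode_access_mask(0x001F01FF, rights, sizeof rights);
    decode_ace_flags(0x1 | 0x2, inh, sizeof inh);
    printf("BUILTIN\\Administrators:%s F = %s\n", inh, rights);
    return 0;
}
```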
