INFO: Creating Access Control Lists for Directories (115948)

The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows NT 3.1
    • the operating system: Microsoft Windows NT 3.5
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows XP

This article was previously published under Q115948

SUMMARY

The discretionary access control list (DACL) for a directory usually differs from that of a file. When assigning security to a directory, you are often specifying both the security for the directory and the security for any contained files and directories.

A directory's ACL will normally contain at least two access control entries (ACEs):

  • An ACE for the directory itself and any subdirectories.
  • An ACE for any files in the directory.

If an ACE is to apply to objects in the directory (subdirectories and files), the ACE is marked as an OBJECT_INHERIT_ACE and/or a CONTAINER_INHERIT_ACE. (In this article, a container means a directory.)

For example, when you use File Manager to set the security on a directory to "Change (RWXD)(RWXD)," the directory's DACL contains the following two ACEs:

   ACE1 (applies to files in the directory)
      ACE flags:   INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE
      Access Mask: DELETE | GENERIC_READ | GENERIC_WRITE |
                   GENERIC_EXECUTE

   ACE2 (applies to the directory and subdirectories)
      ACE flags:   CONTAINER_INHERIT_ACE
      Access Mask: DELETE | FILE_GENERIC_READ | FILE_GENERIC_WRITE |
                   FILE_GENERIC_EXECUTE

MORE INFORMATION

The ACE flags are part of the ACE header. The structure of an ACE header can be found in the online help by searching on "ACE_HEADER".

In the above example, ACE1 applies only to contained files through the INHERIT_ONLY_ACE flag. If INHERIT_ONLY_ACE is not specified in an ACE, the ACE applies only to the current container.

NOTE: Adding one of these ACEs to a directory does not change the security for any contained files or directories. The ACEs are only copied to files and directories created after the ACEs have been added to the directory.
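The following C program is an added illustration; it is not part of the original article or of the Win32 SDK samples. It models how the two ACEs in the example above reach newly created children. It makes no Win32 calls: the flag values and access masks are the ones defined in winnt.h, the propagation rules follow the documented meaning of OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE and INHERIT_ONLY_ACE, and the Ace and Dacl types and the functions inherit_from, map_file_generic, count_effective and change_rwxd_dacl are names chosen for this example. One simplification is marked in the code: generic rights are translated to file-specific rights only when an ACE lands on a file.

```c
/* Model of how a directory's inheritable ACEs reach new files and
 * subdirectories.  Added illustration: no Win32 calls are made; flag and
 * access-mask values are those of winnt.h, and the propagation rules follow
 * the documented meaning of the ACE_HEADER inheritance flags. */
#include <stdint.h>
#include <stdio.h>

/* ACE_HEADER.AceFlags inheritance bits */
#define OBJECT_INHERIT_ACE     0x01u  /* non-container children (files) inherit */
#define CONTAINER_INHERIT_ACE  0x02u  /* container children (subdirectories) inherit */
#define INHERIT_ONLY_ACE       0x08u  /* not effective on the holder itself */
#define INHERITED_ACE          0x10u  /* set by the system on inherited copies */

/* Access-mask bits used in the article's example */
#define DELETE                0x00010000u
#define GENERIC_READ          0x80000000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_EXECUTE       0x20000000u
#define GENERIC_ALL           0x10000000u
#define FILE_GENERIC_READ     0x00120089u
#define FILE_GENERIC_WRITE    0x00120116u
#define FILE_GENERIC_EXECUTE  0x001200A0u
#define FILE_ALL_ACCESS       0x001F01FFu

typedef struct { uint8_t flags; uint32_t mask; } Ace;  /* one ACCESS_ALLOWED ACE */
typedef struct { Ace ace[8]; int count; } Dacl;        /* example-only types */

/* Generic rights in an ACE that lands on a file are translated to the file
 * object's specific rights; standard rights such as DELETE pass through. */
static uint32_t map_file_generic(uint32_t mask)
{
    uint32_t out = mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (mask & GENERIC_READ)    out |= FILE_GENERIC_READ;
    if (mask & GENERIC_WRITE)   out |= FILE_GENERIC_WRITE;
    if (mask & GENERIC_EXECUTE) out |= FILE_GENERIC_EXECUTE;
    if (mask & GENERIC_ALL)     out |= FILE_ALL_ACCESS;
    return out;
}

/* An ACE grants access on the object holding the DACL unless it is inherit-only. */
static int effective_on_holder(const Ace *a)
{
    return (a->flags & INHERIT_ONLY_ACE) == 0;
}

static int count_effective(const Dacl *d)
{
    int n = 0;
    for (int i = 0; i < d->count; i++) n += effective_on_holder(&d->ace[i]);
    return n;
}

/* DACL a newly created child receives from its parent directory.  Existing
 * children are untouched: inheritance is applied only at creation time. */
static Dacl inherit_from(const Dacl *parent, int child_is_directory)
{
    Dacl child = { {{0, 0}}, 0 };
    for (int i = 0; i < parent->count; i++) {
        const Ace *p = &parent->ace[i];
        Ace c;
        if (!child_is_directory) {
            if (!(p->flags & OBJECT_INHERIT_ACE)) continue;
            /* a file is not a container: the copy is effective and not inheritable */
            c.flags = INHERITED_ACE;
            c.mask  = map_file_generic(p->mask);
        } else if (p->flags & CONTAINER_INHERIT_ACE) {
            /* effective on the subdirectory and still inheritable below it */
            c.flags = (p->flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)) | INHERITED_ACE;
            c.mask  = p->mask;  /* simplification: generic bits left as-is on directories */
        } else if (p->flags & OBJECT_INHERIT_ACE) {
            /* a files-only ACE passes through the subdirectory as inherit-only */
            c.flags = OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE | INHERITED_ACE;
            c.mask  = p->mask;
        } else {
            continue;  /* neither inherit bit set: not inheritable */
        }
        child.ace[child.count++] = c;
    }
    return child;
}

/* The article's "Change (RWXD)(RWXD)" directory DACL for one trustee. */
static Dacl change_rwxd_dacl(void)
{
    Dacl d = { {{0, 0}}, 0 };
    d.ace[d.count++] = (Ace){ INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE,   /* ACE1: files */
                              DELETE | GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE };
    d.ace[d.count++] = (Ace){ CONTAINER_INHERIT_ACE,                    /* ACE2: dirs */
                              DELETE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE };
    return d;
}

static void print_dacl(const char *what, const Dacl *d)
{
    printf("%s: %d ACE(s)\n", what, d->count);
    for (int i = 0; i < d->count; i++)
        printf("  flags=0x%02x mask=0x%08x%s\n", d->ace[i].flags, d->ace[i].mask,
               effective_on_holder(&d->ace[i]) ? "" : " (inherit-only)");
}

int main(void)
{
    Dacl dir  = change_rwxd_dacl();
    Dacl file = inherit_from(&dir, 0);
    Dacl sub  = inherit_from(&dir, 1);
    print_dacl("directory", &dir);
    print_dacl("new file", &file);
    print_dacl("new subdirectory", &sub);
    return 0;
}
```

Running it shows that only ACE2 is effective on the directory itself, that a new file receives a single effective ACE whose generic rights have become FILE_GENERIC_* plus DELETE, and that a new subdirectory receives both ACEs, with the copy of ACE1 still marked inherit-only so it continues to reach that subdirectory's own files. Every inherited copy carries INHERITED_ACE, which is what lets a reviewer tell inherited entries from ones set directly on the object.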

When adding your own security to files, it is easy to create a combination that File Manager does not recognize as a "standard" setting. File Manager shows such a DACL as "special" security.

If you want to match the DACLs you create to those used by File Manager, you can set the security of a file or directory in File Manager and then check the DACLs and ACEs. A tool for this is provided as a sample called "Check_SD" in the Win32 SDK. Check_SD can be found in the Q_A\SAMPLES\CHECK_SD directory on the Win32 SDK CD.

REFERENCES

  • "Microsoft Win32 Programmer's Reference," Microsoft Corporation.
  • "Microsoft Win32 SDK API Reference help file," Microsoft Corporation.

Modification Type: Major
Last Reviewed: 4/9/2004
Keywords: kbACL kbinfo kbKernBase kbSecurity KB115948