Microsoft KB Archive/115948

INFO: Creating Access Control Lists for Directories

Q115948


The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), used with:
   * the operating system: Microsoft Windows NT, versions 3.1, 3.5
   * the operating system: Microsoft Windows 2000


SUMMARY
The discretionary access control list (DACL) for a directory usually differs from that of a file. When assigning security to a directory, you are often specifying both the security for the directory and the security for any contained files and directories.

A directory's ACL will normally contain at least two access control entries (ACEs):


 * An ACE for the directory itself and any subdirectories.
 * An ACE for any files in the directory.

If an ACE is to apply to objects in the directory (subdirectories and files), the ACE is marked with OBJECT_INHERIT_ACE and/or CONTAINER_INHERIT_ACE. (In this article, a container means a directory.)

For example, when you use File Manager to set the security on a directory to "Change (RWXD)(RWXD)," the directory's DACL contains the following two ACEs:

  ACE1 (applies to files in the directory)
    ACE flags:   INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE
    Access Mask: DELETE | GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE

  ACE2 (applies to the directory and subdirectories)
    ACE flags:   CONTAINER_INHERIT_ACE
    Access Mask: DELETE | FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE

MORE INFORMATION
The ACE flags are part of the ACE header. The structure of an ACE header can be found in the online help by searching on "ACE_HEADER".

In the above example, ACE1 applies only to contained files through the INHERIT_ONLY_ACE flag. If INHERIT_ONLY_ACE is not specified in an ACE, the ACE applies only to the current container.

NOTE: Adding one of these ACEs to a directory does not change the security for any contained files or directories. The ACEs are only copied to files and directories created after the ACEs have been added to the directory.
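The inheritance behavior described above, modeled in portable C as an added example (not code from the original article or the Win32 SDK): it computes which ACEs a newly created file or subdirectory receives from the "Change (RWXD)(RWXD)" DACL. The `model_ace` type, the `DELETE_ACCESS` name and the functions are hypothetical; the flag and mask values are those of winnt.h, and the model omits SIDs, ACE types and the INHERITED_ACE marking that Windows 2000 adds.

```c
#include <stdint.h>
#include <stddef.h>
/* Flag and mask values as in winnt.h; DELETE_ACCESS is a local name for DELETE. */
#define OBJECT_INHERIT_ACE       0x01
#define CONTAINER_INHERIT_ACE    0x02
#define NO_PROPAGATE_INHERIT_ACE 0x04
#define INHERIT_ONLY_ACE         0x08
#define DELETE_ACCESS            0x00010000u
#define GENERIC_READ             0x80000000u
#define GENERIC_WRITE            0x40000000u
#define GENERIC_EXECUTE          0x20000000u
#define FILE_GENERIC_READ        0x00120089u
#define FILE_GENERIC_WRITE       0x00120116u
#define FILE_GENERIC_EXECUTE     0x001200A0u
typedef struct { uint8_t flags; uint32_t mask; } model_ace; /* simplified ACE (assumed) */
/* Replace generic bits with the file-specific rights they stand for. */
static uint32_t map_generic(uint32_t m) {
    uint32_t out = m & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
    if (m & GENERIC_READ)    out |= FILE_GENERIC_READ;
    if (m & GENERIC_WRITE)   out |= FILE_GENERIC_WRITE;
    if (m & GENERIC_EXECUTE) out |= FILE_GENERIC_EXECUTE;
    return out;
}

/* Write to `out` the ACEs a newly created child gets from the parent's ACEs; return the count. */
size_t inherit_aces(const model_ace *parent, size_t n, int child_is_dir, model_ace *out) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t f = parent[i].flags;
        int no_prop = f & NO_PROPAGATE_INHERIT_ACE;
        if (!child_is_dir) {
            if (f & OBJECT_INHERIT_ACE)          /* effective on the file, no flags kept */
                out[k++] = (model_ace){ 0, map_generic(parent[i].mask) };
        } else if (f & CONTAINER_INHERIT_ACE) {  /* effective on the subdirectory */
            uint8_t keep = no_prop ? 0 : (f & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE));
            out[k++] = (model_ace){ keep, map_generic(parent[i].mask) };
        } else if ((f & OBJECT_INHERIT_ACE) && !no_prop) { /* inherit-only: passes to files below */
            out[k++] = (model_ace){ INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE, parent[i].mask };
        }
    }
    return k;
}

/* The two ACEs of the "Change (RWXD)(RWXD)" example. */
const model_ace change_dacl[2] = {
    { INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE, DELETE_ACCESS | GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE },
    { CONTAINER_INHERIT_ACE, DELETE_ACCESS | FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE },
};

int main(void) { model_ace o[2]; return inherit_aces(change_dacl, 2, 0, o) != 1; }
```

A new file receives one effective ACE with mask 0x001301BF; a new subdirectory receives ACE2 unchanged plus ACE1 still marked inherit-only, so files created further down get the same rights.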

When adding your own security to files, it is easy to create a combination that File Manager does not recognize as a "standard" setting. File Manager shows such a combination as "special" security.

If you want to match the DACLs you create to those used by File Manager, you can set the security of a file or directory in File Manager and then check the DACLs and ACEs. A tool for this is provided as a sample called "Check_SD" in the Win32 SDK. Check_SD can be found in the Q_A\SAMPLES\CHECK_SD directory on the Win32 SDK CD.