Article ID: 161722
Article Last Modified on 11/1/2006
APPLIES TO
- Microsoft Windows NT Advanced Server 3.1
- Microsoft Windows NT Workstation 3.1
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0 Standard Edition
This article was previously published under Q161722
SUMMARY
When you choose to install Windows NT to an NTFS partition during Setup, Windows NT installs to a FAT partition first, and then converts the partition to NTFS.
Windows NT needs a way of assigning default NTFS permissions to system files and folders. The Windows NT 3.5x Winperms.txt and Windows NT 4.0 Perms.inf files are used as templates to assign the correct permissions for built-in accounts (such as Server Operators, Backup Operators, Everyone, and so on) to the directory structure. These Access Control Entries (ACEs) are pre-defined and cannot be used to add non-built-in user account permissions.
Windows NT 3.5x uses Setacl.exe to apply these default permissions. Setacl.exe is a table-driven program that reads the Winperms.txt file, which has the form:
    dir1\dir2\dir3     5,7
    dir1\dir2\file1    1,2,3
    file2              4,5
where the first column is a full pathname to either a file or a directory, and the list of integers identifies the Access Control Entries (ACEs) to be applied.
In Windows NT 3.51, ACE values ACE-0 through ACE-17 have the following definitions:
- ACE-0 NULL ACE, used as a placeholder.
- ACE-1 Placed on a directory. This ACE causes RWX access to be inherited by all new objects created in the directory and all new directories. For example, "Anyone can write".
- ACE-2 Placed on a directory. This ACE is inherit only, so it is not evaluated when the directory is accessed. It propagates all access to containers and objects and substitutes the creator's SID when it is propagated.
- ACE-3 Used to implement RWXD to Administrators.
- ACE-4 Used to grant RWXD to Server Operators.
- ACE-5 Used for files being placed in a directory protected by an ACE of type 2 above (to make it look like the protection was inherited, even though it was not).
- ACE-6 Placed on a directory to grant WORLD RX permission to the directory and all files and subdirectories.
- ACE-7 Placed on a directory to grant Administrators All Access to the directory and all files and subdirectories.
- ACE-8 Placed on a directory to grant Server Operators All Access to the directory and all files and subdirectories.
- ACE-9 Used to grant WORLD RX access.
- ACE-10 Used to grant WORLD RWX access.
- ACE-11 Used to grant Account Operators RWXD permissions.
- ACE-12 Used to grant Print Operators All Access to files and all subdirectories.
- ACE-13 Used to grant Account Operators All Access to all subdirectories and objects created beneath it.
- ACE-14 Used to grant Account Operators All Access.
- ACE-15 Used to grant Print Operators All Access.
- ACE-16 Used to grant Server Operators All Access.
- ACE-17 Used to grant Administrators All Access.
The following are default ACE Assignments for specific rights:
Anyone Can Write
    Directories get 1,2,3, optionally 4 if Lanman product
    Files get 5,10
Administrators Control
    Directories get 6,2,7, optionally 8 if Lanman product
    Files get 5,9,16,17
Administrators Exclusive
    Directories get 9,2,7
    Files get 5,17
Creator Exclusive
    Directories get 10,2
    Files get 5
Home Directory Parent
    Directories get 9,3,11
    No files
Administrators, server operators & print operators
    Directories get 6,2,7, optionally 8,12
    Files get 9,5,15,16,17
Administrators and Account Operators
    Directories get 6,2,7, optionally 13
    Files get 6,5,14,17
Windows NT 4.0 uses ACE-1 through ACE-18 and uses a different numbering scheme. The numbers in the Perms.inf file are simply used as indices to a table in code. There is no way to extend the table.
NOTE: Some of these are not applicable for Windows NT Workstation.
ACE codes:
    Index   Permission          Inherit
    ---------------------------------------------
    1       AccountOpsRWXD      Containers
    2       AdminAll            Containers, Objects
    3       AdminRWXD           Containers
    4       CreatorOwnerAll     Containers, Objects
    5       NetUsersDenyAll     Containers, Objects
    6       PrintOperatorsAll   Containers, Objects
    7       ReplicatorRWXD      Containers, Objects
    8       ReplicatorRX        Containers, Objects
    9       SysOpsAll           Containers, Objects
    10      SysOpsRWXD          Containers, Objects
    11      WorldAll            Containers, Objects
    12      WorldRWX            Containers
    13      WorldRWXD           Containers, Objects
    14      WorldRX             Containers
    15      WorldRX             Containers, Objects
    16      WorldRWX            Containers, Objects
    17      SystemAll           Containers, Objects
    18      PowerUsersRWXD      Containers, Objects
Use the chart below for predefined combinations of ACEs:
    d1  = 2,13,4,17
    d2  = 2,4,14,17
    d3  = 15,4,2,17
    d4  = 15,4,2,13,17,18
    d5  = 15,4,2,17,18
    d6  = 2,4,15,17,18
    d7  = 15,2,7,4,17
    d8  = 14,3,17
    d9  = 12,4,17
    d10 = 2,13,4,17
    f1  = 2,15,17
    f2  = 2,13,17
    f3  = 2,15,17,18
    f4  = 11
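The following Python script is an added example, not Microsoft's code and not part of the original article. It expands each predefined combination in the chart into the ACEs from the Windows NT 4.0 table above and lists the combinations that give World (Everyone) write access. The function names are hypothetical, and treating the All, RWXD and RWX suffixes as write access is an assumption read from the permission names.

```python
import re

C, CO = "Containers", "Containers, Objects"
# NT 4.0 ACE codes as listed in the article: index -> (permission, inherit).
ACES = {
    1: ("AccountOpsRWXD", C),       2: ("AdminAll", CO),
    3: ("AdminRWXD", C),            4: ("CreatorOwnerAll", CO),
    5: ("NetUsersDenyAll", CO),     6: ("PrintOperatorsAll", CO),
    7: ("ReplicatorRWXD", CO),      8: ("ReplicatorRX", CO),
    9: ("SysOpsAll", CO),           10: ("SysOpsRWXD", CO),
    11: ("WorldAll", CO),           12: ("WorldRWX", C),
    13: ("WorldRWXD", CO),          14: ("WorldRX", C),
    15: ("WorldRX", CO),            16: ("WorldRWX", CO),
    17: ("SystemAll", CO),          18: ("PowerUsersRWXD", CO),
}
# Predefined combinations, copied from the article's chart.
CHART = """d1 = 2,13,4,17  d2 = 2,4,14,17  d3 = 15,4,2,17  d4 = 15,4,2,13,17,18
d5 = 15,4,2,17,18  d6 = 2,4,15,17,18  d7 = 15,2,7,4,17  d8 = 14,3,17
d9 = 12,4,17  d10= 2,13,4,17  f1 = 2,15,17  f2 = 2,13,17  f3 = 2,15,17,18  f4 = 11"""

def parse_chart(text):
    """Return {combination: [ACE indices]} in chart order."""
    pairs = re.findall(r"\b([df]\d+)\s*=\s*(\d+(?:,\d+)*)", text)
    return {name: [int(n) for n in idx.split(",")] for name, idx in pairs}

def expand(indices):
    """Resolve indices to (trustee, rights, inherit); unknown indices are an error."""
    out = []
    for i in indices:
        if i not in ACES:
            raise ValueError(f"ACE index {i} is not in the table")
        name, inherit = ACES[i]
        # Split e.g. "NetUsersDenyAll" into trustee "NetUsers" and rights "DenyAll".
        trustee, rights = re.fullmatch(r"(.+?)(DenyAll|All|RWXD|RWX|RX)", name).groups()
        out.append((trustee, rights, inherit))
    return out

def world_writable(combos):
    """Combinations whose World ACE includes write access (assumed: All, RWXD, RWX)."""
    return [c for c, idx in combos.items()
            if any(t == "World" and r in ("All", "RWXD", "RWX") for t, r, _ in expand(idx))]

if __name__ == "__main__":
    combos = parse_chart(CHART)
    for name, idx in combos.items():
        print(name, expand(idx))
    print("World-writable combinations:", world_writable(combos))
```
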
MORE INFORMATION
For additional information, please see the following article(s) in the Microsoft Knowledge Base:
ARTICLE-ID: 153094
TITLE : Restoring Default Permissions to Windows NT System Files
ARTICLE-ID: 157963
TITLE : SETACL.EXE not available in Windows NT 4.0
Fixacls.exe can be found in the Windows NT 4.0 Resource Kit Supplement 2.
When system permissions have been lost, FIXACLS can restore default permissions to the system files. For example, the Windows NT convert command only converts your file system to NTFS. It does not set the default permissions after the conversion. FIXACLS fills this gap.
To use FIXACLS, your user account needs "Backup files and folders" privileges on the computer where the files and folders are stored, and you must be logged on as a member of the Administrators group for the domain or computer where your user account is defined. Otherwise, "Access denied" error messages may occur.
FIXACLS sets the permissions to the values defined in %SYSTEMROOT%\Inf\Perms.inf. Therefore, access to this file is also required to run FIXACLS.
The self-extracting archive file, Fixacl1.exe, distributed by Microsoft Press, contains the executable and documentation for Fixacls.exe.
Fixacl1.exe is available for download from the following Microsoft FTP site: