Changes to the default NTFS Discretionary Access Control List (DACL) settings in Windows Vista

Article ID : 949608
Last Review : March 26, 2008
Revision : 1.0
INTRODUCTION

In Windows Vista, the NTFS file system Discretionary Access Control Lists (DACLs) have been changed to enable data sharing and collaboration in data directories that are outside protected directories. A user's protected directory is the user's profile. For example, the C:\Users\Denise\Pictures directory is a protected directory. A data directory is a directory that is created outside this protected directory structure; D:\Pictures is an example of a directory that is outside the protected structure.

Assume that Denise Smith logs on to her Windows Vista-based computer and that she creates a new directory on her external hard disk (drive D). Denise names the directory FamilyPictures. Later, Denise’s son, Brian, logs on to the computer. Brian creates a new directory that is named SummerVacationPics in the FamilyPictures directory. Then, Brian saves several pictures in the SummerVacationPics directory. If the Windows XP DACL settings are applied to the SummerVacationPics directory, Denise cannot edit any of the pictures in the SummerVacationPics directory. This behavior occurs because the DACLs mark Brian as the only user who has Write permissions. However, DACL default behavior has been changed in Windows Vista. Therefore, in Windows Vista, Denise can perform photo editing tasks on the pictures in the SummerVacationPics directory.

These DACL changes let users share and edit files without specifying the credentials in the User Account Control dialog box. Additionally, users can manually make a directory private. This feature guarantees that users can easily maintain data confidentiality and data integrity on data drives. Private directories are readable by an administrator if the administrator has been granted elevated mode permissions. The elevated mode feature should be used to keep data private from standard users. The Windows Vista DACL settings are applied during installation, and they are migrated to any detected drive that meets one of the following criteria:

• The drive does not contain a Windows operating system.
• The drive is formatted by using the default Windows XP DACL settings.


MORE INFORMATION

Tool updates

The Convert.exe and Format.exe command-line tools have been changed in Windows Vista to include new options for the new DACL settings. However, these tools cannot convert existing Windows XP DACL settings to the Windows Vista DACL settings. To change an existing Windows XP DACL setting to a Windows Vista DACL setting, you must use the Cacls.exe command-line tool in Windows Vista with the /S: switch, which replaces the DACL with the one given in Security Descriptor Definition Language (SDDL) form. For example, the following command converts existing Windows XP DACL settings on the root of the D: data drive to Windows Vista DACL settings:

cacls D:\ /S:D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;SDGXGWGR;;;AU)(A;OICI;GXGR;;;BU)


DACL settings in Windows Vista

Use the following table of abbreviations to determine the results of access control entry (ACE) inheritance.

Access control entry inheritance abbreviations

Abbreviation Description
CI Container inherit. The access control entry will be inherited by directories.
OI Object inherit. The access control entry will be inherited by files.
IO Inherit only. The access control entry does not apply to the current file and directory.
NP Inheritance will not be propagated.

Windows XP %systemroot% directory and data drive DACL settings

The following are the default DACL settings for the %systemroot% directory and for the data drive in Windows XP.

User or group Access control entry Access control entry inheritance
BUILTIN\Administrators Full control (OI)(CI)
NT AUTHORITY\SYSTEM Full control (OI)(CI)
CREATOR OWNER Full control (OI)(CI)(IO)
BUILTIN\Users Read (OI)(CI)
BUILTIN\Users Special access: FILE_APPEND_DATA (CI)
BUILTIN\Users Special access: FILE_WRITE_DATA (CI)(IO)
Everyone Read

Windows Vista data drive DACL settings

The following are the new Windows Vista DACL settings for data drives that are created by using the Format.exe program.

User or group Access control entry Access control entry inheritance
BUILTIN\Administrators Full control
BUILTIN\Administrators Full control (OI)(CI)(IO)
NT AUTHORITY\SYSTEM Full control
NT AUTHORITY\SYSTEM Full control (OI)(CI)(IO)
NT AUTHORITY\Authenticated Users Modify
NT AUTHORITY\Authenticated Users Modify (OI)(CI)(IO)
BUILTIN\Users Read and execute
BUILTIN\Users Generic read, generic execute (OI)(CI)(IO)

Windows Vista %systemroot% directory DACL settings

The following are the Windows Vista DACL settings for the %systemroot% directory.

User or group Access control entry Access control entry inheritance
BUILTIN\Administrators Full control
BUILTIN\Administrators Full control (OI)(CI)(IO)
NT AUTHORITY\SYSTEM Full control
NT AUTHORITY\SYSTEM Full control (OI)(CI)(IO)
BUILTIN\Users Read and execute (OI)(CI)
NT AUTHORITY\Authenticated Users Modify (OI)(CI)(IO)
NT AUTHORITY\Authenticated Users Append data
Mandatory Label\High Mandatory Level No write (OI)(IO)(NP)


How to disable data drive migration when you build your image

In some environments, you may not want to convert the ACLs of your data drives. Scenarios in which you may not want to convert the ACLs of your data drive include the following:

• Your data drive is shared, and you rely on the BUILTIN\Users ACLs to grant modify access.
• Your data drive holds many data files and directories, and you are not experiencing data access issues.

Note In this scenario, changing the ACLs is unnecessary and may significantly increase Windows Vista installation time.

Note The Windows Automated Installation Kit (WAIK) contains a set of deployment tools. Guidance about how to use the deployment tools is available from the Microsoft Download Center. WAIK is targeted at corporate customers who are doing automated Windows deployment. For more information about WAIK, visit the following Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c7d4bc6d-15f3-4284-9123-679830d629f2&DisplayLang=en

To disable data drive migration, follow these steps.

1. Create a directory to store the Windows Imaging Format (WIM) file. For example, create a C:\VistaRTM\WIM directory.
2. Create a directory to store the uncompressed operating system image. For example, create a C:\VistaRTM\OS directory.
3. Copy the applicable Install.wim file to the temporary WIM directory that you created in step 1. For example, type the following command at a command prompt to copy the Install.wim file from the Windows Vista installation media:

copy e:\sources\install.wim c:\VistaRTM\WIM\install.wim
4. Copy the image filter driver from the WAIK deployment tools to the C:\VistaRTM\Driver directory. To do this, follow these steps:

a. Click Start, type cmd in the Start Search box, right-click cmd.exe in the Programs list, and then click Run as administrator.
If you are prompted for an administrator password or for confirmation, type the password, or click Continue.
b. At the command prompt, type the following commands. Press ENTER after each command.

cd c:\VistaRTM\Driver
wimfltr.sys

5. At the elevated command prompt, mount the applicable .wim image. For example, type the following command at the command prompt:

imagex.exe /mountrw c:\VistaRTM\WIM\install.wim 1 c:\VistaRTM\OS

Note 1 is the value of the image index in the Install.wim file. Because the Install.wim file can list multiple Windows edition images, you should use the imagex /info install.wim command to display all the Windows editions in the Install.wim file. When you have identified the correct index for the Windows edition, use that value together with the /MountRW command.

For more information about the ImageX tool and about WIM, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/windowsvista/aa905070.aspx
6. Edit the system registry hive for the WIM image. To do this, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows
a. Click Start, type regedit in the Start Search box, and then click regedit in the Programs list.
If you are prompted for an administrator password or for confirmation, type the password, or click Continue.
b. In Registry Editor, locate and then click HKEY_LOCAL_MACHINE, and then click Load Hive on the File menu.
c. In the Load Hive dialog box, select the SYSTEM directory in the Windows Vista directory, and then click Open. For example, select C:\VistaRTM\OS\Windows\System32\config\SYSTEM.
d. Type TEMP_HKLM in the Key Name box to create a temporary HIVE entry, and then click OK.
e. Locate and then click the following registry subkey.

HKEY_LOCAL_MACHINE\TEMP_HKLM\Setup
f. On the Edit menu, point to New, and then click DWORD Value.
g. Type DDACLSys_Disabled, and then press ENTER.
h. Right-click DDACLSys_Disabled, and then click Modify.
i. In the Value data box, type 1, and then click OK.
7. After you modify the image, unload the temporary hive (click TEMP_HKLM, and then click Unload Hive on the File menu) and seal the image. To do this, type the following command at a command prompt:

imagex.exe /unmount /commit c:\VistaRTM\OS
8. Replace the original Install.wim file on the installation media with the modified image. The /commit switch writes the changes back into the mounted file, c:\VistaRTM\WIM\install.wim, so type the following command at a command prompt:

copy c:\VistaRTM\WIM\install.wim e:\sources\install.wim


How to define a protected drive DACL

Restrict file and directory creation for standard users

To specify that standard users cannot create directories or files outside their user profiles, run the following command at an elevated command prompt. The P flag marks the DACL as protected, so that no entries are inherited from the parent, and the BUILTIN\Users entry grants read and execute (0x1200a9) only:

cacls D:\ /S:D:P(A;;0x1301bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)(A;IOCIOI;GA;;;BA)(A;OICI;0x1200a9;;;BU)

Enable standard users to create top-level directories

To specify that standard users can create top-level directories and that they will be the owners of a directory and all its subdirectories, run the following command at an elevated command prompt. The additional (A;;LC;;;BU) entry lets BUILTIN\Users add subdirectories at the drive root only, and the CREATOR OWNER entry gives whoever creates a directory full control over it and everything below it:

cacls D:\ /S:D:P(A;;0x1301bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)(A;IOCIOI;GA;;;BA)(A;OICI;0x1200a9;;;BU)(A;;LC;;;BU)(A;OICIIO;GA;;;CO)


How to define a protected directory for a specific user

To specify that only a specific user can access a file or a directory outside the user profile, follow these steps:

1. To define a protected directory, you must first obtain the security identifier (SID) of the user who is currently logged on. To obtain the SID, run the following command at a command prompt:

whoami /all
2. Use the Cacls.exe command-line tool to specify a protected directory. To do this, type the following command at a command prompt:

cacls Directory /S:D:PAI(A;OICI;GA;;;SID)(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)

Note Directory represents the directory path of the directory that you want to configure. SID represents the user’s SID.

The following sample commands use the PersonalSecureFolder directory. This directory is located in the D: directory.

• To determine the current security settings of the D:\PersonalSecureFolder directory, type the following command at a command prompt in the root of drive D:

icacls.exe PersonalSecureFolder

The command generates the following output:

BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
• To apply the protected DACL to the D:\PersonalSecureFolder directory, type the following command at a command prompt:

cacls D:\PersonalSecureFolder /S:D:PAI(A;OICI;GA;;;S-1-5-21-2840286564-3180458239-1922922813-1001)(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)
• To determine the new NTFS DACL for the D: PersonalSecureFolder directory, type the following command at a command prompt:

icacls.exe D:\PersonalSecureFolder

The command generates the following output:

HomePC\Denise:(F)
HomePC\Denise:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
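Before applying any of the cacls /S: commands in this article, it is worth decoding the SDDL string to see exactly who ends up with which rights. The following Python script is an added example, not part of the Knowledge Base article: it parses the DACL strings quoted above (the Vista data drive default, the two protected-drive variants, and the per-user directory with the sample SID from the previous command), resolves the two-letter rights tokens and hex masks to file-object access masks, renders each ACE in icacls-like notation, and answers whether a standard user (assumed here to be a member of BUILTIN\Users, Authenticated Users and Everyone) can create files or subdirectories directly in the secured directory. The mapping of generic rights (GA, GR, GW, GX) onto file rights and the short names F, M, RX, R and W follow the Windows file-object definitions; the parser only covers the ACE fields the article's commands use.

```python
"""Decode the SDDL DACL strings quoted in KB949608 into readable ACEs and check
what a standard user may create at the root of the secured directory.
Added example; the SDDL strings below are copied from the article's cacls commands."""
import re
from dataclasses import dataclass

# Well-known SID abbreviations that appear in the article's commands
WELL_KNOWN_SIDS = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
    "CO": "CREATOR OWNER", "WD": "Everyone",
}

# File-system access-mask bits (winnt.h). On a directory, 0x2 = add file, 0x4 = add subdirectory.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x1, 0x2, 0x4
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x8, 0x10, 0x20
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x80, 0x100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
                      | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = 0x1F01FF

# SDDL rights tokens; generic rights are resolved to their file-object mapping
RIGHTS_TOKENS = {
    "GA": FILE_ALL_ACCESS, "GR": FILE_GENERIC_READ, "GW": FILE_GENERIC_WRITE,
    "GX": FILE_GENERIC_EXECUTE, "SD": DELETE, "RC": READ_CONTROL,
    "WD": WRITE_DAC, "WO": WRITE_OWNER, "LC": FILE_APPEND_DATA,
}
# icacls-style short names for the masks that occur in the article's tables
SIMPLE_RIGHTS = {FILE_ALL_ACCESS: "F", 0x1301BF: "M", 0x1200A9: "RX",
                 FILE_GENERIC_READ: "R", FILE_GENERIC_WRITE: "W"}


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied
    flags: tuple    # inheritance flags, e.g. ("OI", "CI", "IO")
    mask: int       # resolved access mask
    trustee: str    # account name, or the raw SID if it is not a well-known abbreviation


def parse_rights(field):
    """A hex mask is taken as-is; otherwise the two-letter tokens are OR'ed together."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS_TOKENS[field[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Split 'D:<control flags>(ace)(ace)...' into (control flags, [Ace, ...])."""
    body = sddl[2:] if sddl.startswith("D:") else sddl
    control = re.match(r"[A-Z]*", body).group(0)   # "P" = protected, "AI" = auto-inherited
    aces = []
    for text in re.findall(r"\(([^)]*)\)", body):
        fields = [f.strip() for f in text.split(";")]
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % text)
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
        flag_tuple = tuple(flags[i:i + 2] for i in range(0, len(flags), 2))
        aces.append(Ace(ace_type, flag_tuple, parse_rights(rights), WELL_KNOWN_SIDS.get(sid, sid)))
    return control, aces


def render(aces):
    """One line per ACE in the notation icacls uses, e.g. BUILTIN\\Users:(OI)(CI)(RX)."""
    lines = []
    for ace in aces:
        flags = "".join("(%s)" % f for f in ace.flags)
        lines.append("%s:%s(%s)" % (ace.trustee, flags, SIMPLE_RIGHTS.get(ace.mask, hex(ace.mask))))
    return lines


def root_create_rights(aces, trustees):
    """Can a principal with the given group memberships create files or subdirectories directly
    in the secured directory? Inherit-only ACEs do not apply to the directory itself and are
    skipped; deny ACEs strip bits from the allowed mask."""
    allowed = denied = 0
    for ace in aces:
        if ace.trustee not in trustees or "IO" in ace.flags:
            continue
        if ace.ace_type == "A":
            allowed |= ace.mask
        elif ace.ace_type == "D":
            denied |= ace.mask
    effective = allowed & ~denied
    return {"files": bool(effective & FILE_WRITE_DATA),
            "subdirectories": bool(effective & FILE_APPEND_DATA)}


# Assumed group memberships of a standard user on a stand-alone Vista machine
STANDARD_USER = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}

# DACL strings copied from the article's cacls commands (the SID is the article's sample SID)
VISTA_DATA_DRIVE = "D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;SDGXGWGR;;;AU)(A;OICI;GXGR;;;BU)"
PROTECTED_DRIVE = ("D:P(A;;0x1301bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)"
                   "(A;IOCIOI;GA;;;BA)(A;OICI;0x1200a9;;;BU)")
PROTECTED_DRIVE_TOP_LEVEL = PROTECTED_DRIVE + "(A;;LC;;;BU)(A;OICIIO;GA;;;CO)"
PERSONAL_FOLDER = ("D:PAI(A;OICI;GA;;;S-1-5-21-2840286564-3180458239-1922922813-1001)"
                   "(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)")

if __name__ == "__main__":
    for name, sddl in [("Vista data drive", VISTA_DATA_DRIVE), ("Protected drive", PROTECTED_DRIVE),
                       ("Protected drive, top-level creation", PROTECTED_DRIVE_TOP_LEVEL),
                       ("Personal folder", PERSONAL_FOLDER)]:
        control, aces = parse_dacl(sddl)
        print("%s (control flags: %s)" % (name, control or "none"))
        for line in render(aces):
            print("  " + line)
        print("  standard user may create:", root_create_rights(aces, STANDARD_USER))
```

Decoding the Vista data-drive string shows that SDGXGWGR for Authenticated Users resolves to 0x1301bf (Modify) and GXGR for Users to 0x1200a9 (Read and execute), which is exactly what the Windows Vista data drive table above lists; the protected-drive string leaves standard users with no create rights at the root, and the top-level variant adds only subdirectory creation, because LC (FILE_ADD_SUBDIRECTORY, 0x4) does not include FILE_ADD_FILE (0x2).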



APPLIES TO
• Windows Vista Business
• Windows Vista Enterprise
• Windows Vista Home Basic
• Windows Vista Home Premium
• Windows Vista Ultimate
• Windows Vista Business 64-bit Edition
• Windows Vista Enterprise 64-bit Edition
• Windows Vista Home Basic 64-bit Edition
• Windows Vista Home Premium 64-bit Edition
• Windows Vista Ultimate 64-bit Edition


Keywords: 
kbexpertiseinter kbinfo KB949608


Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

