
The Permissions on 'Folder' are incorrectly ordered.


Mark Travis

Mar 11, 2004, 12:43:13 AM
Hi all,

This error deals with a program I have written using AdsSecurity library. I
have managed to reproduce the error through a number of manual steps which I
describe here

1. I create a folder on a network drive (mapped from a Windows 2003 server)
that has a number of domain\groups included in the drive's DACL (all have the
ADS_ACEFLAG_INHERIT_ACE flag set to true).
2. Using the Windows UI (Windows XP in my case), I grant generic access to
the folder to 'domain\jbloggs'.
3. I create a folder under the folder created in Step 1, and view its DACL
via the Windows UI with no problems.
4. Using the Microsoft vb script found at the following Microsoft kb site, I
grant generic access to the folder created in Step 1 to 'domain\auser'
http://support.microsoft.com/default.aspx?scid=kb;en-us;818362
5. I create a second folder under the folder created in Step 1, and view its
DACL via the Windows UI. At this point I receive the following error:
'The permissions on 'Folder' are incorrectly ordered...'

When I view the DACL via the ADsSecurity library, all entries appear to have
lost the ADS_ACEFLAG_INHERITED_ACE flag.

The script performs the same steps as I do in my application. Any
information as to why this is occurring would be greatly appreciated.

Thanks in advance

Mark


Rhett Gong [MSFT]

Mar 11, 2004, 5:48:13 AM
Hi Mark,
The error "The Permissions on Folder are incorrectly ordered, which may cause some
entries to be ineffective." is caused by not ordering the Access Control Entries (ACEs) in an
Access Control List (ACL). The Allow ACEs should be placed before the Inherit ACEs in the
ACL. If an Inherit ACE is listed before an Allow ACE, the ACL is deemed to be an invalid
ACL.
This problem is caused in step 4. The AccessControlList.Add method appends an ACE to the
end of the ACL. Please use AccessControlList.Insert and let me know if it resolves your
problem. Thanks!

Have a nice day!
Rhett Gong [MSFT]
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.
Please reply to newsgroups only. Thanks.

Richard Mueller [MVP]

Mar 11, 2004, 2:07:43 PM
Mark Travis wrote:

Hi,

It sounds like this KB article applies:

http://support.microsoft.com/default.aspx?scid=kb;en-us;269159

However, I thought that XP clients reordered the ACE's for you. Perhaps I'm
wrong. In any case, I would try reordering them per the KB article. I always
do this, so my code will work on older clients.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
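As an added illustration of the ordering rule discussed in Rhett's reply and in the KB article Richard points to (this is not code from the thread or from Microsoft's script), the following Python model implements the canonical DACL order that the "incorrectly ordered" check enforces: explicit deny ACEs first, then explicit allow ACEs, then inherited ACEs (simplified: inherited ACEs keep their existing relative order). The numeric constants are the ADSI ACE-type and ACE-flag values; the trustee names and the sample DACL are constructed.

```python
from dataclasses import dataclass

# ACE type and flag values as defined by ADSI (same numbers the VBScript in this thread uses)
ADS_ACETYPE_ACCESS_ALLOWED = 0x0
ADS_ACETYPE_ACCESS_DENIED = 0x1
OBJECT_INHERIT_ACE = 0x1
CONTAINER_INHERIT_ACE = 0x2
INHERITED_ACE = 0x10  # ADS_ACEFLAG_INHERITED_ACE: the ACE was propagated from a parent

@dataclass(frozen=True)
class Ace:
    trustee: str
    ace_type: int
    ace_flags: int
    access_mask: int

    @property
    def inherited(self) -> bool:
        return bool(self.ace_flags & INHERITED_ACE)

def rank(ace: Ace) -> int:
    """Canonical bucket: 0 = explicit deny, 1 = explicit allow, 2 = inherited."""
    if ace.inherited:
        return 2
    return 0 if ace.ace_type == ADS_ACETYPE_ACCESS_DENIED else 1

def is_canonical(dacl: list) -> bool:
    """True when the bucket never decreases along the list; otherwise the UI complains."""
    ranks = [rank(a) for a in dacl]
    return ranks == sorted(ranks)

def canonicalize(dacl: list) -> list:
    """Stable sort by bucket: ACEs keep their relative order inside each bucket."""
    return sorted(dacl, key=rank)

def insert_canonical(dacl: list, ace: Ace) -> list:
    """Model of Insert instead of Add: place the new ACE at the end of its own bucket."""
    pos = sum(1 for a in dacl if rank(a) <= rank(ace))
    return dacl[:pos] + [ace] + dacl[pos:]

# Constructed sample: a child folder whose inherited ACEs come first and whose new
# explicit allow for 'domain\auser' was appended at the end (what Add does).
SAMPLE_DACL = [
    Ace("domain\\admins", ADS_ACETYPE_ACCESS_ALLOWED, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | INHERITED_ACE, 0x1F01FF),
    Ace("domain\\users", ADS_ACETYPE_ACCESS_ALLOWED, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE | INHERITED_ACE, 0x120089),
    Ace("domain\\auser", ADS_ACETYPE_ACCESS_ALLOWED, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, 0x120089),
]
```

Running `is_canonical(SAMPLE_DACL)` reports the appended ACE as out of order; `canonicalize` moves the explicit entry ahead of the inherited ones, which is the reordering the KB script performs.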


Mark Travis

Mar 11, 2004, 6:35:24 PM
Thanks to Richard and Rhett for the replies. This is the first time I have
had to use a news group and I am afraid I made a few mistakes. Sorry if I
have wasted anybody's time.

The first mistake was that I pointed to the wrong knowledge base article. I
did get the sample script from
http://support.microsoft.com/default.aspx?scid=kb;en-us;269159
which has an ACE sorting algorithm in it. I have been scouring the web for
days and I had a number of articles open when I wrote the request for help.

The second mistake was that I left out a piece of information. The folder I
ran the script on, call it Folder 1, does not throw an error when I view the
DACL via the Windows UI. All folders I then created under Folder 1, call one
of them Folder 2, threw the error. (NOTE: any documents created under Folder
1 do not throw the error)

When I viewed the DACL on Folder 1, all ACE's that were to be inherited by
child objects had the ADS_ACEFLAG_INHERIT_ACE flag set. When I viewed the
DACL on Folder 2 (after clicking OK for the OS to sort message box), none of
the ACE's had the ADS_ACEFLAG_INHERITED_ACE flag set.

Funny enough though, I ran through a test to see what kind of security hole
this can cause.
1. Open the Properties window for Folder 2
2. Click the Security tab and get the 'Permissions incorrectly ordered'
message box
3. Click Cancel on the message box. This appears to clear the DACL and
insert a full control ACE for 'Everyone'
4. Click OK on the Properties window
5. Reopen the Properties window for Folder 2
6. Click the Security tab. All inherited ACE's are there (along with the
full control ACE for Everyone)

I am lost as to where I have gone wrong. This feels like it should be a
simple process.

Anyway, I hope this makes sense.

Thanks again

Mark


"Richard Mueller [MVP]" <rlmuelle...@ameritech.NOSPAM.net> wrote in
message news:etI8e05B...@TK2MSFTNGP10.phx.gbl...

Mark Travis

Mar 11, 2004, 7:24:09 PM
I have also tried the following script

http://support.microsoft.com/default.aspx?scid=kb;en-us;279682

With the same problems arising.

Any help would be greatly appreciated

Regards

Mark


"Mark Travis" <mtr...@sysdel.skmconsulting.com> wrote in message
news:O1Zh0C8B...@TK2MSFTNGP10.phx.gbl...

Rhett Gong [MSFT]

Mar 11, 2004, 10:21:44 PM
Hi Mark,
Please check if the following steps are what you are trying:
1> create a folder (we named it folder1) on a network drive, then check the DACL with the Windows UI without any error, and find that
ADS_ACEFLAG_INHERIT_ACE is set for folder1.
2> create a new folder (folder2) under folder1, then use the Windows UI to check the DACL with no problems.
3> add an ace to folder2 with the script found at http://support.microsoft.com/default.aspx?scid=kb;en-us;279682
4> create another folder (folder3) under folder1, then check the DACL for folder3 and get the error 'The permissions on 'Folder' are incorrectly ordered...'

You also tried kb269159 in step 3 but it did not help.

Please let me know if these are correct steps to repro your problem. If there is anything missing, please feel free to post it in the newsgroup.

Thanks,

Mark Travis

Mar 11, 2004, 11:19:17 PM
Hi Rhett,

Sorry about the email mix up

The steps you mentioned are not quite right. The steps I took to reproduce
the error are as follows:

1. Create Folder 1 on network drive
2. Add ace to Folder 2 with script
http://support.microsoft.com/default.aspx?scid=kb;en-us;279682
3. Create Folder 2 under Folder 1
4. Check the DACL on Folder 2 via the UI and get the error 'The permissions
on 'Folder 2' are incorrectly ordered...'

The noting of the inheritance flags was because the inherit ACE's on Folder
1 seemed to be copied to Folder 2 and not marked as inherited. The strange
thing was if the copied ACE's were deleted from Folder 2, the same ACE's
re-appeared against Folder 2 marked as inherited (gray check boxes).

Thanks again

Mark


"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message
news:UgUxpE%23BEH...@cpmsftngxa06.phx.gbl...

Rhett Gong [MSFT]

Mar 12, 2004, 4:56:10 AM
A bit confused on your steps:

>2. Add ace to Folder 2 with script
>http://support.microsoft.com/default.aspx?scid=kb;en-us;279682
>3. Create Folder 2 under Folder 1
Which folder did you add the ace to when folder2 was not yet created? Do you mean folder1?

Mark Travis

Mar 12, 2004, 8:09:04 AM
Sorry, a typo.

The steps are

1. Create Folder 1 on network drive

2. Add ace to Folder 1 with script

4. Check the DACL on Folder 2 via the UI and get the error 'The permissions
on 'Folder 2' are incorrectly ordered...'

Thanks

Mark


"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message

news:YuVNJhB...@cpmsftngxa06.phx.gbl...

Rhett Gong [MSFT]

Mar 15, 2004, 8:36:23 PM
Hi Mark,
I have reproduced it with Windows 2003 boxes.
Simply, we can turn off inheritance in the parent folder to avoid this problem. But I don't think it is a good
solution for this problem. Currently, I am trying to find another way for it. Please be patient. I will update
you as soon as possible.

BTW: What is your version and size of adssecurity.dll? And What is your version of system?

Thanks,

Mark Travis

Mar 16, 2004, 1:34:20 AM
Hi Rhett,

Thanks for all the effort. The information you have asked for is

adssecurity.dll
Version : 1.0.0.1
Size : 52.0 KB (53,248 bytes)
Created : Wednesday, 11 April 2001, 2:33:56 PM

Windows XP
Version 5.1 (Build 2600 xpsp2.030422-1633 - Service Pack 1)

Patience is not a problem. I am not critical path yet. I am currently
looking at WMI as a possible alternative but I still have a bit of reading
to do before I attempt a solution. Obviously, I would prefer to use adsi but
ultimately I need a solution, regardless of the technology I use.

Again, thanks for the effort.

Regards

Mark

"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message

news:CguMJcv...@cpmsftngxa06.phx.gbl...

Max L. Vaughn [MSFT]

Mar 18, 2004, 10:05:03 AM
I've been working with Ray on this issue internally. Running from a 2003
client, there is no need to use ADsSecurity.dll. The ADsSecurityUtility
object is the way to go.

Here is what I did:
I created a VBS to add the ACE defined below. The VBS is included at the
end of this email.

I created a share on my XP machine and on my Win2k machines. I created a
testdir directory. I targeted both with the same ACE. I then went to each
share and added a directory. I checked the permissions, I did not get the
reorder box.

Check the constants below. Make sure they have values and they match what
would be expected from the script. If an enumeration type is not defined
in a type lib, VB will just set it to 0.

Here is the script I was talking about, be sure to modify it to fit your
environment.

'
' Define some constants:
'
'
' Define the ADS_RIGHTS_ENUM constants:
'
const ADS_RIGHT_DELETE = &h10000
const ADS_RIGHT_READ_CONTROL = &h20000
const ADS_RIGHT_WRITE_DAC = &h40000
const ADS_RIGHT_WRITE_OWNER = &h80000
const ADS_RIGHT_SYNCHRONIZE = &h100000
const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &h1000000
const ADS_RIGHT_GENERIC_READ = &h80000000
const ADS_RIGHT_GENERIC_WRITE = &h40000000
const ADS_RIGHT_GENERIC_EXECUTE = &h20000000
const ADS_RIGHT_GENERIC_ALL = &h10000000
const ADS_RIGHT_DS_CREATE_CHILD = &h1
const ADS_RIGHT_DS_DELETE_CHILD = &h2
const ADS_RIGHT_ACTRL_DS_LIST = &h4
const ADS_RIGHT_DS_SELF = &h8
const ADS_RIGHT_DS_READ_PROP = &h10
const ADS_RIGHT_DS_WRITE_PROP = &h20
const ADS_RIGHT_DS_DELETE_TREE = &h40
const ADS_RIGHT_DS_LIST_OBJECT = &h80
const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Type definitions
'
const ADS_ACETYPE_ACCESS_ALLOWED = 0
const ADS_ACETYPE_ACCESS_DENIED = &h1
const ADS_ACETYPE_SYSTEM_AUDIT = &h2
const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &h6
const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &h7
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Ace Flag Constants
'
const ADS_ACEFLAG_UNKNOWN = &h1
const ADS_ACEFLAG_INHERIT_ACE = &h2
const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &h4
const ADS_ACEFLAG_INHERIT_ONLY_ACE = &h8
const ADS_ACEFLAG_INHERITED_ACE = &h10
const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &h1f
const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &h40
const ADS_ACEFLAG_FAILED_ACCESS = &h80
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
' Flags constants for AD objects
'
const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &h2
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' From WinNT.h
'------------------------------------------------------------------------------
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
' File Specific Access Rights
'
Const DELETE = &h00010000
Const READ_CONTROL = &h00020000
Const WRITE_DAC = &h00040000
Const WRITE_OWNER = &h00080000
Const SYNCHRONIZE = &h00100000

Const STANDARD_RIGHTS_REQUIRED = &h000F0000

Dim STANDARD_RIGHTS_READ : STANDARD_RIGHTS_READ = READ_CONTROL
Dim STANDARD_RIGHTS_WRITE : STANDARD_RIGHTS_WRITE = READ_CONTROL
Dim STANDARD_RIGHTS_EXECUTE: STANDARD_RIGHTS_EXECUTE = READ_CONTROL

Const STANDARD_RIGHTS_ALL = &h001F0000

Const SPECIFIC_RIGHTS_ALL = &h0000FFFF

'
' AccessSystemAcl access type
'

Const ACCESS_SYSTEM_SECURITY = &h01000000

'
' MaximumAllowed access type
'

Const MAXIMUM_ALLOWED = &h02000000

'
' These are the generic rights.
'

Const GENERIC_READ = &h80000000
Const GENERIC_WRITE = &h40000000
Const GENERIC_EXECUTE = &h20000000
Const GENERIC_ALL = &h10000000

'
' AccessMask constants for FILE ACEs
'
Const FILE_READ_DATA = &h0001 ' file & pipe
Const FILE_LIST_DIRECTORY = &h0001 ' directory

Const FILE_WRITE_DATA = &h0002 ' file & pipe
Const FILE_ADD_FILE = &h0002 ' directory

Const FILE_APPEND_DATA = &h0004 ' file
Const FILE_ADD_SUBDIRECTORY = &h0004 ' directory
Const FILE_CREATE_PIPE_INSTANCE = &h0004 ' named pipe

Const FILE_READ_EA = &h0008 ' file & directory

Const FILE_WRITE_EA = &h0010 ' file & directory

Const FILE_EXECUTE = &h0020 ' file
Const FILE_TRAVERSE = &h0020 ' directory

Const FILE_DELETE_CHILD = &h0040 ' directory

Const FILE_READ_ATTRIBUTES = &h0080 ' all

Const FILE_WRITE_ATTRIBUTES = &h0100 ' all

Dim FILE_ALL_ACCESS : FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or _
SYNCHRONIZE Or &h1FF

dim FILE_GENERIC_READ : FILE_GENERIC_READ = STANDARD_RIGHTS_READ Or _
FILE_READ_DATA Or _
FILE_READ_ATTRIBUTES Or _
FILE_READ_EA Or _
SYNCHRONIZE

dim FILE_GENERIC_WRITE : FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE Or _
FILE_WRITE_DATA Or _
FILE_WRITE_ATTRIBUTES Or _
FILE_WRITE_EA Or _
FILE_APPEND_DATA Or _
SYNCHRONIZE

dim FILE_GENERIC_EXECUTE : FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or _
FILE_READ_ATTRIBUTES Or _
FILE_EXECUTE Or _
SYNCHRONIZE

Const FILE_SHARE_READ = &h00000001
Const FILE_SHARE_WRITE = &h00000002
Const FILE_SHARE_DELETE = &h00000004
'
' AceFlags values for files
'
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const NO_PROPAGATE_INHERIT_ACE = &H4
Const INHERIT_ONLY_ACE = &H8
Const INHERITED_ACE = &H10

'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
'<<<<<<<<<<<<<<<<<<<<<<<<< Begin IADsSecurityUtility Constants >>>>>>>>>>>>
'
' Supported on XP
'
'typedef enum
'
' ADS_PATHTYPE_ENUM
'
Const ADS_PATH_FILE = 1
Const ADS_PATH_FILESHARE = 2
Const ADS_PATH_REGISTRY = 3
'
' ADS_SD_FORMAT_ENUM
'
Const ADS_SD_FORMAT_IID = 1
Const ADS_SD_FORMAT_RAW = 2
Const ADS_SD_FORMAT_HEXSTRING = 3
'
'<<<<<<<<<<<<<<<< END IADsSecurityUtility Constants >>>>>>>>>>>>>>>>>>>>>
'
'++++++++++++++++++ MAIN SCRIPT ++++++++++++++++++++++++++++++++++
'
Dim oAce ' variable for the new ACE
Dim oDacl ' variable for the DACL of the object
Dim oSD ' variable for the Security Descriptor of the object
Dim oADsSecurityUtility ' variable for the ADsSecurityUtility object
'
' Create an ACE object
' and an IADsSecurityUtility object
'
set oAce = CreateObject("AccessControlEntry")
Set oADsSecurityUtility = CreateObject("ADsSecurityUtility")
'
' Retrieve the Security Descriptor for the given NTFS file path
'
Set oSD = oADsSecurityUtility.GetSecurityDescriptor( _
"\\maxvdc4\rambo\testdir", ADS_PATH_FILE, ADS_SD_FORMAT_IID)
'
' Retrieve the Discretionary ACL for the path
'
Set oDACL = oSD.DiscretionaryACL
'
' Set the IADsAccessControlEntry::Trustee attribute
'
oAce.Trustee = "br549\karenwo"
'
' Set the IADsAccessControlEntry::AccessMask attribute
'
oAce.AccessMask = FILE_GENERIC_READ
'
' Set the IADsAccessControlEntry::AceType attribute
'
oAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
'
' Set the IADsAccessControlEntry::AceFlags attribute
'
oAce.AceFlags = OBJECT_INHERIT_ACE Or _
CONTAINER_INHERIT_ACE
'
' Place the ACE on the DACL
'
oDACL.AddAce oAce
'
' Place the DACL back onto the SD
'
oSD.DiscretionaryAcl = oDACL
oADsSecurityUtility.SetSecurityDescriptor "\\maxvdc4\rambo\testdir", _
ADS_PATH_FILE, oSD, ADS_SD_FORMAT_IID
'
' Clean up
'
Set oAce = Nothing
Set oDACL = Nothing
Set oSD = Nothing
Set oADsSecurityUtility = Nothing
WScript.Echo "<<<<<<<<<<<<< Done >>>>>>>>>>>>>>>>"

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support


Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights. You assume all risk for your use.
