none
NTFS Access Control Entries difference between icacls output and GUI RRS feed

  • Question

  • When I add/edit NTFS permissions for a user/group from command line via icacls application, i get multiple ACE entries in the list for the same thing, while from the GUI every ACE (since they are all the same) are compacted in a single entry.

    I couldn't find any worthwhile information from official documentation for the reason why is this happening.

    Has anyone experienced this or similar situations and can shed some light on this matter?

    You can clearly see the situation in the attached image, one user has multiple entries and they should be compacted in one.

    http://imgur.com/a/WumO0

    Thursday, March 9, 2017 11:08 AM

All replies

  • Hi ,

    Is the following link also your thread?

    Please check hot2use's reply there. icacls displays permissions in a kind of enumeration.

    NTFS Access Control Entries difference between icacls output and GUI

    http://serverfault.com/questions/836514/ntfs-access-control-entries-difference-between-icacls-output-and-gui

    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 13, 2017 9:26 AM
    Moderator
  • Hi,

    Thank you for the response. Yes, I've seen the reply, but the answer is very vague, without any explanations why is that happening, or with some additional documentation.

    What is the practical use of not compacting those permissions, is it intentional?

    Monday, March 13, 2017 10:18 AM
  • Hi brainbug123,

    Sorry for the late reply and thank you for your clarification.

    Based on my test, the different is mainly about the ACE Inheritance rule. This will be related to access subfolders. When we use the Icacls command, the parameters for [(CI)(OI)] would be related to the inheritance rule. For the GUI, it could be only display the option in the below.

    Hope it will be helpful to you


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 23, 2017 9:16 AM
    Moderator