Why does adding NTFS SACL replace the DACL entries?
Applies to
- ONTAP 9
- CIFS
- NTFS
- SACL
- DACL
Answer
- Adding an NTFS SACL entry to a security descriptor that has no entries yet does not replace anything; it creates the descriptor, and ONTAP populates a new descriptor with 4 default NTFS DACL entries alongside the SACL entry:
cluster1::> vserver security file-directory ntfs show -vserver svm1 -ntfs-sd sd1
There are no entries matching your query.
cluster1::> vserver security file-directory ntfs sacl add -vserver svm1 -ntfs-sd sd1 -access-type failure -account demo\user -rights full-control -apply-to this-folder,sub-folders,files
cluster1::> vserver security file-directory ntfs dacl show -vserver svm1 -ntfs-sd sd1
Vserver: svm1
NTFS Security Descriptor Name: sd1

   Account Name            Access   Access         Apply To
                           Type     Rights
   ----------------------  -------  -------------  -------------------------------
   BUILTIN\Administrators  allow    full-control   this-folder, sub-folders, files
   BUILTIN\Users           allow    full-control   this-folder, sub-folders, files
   CREATOR OWNER           allow    full-control   this-folder, sub-folders, files
   NT AUTHORITY\SYSTEM     allow    full-control   this-folder, sub-folders, files
4 entries were displayed.
- If vserver security file-directory apply is run with a policy that references this security descriptor, the existing NTFS DACLs on the target path are overwritten by the default entries listed above
  The defaults exist so that data stays accessible if someone applies the security descriptor before defining more explicit DACLs
  Note that the defaults are also very permissive: BUILTIN\Users is granted full-control, so a path that is accidentally applied with them becomes writable by every authenticated user, not only by the accounts that were meant to have access
- Before applying the file security policy, modify the NTFS DACLs to those desired
  Removing the default DACLs without replacing them with the desired DACLs will result in a loss of data access, because a descriptor whose DACL is empty grants access to no one
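The corrected order of operations, as an added example that is not part of the original article: the security descriptor is created explicitly, the failure-audit SACL entry is added, the desired DACL entry is added and the over-permissive BUILTIN\Users default is removed before any policy references the descriptor, and the effective security is read back from the path after the apply. The account demo\finance, the owner demo\fsadmin, the path /data/finance and the policy name policy1 are assumed names for illustration only; svm1, sd1 and demo\user are taken from the article.

```console
cluster1::> vserver security file-directory ntfs create -vserver svm1 -ntfs-sd sd1 -owner demo\fsadmin
cluster1::> vserver security file-directory ntfs sacl add -vserver svm1 -ntfs-sd sd1 -access-type failure -account demo\user -rights full-control -apply-to this-folder,sub-folders,files
cluster1::> vserver security file-directory ntfs dacl add -vserver svm1 -ntfs-sd sd1 -access-type allow -account demo\finance -rights full-control -apply-to this-folder,sub-folders,files
cluster1::> vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sd1 -access-type allow -account BUILTIN\Users
cluster1::> vserver security file-directory ntfs dacl show -vserver svm1 -ntfs-sd sd1
cluster1::> vserver security file-directory policy create -vserver svm1 -policy-name policy1
cluster1::> vserver security file-directory policy task add -vserver svm1 -policy-name policy1 -path /data/finance -security-type ntfs -ntfs-mode propagate -ntfs-sd sd1
cluster1::> vserver security file-directory apply -vserver svm1 -policy-name policy1
cluster1::> vserver security file-directory show -vserver svm1 -path /data/finance
```

Review the dacl show output before the policy task is added: it should list only the entries you intend (here BUILTIN\Administrators, CREATOR OWNER, NT AUTHORITY\SYSTEM and demo\finance), because the apply step replaces whatever is on /data/finance with exactly that set. The final show command reads the effective security back from the path, which is the check that matters once the policy has run. Separately, the failure-audit SACL entry only produces events once auditing has been configured and enabled for the SVM (vserver audit create and vserver audit enable); the SACL entry by itself logs nothing.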