Why does adding NTFS SACL replace the DACL entries?
Applies to
- ONTAP 9
- CIFS
- NTFS
- SACL
- DACL
Answer
- Configuring an NTFS SACL when creating a new security descriptor adds 4 default NTFS DACL entries:
cluster1::> vserver security file-directory ntfs show -vserver svm1 -ntfs-sd sd1
There are no entries matching your query.
cluster1::> vserver security file-directory ntfs sacl add -vserver svm1 -ntfs-sd sd1 -access-type failure -account demo\user -rights full-control -apply-to this-folder,sub-folders,files
cluster1::> vserver security file-directory ntfs dacl show -vserver svm1 -ntfs-sd sd1
Vserver: svm1
NTFS Security Descriptor Name: sd1

Account Name             Access   Access        Apply To
                         Type     Rights
-----------------------  -------  ------------  -------------------------------
BUILTIN\Administrators
                         allow    full-control  this-folder, sub-folders, files
BUILTIN\Users            allow    full-control  this-folder, sub-folders, files
CREATOR OWNER            allow    full-control  this-folder, sub-folders, files
NT AUTHORITY\SYSTEM
                         allow    full-control  this-folder, sub-folders, files
4 entries were displayed.
- If file-directory apply is run against the security descriptor, the existing NTFS DACLs on the target path will be overwritten by the default ones listed above
- This preserves data access if someone accidentally applies the security descriptor before defining more explicit DACLs
- Before applying the file security policy, modify the NTFS DACLs to those desired
- Removing these default DACLs without modifying or replacing them with the desired DACLs will result in a loss of data access
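The following is an added example, not NetApp code or part of this article: a preflight check an operator script can run before `file-directory apply`. It parses the `ntfs dacl show` output in the layout shown above (long account names wrap onto their own line) and refuses to proceed when the descriptor still carries only the four default DACL entries, or none at all. Both sample outputs are constructed; the tailored one assumes a hypothetical account `DEMO\finance-users` and the `modify` rights value.

```python
"""Preflight check for an ONTAP NTFS security descriptor before `file-directory apply`.

Added example (not NetApp code). Parses `vserver security file-directory ntfs dacl show`
output and reports whether the descriptor's DACLs have been tailored yet.
"""
import re

# The four entries ONTAP adds when a SACL is configured on a new descriptor
# (taken from the output shown in the article above).
DEFAULT_DACL = {
    ("BUILTIN\\Administrators", "allow", "full-control"),
    ("BUILTIN\\Users", "allow", "full-control"),
    ("CREATOR OWNER", "allow", "full-control"),
    ("NT AUTHORITY\\SYSTEM", "allow", "full-control"),
}

# Constructed sample 1: the `dacl show` output from the article (defaults only).
SAMPLE_DEFAULT_ONLY = """\
Vserver: svm1
NTFS Security Descriptor Name: sd1

Account Name             Access   Access        Apply To
                         Type     Rights
-----------------------  -------  ------------  -------------------------------
BUILTIN\\Administrators
                         allow    full-control  this-folder, sub-folders, files
BUILTIN\\Users           allow    full-control  this-folder, sub-folders, files
CREATOR OWNER            allow    full-control  this-folder, sub-folders, files
NT AUTHORITY\\SYSTEM
                         allow    full-control  this-folder, sub-folders, files
4 entries were displayed.
"""

# Constructed sample 2: a descriptor whose DACLs were tailored (hypothetical
# DEMO\finance-users group; BUILTIN\Users and CREATOR OWNER removed).
SAMPLE_TAILORED = """\
Vserver: svm1
NTFS Security Descriptor Name: sd1

Account Name             Access   Access        Apply To
                         Type     Rights
-----------------------  -------  ------------  -------------------------------
BUILTIN\\Administrators
                         allow    full-control  this-folder, sub-folders, files
DEMO\\finance-users      allow    modify        this-folder, sub-folders, files
NT AUTHORITY\\SYSTEM
                         allow    full-control  this-folder, sub-folders, files
3 entries were displayed.
"""

# One ACE row: optional account name, access type, rights, apply-to list.
# A row that starts with whitespace belongs to the account name on the line above.
ACE_RE = re.compile(
    r"^(?P<account>.*?)\s+(?P<type>allow|deny)\s+(?P<rights>\S+)\s+(?P<apply>.+)$"
)
SUMMARY_RE = re.compile(r"^\d+ entries were displayed\.")


def parse_dacl_show(text):
    """Return a list of (account, access_type, rights, apply_to) tuples.

    Output such as "There are no entries matching your query." has no table
    separator line, so it yields an empty list.
    """
    entries = []
    pending_account = None  # account name that wrapped onto its own line
    in_table = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not in_table:
            in_table = line.startswith("---")  # dashed header separator
            continue
        if not line:
            continue
        if SUMMARY_RE.match(line):
            break
        m = ACE_RE.match(line)
        if m is None:
            pending_account = line.strip()  # wrapped account name, ACE follows
            continue
        account = m.group("account").strip() or pending_account
        if account is None:
            raise ValueError(f"ACE row without an account name: {line!r}")
        apply_to = tuple(p.strip() for p in m.group("apply").split(","))
        entries.append((account, m.group("type"), m.group("rights"), apply_to))
        pending_account = None
    return entries


def has_only_default_dacls(entries):
    """True when the descriptor carries exactly ONTAP's four default ACEs."""
    return {(a, t, r) for a, t, r, _ in entries} == DEFAULT_DACL


def preflight(dacl_show_output):
    """Return (ok, reason). ok=False means do not run `file-directory apply` yet."""
    entries = parse_dacl_show(dacl_show_output)
    if not entries:
        return False, "descriptor has no DACL entries; applying it would remove data access"
    if has_only_default_dacls(entries):
        return False, "descriptor still has only the 4 default DACL entries; tailor them first"
    return True, f"{len(entries)} tailored DACL entries present"


if __name__ == "__main__":
    for name, sample in (("default-only", SAMPLE_DEFAULT_ONLY), ("tailored", SAMPLE_TAILORED)):
        ok, reason = preflight(sample)
        print(f"{name}: {'OK to apply' if ok else 'BLOCK'} - {reason}")
```

In practice the text fed to `preflight` would come from the captured CLI output of `vserver security file-directory ntfs dacl show` for the descriptor about to be applied; the parser keys on whitespace and the `allow`/`deny` keyword rather than column positions, so it tolerates the ragged alignment that copy-pasted ONTAP output often has.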