Reason and functioning of split NTFS permissions

  acl, ntfs, powershell, windows

On a freshly formatted non-system NTFS volume on hard-disk-type media (an unpartitionable USB thumb drive behaves differently) under Windows 10, the NTFS ACEs are as follows (Get-Acl):

FileSystemRights  : -536805376
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : 268435456
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : 268435456
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : -1610612736
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

The corresponding SDDL string is (also from Get-Acl): O:SYG:SYD:AI(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1301bf;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)

My question is not about the meaning of the ACEs. I know that each pair of ACEs is practically a pair of twins: one non-inherited ACE for the root folder of the volume, one inherit-only ACE for subfolders and files. I also know the meaning of the numbers shown for some FileSystemRights; there are many sources on the web about them. The permissions of two "twins" are practically the same; the only difference is that the non-inheriting permissions use "File" rights, while the inheriting permissions use "Generic" rights (you see the latter as Gs in the SDDL string). The only reason the latter are represented as numbers is that no appropriate enumeration names exist.

Rather, my questions are as follows:

(1) Why does Windows automagically split the original four permissions into eight (two per pair) after such a fresh format?

(2) Why does neither the GUI (-> Properties -> Security tab) nor icacls nor cacls reflect this split, but only PowerShell?

(3) Why does Windows inherit both permissions of a pair to child file system objects, although only one of the two permissions in each pair is inheritable?

I have one additional question. If you add an arbitrary ACE via -> Properties -> Security tab to such an ACL, save, and then immediately remove this additional ACE again, the ACEs of the freshly formatted drive suddenly look the way you would have expected from the beginning (Get-Acl again):

FileSystemRights  : Modify, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : BUILTIN\Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

Corresponding SDDL string (Get-Acl): O:SYG:SYD:PAI(A;OICI;0x1301bf;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)

(4) Why does Windows automagically merge the split permissions into one again the moment you add an ACE, even if you remove it afterwards?

Source: Windows Questions
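The poster's claim that each twin pair is "practically the same" can be checked mechanically. The added Python example below is not part of the original post: it reproduces the FILE generic mapping from the Windows SDK (FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS, as defined in winnt.h) in plain Python so it runs without Windows, and applies it to the three generic access masks from the first Get-Acl listing above.

```python
# Added example, not from the original post: reproduce the FILE generic
# mapping Windows applies when an ACE with GENERIC_* bits is evaluated for
# a file, and check that each "twin" pair from the question grants the same rights.

GENERIC_READ    = 0x80000000   # SDDL "GR"
GENERIC_WRITE   = 0x40000000   # SDDL "GW"
GENERIC_EXECUTE = 0x20000000   # SDDL "GX"
GENERIC_ALL     = 0x10000000   # SDDL "GA"

# FILE_GENERIC_* values from the Windows SDK (winnt.h) for file objects.
FILE_GENERIC_MAPPING = {
    GENERIC_READ:    0x00120089,  # FILE_GENERIC_READ
    GENERIC_WRITE:   0x00120116,  # FILE_GENERIC_WRITE
    GENERIC_EXECUTE: 0x001200A0,  # FILE_GENERIC_EXECUTE
    GENERIC_ALL:     0x001F01FF,  # FILE_ALL_ACCESS
}

def to_unsigned(mask: int) -> int:
    """Get-Acl prints the access mask as a signed Int32; view it as uint32."""
    return mask & 0xFFFFFFFF

def map_generic_mask(mask: int) -> int:
    """Replace each GENERIC_* bit with its file-specific rights and keep the
    remaining bits (DELETE, SYNCHRONIZE, ...) unchanged, as RtlMapGenericMask does."""
    mask = to_unsigned(mask)
    specific = 0
    for generic_bit, file_rights in FILE_GENERIC_MAPPING.items():
        if mask & generic_bit:
            specific |= file_rights
            mask &= ~generic_bit
    return specific | mask

def twins_equivalent(inherit_only_mask: int, root_mask: int) -> bool:
    """True when the InheritOnly (generic) ACE maps to exactly the rights of
    its non-inheriting twin."""
    return map_generic_mask(inherit_only_mask) == to_unsigned(root_mask)

# Each InheritOnly generic mask from the question's first Get-Acl listing,
# paired with the FileSystemRights value of its non-inheriting twin.
TWIN_PAIRS = [
    (-536805376,  0x001301BF),  # 0xE0010000 "SDGXGWGR" / Modify, Synchronize
    (268435456,   0x001F01FF),  # 0x10000000 "GA"       / FullControl
    (-1610612736, 0x001200A9),  # 0xA0000000 "GXGR"     / ReadAndExecute, Synchronize
]

if __name__ == "__main__":
    for generic, root in TWIN_PAIRS:
        print(f"{to_unsigned(generic):#010x} -> {map_generic_mask(generic):#010x}"
              f" twin={root:#010x} equal={twins_equivalent(generic, root)}")
```

All three pairs map to identical concrete rights, which is why the GUI and icacls can present each pair as a single inheritable entry without losing information.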
