
Adding NTFS DACL access control entries to the NTFS security descriptor

Adding DACL (discretionary access control list) access control entries (ACEs) to the NTFS security descriptor is the second step in configuring and applying NTFS ACLs to a file or folder. Each entry identifies the account (user or group) that is allowed or denied access and defines what that account can or cannot do to the files or folders the ACE applies to.

About this task

You can add one or more ACEs to the security descriptor's DACL.

If the security descriptor contains a DACL that has existing ACEs, the command adds the new ACE to the DACL. If the security descriptor does not contain a DACL, the command creates the DACL and adds the new ACE to it.

You can optionally customize DACL entries by specifying what rights you want to allow or deny for the account specified in the -account parameter. There are three mutually exclusive methods for specifying rights:

  • Rights

  • Advanced rights

  • Raw rights (advanced-privilege)

Note
If you do not specify rights for the DACL entry, the default is to set the rights to Full Control.

You can optionally customize DACL entries by specifying how to apply inheritance.

The value for any optional parameter is ignored for Storage-Level Access Guard. See the man pages for more information.

  1. Add a DACL entry to a security descriptor: vserver security file-directory ntfs dacl add -vserver vserver_name -ntfs-sd SD_name -access-type {allow|deny} -account name_or_SID optional_parameters

    Example

    vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type deny -account domain\joe -rights full-control -apply-to this-folder -vserver vs1

  2. Verify that the DACL entry is correct: vserver security file-directory ntfs dacl show -vserver vserver_name -ntfs-sd SD_name -access-type {allow|deny} -account name_or_SID

    Example

    vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1 -access-type deny -account domain\joe

    Vserver: vs1
    Security Descriptor Name: sd1
    Allow or Deny: deny
    Account Name or SID: DOMAIN\joe
    Access Rights: full-control
    Advanced Access Rights: -
    Apply To: this-folder
    Access Rights: full-control
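The following Python is an added example, not NetApp's code: it assembles the step 1 `dacl add` command while enforcing the rule that the three rights methods are mutually exclusive (omitting all three leaves the Full Control default), and it parses the step 2 `dacl show` output to confirm the entry matches what was intended. Sending the commands to the cluster (for example over SSH) is left out, the sample output is constructed from this page, and `-rights-raw` is an assumed name for the advanced-privilege raw-rights parameter.

```python
import re

# Constructed from the 'dacl show' output on this page; not captured from a live cluster.
SAMPLE_SHOW_OUTPUT = r"""
                       Vserver: vs1
Security Descriptor Name: sd1
Allow or Deny: deny
Account Name or SID: DOMAIN\joe
Access Rights: full-control
Advanced Access Rights: -
Apply To: this-folder
"""

# -rights and -advanced-rights appear on the page; -rights-raw is the assumed
# parameter name for the advanced-privilege raw-rights method.
RIGHTS_FLAGS = ("-rights", "-advanced-rights", "-rights-raw")


def build_dacl_add(vserver, sd, access_type, account, rights=None,
                   advanced_rights=None, rights_raw=None, apply_to=None):
    """Assemble the step 1 command; access-type must be allow|deny and at most one
    rights method may be given (none given -> ONTAP defaults to Full Control)."""
    if access_type not in ("allow", "deny"):
        raise ValueError("access-type must be 'allow' or 'deny'")
    chosen = [(flag, val) for flag, val in zip(RIGHTS_FLAGS, (rights, advanced_rights, rights_raw))
              if val is not None]
    if len(chosen) > 1:
        raise ValueError("rights, advanced rights and raw rights are mutually exclusive")
    parts = ["vserver security file-directory ntfs dacl add",
             f"-vserver {vserver}", f"-ntfs-sd {sd}",
             f"-access-type {access_type}", f"-account {account}"]
    parts += [f"{flag} {val}" for flag, val in chosen]
    if apply_to:
        parts.append(f"-apply-to {apply_to}")
    return " ".join(parts)


FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_dacl_show(output):
    """Turn 'Field: value' lines into a dict; the first occurrence of a repeated field wins."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields


def verify_ace(show_output, access_type, account, rights="full-control", apply_to=None):
    """Step 2 check: return a list of mismatches between the show output and the
    intended ACE; an empty list means the entry was applied as expected."""
    f = parse_dacl_show(show_output)
    expected = {"Allow or Deny": access_type, "Access Rights": rights}
    if apply_to:
        expected["Apply To"] = apply_to
    problems = [f"{k}: expected {v!r}, got {f.get(k)!r}" for k, v in expected.items() if f.get(k) != v]
    # ONTAP echoes the domain in upper case (domain\joe -> DOMAIN\joe), so compare case-insensitively.
    if f.get("Account Name or SID", "").lower() != account.lower():
        problems.append(f"Account Name or SID: expected {account!r}, got {f.get('Account Name or SID')!r}")
    return problems
```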