0

I have a case, where a user once had access to a directory and that user has been removed now. In fact their account has been deleted out of the AD entirely.

Typically when one sees a user deleted, but having an explicit ACL defined on a directory, then their will be a SID left behind noting the ACL is there, and no longer has reference to all of the other AD attributes like name, etc. Essentially an orphaned ACL entry, left there I assume by design in case you needed to undelete the user.

However I have a case of something different, if I look at the directory properties / security tab, the user in question nor the SID of the user is present.

However if I check the access property of object returned by the CMDLET Get-ACL I get a different result.

If I execute the command on the file server, I actually get the DOMAIN\username having an explicit permission

GET-Acl output for directory

If I run the exact same command on the same directory from another server (like the domain controller) I get the samne list, but in all other instances than local, the user shows up as the SID. So I have to assume that the file server simply has his SID to UN cached somewhere, this accounts for that variance, however it does not account for the fact that the security tab does not show this same permissions entries.

Worse still, is if I go multiple levels deeper, and check sub objects of this directory using powershell, I see the same results, this permission defined, but only in powershell, windows still shows nothing.

So I went for a third opinion and used accessenum from sysinternals, it does NOT show the extraneous ACL, however CALCS does! so now we are back to a 1-1 ratio of does/does not have the setting with no evidence to support the validity of either.

CALCS Output for same directory

The directory is directly on the root of a drive, no method powershell, CACLS, etc show this permission defined on the drive itself, nor do I have any reason to suspect it would have been in the past.

I am hesitant to try and do something like remove the ACL with powershell or CACLS without understanding what is going on here. Likewise, the typical enforce ownership/inheritance down the directory tree, remove all permissions and redefine will be a huge undertaking because there is a large file structure UNDER this directory whose ACLs fork many places.

Just to make sure I was not dealing with disk corruption or invalid data, I did a CHKDSK on the drive in question, which reported no error.

I am thinking this either has to be a bug, or corruption somewhere, but at a loss for where to look further, maybe hex editor on the disk itself?

So have I found some bug, error, or just overlooking something glaringly obvious?

Sabre
  • 425
  • 2
  • 15
  • I would try to get even more opinions, try `icacls.exe` and [SubInACL](https://www.microsoft.com/en-us/download/details.aspx?id=23510). All these tools should use the same Win32 API. In the past I have noticed some differences between `icacls.exe` and `Get-Acl` but nothing as bad as having a whole ACE missing. – Peter Hahndorf Aug 11 '16 at 17:54
  • What `datatype` was this enumeration? A pipe to `Get-Member` is a quick way to find out. – Colyn1337 Aug 11 '16 at 18:35
  • Using $users = @((Get-Acl $path).Access| Select-Object -ExpandProperty IdentityReference) the resulting $users | Get-Member shows to be of type System.Security.Principal.NTAccount. icacls shows the user account in question as well on all sub objects too. But windows absolutely does not, on the directory or the file structure below it.... – Sabre Aug 11 '16 at 19:48
  • Of interest... I have a mixed environment, server 2012R2 and 2008R2, the file server in question is '08, if I view the permissions from any of my other '08 servers through windows I *do not* see the permission in question, if I view from any of the '12 ones I do! O.o ntfsinfo shows they are both v3.1. This behavior is however very consistent, any server that is '08 does not show the permission, any that is '12 does. – Sabre Aug 12 '16 at 14:18

0 Answers0