
Exchange 5.5 Access Rights and the Exchange Store

Exchange Server 2003

Versions of Microsoft® Exchange Server earlier than Exchange Server 2003 supported a custom access control system that used the PR_ACL_TABLE table for folders in the store. This access control list (ACL) granted users access rights for each such folder and the items within it. With the Exchange store, all mailbox stores and one public store are accessible using MAPI, with backward compatibility for this access control system. You can use MAPI or Component Object Model (COM) components in the Platform SDK (such as the ACL.DLL component) to grant users the access rights listed in the following table.

| Access right | Enables you to | Mask (Hex) |
|---|---|---|
| frightsReadAny | Read any items. | 0x001 |
| frightsCreate | Create items. | 0x002 |
| frightsEditOwned | Edit any items owned by the user. | 0x008 |
| frightsDeleteOwned | Delete any items owned by the user. | 0x010 |
| frightsEditAny | Edit any item. | 0x020 |
| frightsDeleteAny | Delete any item. | 0x040 |
| frightsCreateSubfolder | Create subfolders for the specified folder. | 0x080 |
| frightsOwner | Set permissions on the specified folder. | 0x100 |
| frightsContact | Appear as the contact on the specified folder. Not part of rightsAll. | 0x200 |
| frightsFolderVisible | Make the specified folder visible to the trustee. | 0x400 |

Note: Unlike in previous versions of Exchange, in which ACLs were used only at the folder level to grant a user a particular access right, all Exchange store items (folders and non-folders) can have these rights appear in access control entries (ACEs) that either grant or deny that access right to a trustee.

In the PR_ACL_TABLE property, you identify trustees by using a long-term entry identifier for the user or group in Microsoft Active Directory®. When the PR_ACL_TABLE table for a folder is updated, the Exchange store makes adjustments to the item's actual security descriptor.

Access rights for non-folder items and properties cannot be represented using the PR_ACL_TABLE property for a folder. However, property tags for the XML security descriptor are provided in the EDKMDB.h header file in the MSDN® Library, Platform SDK section.

The Exchange Canonical ACL Format

MAPI clients such as Microsoft Outlook® 2000 display security settings for a folder using information found in the folder's PR_ACL_TABLE property. To give MAPI clients the ability to properly view these settings for folders in the Exchange store, you need to structure the ACL using the Exchange Canonical ACL format. When you use this format, the PR_ACL_TABLE property is correctly populated with access rights that map to the earlier Exchange security model.

In this format, there are two logical sections in the discretionary ACL for a folder:

  1. ACEs that apply to the folder itself.
  2. ACEs that apply only to items (messages) in the folder. These ACEs are found only in the subitem_inheritable_aces section of the DACL.

Within each of these subsections, the ACEs must be in a particular order, as in the following example:


REPEAT <n>
   GRANT ACCESS RIGHT FOR USER A
   DENY ACCESS RIGHT FOR USER A
REPEAT <m>
   GRANT ACCESS RIGHT FOR DL B
   GRANT ACCESS RIGHT FOR DL C
REPEAT <m>
   DENY ACCESS RIGHT FOR DL B
   DENY ACCESS RIGHT FOR DL C
REPEAT <0 or 1>
   GRANT ACCESS RIGHT FOR EVERYONE

Both n and m can be 0 (zero).

For example, the following descriptor is in Exchange Canonical ACL format. It defines the security settings presented in the following table when viewed in Outlook 2000. The settings are based on the permission roles presented on the Security property page for the folder item.

| Trustee | Outlook permissions role |
|---|---|
| Default | Author |
| user8, test (DOMAIN\testuser8) | None |
| user7, test (DOMAIN\testuser7) | Contributor |
| user6, test (DOMAIN\testuser6) | Reviewer |
| user5, test (DOMAIN\testuser5) | Non-editing author |
| user4, test (DOMAIN\testuser4) | Author |
| user3, test (DOMAIN\testuser3) | Publishing author |
| user2, test (DOMAIN\testuser2) | Editor |
| user1, test (DOMAIN\testuser1) | Publishing editor |
| user0, test (DOMAIN\testuser0) | Owner |
| Anonymous | Contributor |
| testgroup1 (DOMAIN\testgroup1) | Reviewer |
| testgroup2 (DOMAIN\testgroup2) | Publishing author |

<S:security_descriptor xmlns:S="http://schemas.microsoft.com/security/"
   xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
   D:dt="microsoft.security_descriptor">
 <S:revision>1</S:revision>
 <S:owner S:defaulted="0">
  <S:sid>
   <S:string_sid>S-1-5-32-544</S:string_sid>
   <S:type>alias</S:type>
   <S:nt4_compatible_name>BUILTIN\Administrators</S:nt4_compatible_name>
  </S:sid>
 </S:owner>
 <S:primary_group S:defaulted="0">
  <S:sid>
   <S:string_sid>S-1-5-21-527237240-507921405-1708537768-513</S:string_sid>
   <S:type>group</S:type>
   <S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
   <S:ad_object_guid>{2bdc2b0c-a8e1-4fd3-8135-1a12ec24d256}</S:ad_object_guid>
  </S:sid>
 </S:primary_group>
 <S:dacl S:defaulted="0" S:protected="0" S:autoinherited="1">
  <S:revision>2</S:revision>
  <S:effective_aces>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
     <S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
     <S:display_name>user8, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc916</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
     <S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
     <S:display_name>user8, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
     <S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
     <S:display_name>user7, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
     <S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
     <S:display_name>user7, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
     <S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
     <S:display_name>user6, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc916</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
     <S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
     <S:display_name>user6, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
     <S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
     <S:display_name>user5, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
     <S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
     <S:display_name>user5, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
     <S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
     <S:display_name>user4, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
     <S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
     <S:display_name>user4, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208af</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
     <S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
     <S:display_name>test user3</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc910</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
     <S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
     <S:display_name>test user3</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
     <S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
     <S:display_name>user2, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
     <S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
     <S:display_name>user2, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208af</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
     <S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
     <S:display_name>test user1</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc910</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
     <S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
     <S:display_name>test user1</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1fc9ff</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-500</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser0</S:nt4_compatible_name>
     <S:ad_object_guid>{386ca8b5-5a21-4cf7-8d0a-ae41ef903ae6}</S:ad_object_guid>
     <S:display_name>user0, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_allowed_ace S:inherited="1">
    <S:access_mask>2</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-7</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="1">
    <S:access_mask>1fc9bd</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-7</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
     <S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
     <S:display_name>testgroup1</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_allowed_ace S:inherited="0">
    <S:access_mask>1208af</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
     <S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
     <S:display_name>testgroup2</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc916</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
     <S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
     <S:display_name>testgroup1</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_denied_ace S:inherited="0">
    <S:access_mask>dc910</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
     <S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
     <S:display_name>testgroup2</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="1">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-1-0</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
    </S:sid>
   </S:access_allowed_ace>
  </S:effective_aces>
  <S:subcontainer_inheritable_aces>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
     <S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
     <S:display_name>user8, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc916</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
     <S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
     <S:display_name>user8, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
     <S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
     <S:display_name>user7, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
     <S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
     <S:display_name>user7, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
     <S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
     <S:display_name>user6, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc916</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
     <S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
     <S:display_name>user6, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
     <S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
     <S:display_name>user5, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
     <S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
     <S:display_name>user5, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
     <S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
     <S:display_name>user4, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
     <S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
     <S:display_name>user4, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208af</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
     <S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
     <S:display_name>test user3</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc910</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
     <S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
     <S:display_name>test user3</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
     <S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
     <S:display_name>user2, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc914</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
     <S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
     <S:display_name>user2, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208af</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
     <S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
     <S:display_name>test user1</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc910</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
     <S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
     <S:display_name>test user1</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1fc9ff</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-500</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser0</S:nt4_compatible_name>
     <S:ad_object_guid>{386ca8b5-5a21-4cf7-8d0a-ae41ef903ae6}</S:ad_object_guid>
     <S:display_name>user0, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_allowed_ace S:inherited="1" S:no_propagate_inherit="0">
    <S:access_mask>2</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-7</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="1" S:no_propagate_inherit="0">
    <S:access_mask>1fc9bd</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-7</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
     <S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
     <S:display_name>testgroup1</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208af</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
     <S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
     <S:display_name>testgroup2</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc916</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
     <S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
     <S:display_name>testgroup1</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>dc910</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
     <S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
     <S:display_name>testgroup2</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="1" S:no_propagate_inherit="0">
    <S:access_mask>1208ab</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-1-0</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
    </S:sid>
   </S:access_allowed_ace>
  </S:subcontainer_inheritable_aces>
  <S:subitem_inheritable_aces>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
     <S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
     <S:display_name>user8, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
     <S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
     <S:display_name>user7, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
     <S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
     <S:display_name>user6, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0716</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
     <S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
     <S:display_name>user6, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>120ca9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
     <S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
     <S:display_name>user5, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0716</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
     <S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
     <S:display_name>user5, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>120ea9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
     <S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
     <S:display_name>user4, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0716</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
     <S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
     <S:display_name>user4, test</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>120ea9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
     <S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
     <S:display_name>test user3</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0716</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
     <S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
     <S:display_name>test user3</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
     <S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
     <S:display_name>user2, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
     <S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
     <S:display_name>test user1</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-500</S:string_sid>
     <S:type>user</S:type>
     <S:nt4_compatible_name>DOMAIN\testuser0</S:nt4_compatible_name>
     <S:ad_object_guid>{386ca8b5-5a21-4cf7-8d0a-ae41ef903ae6}</S:ad_object_guid>
     <S:display_name>user0, test</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="1" S:no_propagate_inherit="0">
    <S:access_mask>1f0fbf</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-7</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1208a9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
     <S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
     <S:display_name>testgroup1</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>120ea9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
     <S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
     <S:display_name>testgroup2</S:display_name>
    </S:sid>
   </S:access_allowed_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0716</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
     <S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
     <S:display_name>testgroup1</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
    <S:access_mask>1f0716</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
     <S:type>group</S:type>
     <S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
     <S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
     <S:display_name>testgroup2</S:display_name>
    </S:sid>
   </S:access_denied_ace>
   <S:access_allowed_ace S:inherited="1" S:no_propagate_inherit="0">
    <S:access_mask>120ea9</S:access_mask>
    <S:sid>
     <S:string_sid>S-1-1-0</S:string_sid>
     <S:type>well_known_group</S:type>
     <S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
    </S:sid>
   </S:access_allowed_ace>
  </S:subitem_inheritable_aces>
 </S:dacl>
</S:security_descriptor>
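
One way to audit the ordering rule described above against a descriptor in this XML format, as an added example that is not part of the original page or Microsoft's code. The function names, the constructed SIDs and the choice to order ANONYMOUS LOGON with the per-user entries (as the sample descriptor does) are assumptions; access masks are not interpreted.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/security/}"  # S: namespace of the descriptor format
SECTIONS = ("effective_aces", "subcontainer_inheritable_aces",
            "subitem_inheritable_aces")
EVERYONE = "S-1-1-0"
ANONYMOUS = "S-1-5-7"  # assumption: ordered with the per-user entries, as in the sample


def read_aces(section):
    """Return [(kind, sid, trustee_type)] for one DACL section, in document order."""
    aces = []
    for el in section:
        name = el.tag.replace(NS, "")
        if name not in ("access_allowed_ace", "access_denied_ace"):
            continue
        sid = el.find(NS + "sid")
        aces.append(("allow" if name == "access_allowed_ace" else "deny",
                     sid.findtext(NS + "string_sid"), sid.findtext(NS + "type")))
    return aces


def phase_of(kind, sid, trustee_type):
    """0 = per-user grant/deny, 1 = group grants, 2 = group denies, 3 = Everyone."""
    if sid == EVERYONE:
        return 3
    if trustee_type == "user" or sid == ANONYMOUS:
        return 0
    return 1 if kind == "allow" else 2


def check_section(aces):
    """Return a list of ordering problems; an empty list means canonical order."""
    problems, phase, users, denied, everyone = [], 0, [], set(), 0
    for i, (kind, sid, ttype) in enumerate(aces):
        p = phase_of(kind, sid, ttype)
        if p < phase:
            problems.append(f"ACE {i}: {kind} for {sid} follows a later block")
            continue
        phase = p
        if p == 0:
            # A user's ACEs must be adjacent, with the grant before the deny.
            if sid in users and users[-1] != sid:
                problems.append(f"ACE {i}: entries for {sid} are not adjacent")
            if sid not in users:
                users.append(sid)
            if kind == "allow" and sid in denied:
                problems.append(f"ACE {i}: grant for {sid} follows its deny")
            if kind == "deny":
                denied.add(sid)
        elif p == 3:
            everyone += 1
            if kind != "allow" or everyone > 1:
                problems.append(f"ACE {i}: only one grant for Everyone is allowed")
    return problems


def check_descriptor(xml_text):
    """Check every DACL section present; returns {section_name: [problems]}."""
    dacl = ET.fromstring(xml_text).find(NS + "dacl")
    result = {}
    for name in SECTIONS:
        section = dacl.find(NS + name)
        if section is not None:
            result[name] = check_section(read_aces(section))
    return result


def build_descriptor(aces):
    """Build a minimal descriptor with one effective_aces section (test input only)."""
    body = ""
    for kind, sid, ttype in aces:
        tag = "access_allowed_ace" if kind == "allow" else "access_denied_ace"
        body += (f'<S:{tag} S:inherited="0"><S:access_mask>0</S:access_mask>'
                 f'<S:sid><S:string_sid>{sid}</S:string_sid>'
                 f'<S:type>{ttype}</S:type></S:sid></S:{tag}>')
    return ('<S:security_descriptor xmlns:S="http://schemas.microsoft.com/security/">'
            f'<S:dacl><S:effective_aces>{body}</S:effective_aces></S:dacl>'
            '</S:security_descriptor>')


# Constructed sample trustees (not real accounts).
USER_A, DL_B, DL_C = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-2002"

CANONICAL = [("allow", USER_A, "user"), ("deny", USER_A, "user"),
             ("allow", DL_B, "group"), ("allow", DL_C, "group"),
             ("deny", DL_B, "group"), ("deny", DL_C, "group"),
             ("allow", EVERYONE, "well_known_group")]

# Constructed bad ordering: deny before grant, group deny before group grant,
# and a user ACE after the Everyone entry.
NON_CANONICAL = [("deny", USER_A, "user"), ("allow", USER_A, "user"),
                 ("deny", DL_B, "group"), ("allow", DL_B, "group"),
                 ("allow", EVERYONE, "well_known_group"), ("allow", USER_A, "user")]

if __name__ == "__main__":
    print(check_descriptor(build_descriptor(CANONICAL)))
    for problem in check_descriptor(build_descriptor(NON_CANONICAL))["effective_aces"]:
        print(problem)
```
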

© 2014 Microsoft. All rights reserved.