Exchange 5.5 Access Rights and the Exchange Store
Exchange Server 2003
Previous versions of Microsoft® Exchange Server 2003 supported a custom access control system using the PR_ACL_TABLE table for folders in the store. This access control list (ACL) granted users access rights for each such folder and the items within it. With the Exchange store, all mailbox stores and one public store are accessible using MAPI and backward compatibility with this access control system. You can use MAPI or Component Object Model (COM) components in the Platform SDK (such as the ACL.DLL component) to grant users the access rights listed in the following table.
| Access right | Enables you to | Mask (Hex) |
|---|---|---|
| frightsReadAny | Read any items. | 0x001 |
| frightsCreate | Create items. | 0x002 |
| frightsEditOwned | Edit any items owned by the user. | 0x008 |
| frightsDeleteOwned | Delete any items owned by the user. | 0x010 |
| frightsEditAny | Edit any item. | 0x020 |
| frightsDeleteAny | Delete any item. | 0x040 |
| frightsCreateSubfolder | Create subfolders for the specified folder. | 0x080 |
| frightsOwner | Set permissions on the specified folder. | 0x100 |
| frightsContact | Appear as the contact on the specified folder. Not part of rightsAll. | 0x200 |
| frightsFolderVisible | Make the specified folder visible to the trustee. | 0x400 |
Note Unlike in previous versions of Exchange, in which
ACLs
were used only at the folder level to grant a user a particular access right, all
Exchange store
items (folders and non-folders) can have these rights appear in access control entries (ACEs) that either grant or deny that access right to a trustee.
In the PR_ACL_TABLE property, you identify trustees by using a long-term entry identifier for the user or group in Microsoft Active Directory®. When the PR_ACL_TABLE table for a folder is updated, the Exchange store makes adjustments to the item's actual security descriptor.
Access rights for non-folder items and properties cannot be represented using the PR_ACL_TABLE property for a folder. However, property tags for the XML security descriptor are provided in the EDKMDB.h header file in the MSDN® Library, Platform SDK section.
The Exchange Canonical ACL Format
MAPI clients such as Microsoft Outlook® 2000 display security settings for a folder using information found in the folder's PR_ACL_TABLE property. To give MAPI clients the ability to properly view these settings for folders in the Exchange store, you need to structure the ACL using the Exchange Canonical ACL format. When you use this format, the PR_ACL_TABLE property is correctly populated with access rights that map to the earlier Exchange security model.
In this format, there are two logical sections in the discretionary ACL for a folder:
- ACEs that apply to the folder itself.
- ACEs that apply only to items (messages) in the folder. These ACEs are found only in the subitem_inheritable_aces section of the DACL.
Within each of these subsections, the ACEs must be in a particular order, as in the following example:
REPEAT <n> GRANT ACCESS RIGHT FOR USER A DENY ACCESS RIGHT FOR USER A REPEAT <m> GRANT ACCESS RIGHT FOR DL B GRANT ACCESS RIGHT FOR DL C REPEAT <m> GRANT ACCESS DENY FOR DL B GRANT ACCESS DENY FOR DL C REPEAT <0 or 1> GRANT ACCESS RIGHT FOR EVERYONE
Both n and m can be 0 (zero).
For example, the following descriptor is in Exchange Canonical ACL format. It defines the security settings presented in the following table when viewed in Outlook 2000. The settings are based on the permission roles presented on the Security property page for the folder item.
| Trustee | Outlook permissions role |
|---|---|
| Default | Author |
| user8, test (DOMAIN\testuser8) | None |
| user7, test (DOMAIN\testuser7) | Contributor |
| user6, test (DOMAIN\testuser6) | Reviewer |
| user5, test (DOMAIN\testuser5) | Non-editing author |
| user4, test (DOMAIN\testuser4) | Author |
| user3, test (DOMAIN\testuser3) | Publishing author |
| user2, test (DOMAIN\testuser2) | Editor |
| user1, test (DOMAIN\testuser1) | Publishing editor |
| user0, test (DOMAIN\testuser0) | Owner |
| Anonymous | Contributor |
| testgroup1 (DOMAIN\testgroup1) | Reviewer |
| testgroup2 (DOMAIN\testgroup2) | Publishing author |
<S:security_descriptor xmlns:S="http://schemas.microsoft.com/security/"
xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
D:dt="microsoft.security_descriptor">
<S:revision>1</S:revision>
<S:owner S:defaulted="0">
<S:sid>
<S:string_sid>S-1-5-32-544</S:string_sid>
<S:type>alias</S:type>
<S:nt4_compatible_name>BUILTIN\Administrators</S:nt4_compatible_name>
</S:sid>
</S:owner>
<S:primary_group S:defaulted="0">
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-513</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
<S:ad_object_guid>{2bdc2b0c-a8e1-4fd3-8135-1a12ec24d256}</S:ad_object_guid>
</S:sid>
</S:primary_group>
<S:dacl S:defaulted="0" S:protected="0" S:autoinherited="1">
<S:revision>2</S:revision>
<S:effective_aces>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
<S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
<S:display_name>user8, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc916</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
<S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
<S:display_name>user8, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
<S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
<S:display_name>user7, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
<S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
<S:display_name>user7, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
<S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
<S:display_name>user6, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc916</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
<S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
<S:display_name>user6, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
<S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
<S:display_name>user5, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
<S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
<S:display_name>user5, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
<S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
<S:display_name>user4, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
<S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
<S:display_name>user4, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208af</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
<S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
<S:display_name>test user3</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc910</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
<S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
<S:display_name>test user3</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
<S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
<S:display_name>user2, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
<S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
<S:display_name>user2, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208af</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
<S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
<S:display_name>test user1</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc910</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
<S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
<S:display_name>test user1</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1fc9ff</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-500</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser0</S:nt4_compatible_name>
<S:ad_object_guid>{386ca8b5-5a21-4cf7-8d0a-ae41ef903ae6}</S:ad_object_guid>
<S:display_name>user, test0</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="1">
<S:access_mask>2</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-7</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="1">
<S:access_mask>1fc9bd</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-7</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
<S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
<S:display_name>testgroup1</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="0">
<S:access_mask>1208af</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
<S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
<S:display_name>testgroup2</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc916</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
<S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
<S:display_name>testgroup1</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_denied_ace S:inherited="0">
<S:access_mask>dc910</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
<S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
<S:display_name>testgroup2</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="1">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-1-0</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
</S:sid>
</S:access_allowed_ace>
</S:effective_aces>
<S:subcontainer_inheritable_aces>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
<S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
<S:display_name>user8, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc916</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
<S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
<S:display_name>user8, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
<S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
<S:display_name>user7, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
<S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
<S:display_name>user7, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
<S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
<S:display_name>user6, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc916</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
<S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
<S:display_name>user6, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
<S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
<S:display_name>user5, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
<S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
<S:display_name>user5, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
<S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
<S:display_name>user4, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
<S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
<S:display_name>user4, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208af</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
<S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
<S:display_name>test user3</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc910</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
<S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
<S:display_name>test user3</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
<S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
<S:display_name>user2, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc914</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
<S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
<S:display_name>user2, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208af</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
<S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
<S:display_name>test user1</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc910</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
<S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
<S:display_name>test user1</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1fc9ff</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-500</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser0</S:nt4_compatible_name>
<S:ad_object_guid>{386ca8b5-5a21-4cf7-8d0a-ae41ef903ae6}</S:ad_object_guid>
<S:display_name>user0, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="1" S:no_propagate_inherit="0">
<S:access_mask>2</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-7</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="1" S:no_propagate_inherit="0">
<S:access_mask>1fc9bd</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-7</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
<S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
<S:display_name>testgroup1</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208af</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
<S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
<S:display_name>testgroup2</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc916</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
<S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
<S:display_name>testgroup1</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>dc910</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
<S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
<S:display_name>testgroup2</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="1" S:no_propagate_inherit="0">
<S:access_mask>1208ab</S:access_mask>
<S:sid>
<S:string_sid>S-1-1-0</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
</S:sid>
</S:access_allowed_ace>
</S:subcontainer_inheritable_aces>
<S:subitem_inheritable_aces>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1117</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser8</S:nt4_compatible_name>
<S:ad_object_guid>{74116535-9aad-4995-957e-99e6640fb69b}</S:ad_object_guid>
<S:display_name>user8, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1116</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser7</S:nt4_compatible_name>
<S:ad_object_guid>{a145c819-2769-4ed7-b8c5-01ac0829d004}</S:ad_object_guid>
<S:display_name>user7, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
<S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
<S:display_name>user6, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0716</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1115</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser6</S:nt4_compatible_name>
<S:ad_object_guid>{f70d1982-9804-4a7e-8eff-553d193a2756}</S:ad_object_guid>
<S:display_name>user6, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>120ca9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
<S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
<S:display_name>user5, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0716</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1114</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser5</S:nt4_compatible_name>
<S:ad_object_guid>{fb3f5f39-11b1-4071-8956-e1452831ff57}</S:ad_object_guid>
<S:display_name>user5, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>120ea9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
<S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
<S:display_name>user4, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0716</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1113</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser4</S:nt4_compatible_name>
<S:ad_object_guid>{ec73ab98-1b80-42a6-9887-545400d08c9b}</S:ad_object_guid>
<S:display_name>user4, test</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>120ea9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
<S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
<S:display_name>test user3</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0716</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1141</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser3</S:nt4_compatible_name>
<S:ad_object_guid>{67f9fe57-b2be-4ea5-bf43-bd3888390aaf}</S:ad_object_guid>
<S:display_name>test user3</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1112</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser2</S:nt4_compatible_name>
<S:ad_object_guid>{2ab61a07-e6c0-4c1b-a7fe-ff841ffb240e}</S:ad_object_guid>
<S:display_name>user2, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1140</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser1</S:nt4_compatible_name>
<S:ad_object_guid>{0724e453-7b94-4161-b224-3f5f45497203}</S:ad_object_guid>
<S:display_name>test user1</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-500</S:string_sid>
<S:type>user</S:type>
<S:nt4_compatible_name>DOMAIN\testuser0</S:nt4_compatible_name>
<S:ad_object_guid>{386ca8b5-5a21-4cf7-8d0a-ae41ef903ae6}</S:ad_object_guid>
<S:display_name>user0, test</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="1" S:no_propagate_inherit="0">
<S:access_mask>1f0fbf</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-7</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1208a9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
<S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
<S:display_name>testgroup1</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_allowed_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>120ea9</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
<S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
<S:display_name>testgroup2</S:display_name>
</S:sid>
</S:access_allowed_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0716</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1142</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup1</S:nt4_compatible_name>
<S:ad_object_guid>{57395759-90f4-4a78-9590-709b86613d06}</S:ad_object_guid>
<S:display_name>testgroup1</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_denied_ace S:inherited="0" S:no_propagate_inherit="0">
<S:access_mask>1f0716</S:access_mask>
<S:sid>
<S:string_sid>S-1-5-21-527237240-507921405-1708537768-1143</S:string_sid>
<S:type>group</S:type>
<S:nt4_compatible_name>DOMAIN\testgroup2</S:nt4_compatible_name>
<S:ad_object_guid>{feb5d452-9f83-4765-8e71-1045f01a2e1d}</S:ad_object_guid>
<S:display_name>testgroup2</S:display_name>
</S:sid>
</S:access_denied_ace>
<S:access_allowed_ace S:inherited="1" S:no_propagate_inherit="0">
<S:access_mask>120ea9</S:access_mask>
<S:sid>
<S:string_sid>S-1-1-0</S:string_sid>
<S:type>well_known_group</S:type>
<S:nt4_compatible_name>\Everyone</S:nt4_compatible_name>
</S:sid>
</S:access_allowed_ace>
</S:subitem_inheritable_aces>
</S:dacl>
</S:security_descriptor>
