icacls silently adds SYNCHRONIZE to DENY ACL and Explorer sometimes asks for that permission

Richard Sharpe realrichardsharpe at gmail.com
Tue Apr 9 15:16:09 MDT 2013

Hi folks,

I am seeing a weird problem.

This problem came about because a customer is trying to use icacls to
set a DENY:(D,WDAC) entry on a folder. This succeeds, however, if they
access the folder with Windows Explorer while using SMB2, they get
ACCESS DENIED, but if they access the folder with Windows Explorer
while using SMB1 they do not get ACCESS DENIED.

The icacls command used was: icacls z:\some-dir /deny SOME-USER:(D,WDAC)

SYNCHRONIZE always gets added, but icacls refuses to show it.

The problem seems to be that icacls silently adds SYNCHRONIZE along
with DELETE and WDAC to the DENY entry. Over SMB2, explorer asks for
permissions of 0x00100081 while over SMB1 it only asks for 0x00000081.

The above is against Samba 3.6.12+. However, even with Win7 accessing
W2K08R2 via SMB where I have added a deny entry as above, I get ACCESS
DENIED. I will check SMB1 soon.

The icacls command used on the W2K08R2 system was: icacls test_dir

Has anyone seen this issue before? The only way to avoid getting the
SYNCHRONIZE bit set is to use SDDL it seems (or smbcacls :-)

Richard Sharpe
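The access check described in the post, worked through as an added example that is not part of the original message or of Samba: it decodes the two requested masks (0x00100081 over SMB2, 0x00000081 over SMB1) and walks a constructed DACL in the style of the Windows access check; the principal name and the pre-existing ALLOW entry are assumptions.

```python
# Added example, not from the post or Samba: a simplified DACL walk in the style of
# the Windows access check, showing why icacls' DENY entry blocks Explorer's SMB2
# request (0x00100081) but not its SMB1 request (0x00000081). Access-mask bits are
# the documented Windows values; the principal and the ALLOW entry are constructed.
FILE_LIST_DIRECTORY = 0x00000001   # FILE_READ_DATA on a file
FILE_READ_ATTRIBUTES = 0x00000080
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
SYNCHRONIZE = 0x00100000
FILE_GENERIC_READ = 0x00120089     # READ_CONTROL|SYNCHRONIZE|read data/EA/attributes
BIT_NAMES = {FILE_LIST_DIRECTORY: "FILE_LIST_DIRECTORY", FILE_READ_ATTRIBUTES: "FILE_READ_ATTRIBUTES",
             DELETE: "DELETE", READ_CONTROL: "READ_CONTROL",
             WRITE_DAC: "WRITE_DAC", SYNCHRONIZE: "SYNCHRONIZE"}

def decode(mask):
    """Names of the known bits set in an ACCESS_MASK, lowest bit first."""
    return [name for bit, name in sorted(BIT_NAMES.items()) if mask & bit]

def check_access(dacl, requested, principals):
    """Walk the DACL in order: a DENY ACE for one of our principals that overlaps any
    not-yet-granted requested bit refuses access; ALLOW ACEs clear bits. Access is
    granted only once every requested bit has been allowed."""
    remaining = requested
    for ace_type, principal, mask in dacl:
        if principal not in principals:
            continue
        if ace_type == "DENY" and remaining & mask:
            return False
        if ace_type == "ALLOW":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0

# What the post says icacls actually writes: SYNCHRONIZE appended to the DENY entry,
# followed by an assumed pre-existing read grant for the same user.
DACL_ICACLS = [("DENY", "SOME-USER", DELETE | WRITE_DAC | SYNCHRONIZE),
               ("ALLOW", "SOME-USER", FILE_GENERIC_READ)]
# What the administrator typed, (D,WDAC) only, as SDDL or smbcacls would set it.
DACL_AS_TYPED = [("DENY", "SOME-USER", DELETE | WRITE_DAC),
                 ("ALLOW", "SOME-USER", FILE_GENERIC_READ)]
SMB2_REQUEST = 0x00100081          # Explorer's request over SMB2, from the post
SMB1_REQUEST = 0x00000081          # Explorer's request over SMB1, from the post

if __name__ == "__main__":
    for label, dacl in (("icacls", DACL_ICACLS), ("as typed", DACL_AS_TYPED)):
        for proto, req in (("SMB2", SMB2_REQUEST), ("SMB1", SMB1_REQUEST)):
            verdict = "granted" if check_access(dacl, req, {"SOME-USER"}) else "ACCESS_DENIED"
            print(f"{label:8} {proto}: {decode(req)} -> {verdict}")
```

The only difference between the two DACLs is the SYNCHRONIZE bit in the DENY entry, which is exactly the bit the SMB2 request carries and the SMB1 request does not.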
