What causes "The permissions on <folder> are incorrectly ordered"?

Asked 27/11, 2017 at 8:7 Answered 1/5, 2020 at 2:15

While debugging a particularly troublesome error involving SQLite and IIS, we encountered a permissions problem when accessing the App_Data properties

The permissions on App_Data are incorrectly ordered, which may cause some entries to be ineffective.

Here's a screenshot as well:

My question isn't what incorrect ordering is, I think How do you programmatically fix a non-canonical ACL? already gives a good intro into the problem.

What I want to know is what types of ordering are incorrect? For example, if we put Full Control for Everyone, should that precede or follow some other permission? Are there any examples of incorrect ordering that trigger the error? We clicked Reorder so we no longer can reproduce the error on our machine.

Swindell answered 27/11, 2017 at 8:7 Comment(1)

Canonical ordering puts all DENY entries in front of all ALLOW entries. Doesn't matter what the entry is (full control, read-only, whatever) or who it applies to (everyone, a specific person, whatever). Just the DENY vs ALLOW – Nonfiction 31/1, 2018 at 15:41

For us, it was the Cygwin that created files which were showing these problems This thread explains it and possible remedies. cygwin sets file permission to 000

Also, something I wasn't seeing in other threads, our ACL had "NULL SID" in it: see the picture

Paynter answered 27/5, 2019 at 9:21 Comment(1)

Thanks. I tried PowerShell commands and magic bat-scripts but nothing worked. Running Cygwin as Administrator and doing rm -rf worked for me. – Enyo 12/11, 2020 at 10:32

HP has a simple solution:

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c00810470

The TL;DR:

Assuming that you have lots of files/folders to fix (like I did) go to the folder above the ones you need to fix. Right-click and choose Properties on that folder, click on the Security tab. Then click the Advanced button at the bottom of the security tab.

HP doesn't tell you this but I had to in the Advanced window take ownership of the folder. The second line of the Advanced dialog lists the Owner of the folder and has a Change... link beside it. Click that link and find the user that you want to own the folder. Click the checkbox to apply this change to all children. You will then be prompted to close all properties dialogs because you have changed ownership.

Back to our regularly scheduled programming:

Go back to the Security tab of the Properties dialog and into the Advanced dialog. Now you can change permissions. I deleted a whole host of "DENY" permissions that had crept in because of (I think) writing the files on a Win 10 Pro computer and accessing them on a Win 10 Home computer with a different user. Again check the option to apply the changes to all children and click OK on all dialogs. Windows will go through your files one at a time resetting permissions.

Oratory answered 1/5, 2020 at 2:15 Comment(1)

Thanks, in my case, I guess created by cygwin, I had a NULL SID in the list of usernames, I removed that too. – Windowlight 28/7, 2022 at 7:13

Recommended topics

Hot tags