I wrote a Windows service in Python that scans a given directory for new folders. Whenever a new folder is created, the service creates 4 sub-folders and grants each one a different set of permissions. The problem is that within those subfolders, any folders created (essentially tertiary level, or sub-sub-folders) have the following error when accessing the permissions (through right-click -> Properties -> Security):
"The permissions on test folder are incorrectly ordered, which may cause some entries to be ineffective"
To reiterate, we have folder A which is scanned. When I create folder B in folder A, folders 1, 2, 3, 4 are created within B, with permissions provided by the script. Any folders created within (1, 2, 3, 4) have the above error when opening up the directory permissions. Furthermore, the security entries for SYSTEM, Administrators and Authenticated Users appear twice when clicking on Advanced.
The relevant portion of code is:
    import win32security
    import ntsecuritycon

    # rw, in_dir, dir_ and p_dict come from the rest of the service (not shown)
    for rw_user in rw:
        # Read the folder's current DACL
        sd = win32security.GetFileSecurity(in_dir + "\\" + dir_, win32security.DACL_SECURITY_INFORMATION)
        dacl = sd.GetSecurityDescriptorDacl()
        # Append an inheritable allow ACE for this user
        dacl.AddAccessAllowedAceEx(
            win32security.ACL_REVISION_DS,
            win32security.OBJECT_INHERIT_ACE | win32security.CONTAINER_INHERIT_ACE,
            ntsecuritycon.FILE_GENERIC_READ | ntsecuritycon.FILE_ADD_FILE, p_dict[rw_user][0])
        sd.SetSecurityDescriptorDacl(1, dacl, 0)
        win32security.SetFileSecurity(in_dir + "\\" + dir_, win32security.DACL_SECURITY_INFORMATION, sd)
This is based on the example found in "Setting folder permissions in Windows using Python".
Any help is greatly appreciated.
EDITED TO ADD:
This is the output of icacls.exe on the folder created by the service:
    PS C:\> icacls "C:\directory monitor\main\center\test\request"
    C:\directory monitor\main\center\test\request PNIM\jmtzlilmi:(OI)(CI)(R,WD)
    PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
    PNIM\jmtzlilmi:(OI)(CI)(R,WD)
    PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(I)(M)
    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
This is the output of icacls on the directory that I created within the automatically created folder, the one that has duplicate entries:
    PS C:\> icacls "C:\directory monitor\main\center\test\request\test folder"
    C:\directory monitor\main\center\test\request\test folder PNIM\jmtzlilmi:(OI)(CI)(R,WD)
    PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
    PNIM\jmtzlilmi:(OI)(CI)(R,WD)
    PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
    BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(M)
    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
The folder being monitored by the service is called center, the folder I created within is called test. The service then creates "request" within test, and I created "test folder" within request (yes, I'm brilliant at naming folders, I know. It's a bit more coherent in production.)
EDITED AGAIN:
Copied the wrong bit of code. I used AddAccessAllowedAceEx and NOT AddAccessAllowedAce. Many apologies...
rw? Windows subfolders tend to inherit permissions of their parent folder. If those settings are inherited, and you add them again, that could be the source for the doubles. – CAB
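An added example, not part of the original question or its comments: a small parser that reads the icacls listing for "test folder" above and reports the two symptoms described, explicit ACEs placed after inherited ones (the non-canonical order Explorer warns about) and ACEs that appear twice. The function names are hypothetical, the listing is copied from the question with the path prefix dropped, and deny ACEs are not handled because none appear in it.

```python
import re
from collections import Counter

# ACE lines from the question's icacls output for "test folder"
# (path prefix removed from the first line; otherwise verbatim, in DACL order).
TEST_FOLDER = r"""
PNIM\jmtzlilmi:(OI)(CI)(R,WD)
PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
PNIM\jmtzlilmi:(OI)(CI)(R,WD)
PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
"""

ACE_RE = re.compile(r"^(?P<trustee>[^:(]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_aces(listing):
    """Return [(trustee, inherited, flag_groups)] for each ACE line, in order."""
    aces = []
    for line in listing.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            groups = tuple(re.findall(r"\(([^)]*)\)", m["flags"]))
            aces.append((m["trustee"], "I" in groups, groups))  # (I) = inherited
    return aces

def out_of_order(aces):
    """Trustees of explicit ACEs that follow an inherited ACE (non-canonical)."""
    seen_inherited, bad = False, []
    for trustee, inherited, _ in aces:
        if inherited:
            seen_inherited = True
        elif seen_inherited:
            bad.append(trustee)
    return bad

def duplicates(aces):
    """Trustees that have the same ACE listed more than once, verbatim."""
    return sorted({ace[0] for ace, n in Counter(aces).items() if n > 1})

if __name__ == "__main__":
    aces = parse_aces(TEST_FOLDER)
    print("explicit after inherited:", out_of_order(aces))
    print("duplicated ACEs:", duplicates(aces))
```
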