Account attributes for shared folders
The following account attributes exist for creating and updating shared folders:
ntfs-sddl An SDDL (Security Descriptor Definition Language) string which represents the ACL to set on the newly created folder. This attribute can be used to perform "copy" or "replace" operations; the SID of the modeluid is replaced with the SID of the account in the SDDL string. It can also be used to set the ACL directly, or omitted if the other ntfs- attributes are preferred.
Where the SDDL string contains %ACCT_SID%, that token is replaced by the SID of the Active Directory account, or by the value of the pseudo-attribute _acctSID.
ntfs-dacl A multi-valued attribute where each value represents one modification to the ACL of the folder. Each value uses the "bare" KVGroup syntax to express the modification, in one of the following formats:
{grant=<sid|acct>;mask={<perm>;<perm>;};flags={<flag>;<flag>;};[replace;]}
{deny=<sid|acct>;mask={<perm>;<perm>;};flags={<flag>;<flag>;};[replace;]}
{remove=<sid|acct>;[granted;|denied;]}
Where:
<sid|acct> is the SID or account to which the access applies.
<perm> is a permission mask with one of the following values:
Simple permissions:
N – No access
F – Full access
M – Modify access
RX – Read and execute access
R – Read-only access
W – Write-only access
D – Delete access
Fine-grained permissions:
DE – Delete
RC – Read control
WDAC – Write DAC
WO – Write owner
S – Synchronize
AS – Access system security
MA – Maximum allowed
GR – Generic read
GW – Generic write
GE – Generic execute
GA – Generic all
RD – Read data/list directory
WD – Write data/add file
AD – Append data/add sub-directory
REA – Read extended attributes
WEA – Write extended attributes
X – Execute/traverse
DC – Delete child
RA – Read attributes
WA – Write attributes
<flag> is one of the following:
OI – Object inherit
CI – Container inherit
IO – Inherit only
NP – Don’t propagate inherit
replace – Replace the specified permissions, rather than modify individual permissions.
granted – Remove granted permissions
denied – Remove denied permissions
ntfs-owner The SID or account name of the group or account which should be the owner for this folder.
ntfs-group The SID or group name for the group which should be the primary group for this folder. This is only used for POSIX sub-systems.
inherit Controls inheritance behavior for ACLs on the folder. It can be configured to use one of the following values:
E – enable inheritance. This is valid for both create and update.
D – disable inheritance and copy the inherited ACEs (only valid for update)
R – remove all inherited ACEs (only valid for update)
N – no inheritance (only valid for create)
Use of ntfs-sddl in conjunction with ntfs-dacl, ntfs-owner, ntfs-group or inherit is not permitted because the ntfs-sddl string contains all of the information in the other attributes.
propagate Controls permission propagation when updating folder ownership. It can be configured to use one of the following values:
S – If ACLs are specified, they are propagated based on inheritance rules.
R – If ACLs are specified, all child objects have their ACLs replaced with the specified ones.
E – If ACLs are specified, all inherited ACLs are replaced, but explicit ones are left in place.
N – Only set the permissions of the object itself.
R is the default value if nothing is specified. For ownership, S, R and E cause the ownership to be set on all child objects. The attribute is ignored for create, since a newly created folder has no child objects.
share-sddl An SDDL (Security Descriptor Definition Language) string which represents the ACL to set on the newly created share. This attribute can be used to perform "copy" or "replace" operations; the SID of the modeluid is replaced with the SID of the account in the SDDL string. It can also be used to set the ACL directly, or omitted if share-dacl is preferred.
Where the SDDL string contains %ACCT_SID%, that token is replaced by the SID of the Active Directory account, or by the value of the pseudo-attribute _acctSID.
share-dacl A multi-valued attribute where each value represents one modification to the ACL of the share. Each value uses the "bare" KVGroup syntax to express the modification, in one of the following formats:
{grant=<sid|acct>;mask={<perm>;<perm>;};[replace;]}
{deny=<sid|acct>;mask={<perm>;<perm>;};[replace;]}
{remove=<sid|acct>;[granted;|denied;]}
This is a simplified version of the ntfs-dacl attribute (there are no <flag> values). The following <perm> values correspond to the permission levels shown in the share UI:
Full – F;
Read – RX;
Read and Write – RX;W;D
Use of share-sddl in conjunction with share-dacl is not permitted because the share-sddl string contains all of the information in the share-dacl attribute.
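As an added example that is not part of this reference, the following Python parser validates ntfs-dacl values (and, with allow_flags=False, share-dacl values) against the formats and token lists given above, rejecting unknown permissions, flags on a share ACE, and a remove entry that carries a mask. The SIDs and account names used in the inputs are constructed, and the requirement that every element, including the last, ends with ';' is an assumption taken from the formats as written.

```python
# Permission and flag tokens exactly as the attribute reference lists them.
SIMPLE_PERMS = {"N", "F", "M", "RX", "R", "W", "D"}
FINE_PERMS = {"DE", "RC", "WDAC", "WO", "S", "AS", "MA", "GR", "GW", "GE", "GA",
              "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"}
FLAGS = {"OI", "CI", "IO", "NP"}

def _items(group):
    # Strip the outer braces of a KVGroup and split its body on ';' at nesting depth 0.
    g = group.strip()
    if not (g.startswith("{") and g.endswith("}")):
        raise ValueError("KVGroup value must be enclosed in { }: %r" % group)
    items, depth, cur = [], 0, ""
    for ch in g[1:-1]:
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    if depth != 0 or cur:  # assumption: every element, including the last, ends with ';'
        raise ValueError("unbalanced braces or missing ';' in %r" % group)
    return [i for i in items if i]

def parse_dacl_value(value, allow_flags=True):
    """Parse one ntfs-dacl value; with allow_flags=False, one share-dacl value."""
    ace = {"action": None, "trustee": None, "mask": [], "flags": [],
           "replace": False, "granted": False, "denied": False}
    for item in _items(value):
        key, _, val = item.partition("=")
        if key in ("grant", "deny", "remove") and val and ace["action"] is None:
            ace["action"], ace["trustee"] = key, val
        elif key == "mask" or (key == "flags" and allow_flags):
            allowed = FLAGS if key == "flags" else SIMPLE_PERMS | FINE_PERMS
            tokens = _items(val)
            bad = sorted(set(tokens) - allowed)
            if bad or not tokens:
                raise ValueError("bad %s token(s) %s in %r" % (key, bad, value))
            ace[key] = tokens
        elif key in ("replace", "granted", "denied") and not val:
            ace[key] = True
        else:
            raise ValueError("unexpected element %r in %r" % (item, value))
    # Cross-element rules: grant/deny need a mask and no granted/denied filter; remove needs nothing else.
    if ace["action"] in ("grant", "deny") and (not ace["mask"] or ace["granted"] or ace["denied"]):
        raise ValueError("grant/deny need mask={...} and no granted/denied: %r" % value)
    if ace["action"] == "remove" and (ace["mask"] or ace["flags"] or ace["replace"]):
        raise ValueError("remove takes only an optional granted; or denied;: %r" % value)
    if ace["action"] is None:
        raise ValueError("grant=, deny= or remove= with a SID or account is required: %r" % value)
    return ace
```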
share-comment The comment to be specified for the share.
share-path The local file system path to which the share applies.
share-max-uses The maximum number of connections to the share at any one time. Use the value of -1 for unlimited.
_acctSID Pseudo-attribute used to transfer the "objectSid" value from Active Directory.
_acctSAM Pseudo-attribute used to transfer the "sAMAccountName" value from Active Directory.