Does FCSvr read ACL permissions set in OD?

We have set up a series of permissions using ACLs within OD. I assumed that FCSvr would pick up these permissions to certain areas of an Xsan. However, within FCSvr you can still see media from areas that have been denied to certain users - set up in OD.
Within FCSvr, I have created further permissions within the permission sets for each user group. But, because these are driven by metadata, it then causes further access problems with any media that is scanned in or comes from a watch folder, as metadata is not inputted straight away for this media. My next thought now is to break the areas in the Xsan down as Devices, and then set permissions to these in FCSvr admin, but I have read in another forum that there is a bug with this process as it denies access to the wrong areas and can mess up the look of the interface.
Really, FCSvr should be able to read the ACLs in OD, surely?
Any advice appreciated.

Actually, FCSvr always operates as admin. It is as if every user is the admin user when working with the devices of FCSvr. As you noted, the only way to limit permissions in FCSvr is via metadata filtering, traits, and devices.
You should divvy up your SAN into multiple devices. This used to be a problem, but in v1.1.1 the interface problems related to device permissions have been corrected. You can restrict access and activity device by device, group by group. You can also set metadata during scans and with subscriptions + set asset metadata responses. My file naming convention allows me to have FCSvr automatically fill in six different fields just from creating the asset (assuming my users name their files properly of course, but there's only so much an admin can do).

Similar Messages

  • How are permissions set for Reader XI Protected Mode?

    Hi, all,
    I've just installed Reader XI, and I immediately ran into an issue with Protected Mode "protecting" me from my workflow. I'm trying to access a .kml file on my desktop to import some annotations into a Reader Enabled PDF file. When I get the popup window saying that I don't have permissions to open this file, I head for the Reader security settings. Adobe kindly provided us with a UI to select files, folders, and hosts to treat as privileged. I enter my desktop folder's path using the UI, and save. I restart Reader, expecting this setting to help. In fact, the security UI reports that my desktop folder is privileged, which is good. The operation still fails, with the exact same error message. Is this the anticipated behavior, and if so, what is the privileged file, folder, and host for? I can't read or write files to my privileged locations. Is this correct?
    Thanks
    Joe White

    Does it work if you change the file extension to .xml from .kml?

  • Read all items when item-level permissions set

    I have a SharePoint 2010 list where the general user population should be able to submit and read only their own items.
    Item-level permissions set as follows:
    Read access : Read items that were created by the user
    Create and Edit access : Create items and edit items that were created by the user
    That works fine.
    Now, I have a small group of power users that need read-access to all list items. I can do that by granting 'Contribute' permissions, but I don't want them to be able to modify items, so I prefer granting only read permissions. When I do that, they can't see all the items due to the item-level permission settings.
    Is there a permission level that I can use (perhaps a custom permission level) that enables a read-all (and overrides the item-level permission)?

    With these specific settings, there are not. It is possible to do security through obscurity by only showing views that allow the users to see their items and use audience targeting for the others, but that is not true security, so it will depend on your requirements.
    Andy Wessendorf SharePoint Developer II | Rackspace

  • Need to set read/write permissions to ALL subfolders

    So I have a clients folder created on the server, and workgroup with employees setup to access the shared clients folder. You can log onto it from outside, and access the folders. However they all need to be able to write as well; save files, move files, etc.
    I have the permissions set for the workgroup to read/write on the clients root folder, but it only applies to that folder. Any folders underneath it don't take effect. And there are hundreds of folders and subfolders.
    Obviously there must be an option so that the permissions I set to the root clients folder are applied to ALL subfolders! How do I do it?!
    Please and thanks!

    Server Admin>File Sharing>Share Points, Permissions tab, click on the gear icon and select "Propagate Permissions..."

  • NorthWinds DB-Can't set READ DATA/READ DESIGN permissions for MSysObjects

    I tried to set READ DATA and READ DESIGN for object MSysObjects as stated in the tutorial for Migrating Northwind Access DB but I get a "You can't change permissions for 'MSysObjects'". The error message says that to change permissions for this object, I must have Administer permission for it. How do I get permissions? Can someone please help.

    Hi Robert,
    Apologies for the delay in responding, but I see you've since found a workaround yourself, which is great.
    As a minimum we recommend that a user applies the read data/read design permissions, but users with "Update Data" have sufficient permissions in order to create a connection to the MS Access MDB file via Oracle SQL Developer. Generally, once you're in the Admins group, there should be no issues setting the required permissions of the MSys~ tables. However, I have known MS Access to be a little temperamental when it comes to allowing for permissions settings on these tables. If necessary, go to the "Change Owner" tab of the "User and Group Permissions" dialog, and set the New Owner of the table in question to Admin.
    Regards,
    Hilary

  • Re-setting Read&Write permissions on external drive?

    I have a 40GB external drive on which I backed up my "Documents" on a Windows machine (now discarded). Now that I switched to a Mac (thank God) I would like to use the "old" external drive, but I only have "Read Only" permissions and no lock icon to unlock and reset the disk permissions.
    Would greatly appreciate advice on making this disk writable again. Thanks in advance.
    Cheers,
    Veit

    Select and right (control) click on the disk icon for the drive. From the contextual menu, select "Get Info". At the bottom of the info window is "Sharing and Permissions" where you can change permissions.
    However, if the Windows drive is using NTFS, you will only be able to Read it. Mac OS X cannot Write to an NTFS-formatted drive. If this is your situation, you should copy off your valuable data on the drive and reformat it as "Mac OS Extended (Journaled)" using Disk Utility (Erase tab). Be sure to select the entire DRIVE in the sidebar, and not the volume indented below the drive.

  • How do you create default Read/Write Permissions for more than 1 user?

    My wife and I share an iMac, but use separate User accounts for separate mail accounts, etc.
    However, we have a business where we both need to have access to the same files and both have Read/Write permissions on when one of us creates a new file/folder.
    By default new files and folders grant Read/Write to the creator of the new file/folder, and read-only to the Group "Staff" in our own accounts or "Wheel" in the /Users/Public/ folder, and read-only to Everyone.
    We are both administrators on the machine, and I know we can manually override the settings for a particular file/folder by changing the permissions, but I would like to set things up so that the Read/Write permissions are assigned for both of us in the folder that holds our business files.
    It is only the 2 of us on the machine, we trust each other and need to have complete access to these many files that we share. I have archiving programs running so I can get back old versions if we need that, so I'm not worried about us overwriting the file with bad info. I'm more concerned with us having duplicates that are not up to date in our respective user accounts.
    Here is what I have tried so far:
    1. I tried to just set the permissions of the containing folder with us both having read/write permissions, and applied that to all containing elements.
    RESULT -> This did nothing for newly created files or folders, they still had the default permissions of Read/Write for the creating User, Read for the default Group, Read for Everyone
    2. I tried using Sandbox ( http://www.mikey-san.net/sandbox/ ) to set the inheritance of the folder using the methods laid out at http://forums.macosxhints.com/showthread.php?t=93742
    RESULT -> Still this did nothing for newly created files or folders, they still had the default permissions of Read/Write for the creating User, Read for the default Group, Read for Everyone
    3. I have set the umask to 002 ( http://support.apple.com/kb/HT2202 ) so that new files and folders have a default permission that gives the default group Read/Write permissions. This unfortunately changes the default for the entire computer, not just a given folder.
    I then had to add my wife's user account to the "Staff" group because for some reason her account was not included in that. I think this is due to the fact that her account was ported into the computer when we upgraded, whereas mine was created new. I read something about that somewhere, but don't recall where now. I discovered what groups we were each in by using the Terminal and typing in "groups username" where username was the user I was checking on.
    I added my wife to the "Staff" group, and both of us to the "Wheel" group using the procedures I found at
    http://discussions.apple.com/thread.jspa?messageID=8765421&#8765421
    RESULT -> I could create a new file using TextEdit and save it anywhere in my account and it would have the permissions: My Username - Read/Write, "Staff" or "Wheel" (depending on where I saved it) - Read/Write, Everyone - Read Only, as expected from the default umask.
    I could then switch over to my wife's account, open the file, edit it, and save it, but then the permissions changed to: Her Username - Read/Write, (unknown) - Read/Write, Everyone - Read Only.
    And when I switch back to my account, now I can open the file, but I can't save it with my edits.
    I'm at my wits end with this, and I can believe it is impossible to create a common folder that we can both put files in to have Read/Write permissions on like a True Shared Folder. Anyone who has used windows knows what you can do with the Shared folder in that operating system, ie. Anyone with access can do anything with those files.
    So if anyone can provide me some insight on how to accomplish what I really want to do here and help me get my system back to remove the things it seems like I have screwed up, I greatly appreciate it.
    I tried to give as detailed a description of the problem and what I have done as possible, without being too long-winded, but if you need to know anything else to help me, please ask, I certainly won't be offended!
    Thanks In Advance!
    Steve

    Thanks again, V.K., for your assistance and especially for the very prompt responses.
    I was unaware that I could create a volume on the HD non-destructively using disk utility. This may then turn out to be the better solution after all, but I will have to free up space on this HD and try that.
    Also, I was obviously unaware of the special treatment of file creation by TextEdit. I have been using this to test my various settings, and so the inheritance of ACLs has probably been working properly, I just have been testing it incorrectly. URGH!
    I created a file from Word in my wife's account, and it properly inherited the permissions of the company folder: barara - Custom, steve - Custom, barara - Read/Write, admin - Read Only, Everyone - Read Only
    I tried doing the chmod commands on $TMPDIR for both of us from each of our accounts, but I still have the same behavior for TextEdit files though.
    I changed the group on your shared folder to admin from wheel as you instructed with chgrp. I had already changed the umask to 002, and I just changed it back to 022 because it didn't seem to help. But now I know my testing was faulty. I will leave it this way though because I don't think it will be necessary to have it set to 002.
    I do apparently still have a problem though, probably as a result of all the things I have tried to get this work while I was testing incorrectly with TextEdit.
    I have just discovered that the "unknown user" only appears when I create a file from my wife's account. It happens with any file or folder I create in her account, and it exists for very old files and folders that were migrated from the old computer. i.e. new and old files and folders have permissions: barara - Read/Write, unknown user - Read Only, Everyone - Read Only
    Apparently the unknown user gets the default permissions of a group, as the umask is currently set to 022 and unknown user now gets Read Only permissions on new items, but when I had umask set to 002, the unknown user got Read/Write permissions on new items.
    I realize this is now taking this thread in a different direction, but perhaps you know what might be the cause of this and how to correct or at least know where to point me to get the answer.
    Also, do you happen to know how to remove users from groups? I added myself and my wife to the Wheel group because that kept showing up as the default group for folders in /Users/Shared
    Thanks for your help on this, I just don't know how else one can learn these little "gotchas" without assistance from people like you!
    Steve

  • Files created in VFS by the user have read only permissions

    Hello,
    I am currently packaging an application : let's call it 'myapp'. This application is installed in c:\Program Files\myapp (quite classical).
    To run properly, the application needs to have Write Access to c:\Program Files\myapp.
    I am packaging the application with the APPV5 Sequencer SP3 and I checked the option "Allow virtual applications full write permissions to the virtual file system".
    When running the application with APPV5 Client SP3, I see files being created in "C:\Users\%username%\AppData\Local\Microsoft\AppV\Client\VFS\<packageid>\ProgramFilesX64\myapp" and so everything seems to work correctly. The permissions on those files are set to Full Control for the user who has launched the application.
    What I also did is creating 'RunVirtual' registry key in order to run Microsoft Word in the Virtualized Environment of 'myapp' and this works fine also : when I launch WORD, I can save a document in "C:\Program Files\myapp" and this document appears in "C:\Users\%username%\AppData\Local\Microsoft\AppV\Client\VFS\<packageid>\ProgramFilesX64\myapp".
    The strange thing is that the permissions on this DOC file are not the same as the ones set on the other files in the same folder : in fact, the DOC file permissions are set to "Everyone, Read - Read and Execute" (with also permissions the Trusted Installer, Administrators, etc...). So actually, the user who saved the files can never modify it after. This should not be important because it is not a usual location to save Word document but actually, the application itself launches automatically Word to perform some document automation tasks and save temporary files in this location. So when this file has been created once, it can never be reused or deleted. This is causing troubles for the application.
    Any idea to force the Full Control permissions on these files ?
    Thanks in advance
    Olivier

    Interesting, I can say I've never seen that, likely due to the fact like you say yourself, it would be unusual to save something to that directory, also most applications these days no longer write to directories other than in C:\ProgramData or in the users own profile.
    I'm honestly not sure of a good way to force that in this situation, unless, perhaps you have a UEM solution like AppSense. You could have a Powershell script run through the package store and check permissions on the files and then set the permissions according to the way you want using something like iCacls, SecEdit, SetACL or maybe using Get-ACL and Set-ACL in Powershell...there's a few different methods for doing this, you could pick the one that suits you best.
    If you don't have a UEM solution capable of this, maybe you could use some scripting in your App-V package itself, either on launch or perhaps process exit, you could run a script to do this. It may be better on process exit as it may slow launch times...but it's also better for a script which may take quite a while to process like this to be run outside of any launch or exit, to be honest
    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog:
    rorymon.com Twitter: @Rorymon

  • Read-Only Permissions for Everyone?

    We're running xServe / Tiger 10.4.11.
    We're using ACLs and have all users in a group with Read / Write Permissions. Across the board, no matter who creates a new document or directory, anytime a new file is created its permissions are Read-Only for everyone except the author.
    I've checked the permissions in the ACL and everything is set to Read / Write. So why are the permissions defaulting to Read-Only?

    Hi,
    You could have a look at the thread below. Lucas used ProcMon that shows an access denied with the user which he was using.  Permission via group wasn't enough. Give your user full share/security access and everything works fine.
    https://social.technet.microsoft.com/Forums/en-US/99859604-a803-43f3-a172-159a500fcb90/the-deploy-software-updates-wizard-completed-with-errors-access-is-denied?forum=configmgrsum
    Best Regards,
    Joyce

  • Access denied for folder when permissions set with WMI

    Hi,
    When I add/modify access rights based on the Win32_ACE class, there seems to be a difference in the result, than when setting it with the GUI in Windows.
    The situation is as follows:
    I want to set Modify access on a remote folder, but also want to avoid deletion of the folder itself. This can easily be done by setting "deny delete on this folder only" in addition to "allow modify to this folder, files and subfolders".
    So far no issue.
    Now I notice that, although the GUI shows exactly the same result in advanced settings of the security property, the folder set with WMI script gives a deny when opening it with the user account. The same folder, set with the same security and result in the advanced tab, but set in the GUI, works fine.
    Note: The reason that I use WMI is because the remote system is a standalone machine, not sharing the same domain or trust.
    I compared the ACEFlags, AceType and AccessMask for both the GUI set and script set permissions, and they are exactly the same.
    GUI => AccessMask:1179817 AceType:0 iAceFlags:3
    Script => AccessMask:1179817 AceType:0 iAceFlags:3
    What a strange world we live in... :-)
    Any idea?

    What Operating System Interface are you referring?  What program?
    You are being obtuse. What is it that you are trying to compare? The settings in WMI cannot be directly compared to anything in the Security Wizard.
    ¯\_(ツ)_/¯
    Just the properties of the folder in Windows on the security tab. The result is the same for both the permissions set with the interface as well as the one set with the WMI script. The two references you see are just taken with WMI:
    Set by Windows interface => AccessMask:1179817 AceType:0 iAceFlags:3 
    Set by WMI script => AccessMask:1179817 AceType:0 iAceFlags:3
    These are the values "AceFlags", "AceType" and "AccessMask" from management class WIN32_ACE:
    http://msdn.microsoft.com/en-us/library/aa394063(v=vs.85).aspx
    I just want to show that the actual ACE object returns the same values for both methods, but the effect appears to be that the script-set permissions are denied. And I am looking for the reason why.
    Can you provide the script that you're using to create the ACE(s) and add them? If I'm understanding what you're trying to do, there should be two ACEs created: one to allow the modify access and one to deny the folder deletion. The ACE you're showing is just an allow ACE (AceType 0).
    That is correct there are (or should be) two ACEs. I cannot get hold on my source right now (will be later today), but my code is based on this source:
    http://www.minasi.com/forum/topic.asp?TOPIC_ID=7501
    What I basically do is getting the DACL properties, loop through it to check that the user exists that I want to update. If it does I check that the current AceType is of the same type (allow or deny) that I am updating/adding. If that type is a match, I replace the ACE object with the new Flag, Type and Mask using a Win32_ACE object. If the type doesn't match, then I add both the current ACE with the new ACE at the same time. I noticed that if I don't do it at the same time, only the last remains. If the user doesn't match I check that the AceFlags is not equal to 16 (inherit) and then add the original ACE object in the ACE array. At the end I add the new ACE if the user was not found at all (new). The array of individual ACE objects is added to List of managementobjects and then again linked to the DACL value.
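
An added example, not code from the thread or from Microsoft: a PowerShell sketch that reads a folder's DACL through WMI/CIM, keeps the stored ACE order, and decodes AccessMask, AceType and AceFlags into names, so a GUI-set and a script-set folder can be compared entry by entry, including the deny ACE asked about above. The function names, the path and the host name are assumptions; the constructed sample at the end uses the three values quoted in the thread.

```powershell
# Added example. ConvertFrom-Win32Ace, Get-FolderDaclViaWmi, C:\Data\Projects
# and the host name 'standalone01' are hypothetical names.

function ConvertFrom-Win32Ace {
    # Decode the numeric Win32_ACE fields into the matching .NET enum names.
    # [Enum]::ToObject is used so that masks with bits outside the enum
    # (for example generic rights) do not raise a conversion error.
    param(
        [Parameter(Mandatory)][uint32]$AccessMask,
        [Parameter(Mandatory)][int]$AceType,
        [Parameter(Mandatory)][int]$AceFlags,
        [string]$Trustee = '',
        [int]$Index = 0
    )
    $ns = 'System.Security.AccessControl'
    [pscustomobject]@{
        Index   = $Index
        Trustee = $Trustee
        Type    = [Enum]::ToObject(("$ns.AceType" -as [type]), [byte]$AceType)
        Rights  = [Enum]::ToObject(("$ns.FileSystemRights" -as [type]), $AccessMask)
        Flags   = [Enum]::ToObject(("$ns.AceFlags" -as [type]), [byte]$AceFlags)
        MaskHex = '0x{0:X8}' -f $AccessMask
    }
}

function Get-FolderDaclViaWmi {
    # List every ACE of the folder's DACL in the order it is stored.
    # Pass a CimSession (New-CimSession -ComputerName ... -Credential ...)
    # for a remote, non-domain machine; omit it for the local machine.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Microsoft.Management.Infrastructure.CimSession]$CimSession
    )
    $common = @{}
    if ($CimSession) { $common.CimSession = $CimSession }

    # WQL string literals need backslashes and single quotes escaped.
    $escaped = ($Path -replace '\\', '\\') -replace "'", "\'"
    $setting = Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting `
                               -Filter "Path='$escaped'" @common
    if (-not $setting) { throw "No security setting found for $Path" }

    $result = Invoke-CimMethod -InputObject $setting `
                               -MethodName GetSecurityDescriptor @common
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor returned $($result.ReturnValue) for $Path"
    }

    $index = 0
    foreach ($ace in $result.Descriptor.DACL) {
        $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        ConvertFrom-Win32Ace -AccessMask $ace.AccessMask -AceType $ace.AceType `
                             -AceFlags $ace.AceFlags -Trustee $trustee -Index $index
        $index++
    }
}

# Constructed sample: the values quoted in the thread, decoded offline.
ConvertFrom-Win32Ace -AccessMask 1179817 -AceType 0 -AceFlags 3 |
    Format-List Type, Rights, Flags, MaskHex

# Against a real folder (hypothetical host and path), list the whole DACL:
# $s = New-CimSession -ComputerName standalone01 -Credential (Get-Credential)
# Get-FolderDaclViaWmi -Path 'C:\Data\Projects' -CimSession $s | Format-Table
```

The mask 1179817 is 0x001200A9, which is the ReadAndExecute bits plus Synchronize; AceFlags 3 is ObjectInherit plus ContainerInherit. Listing the full DACL rather than one ACE shows whether the deny entry is present and where it sits relative to the allow entry.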

  • Reading NTFS permissions and changing them with PowerShell

    Hi,
    I have a large folder structure which contains the shares for several sites. I've been asked to change the permissions for a group on each of these folders from 'full control' to 'read and execute' on the top level only. My problem is that the name of the group to change is different on each folder. They follow the same naming convention however which I've attempted to show in the example below.
    Folder1 has a group named FOL1-AdminUsers which has full control, there are several other administrative AD groups with permissions to the folder which must remain the same. Similarly there is a Folder2 which has a group named FOL2-AdminUsers which needs to be changed and so on.
    The part of the script I'm having trouble with is reading the existing permissions from a specific folder and searching for the group I need to change. Everything else has been fairly straight forward but I've just become completely stuck on this. I'd really appreciate any help anybody could give me or if you could point me in the right direction for further assistance.
    Many thanks,
    Gary.

    Hi Gary,
    you can read access permissions from a folder by using the Get-Acl cmdlet (Get-Acl "C:\ExampleFolder"). This will return a DirectorySecurity object. This comes with an Access CodeProperty that will return all permissions on the folder:
    $Acl = Get-Acl "C:\ExampleFolder"
    $Acl.Access
    It has many useful methods as well, so check out its members:
    $Acl | Get-Member
    Finally, there are useful tools for manipulating Acls, notably the official Set-Acl cmdlet or Rohn's AccessControl Module (Thanks Rohn, it's awesome) in the Gallery.
    If the module is a bit complex for you, there are some simple functions - shameless advertisement incoming - you could instead use: New-AccessRule and Add-AccessRule.
    Cheers,
    Fred
    There's no place like 127.0.0.1
    Thanks for the compliment!
    Gary, Rhys and Fred already mentioned that the info you're looking for is in the Access property when you use the built-in Get-Acl cmdlet. You could also use the Get-AccessControlEntry function from the module Fred mentioned:
    # List all ACEs for a single folder
    Get-AccessControlEntry C:\Folder
    # List all ACEs for specific principals (this example searches for two):
    Get-AccessControlEntry C:\Folder -Principal FOL*AdminUsers, AnotherUserNameHere
    # List ACEs for all subfolders (uses PSv3 syntax):
    dir C:\Folder -Directory -Recurse | Get-AccessControlEntry
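
An added example, not code from any poster in this thread: one way to do the change Gary describes with only the built-in Get-Acl and Set-Acl cmdlets. It assumes "top level only" means the group gets ReadAndExecute on each share folder itself while subfolders and files keep the rights they inherited before; the function name, the root path and the `*-AdminUsers` pattern are assumptions based on the naming convention in the question.

```powershell
# Added example. Set-AdminGroupReadOnly and D:\Shares are hypothetical names.

function Set-AdminGroupReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,        # folder holding Folder1, Folder2, ...
        [string]$GroupPattern = '*-AdminUsers'      # matches FOL1-AdminUsers, FOL2-AdminUsers
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($folder in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $folder.FullName

        # Explicit allow ACEs that grant FullControl to an account whose name
        # (without the domain prefix) matches the convention.
        $targets = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full -and
            ($_.IdentityReference.Value -split '\\')[-1] -like $GroupPattern
        })
        if ($targets.Count -eq 0) {
            Write-Warning "No matching FullControl entry on $($folder.FullName)"
            continue
        }

        foreach ($old in $targets) {
            # Remove exactly the ACE that was found, nothing else.
            $acl.RemoveAccessRuleSpecific($old)

            # This folder only: ReadAndExecute with no inheritance flags.
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $old.IdentityReference, $readExec, 'None', 'None', 'Allow')))

            if ($old.InheritanceFlags -ne 'None') {
                # Children keep their previous rights: the same ACE, re-added as
                # inherit-only so it no longer applies to the top folder itself.
                $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $old.IdentityReference, $old.FileSystemRights, $old.InheritanceFlags,
                    ($old.PropagationFlags -bor $inheritOnly), 'Allow')))
            }
        }

        $names = ($targets | ForEach-Object { $_.IdentityReference.Value } |
                  Sort-Object -Unique) -join ', '
        if ($PSCmdlet.ShouldProcess($folder.FullName, "Limit $names to ReadAndExecute")) {
            Set-Acl -LiteralPath $folder.FullName -AclObject $acl
        }
        [pscustomobject]@{ Folder = $folder.FullName; Changed = $names }
    }
}

# Dry run first: reports what would change without writing any ACL.
# Set-AdminGroupReadOnly -Root 'D:\Shares' -WhatIf
```

Entries for the other administrative groups are never touched because only ACEs matching the pattern are removed and re-added.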

  • Crazy ACL permissions issues!

    I have Server 10.5.2 setup on a G5 dual 2.0. I have a share point which is an entire drive. At the root level I have 2 groups with read write access and 2 individuals with read write privs. Posix is set as root for owner read write, admin as group read write, and world as read. Inherit is checked as well.
    Problem is that it does not work correctly on certain files when saving from photoshop it will say that the file is locked. I can then do a save as to the desktop and copy it over manually to the server, replacing the other file, with no error. I know this might be a photoshop issue but would like to know if anyone else has had problems with this. It almost seems as if Photoshop does not honor ACLs.

    Hi
    You might have better luck in creating a folder within the drive and sharing that instead of the whole drive.
    The other guys are correct though about using DTP packages (especially Quark - although I think this has been addressed with Quark 7) and image editing applications across a network. I have not seen the kind of ACL issues you describe when the share point has been a folder rather than the drive. Can't you use standard POSIX for those share-points only and use ACLs for the others?
    I think Adobe have said that CS3 only is capable of working across a network. Anything less than that will give you problems.
    Hope this helps, Tony

  • Granting read/write permissions on Oracle Server processes

    Hi
    I'm trying to set up a BFILE datatype in a table. I have created the directory and the current user has permissions to read and write to that folder. (The current user has the create any directory permission granted). The insert statement does not give an error but when I look at the table the BFILE column contains an error of <Value Error>.
    I suspect it may be because the current user does not have server read/write permissions on the directory I'm using. Can anybody help me with correcting this please?
    Here is what I've used so far:
    CREATE or replace DIRECTORY pic_dir AS 'c:\temp'
    INSERT INTO picture (pic_id, filename)
    VALUES (1, bfilename('pic_dir', 'image1.jpg'))

    Many thanks for the reply.
    I am using the procedure as below (formats better if copied into Notepad). Gives me an error of "ORA-22285: non-existent directory or file for FILEOPEN operation" referring to the line containing the DBMS_LOB.FILEOPEN command.
    I suspect there is something wrong with the SELECT statement because I can get the procedure to run fine on the text file if I provide the BFILE location directly into the bfile_loc variable (as opposed to using the SELECT statement to retrieve it from the db).
    I created a directory: CREATE OR REPLACE DIRECTORY pic_dir AS 'C:\temp'
    I then created a table: CREATE TABLE picture (pic_id NUMBER, filename BFILE)
    Next I added a row: INSERT INTO picture VALUES(1, BFILENAME('pic_dir', 'testfile.txt'))
    CREATE OR REPLACE PROCEDURE read_bfile IS
      sep_char  CONSTANT RAW(100) := UTL_RAW.CAST_TO_RAW(CHR(32));  --separating character (space)
      end_file  CONSTANT RAW(100) := UTL_RAW.CAST_TO_RAW(CHR(10));  --end of file character (new line)
      bfile_loc BFILE;                                              --pointer to BFILE
      cur_pos   NUMBER := 1;                                        --current position in file
      char_read BINARY_INTEGER := 0;                                --number of characters read
      read_buff VARCHAR2(500);                                      --read buffer
      end_word  NUMBER;                                             --end of current word
      ret_val   BOOLEAN := FALSE;                                   --return value
    BEGIN
      select filename into bfile_loc from picture where pic_id = 1;
      DBMS_LOB.FILEOPEN(bfile_loc, dbms_lob.file_readonly);
      LOOP
        -- establish end of current word
        end_word := DBMS_LOB.INSTR(bfile_loc, sep_char, cur_pos, 1);
        -- process end-of-file
        IF (end_word = 0) THEN
          end_word := DBMS_LOB.INSTR(bfile_loc, end_file, cur_pos, 1);
          char_read:= end_word - cur_pos - 1;
          DBMS_LOB.READ(bfile_loc, char_read, cur_pos, read_buff);
          dbms_output.put_line(UTL_RAW.CAST_TO_VARCHAR2(read_buff));
          EXIT;
        END IF;
        -- read until end-of-file
        char_read:= end_word - cur_pos;
        DBMS_LOB.READ(bfile_loc, char_read, cur_pos, read_buff);
        dbms_output.put_line(UTL_RAW.CAST_TO_VARCHAR2(read_buff));
        cur_pos := cur_pos + char_read+ 1;
      END LOOP;
      DBMS_LOB.CLOSE(bfile_loc);
    END;

  • Default acl permissions for root and user?

    After running permissions I keep getting acl permissions changed and will repair. Apparently it doesn't. Is there a manual way of resetting to defaults for both root and user?

    Turns out they didn't change themselves, but authentication got out of whack. This post fixed it for me, but I just jogged access on ical and blogs. Not sure which or both is needed, but after I toggled them over and back I was up and running again.
    <SNIP>
    Solution found at http://michaeljin.wordpress.com/2010/01/05/locked-out-of-mac-os-x-server/
    It’s blog update time! Updates have been a little scarce lately, been super busy with getting trophies on PS3
    Anyway, recently encountered the following with a Mac mini server running Snow Leopard Server:
    Despite being able to ARD / Screenshare the Mac mini, I was unable to get any further than the login window. Authentication credentials are obviously valid. No weird access permissions have been set. However, the weird thing was, I can connect to the server via Server Admin tools (from another Mac) and all other services were running without a hitch.
    After much head scratching it turns out to be a sACL (Service Access Control List) issue.
    This thread solved the mystery!
    http://discussions.apple.com/thread.jspa?threadID=1654864
    To save you the trouble, I’ll lay it out here. I cannot take credit for this, but Randall can!
    Open Server Admin on a computer (any), and connect with the local admin to the machine.
    Select the server and authenticate.
    Select Settings, then go to Access. You’ll want to make sure that Login Window and SSH have the local admin account listed if you select the option to “Allow only these users”. For now, I would suggest making sure all services have “Allow all users and groups” selected.
    If (as in my case) it was set to Allow All in the first place, simply toggle the settings – back and forth.
    Save.
    Try logging in again… should be a good one!
    </SNIP>

  • Powershell & ACL permissions

    So, not sure if this is actually a PowerShell issue or a simple lack of understanding of permissions on my part. So, when you look at permissions manually you have some base permissions; Modify, Read & Execute, Read, Write, etc. You also have Special Permissions, like Full Control and Read Attributes.
    I have a script that is pushing out changed permissions, and
    Get-ACL $Target | Format-List
    gives me what looks to be correct permissions. But if, for example, I do
    $ACRights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
    I would expect to see Read and Write in the basic permissions via the UI, and what I get in Special permissions only, and some that I didn't expect, but that are related, like Read Attributes. So, am I actually getting the results I should, and because I am applying this via ACL it's all Special permissions? Or is there some other mechanism for setting simple Read & Write permissions?
    Also, my need here is to make just a few files and folders available to users in ProgramData in an office where IT has generally locked down ProgramData (which then breaks functionality of some Autodesk products this year). Autodesk suggested manually setting the required permissions for All Users on the files and folders, but my sense is that using Authenticated Users would be better, because it limits the permissions a bit. Or is the Authenticated Users group an old concept, and there is a better practice here?
    I wouldn't be surprised if the same technique needs to be used on some Program Files folders, as Autodesk basically works from the assumption that everyone is a Local Admin, which is just insanity in my book and I would rather target specific files for access rather than throwing the gates open as Autodesk wants.
    Thanks!
    Gordon

    It's probably showing up as "Special" because the access control entry isn't set to apply to sub folders and files. Container objects (folders, registry keys, AD objects, and WMI namespaces) need their ACEs to apply to their children as well in order for them to not show up as "special". Here's how to create an ACE that gives Read and Write permissions that apply to a folder, its sub folders (ContainerInherit), and sub files (ObjectInherit):
    New-Object System.Security.AccessControl.FileSystemAccessRule (
        "Authenticated Users",
        "Read, Write", # Access enumeration string/numeric value
        "ContainerInherit, ObjectInherit", # InheritanceFlags (apply to sub folders and files)
        "None", # PropagationFlags (None simply means that this will apply to the object)
        "Allow" # ACE type
    )
    The reason you're seeing more rights than you expect is because "Read" is actually multiple specific access rights being combined (specifically list directory, read extended attributes, read attributes, and read permissions). To see that it translates to more than one right, you can convert it to binary:
    [convert]::ToString([System.Security.AccessControl.FileSystemRights]::Read.value__, 2)
    Notice that more than one bit is set. If you want to see what each of those bits means, you can use this function:
    function TranslateRights {
        param(
            $Rights = "Read",
            [Type] $Enumeration = [System.Security.AccessControl.FileSystemRights],
            [switch] $ListAll
        )
        # Files/folders use the same enumeration, and the numeric access masks can mean slightly different things, e.g.,
        # bit 0 set means list directory for a folder or read data for a file. For that reason, it helps to have a collection
        # of the different meanings:
        $GroupedRights = @{}
        [enum]::GetNames($Enumeration) | ForEach-Object {
            $IntValue = [int] ($_ -as $Enumeration)
            # Only interested in numbers that are powers of 2
            if ($IntValue -band ($IntValue - 1)) { return }
            if ($GroupedRights.ContainsKey($IntValue)) {
                $GroupedRights.$IntValue += $_
            }
            else {
                $GroupedRights.$IntValue = @($_)
            }
        }
        # Emit one entry per single-bit right, in ascending bit order
        $GroupedRights.GetEnumerator() | sort Name | ForEach-Object {
            if ($_.Name -band ($Rights -as $Enumeration)) {
                $Granted = $true
            }
            else {
                $Granted = $false
            }
            $RightsString = $_.Value -join " / "
            if ($ListAll) {
                [PSCustomObject] @{
                    Bit = [System.Math]::Log($_.Name, 2)
                    Rights = $RightsString
                    Granted = $Granted
                }
            }
            elseif ($Granted) {
                $RightsString
            }
        }
    }
    And you could use it like this:
    TranslateRights -Rights Modify
    TranslateRights -Rights Modify -ListAll
    TranslateRights -Rights ReadKey -Enumeration ([System.Security.AccessControl.RegistryRights]) -ListAll
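
The effect of the inheritance flags described in the answer above, as an added example that is not part of the original thread: it applies the same Read, Write rule to a constructed scratch folder twice, once with no inheritance flags and once with ContainerInherit, ObjectInherit, and reads the resulting ACEs back from the folder, a sub folder and a file. Test-AceScope, the AclDemo folder and settings.dat are names assumed for the example; it runs on Windows only.

```powershell
# Added example. Windows only; the scratch folder and file names are constructed.
# Authenticated Users is resolved from its well-known SID (S-1-5-11) so the
# script does not depend on the display language of the OS.
$AuthUsers = New-Object System.Security.Principal.SecurityIdentifier (
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)

function Test-AceScope {
    param(
        [string] $Case,
        [System.Security.AccessControl.InheritanceFlags] $Inheritance
    )
    $Root = Join-Path ([System.IO.Path]::GetTempPath()) ("AclDemo-" + [guid]::NewGuid())
    $Sub  = (New-Item -ItemType Directory -Path (Join-Path $Root 'Sub') -Force).FullName
    $File = (New-Item -ItemType File -Path (Join-Path $Root 'settings.dat')).FullName

    # Same rule as in the answer above, with only the inheritance flags varied.
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule (
        $AuthUsers, 'Read, Write', $Inheritance, 'None', 'Allow')
    $Acl = Get-Acl -Path $Root
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $Root -AclObject $Acl

    # Read the ACLs back and report every ACE held by Authenticated Users.
    foreach ($Path in $Root, $Sub, $File) {
        $Rules = (Get-Acl -Path $Path).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        $Aces = @($Rules | Where-Object { $_.IdentityReference.Value -eq $AuthUsers.Value })
        if (-not $Aces) {
            [PSCustomObject] @{ Case = $Case; Item = Split-Path $Path -Leaf
                Rights = '(no ACE)'; Inherited = $null; AppliesTo = $null }
        }
        foreach ($Ace in $Aces) {
            [PSCustomObject] @{ Case = $Case; Item = Split-Path $Path -Leaf
                Rights = $Ace.FileSystemRights; Inherited = $Ace.IsInherited
                AppliesTo = $Ace.InheritanceFlags }
        }
    }
    Remove-Item -Path $Root -Recurse -Force
}

$Results = @(
    Test-AceScope -Case 'This folder only' -Inheritance 'None'
    Test-AceScope -Case 'Folder, sub folders and files' -Inheritance 'ContainerInherit, ObjectInherit'
)
$Results | Format-Table -AutoSize
```

Rows with Inherited set to True on Sub and settings.dat show the ACE reaching the children; an ACE already inherited from the temp folder's own parent would also be listed there.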
