http://blogs.technet.com/b/askds/archive/2009/06/01/null-and-empty-dacls.aspxBackground Mike here. Windows uses the concept of a security descriptor to allow or deny security principals (user or groups) access to specific resources. A security descriptor is a data structure that contains: The memory location of a securityen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/askds/archive/2009/06/01/null-and-empty-dacls.aspx#3249348Tue, 02 Jun 2009 17:03:13 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3249348Ask the Directory Services Team<p>The Group Policy security client side extension can distribute security descriptors on files and registry</p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3249348" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/01/null-and-empty-dacls.aspx#3249299Tue, 02 Jun 2009 15:16:55 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3249299MikeStephensMSFT<p>Hello jlupolt,</p> <p>Unfortunately, the ACL editor within Windows shows the interpreted permission of the null or empty DACL. The command line utility cacls.exe does report a null DACL by displaying &quot;No permissions are set.&quot; I have an upcoming post that includes a script that specifically looks for null DACLs within nested folders.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3249299" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/01/null-and-empty-dacls.aspx#3249257Tue, 02 Jun 2009 12:30:24 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3249257HelgeKlein<p>Thanks for the article Mike.</p> <p>If you want to detect NULL vs. empty ACLs you can use my open source tool SetACL (<a rel="nofollow" target="_new" href="http://setacl.sourceforge.net/">http://setacl.sourceforge.net/</a>).</p> <p>You might also be interested in my &quot;primer&quot; article on Windows permissions where I also explain the differences between NULL and empty ACLs:</p> <p><a rel="nofollow" target="_new" href="http://blogs.sepago.de/helge/2009/03/12/permissions-a-primer-or-dacl-sacl-owner-sid-and-ace-explained/">http://blogs.sepago.de/helge/2009/03/12/permissions-a-primer-or-dacl-sacl-owner-sid-and-ace-explained/</a></p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3249257" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/01/null-and-empty-dacls.aspx#3248968Mon, 01 Jun 2009 22:41:28 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3248968jlupolt<p>Thanks for this. How can a sysadmin tell the difference between an object with a null DACL and an object with an empty DACL? Would the permissions look the same if viewed in Explorer?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3248968" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/06/01/null-and-empty-dacls.aspx#3248933Mon, 01 Jun 2009 21:34:09 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3248933 Ask the Directory Services Team : Null and Empty DACLs<p>PingBack from <a rel="nofollow" target="_new" href="http://www.tscmpro.com/?p=4246">http://www.tscmpro.com/?p=4246</a></p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3248933" width="1" height="1">