NT Gatekeeper: View Deny ACEs on a Non-SCTS Computer

I recently installed the Security Configuration Tool Set (SCTS) on all my internal Windows NT 4.0 file servers and plan to use it to run regular security audits on these machines. I used the SCTS's new ACL editor to define some deny access control entries (ACEs) on a few file-server folders. When I try to view these folders' security properties on an administrator workstation that doesn't have the SCTS installed, I receive the message "The Security Configuration for foldername is not standard and cannot be displayed." Why am I receiving this message, and what can I do about it?

The message appears because of the different capabilities of the default NT ACL editor and the new ACL editor that comes with the SCTS. An important feature of the new ACL editor is its ability to display deny ACEs. Although NT has long supported deny ACEs, you can't use NT's default ACL editor to set and view them. By default, you can set deny ACEs only programmatically. When you use the default ACL editor to try to display an ACL containing deny ACEs, the system displays the message that Figure 5 shows. If you click No in this dialog box, the box disappears, and nothing else is displayed. If you click Yes, an empty ACL editor appears. To see a folder's or file's permissions in the scenario you describe, use the Cacls command-prompt utility, as Figure 6 shows, or install the SCTS on the workstation. After you install the SCTS, you can use its ACL editor, which Figure 7 shows, to view objects' security properties.
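
For audits that should not depend on which ACL editor a workstation has, deny ACEs can be found by reading the ACL's binary layout directly. The following is an added example, not code from the original article or from the SCTS: it walks a self-relative ACL buffer and reports each allow and deny ACE with its SID. The sample bytes are constructed, and the names `rd`, `sid_to_str`, `count_deny_aces` and `SAMPLE_ACL` are hypothetical; on a live system the buffer would come from the Win32 security APIs, such as GetFileSecurity.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ACCESS_DENIED_ACE_TYPE 0x01   /* allow is 0x00 */

/* Constructed sample: deny DELETE to Everyone, then allow full control to Administrators. */
static const uint8_t SAMPLE_ACL[] = {
    0x02,0x00, 0x34,0x00, 0x02,0x00, 0x00,0x00,        /* rev 2, 52 bytes, 2 ACEs */
    0x01,0x00, 0x14,0x00, 0x00,0x00,0x01,0x00,         /* deny, 20 bytes, mask */
    0x01,0x01, 0,0,0,0,0,1, 0,0,0,0,                   /* SID S-1-1-0 */
    0x00,0x00, 0x18,0x00, 0xFF,0x01,0x1F,0x00,         /* allow, 24 bytes, mask */
    0x01,0x02, 0,0,0,0,0,5, 0x20,0,0,0, 0x20,0x02,0,0  /* SID S-1-5-32-544 */
};

static uint32_t rd(const uint8_t *p, int n) {  /* little-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Formats the SID at p as "S-1-..."; returns -1 if the buffer is too short. */
static int sid_to_str(const uint8_t *p, size_t len, char *out, size_t cap) {
    if (len < 8 || len < 8u + 4u * p[1]) return -1;
    unsigned long long auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | p[i];  /* big-endian */
    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)p[0], auth);
    for (int i = 0; i < p[1] && n > 0 && (size_t)n < cap; i++)
        n += snprintf(out + n, cap - n, "-%u", (unsigned)rd(p + 8 + 4 * i, 4));
    return 0;
}

/* Prints every allow/deny ACE; returns the deny-ACE count, -1 if malformed. */
int count_deny_aces(const uint8_t *acl, size_t len) {
    if (len < 8 || rd(acl + 2, 2) > len) return -1;
    size_t end = rd(acl + 2, 2), off = 8, sz;
    int denies = 0;
    for (unsigned n = rd(acl + 4, 2); n > 0; n--, off += sz) {
        char sid[128];
        sz = off + 8 <= end ? rd(acl + off + 2, 2) : 0;
        if (sz < 8 || off + sz > end) return -1;           /* ACE overruns the ACL */
        if (acl[off] > ACCESS_DENIED_ACE_TYPE) continue;   /* other ACE types: skip */
        if (sid_to_str(acl + off + 8, sz - 8, sid, sizeof sid)) return -1;
        printf("%-5s mask=0x%08X %s\n", acl[off] ? "DENY" : "ALLOW",
               (unsigned)rd(acl + off + 4, 4), sid);
        denies += acl[off] == ACCESS_DENIED_ACE_TYPE;
    }
    return denies;
}
int main(void) { return count_deny_aces(SAMPLE_ACL, sizeof SAMPLE_ACL) < 0; }
```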
