78 replies to this topic

[FredAI]

Hi.

I've been working on this for a while. I think now it's good enough to post it here.

Functions to do most everything with the DACL and ownership on all types of objects: Files or folders, Registry keys, services, Kernel and WMI objects, etc.

Here's a good example to test:

Plain Text        expandcollapse  popup

#include 'Permissions.au3'
_InitiatePermissionResources()

FileWrite(@ScriptDir&'test.txt','Test')
Local $TI = TimerInit()
Local $ret = _DenyAllAccess(@ScriptDir&'test.txt',$SE_FILE_OBJECT,@UserName)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Deny all access to test.txt and take ownership:'&@CRLF&@CRLF& _
'_DenyAllAccesss return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

$TI = TimerInit()
$ret = _GrantReadAccess(@ScriptDir&'test.txt',$SE_FILE_OBJECT,'Administrators')
$TD = TimerDiff($TI)
MsgBox(0,'','Grant everyone read access, all access to admins and system, and set the owner: Admins group'&@CRLF&@CRLF& _
'_GrantReadAccesss return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

$TI = TimerInit()
$ret = _GrantAllAccess(@ScriptDir&'test.txt')
$TD = TimerDiff($TI)
MsgBox(0,'','Grant everyone access'&@CRLF&@CRLF& _
'_GrantAllAccesss return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

$TI = TimerInit()
$ret = _CopyFullDacl(@ScriptDir&'test.txt',$SE_FILE_OBJECT,@ScriptDir)
$TD = TimerDiff($TI)
MsgBox(0,'','Restore all inherited permissions'&@CRLF&@CRLF& _
'_CopyFullDacl return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

$TI = TimerInit()
Local $aPerm[2][3] = [['Restricted',1,$GENERIC_ALL],['Users',1,$GENERIC_ALL]]
$ret = _EditObjectPermissions(@ScriptDir&'test.txt',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Add two granted access aces: Restricted and Users'&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted',1,$GENERIC_READ],['Users',1,$GENERIC_READ]]
$ret = _EditObjectPermissions(@ScriptDir&'test.txt',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Give only read access to the Restricted and Users groups'&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

$TI = TimerInit()
Dim $aPerm[2][3] = [['Restricted',0,$GENERIC_ALL],['Users',0,$GENERIC_ALL]]
$ret = _EditObjectPermissions(@ScriptDir&'test.txt',$aPerm)
$TD = TimerDiff($TI)
MsgBox(0,'','Deny access to the Restricted and Users groups'&@CRLF&@CRLF& _
'_EditObjectPermissions return value: '&$ret&'   Time: '&Round($TD,2)&' miliseconds.'&@CRLF& _
'Check the file permissons before closing the message box.')

$TI = TimerInit()
Local $Hndl = _Permissions_OpenProcess(@AutoItPID)
Local $SDBefore = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
Local $CODRet = _ClearObjectDacl($Hndl,$SE_KERNEL_OBJECT)
Local $DARet = _DenyAllAccess($Hndl,$SE_KERNEL_OBJECT)
Local $SDAfter = _GetObjectStringSecurityDescriptor($Hndl,$SE_KERNEL_OBJECT)
$TD = Round(TimerDiff($TI),2)
MsgBox(0,'', 'Deny everyone access to the current process:'&@CRLF&@CRLF& _
'@AutoItPID original security descriptor: '&@CRLF&$SDBefore&@CRLF&@CRLF& _
'_ClearObjectDacl return value: '&$CODRet&@CRLF&@CRLF& _
'_DenyAllAccess_ return value: '&$DARet&@CRLF&@CRLF& _
'New @AutoItPID security descriptor: '&@CRLF& _
$SDAfter&@CRLF&@CRLF& 'Time taken: '&$TD&' miliseconds.')
_Permissions_CloseHandle($Hndl)

FileDelete(@ScriptDir&'test.txt')
_ClosePermissionResources()

I'm planning to add functions to deal with the Sacl in the future, even though I don't think it's very important.

Edit: Let me know if you need an example for the registry.

Updated: Fixed a bug in the _ClearObjectDacl function. I thought that adding a null DACL would work fine, but it causes problems later when adding a new DACL.
Those who have downloaded, please update.
Shoot! Now it wasn't clearing the DACL at all. Updated again. I think it's fixed now.

Updated 9/11/2011 - Added the security descriptor functions and removed unnecessary constants.

Updated 10/11/2011 - There were some functions missing in the index, and some parameters in the comments. Also removed the "MustDeclareVars" option. (About 50 total downloads before)

Update 12/12/2011 - Added more functions:

Spoiler

• _SetDefaultFileAccess
  
  
• _EditObjectPermissions
  
  
• _MergeDaclToArray
  
  
• _CreateDaclFromArray

• Added more error handle and fixed a few bugs
• Added the option to recurse only subfolders, only files or both.</li><li>
• Added more strings for universal SIDs : 'Authenticated Users', 'Users', 'Guests', 'Local Authority', 'Creator Owner', 'NT Authority', 'Restricted' and 'TrustedInstaller'
• The new _EditObjectPermissions function allows to set the desired permissions from an array just like _SetObjectPermissions but it will keep non inherited aces.
• Inherited aces are not deleted by any of the two functions, unless you set $ClearDacl to 1.
• The new _EditObjectPermissions function does not delete non inherited aces even if you set $ClearDacl to 1.
• If you want to clear the full Dacl you should use _SetObjectPermissions or call _ClearObjectDacl before calling _EditObjectPermissions

New Update 12/12/2011 - Missing declaration keywords in 3 constants. Sorry

Update 16/12/2011 - Added support for all object types, including window and process handles. Added more functions, modified most of them, and removed one.

Here's the new function list:

Spoiler

_InitiatePermissionResources
_ClosePermissionResources
_CopyFullDacl
_InheritParentPermissions
_SetDefaultFileAccess
_DenyAllAccess
_GrantAllAccess
_GrantReadAccess
_GrantReadDenyWrite
_SetObjectPermissions
_EditObjectPermissions
_MergeDaclToArray
_CreateDaclFromArray
_SetObjectSecurity
_SetObjectSecurityDescriptor
_TreeResetPermissions
_Permissions_OpenProcess
_Permissions_KillProcess
_Permissions_CloseHandle
_SetFileObjectSecurity
_SetRegObjectSecurity
_ClearObjectDacl
_GetObjectDacl
_GetObjectOwner
_SetObjectOwner
_GetSecurityDescriptorOwner
_GetSecurityDescriptorGroup
_GetSecurityDescriptorDacl
_GetSecurityDescriptorSacl
_GetObjectSecurityDescriptor
_GetObjectStringSecurityDescriptor
_SetObjectStringSecurityDescriptor
_ConvertSecurityDescriptorToStringSecurityDescriptor
_ConvertStringSecurityDescriptorToSecurityDescriptor
_GetSidStruct
_Security_RegKeyName

Updated 22/2/2012.. This time I'm including SecurityConstants.au3 and FileConstants.au3 to prevent constants conflicts. Added a few more functions and fixed a few bugs.

Also added the ability to include the inherited aces in the _EditObjectPermissions function.

Now the permissions array can have four elements (optional). It will still work with three elements arrays though. The fourth element is intended to have the inheritance flag for the corresponding ace.

Here's the new list of functions:

Spoiler

_InitiatePermissionResources
_ClosePermissionResources
_CopyFullDacl
_InheritParentPermissions
_SetDefaultFileAccess
_DenyAllAccess
_GrantAllAccess
_GrantReadAccess
_GrantReadDenyWrite
_SetObjectPermissions
_EditObjectPermissions
_MergeDaclToArray
_GetDaclSizeInformation
_GetAce
_CreateDaclFromArray
_SetObjectSecurity
_IsValidAcl
_SetObjectSecurityDescriptor
_TreeResetPermissions
_Permissions_OpenProcess
_Permissions_KillProcess
_Permissions_CloseHandle
_SetFileObjectSecurity
_SetRegObjectSecurity
_ClearObjectDacl
_GetObjectDacl
_GetObjectOwner
_SetObjectOwner
_GetSecurityDescriptorOwner
_GetSecurityDescriptorGroup
_GetSecurityDescriptorDacl
_GetSecurityDescriptorSacl
_GetObjectSecurityDescriptor
_GetObjectStringSecurityDescriptor
_SetObjectStringSecurityDescriptor
_ConvertSecurityDescriptorToStringSecurityDescriptor
_ConvertStringSecurityDescriptorToSecurityDescriptor
_GetSidStruct
_Security_RegKeyName

400 previous downloads

Attached Files

•  Permissions.au3   97.05K   1055 downloads

Edited by FredAI, 23 February 2012 - 10:31 PM.

[DXRW4E]

Thank You, very useful

Thanks Again

Ciao.

[KaFu]

Definitely looks good , thanks a lot!

[FredAI]

You're welcome guys! It was my contribution to the community, after taking so much
Works much faster than SetAcl, and you can set the owner, clear the DACL and define all the desired permissions with one function call.

[BrewManNH]

I really like the look of this UDF, I was looking for something exactly like this earlier today for an automation script I was creating. This will finish it off exactly as I need to.

Thank you for this.

[FredAI]

You're welcome, BrewManNH.

If any of you find any bugs, please tell.

[DXRW4E]

Hi FredAI, sorry for my english

it is possible to add these function http://msdn.microsoft.com/en-us/library/aa379570%28v=VS.85%29.aspx ConvertSecurityDescriptorToStringSecurityDescriptor and ConvertStringSecurityDescriptorToSecurityDescriptor

Ciao.

[IRON]

Not yet tested, but it looks good.
Thanks a lot

[FredAI]

I fixed a bug and updated the file. Check the first post.

it is possible to add these function ...

Well, here they are:

Plain Text        expandcollapse  popup

 
#include 'Permissions.au3'
_InitiatePermissionResources()
FileWrite(@ScriptDir&'\test.txt','test')
Local $TI = TimerInit()
;************************************************************************************************
Local $ret = _GetObjectStringSecurityDescriptor(@ScriptDir&'\test.txt'); Put here the function to test
Local $ret2 = _ConvertStringSecurityDescriptorToSecurityDescriptor($ret)
;************************************************************************************************
Local $TD = TimerDiff($TI)
MsgBox(0,'','String security descriptor: '&$ret&@CRLF&'Stecurty descriptor pointer: '&$ret2&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
FileDelete(@ScriptDir&'\test.txt')
 _ClosePermissionResources()
 
 Func  _GetObjectStringSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
Local $pSecDescriptor = _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE)
Local $strSecDescriptor = _ConvertSecurityDescriptorToStringSecurityDescriptor($pSecDescriptor)
DllCall($h__Kernel32Dll,'handle','LocalFree','handle',$pSecDescriptor)
Return $strSecDescriptor
EndFunc ;==>_GetObjectStringSecurityDescriptor
 
Func  _ConvertSecurityDescriptorToStringSecurityDescriptor(ByRef $pSecDescriptor)
Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertSecurityDescriptorToStringSecurityDescriptor', _
'ptr',$pSecDescriptor,'DWORD',1,'DWORD',$SECURITY_INFORMATION,'str*',0,'ptr',0)
If @error Then Return SetError(1,0,'')
Return $aRet[4]
EndFunc ;==>_ConvertSecurityDescriptorToStringSecurityDescriptor
 
Func  _ConvertStringSecurityDescriptorToSecurityDescriptor(ByRef $strSecDescriptor)
Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertStringSecurityDescriptorToSecurityDescriptor', _
'str',$strSecDescriptor,'DWORD',1,'ptr*',0,'ptr',0)
If @error Then Return SetError(1,0,0)
Return $aRet[3]
EndFunc ;==>_ConvertStringSecurityDescriptorToSecurityDescriptor
 
Func _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
If $ResourcesState = 0 Then _InitiatePermissionResources()
If $_SE_OBJECT_TYPE = $SE_REGISTRY_KEY Then $oName = _Security_RegKeyName($oName)
Local $aRet = DllCall($h__Advapi32Dll,'DWORD','GetNamedSecurityInfo','str',$oName,'int',$_SE_OBJECT_TYPE,'DWORD',$SECURITY_INFORMATION,'ptr',0,'ptr',0,'ptr',0,'ptr',0,'ptr*',0)
If @error Then Return SetError(@error,0,0)
Return SetError($aRet[0],0,$aRet[8])
EndFunc ;==>_GetObjectSecurityDescriptor
 

I don't know why you need these functions, but if you're planning on using them to set the DACL permissions, let me tell you you don't need them.
You can easily edit the DACL by calling the _SetObjectPermissions function.

Imagine you want to give yourself all granted access to a file, but give everyone else only read and execute access. This can be very useful if you have kids, and you want them to be able to read and execute your files, but you don't want them to edit or delete them.

Take a look at this code:

#include 'Permissions.au3'
_InitiatePermissionResources()
Local $File = @ScriptDir&'\test.txt'
FileWrite($File,'test')
Local $TI = TimerInit()
 
Local $aPerm[2][3]
$aPerm[0][0] = @UserName
$aPerm[0][1] = 1
$aPerm[0][2] = $GENERIC_ALL
$aPerm[1][0] = 'Everyone'
$aPerm[1][1] = 1
$aPerm[1][2] = $GENERIC_READ+$GENERIC_EXECUTE
Local $ret = _SetObjectPermissions($File,$aPerm,$SE_FILE_OBJECT,@UserName,1,1)
Local $TD = TimerDiff($TI)
MsgBox(0,'','Function return value: '&$ret&@CRLF&'   Time: '&Round($TD,2)&' miliseconds.')
_ClosePermissionResources()
 

You just have to create an array with the permissions you want to set:
$array[0][0] - First ace user name or Sid string
$array[0][1] - 1 or 0,whether to grant or deny the permissions defined in the access mask. ($array[0][2])
$array[0][2] - One or more access mask values. e.g. $GENERIC_READ+$GENERIC_EXECUTE

$array[1][0] - Second ace user name or Sid string
$array[1][1] - 1 or 0,whether to grant or deny the permissions defined in the access mask. ($array[1][2])
$array[1][2] - One or more access mask values. e.g. $GENERIC_READ+$GENERIC_EXECUTE

And so on. You can add how many aces you want. The access denied aces have priority over the allowed ones.
Then you can set the owner, clear the DACL and recurse containers and objects (for folders and registry keys), When recursing, the child objects will automatically inherit the permissions from the parent one.

Don't know what else you can do by modifying the security descriptor.

[DXRW4E]

Thank you very much, i needed those functions because I want to have a backup of the security of the registry\file\service (save all the inf file), to give users the possibility to restore the original settings, using Secedit.exe (the way that Microsoft sets everything in windows ect ect)

Sorry again for my English

Ciao

Edited by DXRW4E, 05 November 2011 - 08:59 PM.

[DXRW4E]

I wanted to ask, even for one thing, using the _ConvertSecurityDescriptorToStringSecurityDescriptor, or this line $a = "O:BUD:PAI(A;;FA;;;BU)(A;;0x1200a9;;;WD)"
after using the _ConvertStringSecurityDescriptorToSecurityDescriptor($a), how can I use that to set the _WriteDaclToObject, I'm doing wrong or something?, This is interesting because I shall be able to keep all the original settings, and add admin only right, for example "O:BUD:PAI(A;;FA;;;BU)(A;;0x1200a9;;;WD)(A;;FA;;;BA)" (This explains all about it http://msdn.microsoft.com/en-us/magazine/cc982153.aspx)

I know from experience that this is not the safest way, because if "TrustedInstaller" and present, even if you have full admin right, sometimes "TrustedInstaller" still does not let you do everything there (for example if you want to work with files in "C:\Windows\WinSxS" and better remove remaining TrustedInstaller), so the best way and _SetObjectPermissions, However i am interested also this other way using the _ConvertStringSecurityDescriptorToSecurityDescriptor

sorry for the trouble

Thanks again, Ciao.

Edited by DXRW4E, 05 November 2011 - 11:51 PM.

[FredAI]

after using the _ConvertStringSecurityDescriptorToSecurityDescriptor($a), how can I use that to set the _WriteDaclToObject,

You have to get the DACL from the security descriptor. I'll take a look at the function and post back in a while.

[FredAI]

Ok Here it is:

Plain Text        expandcollapse  popup

#include 'Permissions.au3'
_InitiatePermissionResources()
FileWrite(@ScriptDir&'\test.txt','test')
Local $TI = TimerInit()
;************************************************************************************************
Local $ret1 = _GetObjectSecurityDescriptor(@ScriptDir&'\test.txt')
Local $ret2 = _ConvertSecurityDescriptorToStringSecurityDescriptor($ret1)
Local $ret3 = _ConvertStringSecurityDescriptorToSecurityDescriptor($ret2)
Local $ret4 = _GetSecurityDescriptorOwner($ret3)
Local $ret5 = _GetSecurityDescriptorDacl($ret3)
;************************************************************************************************
Local $TD = TimerDiff($TI)
MsgBox(0,'','Security descriptor pointer: '&$ret1&@CRLF& _
'Converted to string: '&$ret2&@CRLF& _
'Re-converted to pointer to security descriptor: '&$ret3&@CRLF& _
'Owner SID: '&$ret4&@CRLF& _
'Pointer to the DACL: '&$ret5&@CRLF& _
'   Time: '&Round($TD,2)&' miliseconds.')
FileDelete(@ScriptDir&'\test.txt')
 _ClosePermissionResources()
 
Func _GetSecurityDescriptorOwner(ByRef $pSecDescriptor)
If Not IsPtr($pSecDescriptor) Then Return SetError(1,0,0)
Local $aRet = DllCall($h__Advapi32Dll,'bool','GetSecurityDescriptorOwner', _
'ptr',$pSecDescriptor,'ptr*',0,'bool*',0)
If @error Then Return SetError(@error,0,0)
Return _SidToStringSid($aRet[2])
EndFunc ;==>_GetSecurityDescriptorDacl
 
 Func _GetSecurityDescriptorDacl(ByRef $pSecDescriptor)
If Not IsPtr($pSecDescriptor) Then Return SetError(1,0,0)
Local $aRet = DllCall($h__Advapi32Dll,'bool','GetSecurityDescriptorDacl', _
'ptr',$pSecDescriptor,'bool*',0,'ptr*',0,'bool*',0)
If @error Then Return SetError(@error,0,0)
If Not $aRet[2] Then Return SetError(1,0,0)
Return $aRet[3]
EndFunc ;==>_GetSecurityDescriptorDacl
 
 Func  _GetObjectStringSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
Local $pSecDescriptor = _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE)
Local $strSecDescriptor = _ConvertSecurityDescriptorToStringSecurityDescriptor($pSecDescriptor)
DllCall($h__Kernel32Dll,'handle','LocalFree','handle',$pSecDescriptor)
Return $strSecDescriptor
EndFunc ;==>_GetObjectStringSecurityDescriptor
 
Func  _ConvertSecurityDescriptorToStringSecurityDescriptor(ByRef $pSecDescriptor)
If Not IsPtr($pSecDescriptor) Then Return SetError(1,0,0)
Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertSecurityDescriptorToStringSecurityDescriptor', _
'ptr',$pSecDescriptor,'DWORD',1,'DWORD',$SECURITY_INFORMATION,'str*',0,'ptr',0)
If @error Then Return SetError(1,0,'')
Return $aRet[4]
EndFunc ;==>_ConvertSecurityDescriptorToStringSecurityDescriptor
 
Func  _ConvertStringSecurityDescriptorToSecurityDescriptor(ByRef $strSecDescriptor)
If Not IsString($strSecDescriptor) Then Return SetError(1,0,0)
Local $aRet = DllCall($h__Advapi32Dll,'bool','ConvertStringSecurityDescriptorToSecurityDescriptor', _
'str',$strSecDescriptor,'DWORD',1,'ptr*',0,'ptr',0)
If @error Then Return SetError(1,0,0)
Return $aRet[3]
EndFunc ;==>_ConvertStringSecurityDescriptorToSecurityDescriptor
 
Func _GetObjectSecurityDescriptor($oName, $_SE_OBJECT_TYPE = $SE_FILE_OBJECT)
Local $SECURITY_INFORMATION = BitOR($DACL_SECURITY_INFORMATION,$OWNER_SECURITY_INFORMATION)
If $ResourcesState = 0 Then _InitiatePermissionResources()
If $_SE_OBJECT_TYPE = $SE_REGISTRY_KEY Then $oName = _Security_RegKeyName($oName)
Local $aRet = DllCall($h__Advapi32Dll,'DWORD','GetNamedSecurityInfo','str',$oName,'int',$_SE_OBJECT_TYPE, _
'DWORD',$SECURITY_INFORMATION,'ptr',0,'ptr',0,'ptr',0,'ptr',0,'ptr*',0)
If @error Then Return SetError(@error,0,0)
Return SetError($aRet[0],0,$aRet[8])
EndFunc ;==>_GetObjectSecurityDescriptor

Now that I know why you need the functions, I'm finding this very interesting, because it allows to make a full backup of the security descriptor, and restore it later. No need for secedit.

When I have more time, I'll document the functions and add them to the UDF.

[DXRW4E]

Thanks so much for all the support

When you add function to UDF,better if you add a direct fuction as the _GetObjectStringSecurityDescriptor (ScriptDir @ & '\ test.txt'), for example add _SetObjectStringSecurityDescriptor(ScriptDir @ & '\ test.txt,',"O:BUD:PAI(A;;FA;;;BU)(A;;0x1200a9;;;WD)(A;;FA;;;BA)"), I do not know, see for yourself how and best

Ciao.

Edited by DXRW4E, 06 November 2011 - 10:42 AM.

[JScript]

Very complex, perfect!
Thanks for sharing...

João Carlos.

[Spiff59]

I've always found calling icacls.exe very simple for changing permissions. Is the main difference between the UDF and icacls that icacls is restricted to modifying only files and folders?

[FredAI]

No, this is also much faster, and makes your script independent from external exes, which can be disabled or infected.

Also AFAIK you can't set ownership using icacls.

[FredAI]

I added the security descriptor functions to the UDF and updated. see the first post.

[DXRW4E]

Thank You

[FredAI]

I updated again. This time I didn't change the code, just some faults in the comments.

The _SetObjectPermissions function now supports setting the inheritance too, but remember you cannot create an ace with the flag $INHERIT_ONLY_ACE. This type of aces are automatically added from the parent upon the object's creation.

Better use the flags $OBJECT_INHERIT_ACE (1), $CONTAINER_INHERIT_ACE ( 2), $SUB_CONTAINERS_AND_OBJECTS_INHERIT (3) and $NO_PROPAGATE_INHERIT_ACE (4)