Duplicate ACE return by Get-ACL

[itpro-tips]

Hello,
In the template CSV, I found several ACE with the same information. For example for adminsdholder : BUILTIN\Pre-Windows 2000 Compatible Access has the same permission (Generic Read - All)

I get the same information with get-ACL.
Any idea why many ACE are duplicated with Get-ACL (and in the templates too, but I suppose is is related to Get-ACL output command used to generate your templates).

Thanks

[canix1]

Hello

Short answer: The ACE's set at initial build of Active Directory is set in the wrong manner.

When the Active Directory is built these ACE's is set from an LDF-file. When this is done it bypasses the normal SetEntriesACL function, which would have done filtering and merging of incorrect/duplicate ACE's.

The first "edit" of the ACL will trigger the SetEntriesACL function and it will correct incorrect ACE's (if it can) and you will see a different ACL even though you just add a new entry.

The CSV file is a export of a pristine installation that's way it has the same duplicate, but since the "get" function does not understand some of the incorrect ACE's it will export a modified version of them.