39758: How do I configure Acronis Files Connect to use Macintosh-style group permissions?


How do I configure Acronis Files Connect (formerly ExtremeZ-IP) to use Macintosh-style group permissions?



One significant difference between the Windows and Macintosh security models is their use of groups. In Windows, multiple groups can have distinct permissions to a folder, while Macintosh-style permissions permit only a single group to have permissions to a folder. Windows has the notion of a "primary group", but in the Windows security model, this group is treated identically to other, non-primary groups.

This difference can cause confusion and problems when adjusting permissions from the Macintosh side. For example, take the following Windows permissions:

Owner: John
Group (primary): Teachers
Access-Control List:
John: Full Control
Teachers: Full Control
Users: Full Control
Everyone: Read

Two groups (Teachers and Users) have Full Control to this folder. (The Everyone group is a special case, and is separate from other groups - in this case, that group has Read permission to this folder.) When viewing permissions from the Macintosh (OS X), an administrator would see:

Owner: Administrator
Access: Read and Write

Group: Teachers
Access: Read and Write

Others: Read only

Since the Macintosh does not have a concept of multiple group permissions, the permissions for the Users group are not listed. If the Administrator changed the permissions for the Teachers group from "Read and Write" to "Read only", they might assume that members of the Teachers group would now have read access only. However, with default Acronis Files Connect behavior, this would not be the case. The new Windows Access Control List would be:

John: Full Control
Teachers: Read
Users: Full Control
Everyone: Read

Since the permissions of the Users group were not adjusted, and since all members of the Teachers group are also members of the Users group, Teachers would retain Full Control over this folder. This is not something that can be detected from the Macintosh.

There are two solutions for this problem:

1. Insure (from Windows) that the folders in question do not contain permissions for multiple groups (aside from the Everyone group). This will avoid the potential issue stated above.

2. Enable an optional Acronis Files Connect feature via a registry key. This key, UseMacStylePermissions, will change the default Acronis Files Connect behavior. By default, this setting is disabled. It may be enabled by setting a DWORD value of 1. A DWORD value of 0 (zero) will disable this functionality. This key must be created from the following registry location:


When permissions are adjusted from the Macintosh, the permissions for all non-primary groups (other than Everyone) are removed from the Windows Access Control List. So for the example above, the Access Control List (after the permissions are adjusted) would be:

John: Full Control
Teachers: Read
Everyone: Read

Note that the Users group no longer has any listed permissions for this folder.

This optional feature is not suited for all environments, and should only be enabled to avoid the listed problem above. For many users, it would not desirable to have non-primary groups lose all permissions to a folder.

(!) When this feature is enabled, and the owner is given "Read only" or "Write only" access, that user loses the ability to change permissions on the folder in question. In general, owners will not have their permissions adjusted, so this should not be a problem for most users. To re-enable the ability of the owner to change permissions, the owner would need to have its "Change permissions" ability re-enabled from the Windows side. 


You are reporting a typo in the following text:
Simply click the "Send typo report" button to complete the report. You can also include a comment.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
3 + 3 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.