AD Permissions Reporter – Matching Rules

The Matching Rules define the logic that will be used to determine if an ACE matches the selection criteria.  The Matching Rules are used in the Permissions dialog and the Advanced Filter for the SD Control, ACE Header Flags, Permissions. Inheriting Objects has a specific matching rules.

The Matching Rules appear as these four options at the top of each section

Matching Rules

All - All of the selected items must be set for the ACE to match the search criteria, the items that are not selected will not have an affect on the search criteria.  With the All Matching Rule selected, the checkbox of the items will have three states, blank, grayed, and checked.  This allows for Not logic to be used. i.e. if Delete is checked and Delete subtree is grayed, then only if the delete is set and delete sub is not set will the ACE match the search criteria.  Any combination of the checked and grayed can be used, but only the ACE that match the selection will match the search criteria.

Any - With this option set, if any of the items that are selected are set in the ACE will match the search criteria.

Exact - With this option set, only ACE that have the same options set will match the search criteria.

Not - The Not option will match items that don't include the selected items.

The Inheriting Objects in the Advanced Filter has an additional Matching Rule.

Matching Rule - Not

As the name implies this is a Not matching rule, see the Permissions for more details on this option.