Page History

...

For a discussion on crawling, see here. 

Why am I seeing a duplicated ACL for an item when crawling? And why the ACL is not removed even when I deleted the permission from the list?

The web service extensions for SP2007/2010 not only takes into account the permissions on the item, but also the Web App and Zone Policies. When a user or group is part of those policies, info like the SID is not available and so it is not return on the acl. Seeing a duplicate acl, in this case, means that the account is part of the item permissions and also part of the Web App Policies. After deleting the permission on the item, the web app policy is still there, and that is why we still see one of the acl entries.

Why the user ACL is marked as "Deny" even when the user has Limited Access and Full Control permissions?

There's another account that has a similar scenario, as the one shown above, but it has 2 permissions on the item apart from the Web App Policy: Limited Access and Full Control. This is not a normal combination of permissions and because of how we are handling things right now Limited Access has a priority over the Full Control when the "Allow Limited Access" option is false on the connector configuration. This means that the item permission is set as "Deny", which will then remove any "allow" permission given to the same account. If we set the "Allow Limited Access" option to true, the acl turns into an allow and then the acl is duplicated.

General 

...