RE: GetEffectiveRightsFromAcl on WinXP x64

From: Ari Moradi (AriMoradi_at_discussions.microsoft.com)
Date: 05/13/05


Date: Thu, 12 May 2005 17:11:07 -0700

It looks like whenever the ACEs in the ACL we're looking at have SIDs that
identify users or groups that are not local to the machine we are getting
this error -- GetEffectiveRightsFromAcl returns 5 (access denied). However,
if I am logged in to the PC as a user that has access to the domain to which
the SIDs belong, the function works as expected. Only if I am logged in with
a local user account does this problem happen.

To be specific -- if I create a reg key with an ACL that has 3 ACEs:
Administrators -- Full Access
SYSTEM -- Full Access
Users -- Read Access

The Users group includes "Domain Users" from the domain the machine belongs
to.

If I try to use GetEffectiveRightsFromAcl, it returns error 5 if I am logged
in as the local Administrator. If I log in with an account on the domain, it
returns error 0, and gives the correct access mask. If I remove Domain Users
from the Users group (and Domain Administrators from Administrators), the
function succeeds regardless of who is logged into the PC.

However, this isn't how the function behaved on WinXP 32 bit edition, it
would always return ERROR_SUCCESS and return the correct access mask for the
user in question.

We have found the same behavior on Win2K3 server -- the API returns 0 on the
32 bit version and 5 on the 64 bit version in the same scenario.

Looks like we will have to work around this problem now and use a different
method of getting the info we're after, but I thought I should post this in
case anyone else runs into a similar problem.

"Ari Moradi" wrote:

> We have some code that checks permissions on keys we create in the registry
> during installation. To do this, we are going through a list of SIDs and for
> each one, calling GetEffectiveRightsFromAcl() and ensuring the access mask
> has the permissions required.
>
> We're now running through tests to make sure that the code still works on
> x64 Edition of WinXP, but GetEffectiveRightsFromAcl() returns 5 ("Access is
> denied.") every time we call it. It works fine on x86 WinXP and Win2K.
>
> I thought there might be a privilege necessary to make this call, but I
> can't find anything that works.
>
> Does anyone know what's wrong?
>
> Thanks
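The three-ACE key and the per-trustee check the post describes, as an added PowerShell repro harness that is not the poster's code: it assumes a scratch key under HKCU named EffRightsRepro and SID-form trustees, and prints the return code and access mask for each of the three trustees so the 0-versus-5 difference can be compared across logged-in accounts and platforms.

```powershell
# Added example, not the poster's code. Assumptions: scratch key HKCU\Software\EffRightsRepro,
# trustees passed as SIDs (TRUSTEE_IS_SID), DACL fetched with GetNamedSecurityInfo.
$sub = 'Software\EffRightsRepro'
$key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($sub)
$acl = New-Object System.Security.AccessControl.RegistrySecurity
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs; keep only the three below
foreach ($pair in @(@('BUILTIN\Administrators', 'FullControl'),
                    @('NT AUTHORITY\SYSTEM',    'FullControl'),
                    @('BUILTIN\Users',          'ReadKey'))) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $pair[0], $pair[1], 'Allow')))
}
$key.SetAccessControl($acl); $key.Close()

Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class Eff {
  [StructLayout(LayoutKind.Sequential)]
  public struct TRUSTEE { public IntPtr pMultipleTrustee; public int MultipleTrusteeOperation;
                          public int TrusteeForm; public int TrusteeType; public IntPtr ptstrName; }
  [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
  public static extern uint GetNamedSecurityInfoW(string name, int objType, uint secInfo,
      IntPtr owner, IntPtr group, out IntPtr dacl, IntPtr sacl, out IntPtr sd);
  [DllImport("advapi32.dll")]
  public static extern uint GetEffectiveRightsFromAclW(IntPtr acl, ref TRUSTEE t, out uint rights);
  [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr h);
}
'@

# 4 = SE_REGISTRY_KEY, 4 = DACL_SECURITY_INFORMATION
$dacl = [IntPtr]::Zero; $sd = [IntPtr]::Zero
$err = [Eff]::GetNamedSecurityInfoW("CURRENT_USER\$sub", 4, 4, [IntPtr]::Zero, [IntPtr]::Zero,
                                    [ref]$dacl, [IntPtr]::Zero, [ref]$sd)
if ($err -ne 0) { throw "GetNamedSecurityInfo failed with error $err" }

foreach ($name in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Users') {
    $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $bytes = New-Object byte[] $sid.BinaryLength; $sid.GetBinaryForm($bytes, 0)
    $pSid = [Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length)
    [Runtime.InteropServices.Marshal]::Copy($bytes, 0, $pSid, $bytes.Length)
    $t = New-Object Eff+TRUSTEE; $t.TrusteeForm = 0; $t.ptstrName = $pSid   # TRUSTEE_IS_SID
    [uint32]$rights = 0
    $rc = [Eff]::GetEffectiveRightsFromAclW($dacl, [ref]$t, [ref]$rights)
    # rc 0 = ERROR_SUCCESS with a valid mask; rc 5 = ERROR_ACCESS_DENIED, mask not meaningful
    '{0,-24} rc={1,-3} mask=0x{2:X8}' -f $name, $rc, $rights
    [Runtime.InteropServices.Marshal]::FreeHGlobal($pSid)
}
[void][Eff]::LocalFree($sd)
```

Run it once as a local account and once as a domain account on the same machine; a trustee whose group contains domain members is where the post reports the return code changing from 0 to 5.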
