Re: GetEffectiveRightsFromAcl

From: Hao Zhuang [MSFT] (hzhuang_at_online.microsoft.com)
Date: 05/21/05


Date: Fri, 20 May 2005 18:45:13 -0700

you have an allowed ACE preceding a denied ACE, which is not in the
canonical order. try to revise your ACEs in the canonical order. see:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_hziq.asp

- hao

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Ray Hayes" <RayHayes@discussions.microsoft.com> wrote in message 
news:AF3646B3-2165-4201-913F-FD3C303D96B4@microsoft.com...
>
> I have a security descriptor, SDDL format is
>
> "O:S-1-5-21-987712285-351545167-142223018-1446D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
>
> which I think is correct. The first ACE grants full control. The 2nd is a
> deny inherited from the parent item and the 3rd is a grant of full control
> inherited from the parent.
>
> When I call GetEffectiveRightsFromAcl, I get a return code of 0x00000538
> which is "The access control list (ACL) structure is invalid." but I can't
> see how. If I remove the deny ace it works fine.
>
> What am I missing? Thanks.
> -- 
> Ray Hayes
> http://www.rhbe.net 


Relevant Pages

  • Re: Timescale in which newbies should get control
    ... control slows the progression of diabetic retinopathy.2 There are now provocative data to suggest that angiotensin-converting enzyme inhibitors may independently protect against the development or slow the progression of retinopathy,3,4 perhaps through reductions in retinal vascular endothelial growth factor levels.5 ... I'll ask about getting back on an ACE. ... IGF-1 may also be associated with insulin resistance. ... Relatively speaking a ship without a rudder might be an analogy to a insulin dependent diabetic, but the rudder doesn't have to be very large to control the ship. ...
    (alt.support.diabetes)
  • Re: GetEffectiveRightsFromAcl
    ... > you have an allowed ACE preceding a denied ACE, ... > "Ray Hayes" wrote in message ... The first ACE grants full control. ... >> deny inherited from the parent item and the 3rd is a grant of full control ...
    (microsoft.public.platformsdk.security)
  • Re: custom address list?
    ... > Hi Ace. ... > the exchange accounts from the users OU to another OU, ... the OU example they give you is to control who can see the ... they can still see it thru the OWA. ...
    (microsoft.public.exchange2000.admin)
  • Re: What went wrong with our slam bidding?
    ... besides, we might have a 4-4 major fit, so I bid 3H. ... denying 1st or 2nd round control in diamonds. ... Suppose you had agreed that 2C 2NT showed an ace or king in two ...
    (rec.games.bridge)
  • Re: API to change "Allow inheritable permissions...
    ... You don't want this ACL to inherit any ... ACEs from the parent, aka. a Protected ACL. ... > What I'm doing at present is constructing a new DACL, with one allowed ACE ...
    (microsoft.public.win2000.security)