Re: GetEffectiveRightsFromAcl

From: Hao Zhuang [MSFT] (
Date: 05/21/05

Date: Fri, 20 May 2005 18:45:13 -0700

You have an allowed ACE preceding a denied ACE, which is not in the
canonical order. Try to revise your ACEs in the canonical order. See:

- hao

This posting is provided "AS IS" with no warranties, and confers no rights.

"Ray Hayes" <> wrote in message
> I have a security descriptor, SDDL format is
> "O:S-1-5-21-987712285-351545167-142223018-1446D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
> which I think is correct. The first ACE grants full control. The 2nd is a
> deny inherited from the parent item and the 3rd is a grant of full control
> inherited from the parent.
> When I call GetEffectiveRightsFromAcl, I get a return code of 0x00000538
> which is "The access control list (ACL) structure is invalid." but I can't
> see how. If I remove the deny ace it works fine.
> What am I missing? Thanks.
> -- 
> Ray Hayes
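
The ordering question raised in this thread, as an added example that is not part of the original posts: a parser for the DACL in the question that tests it against a strict no-allow-before-deny rule and against the order Windows documents as preferred (explicit ACEs before inherited ones, deny before allow among the explicit ones). The function names are hypothetical; the SDDL string is the one from the question.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "type inherited rights sid")

# DACL string copied from the question above.
SDDL = ("O:S-1-5-21-987712285-351545167-142223018-1446"
        "D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
        "(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)"
        "(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)")

def parse_dacl(sddl):
    """Parse the ACE strings of the D: component into Ace tuples."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE string: " + body)
        ace_type, flags, rights, sid = fields[0], fields[1], fields[2], fields[5]
        # ACE flags are two-letter tokens (OI, CI, NP, IO, ID, ...); ID = inherited.
        tokens = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        aces.append(Ace(ace_type, "ID" in tokens, rights, sid))
    return aces

def strict_order_ok(aces):
    """False if any allow (A) ACE precedes any deny (D) ACE."""
    seen_allow = False
    for ace in aces:
        if ace.type == "A":
            seen_allow = True
        elif ace.type == "D" and seen_allow:
            return False
    return True

def preferred_order_ok(aces):
    """Explicit deny, then explicit allow, then inherited ACEs."""
    # Order inside the inherited group is not checked: SDDL does not
    # record which ancestor each inherited ACE came from.
    ranks = [2 if a.inherited else (0 if a.type == "D" else 1)
             for a in aces if a.type in ("A", "D")]
    return ranks == sorted(ranks)

if __name__ == "__main__":
    dacl = parse_dacl(SDDL)
    print([(a.type, a.inherited) for a in dacl])
    print("strict:", strict_order_ok(dacl), "preferred:", preferred_order_ok(dacl))
```

For the DACL in the question, `strict_order_ok` returns False and `preferred_order_ok` returns True.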