Re: GetEffectiveRightsFromAcl

From: Hao Zhuang [MSFT] (hzhuang_at_online.microsoft.com)
Date: 05/21/05


Date: Fri, 20 May 2005 18:45:13 -0700

You have an allowed ACE preceding a denied ACE, which is not in the
canonical order. Try to revise your ACEs in the canonical order. See:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_hziq.asp

- hao

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Ray Hayes" <RayHayes@discussions.microsoft.com> wrote in message 
news:AF3646B3-2165-4201-913F-FD3C303D96B4@microsoft.com...
>
> I have a security descriptor, SDDL format is
>
> "O:S-1-5-21-987712285-351545167-142223018-1446D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
>
> which I think is correct. The first ACE grants full control. The 2nd is a
> deny inherited from the parent item and the 3rd is a grant of full control
> inherited from the parent.
>
> When I call GetEffectiveRightsFromAcl, I get a return code of 0x00000538
> which is "The access control list (ACL) structure is invalid." but I can't
> see how. If I remove the deny ace it works fine.
>
> What am I missing? Thanks.
> -- 
> Ray Hayes
> http://www.rhbe.net
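
Added example, not part of the original thread: it parses the DACL from the SDDL string in the question, labels each ACE as explicit or inherited (the `ID` flag), and lists every allow ACE stored ahead of a deny ACE, which is the condition the reply points at. The helper names (`parse_dacl`, `allow_before_deny`, `describe`) are hypothetical, and only the A/OA and D/OD ACE types are classified.

```python
import re

# SDDL string copied from the question above (owner plus DACL, no SACL).
SDDL = ("O:S-1-5-21-987712285-351545167-142223018-1446D:"
        "(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
        "(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)"
        "(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)")

KINDS = {"A": "allow", "OA": "allow", "D": "deny", "OD": "deny"}

def parse_dacl(sddl):
    """Return the DACL's ACEs, in stored order, as a list of dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields[:6]
        # ACE flags are two-letter tokens run together, e.g. "OICIID".
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"kind": KINDS.get(ace_type, "other"),
                     "inherited": "ID" in flag_set,
                     "rights": rights, "sid": sid})
    return aces

def allow_before_deny(aces):
    """Index pairs (i, j), i < j, where an allow ACE is stored ahead of a deny ACE."""
    return [(i, j) for j, later in enumerate(aces) if later["kind"] == "deny"
            for i in range(j) if aces[i]["kind"] == "allow"]

def describe(ace):
    origin = "inherited" if ace["inherited"] else "explicit"
    return "%s %s rights=%s" % (origin, ace["kind"], ace["rights"])

if __name__ == "__main__":
    dacl = parse_dacl(SDDL)
    for index, ace in enumerate(dacl):
        print(index, describe(ace))
    for i, j in allow_before_deny(dacl):
        print("ACE %d (%s) precedes ACE %d (%s)"
              % (i, describe(dacl[i]), j, describe(dacl[j])))
```
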