Re: GetEffectiveRightsFromAcl

From: Hao Zhuang [MSFT] (hzhuang_at_online.microsoft.com)
Date: 05/21/05

• Next message: Arkady Frenkel: "Re: Hash of Public key"
• Previous message: Miroslav Havram: "EFS &custom CSP"
• In reply to: Ray Hayes: "GetEffectiveRightsFromAcl"
• Next in thread: Ray Hayes: "Re: GetEffectiveRightsFromAcl"
• Reply: Ray Hayes: "Re: GetEffectiveRightsFromAcl"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 20 May 2005 18:45:13 -0700

you have an allowed ACE preceding a denied ACE, which is not in the
canonical order. try to revise your ACEs in the canonical order. see:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_hziq.asp

- hao

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Ray Hayes" <RayHayes@discussions.microsoft.com> wrote in message 
news:AF3646B3-2165-4201-913F-FD3C303D96B4@microsoft.com...
>
> I have a security descriptor, SDDL format is
>
> "O:S-1-5-21-987712285-351545167-142223018-1446D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
>
> which I think is correct. The first ACE grants full control. The 2nd is a
> deny inherited from the parent item and the 3rd is a grant of full control
> inherited from the parent.
>
> When I call GetEffectiveRightsFromAcl, I get a return code of 0x00000538
> which is "The access control list (ACL) structure is invalid." but I can't
> see how. If I remove the deny ace it works fine.
>
> What am I missing? Thanks.
> -- 
> Ray Hayes
> http://www.rhbe.net 

• Next message: Arkady Frenkel: "Re: Hash of Public key"
• Previous message: Miroslav Havram: "EFS &custom CSP"
• In reply to: Ray Hayes: "GetEffectiveRightsFromAcl"
• Next in thread: Ray Hayes: "Re: GetEffectiveRightsFromAcl"
• Reply: Ray Hayes: "Re: GetEffectiveRightsFromAcl"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Timescale in which newbies should get control ... control slows the progression of diabetic retinopathy.2 There are now provocative data to suggest that angiotensin-converting enzyme inhibitors may independently protect against the development or slow the progression of retinopathy,3,4 perhaps through reductions in retinal vascular endothelial growth factor levels.5 ... I'll ask about getting back on an ACE. ... IGF-1 may also be associated with insulin resistance. ... Relatively speaking a ship without a rudder might be an analogy to a insulin dependent diabetic, but the rudder doesn't have to be very large to control the ship. ... (alt.support.diabetes) Re: GetEffectiveRightsFromAcl ... > you have an allowed ACE preceding a denied ACE, ... > "Ray Hayes" wrote in message ... The first ACE grants full control. ... >> deny inherited from the parent item and the 3rd is a grant of full control ... (microsoft.public.platformsdk.security) Re: custom address list? ... > Hi Ace. ... > the exchange accounts from the users OU to another OU, ... the OU example they give you is to control who can see the ... they can still see it thru the OWA. ... (microsoft.public.exchange2000.admin) Re: API to change "Allow inheritable permissions... ... You don't want this ACL to inherit any ... ACEs from the parent, aka. a Protected ACL. ... > What I'm doing at present is constructing a new DACL, with one allowed ACE ... (microsoft.public.win2000.security) Re: Peter Criss 1996 tour contract ... Both Ace and Peter aren't currently doing ... KISS doesn't control their music catalogue. ... (rec.music.artists.kiss)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint