Re: GetEffectiveRightsFromAcl

From: Ray Hayes (RayHayes_at_discussions.microsoft.com)
Date: 05/24/05


Date: Mon, 23 May 2005 15:31:02 -0700


Thanks for your reply. I have an explicit Full Control before an inherited
deny, which seems to fit the model correctly that explicit ACEs come before
inherited ACEs. Am I missing some caveat?

Ray

-- 
Ray Hayes
http://www.rhbe.net
"Hao Zhuang [MSFT]" wrote:
> You have an allowed ACE preceding a denied ACE, which is not in the 
> canonical order. Try to revise your ACEs in the canonical order. See:
> http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_hziq.asp
> 
> - hao
> 
> -- 
> This posting is provided "AS IS" with no warranties, and confers no rights.
> 
> 
> 
> "Ray Hayes" <RayHayes@discussions.microsoft.com> wrote in message 
> news:AF3646B3-2165-4201-913F-FD3C303D96B4@microsoft.com...
> >
> > I have a security descriptor, SDDL format is
> >
> > "O:S-1-5-21-987712285-351545167-142223018-1446D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
> >
> > which I think is correct. The first ACE grants full control. The 2nd is a
> > deny inherited from the parent item and the 3rd is a grant of full control
> > inherited from the parent.
> >
> > When I call GetEffectiveRightsFromAcl, I get a return code of 0x00000538
> > which is "The access control list (ACL) structure is invalid." but I can't
> > see how. If I remove the deny ACE it works fine.
> >
> > What am I missing? Thanks.
> > -- 
> > Ray Hayes
> > http://www.rhbe.net 
> 
> 
>
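
An added example, not part of either post: a short Python sketch that parses the DACL from the SDDL string quoted above, marks each ACE as explicit or inherited (the `ID` flag), and checks it against Microsoft's documented canonical order (explicit ACEs before inherited ones; among explicit ACEs, deny before allow). The second SDDL string is constructed for contrast, the function names are this example's own, and the parser assumes plain ACEs without conditional expressions.

```python
import re

# SDDL string quoted in the thread above (owner SID plus a three-ACE DACL).
SID = "S-1-5-21-987712285-351545167-142223018-1446"
THREAD_SDDL = (f"O:{SID}D:(A;OICI;0x3f0;;;{SID})"
               f"(D;OICIID;0x200;;;{SID})(A;OICIID;0x3f0;;;{SID})")
# Constructed sample: an explicit allow placed ahead of an explicit deny.
BAD_SDDL = f"D:(A;;0x3f0;;;{SID})(D;;0x200;;;{SID})(A;ID;0x3f0;;;{SID})"

DENY, ALLOW = {"D", "OD"}, {"A", "OA"}

def parse_dacl(sddl):
    """Return the DACL's ACEs, in stored order, as dicts."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        # ACE flags are two-letter codes (OI, CI, ID, ...); ID = inherited.
        flags = [fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)]
        aces.append({"type": fields[0], "inherited": "ID" in flags,
                     "rights": fields[2], "sid": fields[5]})
    return aces

def order_violations(aces):
    """Check explicit-before-inherited and explicit deny-before-allow."""
    problems, seen_inherited, seen_explicit_allow = [], False, False
    for i, ace in enumerate(aces):
        if ace["inherited"]:
            seen_inherited = True   # order among inherited ACEs depends on the
            continue                # level they came from, which SDDL omits
        if seen_inherited:
            problems.append(f"ACE {i}: explicit ACE after an inherited ACE")
        if ace["type"] in DENY and seen_explicit_allow:
            problems.append(f"ACE {i}: explicit deny after an explicit allow")
        if ace["type"] in ALLOW:
            seen_explicit_allow = True
    return problems

if __name__ == "__main__":
    for name, sddl in (("thread", THREAD_SDDL), ("constructed", BAD_SDDL)):
        for i, ace in enumerate(parse_dacl(sddl)):
            kind = "inherited" if ace["inherited"] else "explicit"
            print(name, i, kind, ace["type"], ace["rights"])
        print(name, "violations:", order_violations(parse_dacl(sddl)))
```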