Re: GetEffectiveRightsFromAcl

From: Ray Hayes (RayHayes_at_discussions.microsoft.com)
Date: 05/24/05


Date: Mon, 23 May 2005 15:31:02 -0700


Thanks for your reply. I have an explicit Full Control before an inherited
deny, which seems to fit the model correctly that explicit ACEs come before
inherited ACEs. Am I missing some caveat?

Ray

-- 
Ray Hayes
http://www.rhbe.net
"Hao Zhuang [MSFT]" wrote:
> You have an allowed ACE preceding a denied ACE, which is not in the 
> canonical order. Try to revise your ACEs in the canonical order. See:
> http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_hziq.asp
> 
> - hao
> 
> -- 
> This posting is provided "AS IS" with no warranties, and confers no rights.
> 
> 
> 
> "Ray Hayes" <RayHayes@discussions.microsoft.com> wrote in message 
> news:AF3646B3-2165-4201-913F-FD3C303D96B4@microsoft.com...
> >
> > I have a security descriptor, SDDL format is
> >
> > "O:S-1-5-21-987712285-351545167-142223018-1446D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
> >
> > which I think is correct. The first ACE grants full control. The 2nd is a
> > deny inherited from the parent item and the 3rd is a grant of full control
> > inherited from the parent.
> >
> > When I call GetEffectiveRightsFromAcl, I get a return code of 0x00000538
> > which is "The access control list (ACL) structure is invalid." but I can't
> > see how. If I remove the deny ACE it works fine.
> >
> > What am I missing? Thanks.
> > -- 
> > Ray Hayes
> > http://www.rhbe.net 
> 
> 
> 
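
Added example (not part of the thread, and not Microsoft's code): a Python check that parses the `D:` component of an SDDL string such as the one posted above and reports ACEs that break two documented DACL ordering rules: explicit ACEs precede inherited ones, and within the explicit group deny precedes allow. It assumes plain `A`/`D`/`OA`/`OD` ACEs without conditional expressions, and it does not check deny-before-allow among inherited ACEs because SDDL does not record the inheritance level; the function names are hypothetical.

```python
import re

# DACL posted in the thread; the SID is the one used there.
SID = "S-1-5-21-987712285-351545167-142223018-1446"
THREAD_SDDL = (f"O:{SID}D:(A;OICI;0x3f0;;;{SID})"
               f"(D;OICIID;0x200;;;{SID})(A;OICIID;0x3f0;;;{SID})")

DENY_TYPES = {"D", "OD"}    # access-denied ACE types handled here
ALLOW_TYPES = {"A", "OA"}   # access-allowed ACE types handled here


def classify_dacl(sddl):
    """Return [(origin, kind), ...] for each ACE in the D: component."""
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL ACEs found in SDDL string")
    result = []
    for ace in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, flags = fields[0], fields[1]
        if ace_type in DENY_TYPES:
            kind = "deny"
        elif ace_type in ALLOW_TYPES:
            kind = "allow"
        else:
            raise ValueError(f"unsupported ACE type: {ace_type}")
        # ACE flags are two-letter codes run together; ID marks inherited.
        codes = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        result.append(("inherited" if "ID" in codes else "explicit", kind))
    return result


def order_violations(sddl):
    """List the ACEs that break the two ordering rules checked here."""
    problems, seen_inherited, seen_explicit_allow = [], False, False
    for index, (origin, kind) in enumerate(classify_dacl(sddl), start=1):
        if origin == "inherited":
            seen_inherited = True   # per-level order is not visible in SDDL
        elif seen_inherited:
            problems.append(f"ACE {index}: explicit ACE after an inherited ACE")
        elif kind == "deny" and seen_explicit_allow:
            problems.append(f"ACE {index}: explicit deny after explicit allow")
        else:
            seen_explicit_allow = seen_explicit_allow or kind == "allow"
    return problems


if __name__ == "__main__":
    print(classify_dacl(THREAD_SDDL))
    print(order_violations(THREAD_SDDL) or "no ordering violations")
```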

