From: Ray Hayes (RayHayes_at_discussions.microsoft.com)
Date: Mon, 23 May 2005 15:31:02 -0700
Thanks for your reply. I have an explicit Full Control before an inherited
deny which seems to fit the model correctly that explicit ACEs come before
inherited ACEs. Am I missing some caveat?
--
Ray Hayes
http://www.rhbe.net

"Hao Zhuang [MSFT]" wrote:

> you have an allowed ACE preceding a denied ACE, which is not in the
> canonical order. try to revise your ACEs in the canonical order. see:
> http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsce_ctl_hziq.asp
>
> - hao
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Ray Hayes" <RayHayes@discussions.microsoft.com> wrote in message
> news:AF3646B3-2165-4201-913F-FD3C303D96B4@microsoft.com...
> >
> > I have a security descriptor, SDDL format is
> >
> > "O:S-1-5-21-987712285-351545167-142223018-1446D:(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
> >
> > which I think is correct. The first ACE grants full control. The 2nd is a
> > deny inherited from the parent item and the 3rd is a grant of full control
> > inherited from the parent.
> >
> > When I call GetEffectiveRightsFromAcl, I get a return code of 0x00000538
> > which is "The access control list (ACL) structure is invalid." but I can't
> > see how. If I remove the deny ace it works fine.
> >
> > What am I missing? Thanks.
> > --
> > Ray Hayes
> > http://www.rhbe.net
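
Added example, not part of the original thread: a Python sketch that parses the DACL from the SDDL string quoted above and checks it against the ordering Microsoft documents for DACLs (explicit ACEs before inherited ones, and access-denied before access-allowed among the explicit ACEs). The function names and the second sample string are assumptions of this example; it checks ordering only and does not reproduce whatever GetEffectiveRightsFromAcl validates.

```python
import re

# SDDL from the post (owner part plus three-ACE DACL).
PAGE_SDDL = ("O:S-1-5-21-987712285-351545167-142223018-1446D:"
             "(A;OICI;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)"
             "(D;OICIID;0x200;;;S-1-5-21-987712285-351545167-142223018-1446)"
             "(A;OICIID;0x3f0;;;S-1-5-21-987712285-351545167-142223018-1446)")
# Constructed counterexample: explicit allow placed before explicit deny.
CONSTRUCTED_SDDL = "D:(A;;FA;;;WD)(D;;FA;;;BA)"

DENY_TYPES = {"D", "OD", "XD"}  # access-denied, object deny, callback deny

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts, in the order they appear in the string."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;sid
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        # Flags are two-letter codes run together, e.g. "OICIID" = OI, CI, ID.
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append({"type": ace_type, "inherited": "ID" in flag_set,
                     "rights": rights, "sid": sid})
    return aces

def rank(ace):
    """0 = explicit deny, 1 = explicit allow, 2 = inherited (either type).

    Inherited ACEs are grouped per inheritance level, which SDDL does not
    record, so their internal order is not judged here.
    """
    if ace["inherited"]:
        return 2
    return 0 if ace["type"] in DENY_TYPES else 1

def order_violations(aces):
    """Return (i, i+1) index pairs where an ACE precedes one that should come first."""
    ranks = [rank(a) for a in aces]
    return [(i, i + 1) for i in range(len(ranks) - 1) if ranks[i] > ranks[i + 1]]

if __name__ == "__main__":
    for name, sddl in (("post", PAGE_SDDL), ("constructed", CONSTRUCTED_SDDL)):
        aces = parse_dacl(sddl)
        print(name, [(a["type"], a["inherited"]) for a in aces],
              "violations:", order_violations(aces))
```
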