RE: GetEffectiveRightsFromACL returns ERROR_INVALID_ACL



Hi,

The behavior you explained is a known issue. GetEffectiveRightsFromAcl()
should not return ERROR_INVALID_ACL if it sees a deny ACE with the
inherited flag.
The ACL below is a valid ACL and follows the preferred DACL order.
http://msdn.microsoft.com/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp?frame=true

But, GetEffectiveRightsFromAcl() implementation is NOT designed to handle
deny ACE with the inherited flag.

Additionally, there are many limitations with the usage of this API itself.

GetEffectiveRightsFromAcl() Win32 API cannot honor "Pseudo Groups" that
get applied only when the "given" user logs in. You can use this API only
in highly controlled environments as explained in the following Knowledge
Base article.
Q262278 - INFO: Limitations of the GetEffectiveRightsFromAcl API
http://support.microsoft.com/support/kb/articles/Q262/2/78.asp

As stated in the article, access information for a given user and securable
object can only be retrieved through the AccessCheck() function, which
requires an access token for the user logon.

In practice, the only recommended and reliable way to know if the caller
has access is to directly access the object and let Windows perform
the check for you.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
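Added example, not part of the reply above or of any Microsoft sample: it follows the advice to use AccessCheck() with the caller's own logon token rather than GetEffectiveRightsFromAcl(). The function names (map_generic_rights, caller_has_access) and the sample path are this example's own choices. The generic-rights mapping helper is plain C and builds anywhere; the token and security-descriptor calls are guarded by _WIN32 and need advapi32 (link advapi32.lib, or -ladvapi32 under MinGW).

```c
/* Added example: ask Windows for the caller's effective access with
 * AccessCheck() instead of GetEffectiveRightsFromAcl(). The function
 * names are this example's own. The generic-rights mapping helper is
 * portable; everything that touches a token or a security descriptor
 * is Windows-only and guarded by _WIN32. */
#include <stdio.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#else
/* Stand-ins so the portable helper builds off Windows; values match winnt.h. */
typedef uint32_t ACCESS_MASK;
typedef struct {
    ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll;
} GENERIC_MAPPING;
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#endif

/* AccessCheck() rejects GENERIC_* bits in DesiredAccess, so each one is
 * replaced with the object-specific rights from the mapping first. This is
 * the substitution MapGenericMask() performs, written out so the rule is
 * visible and testable. */
ACCESS_MASK map_generic_rights(ACCESS_MASK desired, const GENERIC_MAPPING *gm)
{
    ACCESS_MASK specific = desired &
        ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
    if (desired & GENERIC_READ)    specific |= gm->GenericRead;
    if (desired & GENERIC_WRITE)   specific |= gm->GenericWrite;
    if (desired & GENERIC_EXECUTE) specific |= gm->GenericExecute;
    if (desired & GENERIC_ALL)     specific |= gm->GenericAll;
    return specific;
}

#ifdef _WIN32
/* Returns 1 if the calling user's logon token is granted `desired` on the
 * file `path`, 0 if it is not, and -1 if an API call failed. The token
 * comes from the caller's real logon, so logon-time groups such as
 * INTERACTIVE or NETWORK (the "pseudo groups" the reply mentions) take
 * part in the evaluation, which GetEffectiveRightsFromAcl() cannot do. */
int caller_has_access(const wchar_t *path, ACCESS_MASK desired)
{
    PSECURITY_DESCRIPTOR sd = NULL;
    HANDLE token = NULL;
    int result = -1;

    /* Owner, group and DACL are all needed; AccessCheck() fails without them. */
    DWORD err = GetNamedSecurityInfoW((LPWSTR)path, SE_FILE_OBJECT,
        OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
        DACL_SECURITY_INFORMATION, NULL, NULL, NULL, NULL, &sd);
    if (err != ERROR_SUCCESS) {
        fprintf(stderr, "GetNamedSecurityInfoW failed: %lu\n", err);
        return -1;
    }

    /* AccessCheck() wants an impersonation token; ImpersonateSelf() creates
     * one for the current user without needing credentials. */
    if (ImpersonateSelf(SecurityImpersonation) &&
        OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token)) {
        GENERIC_MAPPING gm = { FILE_GENERIC_READ, FILE_GENERIC_WRITE,
                               FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS };
        PRIVILEGE_SET privs;
        DWORD privs_len = sizeof privs;
        DWORD granted = 0;
        BOOL allowed = FALSE;
        if (AccessCheck(sd, token, map_generic_rights(desired, &gm), &gm,
                        &privs, &privs_len, &granted, &allowed)) {
            /* The call itself succeeded; the access verdict is in `allowed`. */
            result = allowed ? 1 : 0;
        } else {
            fprintf(stderr, "AccessCheck failed: %lu\n", GetLastError());
        }
        CloseHandle(token);
    }
    RevertToSelf();
    LocalFree(sd);
    return result;
}

int main(void)
{
    /* Sample target chosen for this example; point it at the object you care about. */
    const wchar_t *path = L"C:\\Windows\\System32\\drivers\\etc\\hosts";
    int r = caller_has_access(path, GENERIC_READ | GENERIC_WRITE);
    printf("read+write on hosts: %s\n",
           r == 1 ? "granted" : r == 0 ? "denied" : "check failed");
    return r < 0 ? 1 : 0;
}
#else
int main(void)
{
    puts("AccessCheck() is Windows-only; build this on Windows to run the check.");
    return 0;
}
#endif
```

Because the token is the caller's own, this only answers "does the current logon have access"; answering it for some other account still requires a token for that account (from LogonUser or a duplicated token), which is exactly the limitation the KB article describes. A deny ACE carrying the inherited flag is handled by AccessCheck() like any other ACE, so the ERROR_INVALID_ACL behaviour of GetEffectiveRightsFromAcl() does not arise here.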
