<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40"
xmlns:ns5="http://schemas.microsoft.com/office/2004/12/omml">

<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
 namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="Street"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="country-region"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="address"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--a:link
        {mso-style-priority:99;}
span.MSOHYPERLINK
        {mso-style-priority:99;}
a:visited
        {mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
        {mso-style-priority:99;}
p
        {mso-style-priority:99;}
p.DEFAULT
        {mso-style-priority:99;}
li.DEFAULT
        {mso-style-priority:99;}
div.DEFAULT
        {mso-style-priority:99;}
p.DEFAULT0
        {mso-style-priority:99;}
li.DEFAULT0
        {mso-style-priority:99;}
div.DEFAULT0
        {mso-style-priority:99;}

 /* Font Definitions */
 @font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
p.default, li.default, div.default
        {margin:0in;
        margin-bottom:.0001pt;
        text-autospace:none;
        font-size:12.0pt;
        font-family:Verdana;
        color:black;}
p.default0, li.default0, div.default0
        {margin:0in;
        margin-bottom:.0001pt;
        text-autospace:none;
        font-size:12.0pt;
        font-family:Verdana;
        color:black;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:Arial;
        color:windowtext;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal;
        font-family:Arial;
        color:navy;}
span.EmailStyle24
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle25
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle27
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:-1270745994;
        mso-list-type:hybrid;
        mso-list-template-ids:-728253145 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l0:level1
        {mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level2
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level3
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level4
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level5
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level6
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level7
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level8
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level9
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1
        {mso-list-id:-858251549;
        mso-list-type:hybrid;
        mso-list-template-ids:-956588191 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l1:level1
        {mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level2
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level3
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level4
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level5
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level6
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level7
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level8
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level9
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2
        {mso-list-id:1860509040;
        mso-list-type:hybrid;
        mso-list-template-ids:1104515017 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l2:level1
        {mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level2
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level3
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level4
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level5
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level6
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level7
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level8
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level9
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi Obaid,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>We will need some time to make some tests
and see if there is still behavior we do not understand. If you prefer, we can
consider this issue closed, and if there is something more I will raise a new
issue. Thank you for your assistance!<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Best Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Nadezhda Ivanova<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>

<div>

<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>

<hr size=2 width="100%" align=center tabindex=-1>

</span></font></div>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Obaid Farooqi
[mailto:obaidf@microsoft.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, August 20, 2009
6:27 <st1:PersonName w:st="on">PM</st1:PersonName><br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">Nadezhda
 Ivanova</st1:PersonName><br>
<b><span style='font-weight:bold'>Cc:</span></b> '<st1:PersonName w:st="on">pfif@tridgell.net</st1:PersonName>';
'<st1:PersonName w:st="on">cifs-protocol@samba.org</st1:PersonName>'<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Help regarding the
security descriptor creation algorithms</span></font><o:p></o:p></p>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Please let me know
if I answered your question. As mentioned before, if you have any further
questions on ACE inheritance, please feel free to contact us.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Obaid Farooqi<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Sr. Support
Escalation Engineer | Microsoft<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Obaid Farooqi <br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, August 13, 2009
5:36 <st1:PersonName w:st="on">PM</st1:PersonName><br>
<b><span style='font-weight:bold'>To:</span></b> '<st1:PersonName w:st="on">Nadezhda
 Ivanova</st1:PersonName>'<br>
<b><span style='font-weight:bold'>Cc:</span></b> '<st1:PersonName w:st="on">pfif@tridgell.net</st1:PersonName>';
'<st1:PersonName w:st="on">cifs-protocol@samba.org</st1:PersonName>'<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Help regarding the
security descriptor creation algorithms<o:p></o:p></span></font></p>

</div>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>The same information
that I sent you will appear in a future version of the document MS-DTYP. The
format may be different but the content will be more or less the same.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>If you still have
questions about ACE inheritance, please let me know. The intention of the reply
is to allow you to move ahead with your implementation and not wait for the
documentation. </span></font><font size=2 color="#403152" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#403152'>We don’t have a
publicly available date that I can provide you for the next documentation
refresh at this time. However, we refresh the MSDN documentation routinely.</span></font><font
size=2 color="#1f497d" face=Calibri><span style='font-size:11.0pt;font-family:
Calibri;color:#1F497D'><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Obaid Farooqi<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Sr. Support
Escalation Engineer | Microsoft<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> <st1:PersonName
w:st="on">Nadezhda Ivanova</st1:PersonName>
[mailto:nadezhda.ivanova@postpath.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, August 12, 2009
3:10 AM<br>
<b><span style='font-weight:bold'>To:</span></b> Obaid Farooqi<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Help regarding the
security descriptor creation algorithms<o:p></o:p></span></font></p>

</div>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi Obaid,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Thank you for the information. It confirms
our current knowledge about how ACEs are being inherited and we will adjust
our implementation accordingly while waiting for the new version of MS-DTYP. Do
you know when we can expect that?<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><st1:PersonName w:st="on"><font size=2 color=navy
 face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'>Nadezhda
 Ivanova</span></font></st1:PersonName><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>

<div>

<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>

<hr size=2 width="100%" align=center>

</span></font></div>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Obaid Farooqi
[mailto:obaidf@microsoft.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, August 11, 2009
6:32 <st1:PersonName w:st="on">PM</st1:PersonName><br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">Nadezhda
 Ivanova</st1:PersonName><br>
<b><span style='font-weight:bold'>Cc:</span></b> '<st1:PersonName w:st="on">pfif@tridgell.net</st1:PersonName>';
'<st1:PersonName w:st="on">cifs-protocol@samba.org</st1:PersonName>'<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Help regarding the
security descriptor creation algorithms</span></font><o:p></o:p></p>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>I just realized that
the table in my previous email may not appear correctly. So, I am attaching a
PDF version of my reply. Please let me know if you have any difficulty reading
it.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Obaid Farooqi<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Sr. Support
Escalation Engineer | Microsoft<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Obaid Farooqi <br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, August 11, 2009
10:02 AM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">Nadezhda
 Ivanova</st1:PersonName><br>
<b><span style='font-weight:bold'>Cc:</span></b> <st1:PersonName w:st="on">pfif@tridgell.net</st1:PersonName>;
<st1:PersonName w:st="on">cifs-protocol@samba.org</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Help regarding the
security descriptor creation algorithms<o:p></o:p></span></font></p>

</div>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>We have finished our investigation on
your question about ComputeInheritedACLfromParent algorithm. The documentation
is in progress for a newer version of the algorithm that will appear in a
future version of MS-DTYP.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>For your implementation, you can use the
following rules to derive inherited ACEs from the parent object.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>There are seven flags that can appear in
an ACE. Of the seven flags, the following pertain to inheritance:<o:p></o:p></span></font></p>

<p class=default0><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>CI&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font><font size=2 face=Calibri><span style='font-size:11.0pt;
font-family:Calibri'>CONTAINER_INHERIT_ACE <o:p></o:p></span></font></p>

<p class=default0><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>OI&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font><font size=2 face=Calibri><span style='font-size:11.0pt;
font-family:Calibri'>OBJECT_INHERIT_ACE <o:p></o:p></span></font></p>

<p class=default0><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>NP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font><font size=2 face=Calibri><span style='font-size:11.0pt;
font-family:Calibri'>NO_PROPAGATE_INHERIT_ACE <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>IO</span></font>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INHERIT_ONLY_ACE<font
color="#1f497d"><span style='color:#1F497D'><o:p></o:p></span></font></p>

<p class=default0><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>ID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font><font size=2 face=Calibri><span style='font-size:11.0pt;
font-family:Calibri'>INHERITED_ACE <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>IO and ID do not play a part when it
comes to making decisions about inheritance. The ID flag is added to any ACE
that is inherited, to record the fact that it was inherited. The IO flag is
used to render an ACE ineffective for the child that inherits the ACE; such an
ACE is not evaluated in access checks on that child. An ACE that has the IO
flag can still be inherited, but the decision is based on the other flags, if
present. As such, the following table mostly ignores the ID and IO flags.
&nbsp;The following table outlines what the flags of the inherited ACE would
be, based on the flags that the parent ACE has.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
 style='border-collapse:collapse'>
 <tr>
  <td width=213 valign=top bgcolor="#DFDFDF" style='width:159.6pt;border:solid black 1.0pt;
  border-bottom:double windowtext 1.5pt;background:#DFDFDF;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Parent ACE Flags<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top bgcolor="#DFDFDF" style='width:159.6pt;border-top:
  solid black 1.0pt;border-left:none;border-bottom:double windowtext 1.5pt;
  border-right:solid black 1.0pt;background:#DFDFDF;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Child Container Object<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top bgcolor="#DFDFDF" style='width:159.6pt;border-top:
  solid black 1.0pt;border-left:none;border-bottom:double windowtext 1.5pt;
  border-right:solid black 1.0pt;background:#DFDFDF;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Child Leaf Object<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>No Flags, IO<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>No Inheritance<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>No Inheritance<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>OI<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>IO,OI<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Inherited, No flags<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>OI,NP<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>No Inheritance<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Inherited, No flags<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>CI<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>CI<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>No Inheritance<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>CI,NP<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Inherited, No flags<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>No Inheritance<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>CI,OI<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>IO,CI,OI<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Inherited, No flags<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td width=213 valign=top style='width:159.6pt;border:solid black 1.0pt;
  border-top:none;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>CI,OI,NP<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Inherited, No flags<o:p></o:p></span></font></p>
  </td>
  <td width=213 valign=top style='width:159.6pt;border-top:none;border-left:
  none;border-bottom:solid black 1.0pt;border-right:solid black 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
  style='font-size:12.0pt;color:#1F497D'>Inherited, No flags<o:p></o:p></span></font></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>For the cases in which a container
inherits an ACE that is both effective on the container and inheritable by its
descendants, the container may inherit two ACEs. This occurs when the inheritable
ACE contains generic information. The container then inherits an inherit-only ACE
(the original with an additional IO flag) that keeps the generic information, and
an effective-only ACE in which the generic information has been mapped.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>The following page at MSDN also has
similar information that you may find helpful:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><a
href="http://msdn.microsoft.com/en-us/library/aa374924(VS.85).aspx">http://msdn.microsoft.com/en-us/library/aa374924(VS.85).aspx</a><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>Please let me know if this answers your
question. If yes, then I’ll consider this issue resolved.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>Obaid Farooqi<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 color="#1f497d" face="Times New Roman"><span
style='font-size:12.0pt;color:#1F497D'>Sr. Support Escalation Engineer |
Microsoft</span></font><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> <st1:PersonName
w:st="on">Nadezhda Ivanova</st1:PersonName>
[mailto:nadezhda.ivanova@postpath.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, July 10, 2009 6:09
AM<br>
<b><span style='font-weight:bold'>To:</span></b> Interoperability Documentation
Help<br>
<b><span style='font-weight:bold'>Cc:</span></b> <st1:PersonName w:st="on">pfif@tridgell.net</st1:PersonName>;
<st1:PersonName w:st="on">cifs-protocol@samba.org</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> Help regarding the
security descriptor creation algorithms<o:p></o:p></span></font></p>

</div>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Hi,<o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'>I have been working on
implementing correct nTSecurityDescriptor creation in the directory service of
Samba 4, and have come upon a problem in the <b><span style='font-weight:bold'>ComputeInheritedACLfromParent
&nbsp;</span></b>subroutine described in MS-DTYP 2.5.2.6. As the algorithm is
described, its purpose is to determine which ACEs from an object’s parent the
new object inherits actively (as effective ACEs), and which it inherits as
inherit-only. <b><span style='font-weight:bold'>ComputeInheritedACLfromParent</span></b>,
as described, walks the parent ACL twice. The first pass determines the active
inherited ACEs, the second pass the ones that are inherited but inactive. <o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'>I have been testing our
implementation with the CN=Schema partition, as the attributes and objects by
default are not given a security descriptor during creation, and the
defaultSecurityDescriptor of attribute-Schema is empty DACL and SACL.<o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'>So, they inherit all
their DACL ACE’s from their parent, CN=Schema. <o:p></o:p></span></font></p>

<p class=default><font size=2 color=black face=Verdana><span style='font-size:
10.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=default><font size=2 color=black face=Verdana><span style='font-size:
10.0pt'>In a Win2008R2, CN=Schema has three inheritable DACL ACE’s: <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>&nbsp;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPLCLORC;;;AU)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><b><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-weight:bold'>ComputeInheritedACLfromParent has the
following arguments:</span></font></b><o:p></o:p></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l2 level1 lfo2;
text-autospace:none'><![if !supportLists]><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black><span
style='color:black'></span> <i><span style='font-style:italic'>ACL</span></i>:
<b><span style='font-weight:bold'>ACL </span></b>that contains the parent's
ACEs from which to compute the inherited <b><span style='font-weight:bold'>ACL</span></b>.
<o:p></o:p></font></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l2 level1 lfo2;
text-autospace:none'><![if !supportLists]><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black><span
style='color:black'></span> <i><span style='font-style:italic'>IsContainerObject</span></i>:
TRUE if the object is a container, FALSE otherwise. <o:p></o:p></font></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l2 level1 lfo2;
text-autospace:none'><![if !supportLists]><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black><span
style='color:black'></span> <i><span style='font-style:italic'>ObjectTypes</span></i>:
Array of GUIDs for the object type being created. <o:p></o:p></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>So if we invoke <b><span style='font-weight:bold'>ComputeInheritedACLfromParent
</span></b>with the above DACL and IsContainerObject = TRUE (according to
MS-ADTS 7.1.3, TRUE is always the value), the first walk of the input:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="Courier New"><span style='font-size:8.0pt;font-family:"Courier New";
color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=default><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'>Initialize ExplicitACL to Empty ACL <o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'>FOR each ACE in ACL DO <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>IF ACE.Flags contains INHERIT_ONLY <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>THEN <o:p></o:p></span></font></p>

<p class=default style='margin-left:99.0pt;text-indent:-.25in;mso-list:l1 level2 lfo4'><![if !supportLists]><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font face=Arial><span
style='font-family:Arial'>CONTINUE <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>ENDIF <o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>IF(((ACE.Flags contains
CONTAINER_INHERIT) AND <o:p></o:p></span></font></p>

<p class=default style='margin-left:99.0pt;text-indent:-.25in;mso-list:l1 level2 lfo4'><![if !supportLists]><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font face=Arial><span
style='font-family:Arial'>(IsContainerObject = TRUE))OR <o:p></o:p></span></font></p>

<p class=default style='margin-left:0in;text-indent:0in;mso-list:l1 level4 lfo4'><![if !supportLists]><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font face=Arial><span
style='font-family:Arial'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;((ACE.Flags
contains OBJECT_INHERIT) AND (IsContainerObject = FALSE))) <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>THEN <o:p></o:p></span></font></p>

<p class=default style='margin-left:.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>CASE
ACE.Type OF <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>ALLOW: <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>DENY: <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE to ACE <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE.Flags to INHERITED <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Append
NewACE to ExplicitACL <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>OBJECT_ALLOW:
<o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>OBJECT_DENY:
<o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>IF
(ObjectTypes contains ACE.ObjectGUID) THEN <o:p></o:p></span></font></p>

<p class=default style='margin-left:2.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE to ACE <o:p></o:p></span></font></p>

<p class=default style='margin-left:2.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE.Flags to INHERITED <o:p></o:p></span></font></p>

<p class=default style='margin-left:2.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Append
NewACE to ExplicitACL <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>ENDIF <o:p></o:p></span></font></p>

<p class=default style='margin-left:.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>ENDCASE
<o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>ENDIF <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 face=Arial><span
style='font-size:12.0pt;font-family:Arial'>END FOR<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1
face="Times New Roman"><span style='font-size:8.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Will give:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Which is as
expected, as this is the DACL of all attributes and classes in Win 2008.<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>However, the
algorithm then walks the input a second time:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="Courier New"><span style='font-size:8.0pt;font-family:"Courier New";
color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>Initialize
InheritableACL to Empty ACL <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>IF
(IsContainerObject = TRUE) THEN &nbsp;//<b><i><span style='font-weight:bold;
font-style:italic'>In our case this is always true<o:p></o:p></span></i></b></span></font></p>

<p class=MsoNormal style='text-indent:.5in;text-autospace:none'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial;
color:black'>FOR each ACE in ACL DO <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>IF ACE.Flags contains NO_PROPAGATE THEN
&nbsp;//This flag is not set<o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>CONTINUE <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>ENDIF <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>IF((ACE.Flags contains CONTAINER_INHERIT) OR <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>(ACE.Flags contains OBJECT_INHERIT)) <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>THEN <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Set NewACE to ACE <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Add INHERITED to NewACE.Flags <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Add INHERIT_ONLY to NewACE.Flags <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Append NewACE to InheritableACL <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>ENDIF <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l0 level1 lfo6;
text-autospace:none'><![if !supportLists]><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial;color:black'><span style='mso-list:
Ignore'><font size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black face=Arial><span
style='font-family:Arial;color:black'>END FOR <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>ENDIF</span></font><font
size=1 color=black face="Courier New"><span style='font-size:8.0pt;font-family:
"Courier New";color:black'> <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="Courier New"><span style='font-size:8.0pt;font-family:"Courier New";
color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>This second
loop yields:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Which after:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>RETURN concatenation
of ExplicitACL and InheritableACL <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Makes the final DACL look like: <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

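<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>So each ACE is duplicated: it appears once as an effective inherited ACE
(CIID) and once more as an inherit-only copy (CIIOID).<o:p></o:p></span></font></p>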

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>However, an attribute’s DACL in Win2008 does not have these last three
ACE’s, so I am obviously missing something. How should the flow actually go
with this same example in order to avoid this duplication? Or am I providing
the wrong argument?<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Best Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><st1:PersonName w:st="on"><font size=3 face="Times New Roman"><span
 style='font-size:12.0pt'>Nadezhda Ivanova</span></font></st1:PersonName><o:p></o:p></p>

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=543
 style='width:407.25pt'>
 <tr>
  <td colspan=3 style='padding:0in 0in 0in 0in'>
  <p class=MsoNormal><font size=3 face="Times New Roman"><span
  style='font-size:12.0pt'><img border=0 width=110 height=73 id="_x0000_i1025"
  src="cid:image001.gif@01CA2250.791F4160"><o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td nowrap valign=top style='padding:0in 0in 11.25pt .25in'>
  <p><st1:PersonName w:st="on"><strong><b><font size=1 color="#666666"
   face=Arial><span style='font-size:8.5pt;font-family:Arial;color:#666666'>Nadezhda
   Ivanova</span></font></b></strong></st1:PersonName><font size=1
  color="#666666" face=Arial><span style='font-size:8.5pt;font-family:Arial;
  color:#666666'><br>
  <strong><b><font face=Arial><span style='font-family:Arial'>Software Engineer</span></font></b></strong><br>
  <strong><b><font face=Arial><span style='font-family:Arial'>Software
  Development</span></font></b></strong><b><span style='font-weight:bold'><br>
  </span></b><br>
  <a href="mailto:nadezhda.ivanova@postpath.com"><font color="#666666"
  face="Times New Roman"><span style='font-family:"Times New Roman";color:#666666'>nadezhda.ivanova@postpath.com</span></font></a><o:p></o:p></span></font></p>
  </td>
  <td nowrap valign=top style='padding:0in 0in 7.5pt 15.0pt'>
  <p style='margin-bottom:12.0pt'><strong><b><font size=1 color="#666666"
  face=Arial><span style='font-size:8.5pt;font-family:Arial;color:#666666'>CISCO
  SYSTEMS <st1:country-region w:st="on"><st1:place w:st="on">BULGARIA</st1:place></st1:country-region>
  EOOD</span></font></b></strong><font size=1 color="#666666" face=Arial><span
  style='font-size:8.5pt;font-family:Arial;color:#666666'><br>
<st1:address w:st="on"><st1:Street w:st="on">18 Macedonia Blvd.</st1:Street> <st1:City
   w:st="on">Sofia</st1:City></st1:address> 1606<br>
<st1:country-region w:st="on"><st1:place w:st="on">Bulgaria</st1:place></st1:country-region><br>
  <a href="http://www.cisco.com/global/BG/"><font color="#666666"
  face="Times New Roman"><span style='font-family:"Times New Roman";color:#666666'>Cisco
  home page</span></font></a><o:p></o:p></span></font></p>
  </td>
  <td width=200 style='width:150.0pt;padding:0in 0in 0in 0in'>
  <p class=MsoNormal><font size=3 face="Times New Roman"><span
  style='font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td style='padding:0in .25in 0in .25in'>
  <p class=MsoNormal><font size=1 color="#009900" face=Arial><span
  style='font-size:7.5pt;font-family:Arial;color:#009900'><img border=0
  width=18 height=19 id="_x0000_i1026" src="cid:image002.gif@01CA2250.791F4160"
  alt="Think before you print.">Think before you print.<o:p></o:p></span></font></p>
  </td>
  <td width=232 colspan=2 style='width:174.0pt;padding:0in 0in 0in 0in'>
  <p class=MsoNormal><font size=3 face="Times New Roman"><span
  style='font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

</div>

</div>

</div>

</body>

</html>