[cifs-protocol] [REG:110041557300829] RE: Questions regarding ACE Ordering Rules

Hongwei Sun hongweis at microsoft.com
Thu Apr 15 09:57:21 MDT 2010

Hi, Nadya,

  I will take ownership of this request. I will let you know when I am done with my investigation.



-----Original Message-----
From: cifs-protocol-bounces at cifs.org [mailto:cifs-protocol-bounces at cifs.org] On Behalf Of Nadezhda Ivanova
Sent: Thursday, April 15, 2010 8:22 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: [cifs-protocol] Questions regarding ACE Ordering Rules

I was running some tests against a Windows 2008 server; forest functional level and domain functional level are both 2008. I created a group via LDAP and provided a security descriptor with ACEs deliberately scrambled, e.g. Deny before Allow, Object Specific before Regular. I did not get an LDAP error and the group was successfully created, but the SD looked the way I provided it, that is, not according to the rules described in this section. Can you explain why this happens? What behavior should I expect: is Windows supposed to sort them, return an error, or sort them later, or when a recalculate hierarchy request is sent?

In addition:
What is ACE canonical form?
In the sentence:  "The nest rule is only applied if the previous rule(s) give inconclusive results" - what would constitute an inconclusive result? 

Best Regards,