John E. Malmberg wb8tyw at
Thu Feb 24 02:09:56 GMT 2000

Bob Mastors <bob.mastors at> wrote:
> > AFAIK:
> >
> > No, for actual access-checking, _all_ ACEs are checked.
> >
> > If you have this:
> > ALLOW all
> > DENY  all
> > you end up effectively with
> > DENY  all
> >
> > the order isn't important and there is no "short-circuit".
> This does not appear to be a true statement for NT.
> >From the MSDN Library (Jan 2000):
>     When a process tries to access a securable object,
>     the system steps through the ACEs in the object's DACL
>     until it finds ACEs that allow or deny the requested access.
>     The access rights that a DACL allows a user could vary depending
>     on the order of ACEs in the DACL.

That is very interesting, because unless my memory is very faulty:

Windows NT does not allow you to specify the order of the ACEs in a DACL
from any GUI or command line utility.

It always seems to present them as a sorted list.

wb8tyw at

More information about the samba-technical mailing list