ACL / SDs
John E. Malmberg
wb8tyw at qsl.net
Thu Feb 24 02:09:56 GMT 2000
Bob Mastors <bob.mastors at crosstor.com> wrote:
> > AFAIK:
> >
> > No, for actual access-checking, _all_ ACEs are checked.
> >
> > If you have this:
> > ALLOW all
> > DENY all
> > you end up effectively with
> > DENY all
> >
> > the order isn't important and there is no "short-circuit".
> This does not appear to be a true statement for NT.
> >From the MSDN Library (Jan 2000):
> When a process tries to access a securable object,
> the system steps through the ACEs in the object's DACL
> until it finds ACEs that allow or deny the requested access.
> The access rights that a DACL allows a user could vary depending
> on the order of ACEs in the DACL.
That is very interesting, because unless my memory is very faulty:
Windows NT does not allow you to specify the order of the ACEs in a DACL
from any GUI or command line utility.
It always seems to present them as a sorted list.
-John
wb8tyw at qsl.net
More information about the samba-technical
mailing list