ACL / SDs
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Feb 24 03:26:29 GMT 2000
hmmmm.... seems like some tests would be in order (create a series of SDs,
test access perms. the registry would do. i have working reggetsec and
regsetsec commands in regedit / rpcclient)
On Thu, 24 Feb 2000, Bob Mastors wrote:
> > AFAIK:
> >
> > No, for actual access-checking, _all_ ACEs are checked.
> >
> > If you have this:
> > ALLOW all
> > DENY all
> > you end up effectively with
> > DENY all
> >
> > the order isn't important and there is no "short-circuit".
> This does not appear to be a true statement for NT.
> >From the MSDN Library (Jan 2000):
> When a process tries to access a securable object,
> the system steps through the ACEs in the object's DACL
> until it finds ACEs that allow or deny the requested access.
> The access rights that a DACL allows a user could vary depending
> on the order of ACEs in the DACL.
>
> >
> > I don't know about the MAXIMUM_ALLOWED thing.
> I don't either.
>
> Bob
>
<a href=" mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton </a>
<a href=" http://cb1.com/~lkcl" > Samba and Network Development </a>
<a href=" http://samba.org" > Samba Web site </a>
<a href=" http://www.iss.net" > Internet Security Systems, Inc. </a>
<a href=" http://mcp.com" > Macmillan Technical Publishing </a>
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
More information about the samba-technical
mailing list