Luke Kenneth Casson Leighton lkcl at
Thu Feb 24 03:26:29 GMT 2000

hmmmm.... seems like some tests would be in order (create a series of SDs,
test access perms.  the registry would do.  i have working reggetsec and
regsetsec commands in regedit / rpcclient)

 On Thu, 24 Feb 2000, Bob Mastors wrote:

> > AFAIK:
> > 
> > No, for actual access-checking, _all_ ACEs are checked.
> > 
> > If you have this:
> > ALLOW all
> > DENY  all
> > you end up effectively with
> > DENY  all
> > 
> > the order isn't important and there is no "short-circuit".
> This does not appear to be a true statement for NT.
> >From the MSDN Library (Jan 2000):
>     When a process tries to access a securable object, 
>     the system steps through the ACEs in the object's DACL 
>     until it finds ACEs that allow or deny the requested access. 
>     The access rights that a DACL allows a user could vary depending 
>     on the order of ACEs in the DACL. 
> > 
> > I don't know about the MAXIMUM_ALLOWED thing.
> I don't either.
> Bob

<a href=" mailto:lkcl at" > Luke Kenneth Casson Leighton    </a>
<a href=""  > Samba and Network Development   </a>
<a href=""      > Samba Web site                  </a>
<a href=""    > Internet Security Systems, Inc. </a>
<a href=""        > Macmillan Technical Publishing  </a>
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

More information about the samba-technical mailing list