Elrond Elrond at
Thu Feb 24 20:18:03 GMT 2000

On Thu, Feb 24, 2000 at 10:25:27PM +1100, John E. Malmberg wrote:
> Bob Mastors <bob.mastors at> wrote:
> > > AFAIK:
> > >
> > > No, for actual access-checking, _all_ ACEs are checked.
> > >
> > > If you have this:
> > > ALLOW all
> > > DENY  all
> > > you end up effectively with
> > > DENY  all
> > >
> > > the order isn't important and there is no "short-circuit".
> > This does not appear to be a true statement for NT.
> > >From the MSDN Library (Jan 2000):
> >     When a process tries to access a securable object,
> >     the system steps through the ACEs in the object's DACL
> >     until it finds ACEs that allow or deny the requested access.
> >     The access rights that a DACL allows a user could vary depending
> >     on the order of ACEs in the DACL.
> That is very interesting, because unless my memory is very faulty:
> Windows NT does not allow you to specify the order of the ACEs in a DACL
> from any GUI or command line utility.


> It always seems to present them as a sorted list.

Yes and no. The gui-tools mostly sort them. cacls shows
them in the right order.

So it realy looks like, we need testing here... Luke
already said so in another mail.
I tried to test this with cacls on the commandline... but:
*arg* It always appended normal ACEs, and always prepended
those "DENY all"-ACEs... So I couldn't generate the
interesting case.

Off Topic: Does anyone know free nice tools to show and
change SDs unter NT? One that can even handle the order
would be interesting.

BTW: How is that all on VMS? (They keep telling, it's
derived from VMS.) I'm only a bit curious, so you don't
need to get into details, some two/three general lines
would be great.

> -John
> wb8tyw at


More information about the samba-technical mailing list