The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Richard Sharpe realrichardsharpe at
Sun Mar 4 17:30:50 MST 2012


What would it mean if there was a deny ACE in an ACL on a file that
denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?

That is, what does Windows do?

The next question is: Is the code that handles DENY entries in
se_access_check in the Samba master branch correct? It does:

        bits_remaining |= explicitly_denied_bits;

        if (bits_remaining != 0) {
                *access_granted = bits_remaining;
                return NT_STATUS_ACCESS_DENIED;
        }

This code would seem to override privileges, and I am not sure that
that is the intent, especially given that Microsoft introduced Owner
Rights in Server 2008.

Richard Sharpe
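
An added example, not part of the original post and not Samba or Windows code: a toy C model of an ordered DACL walk that ends in the quoted `bits_remaining |= explicitly_denied_bits` step, run on the subject-line case. The post shows only the final lines, so how deny bits are collected is an assumption, exposed here as the `deny_sees_pregranted` flag; the SID constant, struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#define FILE_READ_DATA 0x00000001u
#define READ_CONTROL   0x00020000u
#define WRITE_DAC      0x00040000u
#define SID_ADMINS     1   /* toy stand-in for BUILTIN\Administrators */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; int sid; uint32_t mask; };

/* Toy model. pre_granted = bits the caller holds outside the DACL (owner
 * rights or a privilege). Assumption under test: deny_sees_pregranted != 0
 * lets a DENY ACE record bits already pre-granted. Returns refused bits. */
static uint32_t model_check(const struct ace *dacl, size_t n, int token_sid,
    uint32_t desired, uint32_t pre_granted, int deny_sees_pregranted)
{
    uint32_t bits_remaining = desired & ~pre_granted;
    uint32_t explicitly_denied_bits = 0;
    for (size_t i = 0; i < n; i++) {
        if (dacl[i].sid != token_sid)
            continue;
        if (dacl[i].type == ACE_ALLOW) {
            bits_remaining &= ~dacl[i].mask;
        } else {
            uint32_t scope = deny_sees_pregranted ? desired : bits_remaining;
            explicitly_denied_bits |= scope & dacl[i].mask;
        }
    }
    bits_remaining |= explicitly_denied_bits;   /* step quoted in the post */
    return bits_remaining;                      /* 0 means access granted */
}

/* Constructed subject-line case: DENY Administrators WRITE_DAC|READ_CONTROL. */
static uint32_t subject_line_case(uint32_t pre, int flag)
{
    const struct ace dacl[] = {
        { ACE_DENY,  SID_ADMINS, WRITE_DAC | READ_CONTROL },
        { ACE_ALLOW, SID_ADMINS, FILE_READ_DATA },
    };
    return model_check(dacl, 2, SID_ADMINS, WRITE_DAC | FILE_READ_DATA, pre, flag);
}

int main(void)
{
    uint32_t pre = WRITE_DAC | READ_CONTROL;
    printf("refused: %#x vs %#x\n", (unsigned)subject_line_case(pre, 1),
           (unsigned)subject_line_case(pre, 0));
    return 0;
}
```

With nothing pre-granted, both variants of the model refuse WRITE_DAC; they differ only when the caller already holds the denied bits through ownership or a privilege.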
