The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

[Richard Sharpe]

Hi,

What would it mean if there was a deny ACE in an ACL on a file that
denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?

That is, what does Windows do?

The next question is: Is the code that handles DENY entries in
se_access_check in the Samba master branch correct? It does:

        bits_remaining |= explicitly_denied_bits;

done:
        if (bits_remaining != 0) {
                *access_granted = bits_remaining;
                return NT_STATUS_ACCESS_DENIED;
        }

This code would seem to override privileges, and I am not sure that
that is the intent, especially given that Microsoft introduced Owner
Rights in Server 2008.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)