The meaning of a DENY ACE for BUILTIN\Administrators against WRITE_DAC | READ_CONTROL

Richard Sharpe realrichardsharpe at gmail.com
Sun Mar 4 17:38:38 MST 2012


2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> Hi,
>
> What would it mean if there was a deny ACE in an ACL on a file that
> denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?

Hmmm, what I really meant was DENY WRITE OWNER ...

> That is, what does Windows do?
>
> The next question is: Is the code that handles DENY entries in
> se_access_check in the Samba master branch correct? It does:
>
>        bits_remaining |= explicitly_denied_bits;
>
> done:
>        if (bits_remaining != 0) {
>                *access_granted = bits_remaining;
>                return NT_STATUS_ACCESS_DENIED;
>        }
>
> This code would seem to override privileges, and I am not sure that
> that is the intent, especially given that Microsoft introduced Owner
> Rights in Server 2008.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
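
The ordering question raised above, as an added example that is not part of the original mail and is not Samba's code: a toy access check in which the only difference between the two modes is whether `bits_remaining |= explicitly_denied_bits` runs after or before a privilege is credited. The integer SID, the `has_take_ownership` flag, `model_check` and the point at which the privilege is applied are all assumptions made for illustration; the example does not say which ordering Windows or Samba uses.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard access-right bit values. */
#define READ_CONTROL 0x00020000u
#define WRITE_DAC    0x00040000u
#define WRITE_OWNER  0x00080000u
#define SID_ADMINS   544u /* constructed integer stand-in for BUILTIN\Administrators */

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; uint32_t sid; uint32_t mask; };

/* Hypothetical model. Returns the bits left ungranted; 0 means access allowed.
 * deny_last != 0: denied bits are ORed back as the final step (quoted fragment).
 * deny_last == 0: the privilege is credited after the denied bits are ORed back. */
uint32_t model_check(const struct ace *acl, size_t n, uint32_t sid,
                     int has_take_ownership, uint32_t desired, int deny_last)
{
    uint32_t remaining = desired, denied = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].sid != sid)
            continue;
        if (acl[i].type == ACE_ALLOW)
            remaining &= ~acl[i].mask;
        else
            denied |= remaining & acl[i].mask; /* only bits not yet allowed */
    }
    if (deny_last) {
        if (has_take_ownership)
            remaining &= ~WRITE_OWNER; /* assumed privilege credit */
        remaining |= denied;           /* the line quoted in the mail */
    } else {
        remaining |= denied;
        if (has_take_ownership)
            remaining &= ~WRITE_OWNER; /* privilege has the last word */
    }
    return remaining;
}

/* Constructed ACL: DENY WRITE_OWNER first, then ALLOW all three rights. */
static const struct ace sample_acl[] = {
    { ACE_DENY,  SID_ADMINS, WRITE_OWNER },
    { ACE_ALLOW, SID_ADMINS, WRITE_OWNER | WRITE_DAC | READ_CONTROL },
};

int main(void)
{
    return model_check(sample_acl, 2, SID_ADMINS, 1, WRITE_OWNER, 1) == WRITE_OWNER ? 0 : 1;
}
```

With the denied bits ORed in last, the privileged caller is still refused WRITE_OWNER; with the privilege credited last, the same request succeeds.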

