Does any MS document clarify the behavior when a parent allows DELETE CHILD on an object but the object has a DENY DELETE
Uri Simchoni
uri at samba.org
Wed Jun 15 19:02:37 UTC 2016
On 06/15/2016 09:29 PM, Richard Sharpe wrote:
> Hi folks,
>
> A quick look at MS-DTYP does not clarify this question for me.
>
> What is the actual behavior when you have a directory, D, with an
> object O in it, and the DACL on D allows DETELE_CHILD for user U but O
> has a DENY DELETE ACE for user U in its DACL?
>
MS-FSA 2.1.5.1.2.1 details this. My interpretation (haven't tested
against a Windows machine) is that delete is granted if either the
file's DACL grants DELETE or the parent grants DELETE_CHILD (by "grants"
I mean "allows and not denies"), i.e. that it will be allowed.
Uri.
More information about the samba-technical
mailing list