Does any MS document clarify the behavior when a parent allows DELETE CHILD on an object but the object has a DENY DELETE

Richard Sharpe realrichardsharpe at
Wed Jun 15 19:17:08 UTC 2016

On Wed, Jun 15, 2016 at 12:02 PM, Uri Simchoni <uri at> wrote:
> On 06/15/2016 09:29 PM, Richard Sharpe wrote:
>> Hi folks,
>> A quick look at MS-DTYP does not clarify this question for me.
>> What is the actual behavior when you have a directory, D, with an
>> object O in it, and the DACL on D allows DETELE_CHILD for user U but O
>> has a DENY DELETE ACE for user U in its DACL?
> MS-FSA details this. My interpretation (haven't tested
> against a Windows machine) is that delete is granted if either the
> file's DACL grants DELETE or the parent grants DELETE_CHILD (by "grants"
> I mean "allows and not denies"), i.e. that it will be allowed.

Thanks. I guess I should have looked at MS-FSA.

This appears to be the sentence:

If (Open.RemainingDesiredAccess.MAXIMUM_ALLOWED ||
Open.RemainingDesiredAccess.DELETE), the object store MUST set
Open.GrantedAccess.DELETE if AccessCheck(SecurityContext,
Open.Link.ParentFile.SecurityDescriptor, FILE_DELETE_CHILD) returns

Richard Sharpe

More information about the samba-technical mailing list