ACL / SDs
Bob Mastors
bob.mastors at crosstor.com
Wed Feb 23 20:33:05 GMT 2000
> AFAIK:
>
> No, for actual access-checking, _all_ ACEs are checked.
>
> If you have this:
> ALLOW all
> DENY all
> you end up effectively with
> DENY all
>
> the order isn't important and there is no "short-circuit".
This does not appear to be a true statement for NT.
From the MSDN Library (Jan 2000):
When a process tries to access a securable object,
the system steps through the ACEs in the object's DACL
until it finds ACEs that allow or deny the requested access.
The access rights that a DACL allows a user could vary depending
on the order of ACEs in the DACL.
>
> I don't know about the MAXIMUM_ALLOWED thing.
I don't either.
Bob
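
Added example (not part of the message above, and not NT or Samba code): a simplified Python model of the ordered DACL walk that the quoted MSDN passage describes, run over the ALLOW all / DENY all pair from the thread. The `Ace` class, the right bits and the SID names are constructed for illustration, and the model ignores inheritance and MAXIMUM_ALLOWED.

```python
# Simplified model of an ordered DACL walk (illustrative assumption, not NT code).
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2   # constructed access-right bits for the example

@dataclass(frozen=True)
class Ace:
    kind: str   # "ALLOW" or "DENY"
    sid: str    # trustee the ACE applies to
    mask: int   # access rights covered by this ACE

def access_check(dacl, token_sids, desired):
    """Walk ACEs in order and stop as soon as the request is decided."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                  # ACE is for some other trustee
        if ace.kind == "DENY":
            if ace.mask & remaining:
                return False          # a still-needed right is denied
        else:
            remaining &= ~ace.mask    # these rights are now granted
            if remaining == 0:
                return True           # everything requested is granted
    return False                      # rights never granted are implicitly denied

def canonical_order(dacl):
    """Move DENY ACEs ahead of ALLOW ACEs (stable sort; inheritance ignored)."""
    return sorted(dacl, key=lambda ace: ace.kind != "DENY")

TOKEN = {"Everyone", "bob"}           # constructed token SIDs
ALLOW_ALL = Ace("ALLOW", "Everyone", READ | WRITE)
DENY_ALL = Ace("DENY", "Everyone", READ | WRITE)

if __name__ == "__main__":
    for dacl in ([ALLOW_ALL, DENY_ALL], [DENY_ALL, ALLOW_ALL]):
        order = ", ".join(a.kind for a in dacl)
        print(f"{order}: READ granted = {access_check(dacl, TOKEN, READ)}")
```

In this model the ALLOW-first DACL grants the request before the DENY ACE is ever reached, which is why a DACL meant to deny needs its DENY ACEs placed first.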