Re[2]: Add an access denied ace

> way that’s not understandable to the user or software. For instance
> if conflicting ACEs are present which both grant and deny access to
> a particular SID for a particular action, the access denied ACE will
> win and have the last word.

IIRC this is not true. For optimization reasons, when Windows
parses the ACE list, then the first entry containing the required
access bit wins, be it allowed or denied. That’s why denied ACEs
need to be placed before allowed ACEs.

L.

Sorry about that, looking this up it appears that you are right. The last time I went into this was in the time of NT4. "For Windows
NT versions 4.0 and earlier, the preferred order of ACEs is simple. In a DACL, all access-denied ACEs should precede any
access-allowed ACEs. For Windows 2000 or later, the proper order of ACEs is more complicated because of the introduction of
object-specific ACEs and automatic inheritance."

(from http://support.microsoft.com/default.aspx/kb/102102 )

//Daniel

“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
>IIRC this is not true. For optimization reasons, when Windows
>parses the ACE list, then the first entry containing the required
>access bit wins, be it allowed or denied. That’s why denied ACEs
>need to be placed before allowed ACEs.
>
>L.
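
An added example, not part of the original thread: a simplified C model of the in-order DACL walk discussed above, showing the same two ACEs producing opposite results depending on their order. The SID values, right bits and all names are constructed for illustration; inheritance, object-specific ACEs, owner rights and privileges are left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model: one SID per ACE, explicit ACEs only (assumption). */
typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; int sid; uint32_t mask; } ace;

#define RIGHT_READ  0x1u   /* constructed right bits, not real access masks */
#define RIGHT_WRITE 0x2u
enum { SID_USER = 1001, SID_GROUP = 2001 };   /* constructed SIDs */

static const int TOKEN[] = { SID_USER, SID_GROUP };

/* Same two ACEs, stored in the two possible orders. */
static const ace DENY_FIRST[] = {
    { ACE_DENY,  SID_USER,  RIGHT_WRITE },
    { ACE_ALLOW, SID_GROUP, RIGHT_READ | RIGHT_WRITE },
};
static const ace ALLOW_FIRST[] = {
    { ACE_ALLOW, SID_GROUP, RIGHT_READ | RIGHT_WRITE },
    { ACE_DENY,  SID_USER,  RIGHT_WRITE },
};

static int sid_in_token(int sid, const int *token, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (token[i] == sid) return 1;
    return 0;
}

/* Walk the DACL in stored order. Returns 1 if every requested bit is
   granted before a matching deny ACE is reached, otherwise 0. */
int access_check(const ace *dacl, size_t n_aces,
                 const int *token, size_t n_sids, uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < n_aces && remaining; i++) {
        if (!sid_in_token(dacl[i].sid, token, n_sids)) continue;
        if (dacl[i].type == ACE_DENY) {
            if (dacl[i].mask & remaining) return 0; /* denies a needed bit */
        } else {
            remaining &= ~dacl[i].mask;             /* these bits are granted */
        }
    }
    return remaining == 0;  /* bits never granted are implicitly denied */
}

int main(void) {
    printf("deny first,  write: %d\n", access_check(DENY_FIRST, 2, TOKEN, 2, RIGHT_WRITE));
    printf("allow first, write: %d\n", access_check(ALLOW_FIRST, 2, TOKEN, 2, RIGHT_WRITE));
    return 0;
}
```

With the allow ACE stored first, the walk stops as soon as all requested bits are granted, so the later deny ACE is never evaluated.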