Microsoft KB Archive/303449

= BUG: GetEffectiveRightsFromAcl Does Not Return Standard Access Mask Correctly on Windows SP2 =

Article ID: 303449

Article Last Modified on 11/21/2006


APPLIES TO


 * Microsoft Win32 Application Programming Interface, when used with:
   * Microsoft Windows 2000 Service Pack 2




This article was previously published under Q303449



SYMPTOMS
On Windows 2000 Service Pack 2 (SP2), for a given discretionary access-control list (DACL), the GetEffectiveRightsFromAcl function does not return the standard access mask correctly. For example, an attempt to retrieve the effective rights of any trustee that has "full control" access in a DACL of a file or folder will return an access mask of "F80001FF" instead of "1F01FF".

For any trustee with any access, the standard access mask will not be returned correctly in Windows 2000 SP2. However, this API works correctly in Windows 2000 and Windows 2000 with SP1.
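The two masks quoted above can be compared field by field. The following portable C is an added example, not code from the original article: it splits an access mask into its bit fields and flags a value like F80001FF before it is used in an access decision. The AM_* names and the helper functions are hypothetical, and treating generic or unassigned bits as suspect is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* ACCESS_MASK bit fields. The AM_* names are made up for this example;
   the values follow the ACCESS_MASK layout in winnt.h. */
#define AM_SPECIFIC 0x0000FFFFu /* bits 0-15: object-specific rights */
#define AM_STANDARD 0x001F0000u /* bits 16-20: DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE */
#define AM_GENERIC  0xF0000000u /* bits 28-31: GENERIC_ALL, _EXECUTE, _WRITE, _READ */
#define AM_RESERVED 0x0CE00000u /* bits 21-23 and 26-27: no right defined */

typedef struct {
    uint32_t specific, standard, generic, reserved;
} mask_fields;

/* Split a 32-bit access mask into its fields. */
mask_fields split_mask(uint32_t mask)
{
    mask_fields f;
    f.specific = mask & AM_SPECIFIC;
    f.standard = mask & AM_STANDARD;
    f.generic  = mask & AM_GENERIC;
    f.reserved = mask & AM_RESERVED;
    return f;
}

/* Assumption of this example: a usable effective-rights result is fully
   mapped, like the 1F01FF the article expects, so generic or undefined
   bits mark the value as one that must not feed an access decision. */
int mask_is_suspect(uint32_t mask)
{
    return (mask & (AM_GENERIC | AM_RESERVED)) != 0;
}

/* Standard rights present in `expected` but absent from `observed`. */
uint32_t missing_standard(uint32_t observed, uint32_t expected)
{
    return (expected & ~observed) & AM_STANDARD;
}

int main(void)
{
    const uint32_t observed = 0xF80001FFu; /* value the article reports on SP2 */
    const uint32_t expected = 0x001F01FFu; /* value the article says is correct */
    mask_fields f = split_mask(observed);
    printf("specific=%08X standard=%08X generic=%08X reserved=%08X\n",
           (unsigned)f.specific, (unsigned)f.standard,
           (unsigned)f.generic, (unsigned)f.reserved);
    printf("suspect=%d missing standard rights=%08X\n",
           mask_is_suspect(observed),
           (unsigned)missing_standard(observed, expected));
    return 0;
}
```

For the SP2 value, the object-specific rights (1FF) are intact, the standard-rights field is empty, and the four generic bits plus bit 27 are set.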



RESOLUTION
Without the GetEffectiveRightsFromAcl function, there is no good way to enumerate a user's access rights for a particular object. However, if you just want to determine whether a user has access to an object and you have the user's access token, you can use the AccessCheck function.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
The GetEffectiveRightsFromAcl function cannot reliably report access rights to a secured object, and this API should be used only in highly controlled environments, as explained in the following Microsoft Knowledge Base article:

262278 Limitations of the GetEffectiveRightsFromAcl API

