Microsoft KB Archive/230252

FIX: GetNamedSecurityInfo and INHERIT_ONLY_ACE AceFlags

Q230252


The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), included with:
   * Microsoft Windows NT Server version 4.0 SP4
   * Microsoft Windows NT Workstation version 4.0 SP4


SYMPTOMS
On Microsoft Windows NT 4.0, Service Pack 4 (SP4), when GetNamedSecurityInfo is called to obtain a folder's discretionary access-control list (DACL), the API returns only one Access Control Entry (ACE) for a trustee. This ACE has the INHERIT_ONLY_ACE bit set in the AceFlags member of the ACE header.

STATUS
A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4.0 service pack that contains this fix. The fix for the GetNamedSecurityInfo API is included along with the GetEffectiveRightsFromAcl fix, as explained in the Knowledge Base article below.

For additional information about how to obtain this fix, please see the following article in the Microsoft Knowledge Base:

"Q215367 GetEffectiveRightsFromAcl Returns Incorrect Access Mask Value"

MORE INFORMATION
GetNamedSecurityInfo compresses the ACEs in a DACL based on the same trustee and access mask. The ACE is compressed only in the DACL that is returned to the application and not in the DACL associated with the container object.

On Service Pack 4, GetNamedSecurityInfo compresses both the inheritance and primary object ACEs based on the same trustee and the access mask without turning off the INHERIT_ONLY_ACE bit. This incorrectly indicates to an application that there are no ACEs corresponding to the primary container object. This occurs only for folder container objects. An application can either use the fix as indicated above, or work around this problem by using the low-level access control functions: GetFileSecurity or GetKernelObjectSecurity, together with GetSecurityDescriptorDacl.
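
The compression described above, as a simplified portable model in C (an added example, not Microsoft's code and not part of the original article). It shows why leaving INHERIT_ONLY_ACE set on the merged ACE makes the trustee appear to have no access to the folder itself. The `Ace` struct, the integer trustee id, the helper names, the sample DACL and the merge rule are assumptions made for illustration; only the AceFlags bit values are the real winnt.h constants.

```c
#include <stdio.h>
#include <stddef.h>

/* AceFlags bits, values as defined in winnt.h */
#define OBJECT_INHERIT_ACE    0x1
#define CONTAINER_INHERIT_ACE 0x2
#define INHERIT_ONLY_ACE      0x8

/* Simplified ACE: trustee is a constructed integer id, not a real SID. */
typedef struct { int trustee; unsigned mask; unsigned char flags; } Ace;

/* Merge ACEs that share trustee and mask, in place; returns the new count.
   keep_inherit_only=1 models the SP4 symptom, 0 models the expected result. */
size_t compress_aces(Ace *a, size_t n, int keep_inherit_only) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < out; j++)
            if (a[j].trustee == a[i].trustee && a[j].mask == a[i].mask) break;
        if (j == out) { a[out++] = a[i]; continue; }
        unsigned char merged = a[j].flags | a[i].flags;
        /* The merged ACE covers the folder itself if either source ACE did. */
        int both_io = (a[j].flags & INHERIT_ONLY_ACE) && (a[i].flags & INHERIT_ONLY_ACE);
        if (!both_io && !keep_inherit_only) merged &= (unsigned char)~INHERIT_ONLY_ACE;
        a[j].flags = merged;
    }
    return out;
}

/* Returns 1 if some ACE for the trustee applies to the folder itself. */
int applies_to_object(const Ace *a, size_t n, int trustee) {
    for (size_t i = 0; i < n; i++)
        if (a[i].trustee == trustee && !(a[i].flags & INHERIT_ONLY_ACE)) return 1;
    return 0;
}

int main(void) {
    /* Constructed folder DACL: one ACE for the folder, one inherit-only ACE for children. */
    Ace sp4[] = {{1001, 0x1200A9, 0}, {1001, 0x1200A9, 0x1 | 0x2 | 0x8}};
    Ace ok[]  = {{1001, 0x1200A9, 0}, {1001, 0x1200A9, 0x1 | 0x2 | 0x8}};
    size_t n1 = compress_aces(sp4, 2, 1);
    size_t n2 = compress_aces(ok, 2, 0);
    printf("SP4 model: %zu ACE, flags %#x, applies to folder: %d\n", n1, (unsigned)sp4[0].flags, applies_to_object(sp4, n1, 1001));
    printf("expected:  %zu ACE, flags %#x, applies to folder: %d\n", n2, (unsigned)ok[0].flags, applies_to_object(ok, n2, 1001));
    return 0;
}
```

An application that finds only inherit-only ACEs for a trustee in the DACL returned by GetNamedSecurityInfo on an affected system can cross-check against the DACL read through the low-level functions named above.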