Microsoft KB Archive/303449



BUG: GetEffectiveRightsFromAcl() Does Not Return Standard Access Mask Correctly on Windows SP2

Article ID: 303449

Article Last Modified on 11/21/2006



APPLIES TO

  • Microsoft Win32 Application Programming Interface, when used with:
    • Microsoft Windows 2000 Service Pack 2



This article was previously published under Q303449

SYMPTOMS

On Windows 2000 Service Pack 2 (SP2), for a given discretionary access-control list (DACL), the GetEffectiveRightsFromAcl() function does not return the standard access mask correctly. For example, an attempt to retrieve the effective rights of any trustee that has "full control" access in a DACL of a file or folder will return an access mask of "F80001FF" instead of "1F01FF".

For any trustee with any access, the standard access mask will not be returned correctly in Windows 2000 SP2. However, this API works correctly in Windows 2000 and Windows 2000 with SP1.
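Added example (not part of the original article and not Microsoft code): portable C that splits the two masks quoted above into their ACCESS_MASK fields to show which rights the SP2 value loses. The constants mirror winnt.h; `split_mask`, `missing_standard` and `mask_is_suspect` are hypothetical helpers, and the suspect-mask heuristic is an assumption drawn from the article's single example.

```c
#include <stdint.h>
#include <stdio.h>

/* ACCESS_MASK layout, values as in winnt.h (redefined so this builds anywhere). */
#define SPECIFIC_RIGHTS_MASK 0x0000FFFFu /* bits 0-15, object-specific rights */
#define STANDARD_RIGHTS_MASK 0x001F0000u /* STANDARD_RIGHTS_ALL, bits 16-20 */
#define RESERVED_BITS_MASK   0x0C000000u /* bits 26-27, reserved */
#define GENERIC_RIGHTS_MASK  0xF0000000u /* GENERIC_ALL/EXECUTE/WRITE/READ */

struct mask_fields { uint32_t specific, standard, reserved, generic; };

/* Hypothetical helper: split an access mask into its fields. */
static struct mask_fields split_mask(uint32_t m) {
    struct mask_fields f = { m & SPECIFIC_RIGHTS_MASK, m & STANDARD_RIGHTS_MASK,
                             m & RESERVED_BITS_MASK,   m & GENERIC_RIGHTS_MASK };
    return f;
}

/* Hypothetical helper: standard rights set in `expected` but absent from `got`. */
static uint32_t missing_standard(uint32_t got, uint32_t expected) {
    return expected & ~got & STANDARD_RIGHTS_MASK;
}

/* Assumed heuristic (not from the article): flag a mask that sets a reserved
 * bit, or that carries generic bits while its standard-rights field is empty. */
static int mask_is_suspect(uint32_t m) {
    struct mask_fields f = split_mask(m);
    return f.reserved != 0 || (f.standard == 0 && f.generic != 0);
}

int main(void) {
    static const struct { uint32_t bit; const char *name; } std_rights[] = {
        { 0x00010000u, "DELETE" },    { 0x00020000u, "READ_CONTROL" },
        { 0x00040000u, "WRITE_DAC" }, { 0x00080000u, "WRITE_OWNER" },
        { 0x00100000u, "SYNCHRONIZE" } };
    const uint32_t expected = 0x001F01FFu; /* "full control" value from the article */
    const uint32_t returned = 0xF80001FFu; /* value the article reports on SP2 */
    struct mask_fields f = split_mask(returned);
    uint32_t miss = missing_standard(returned, expected);
    size_t i;

    printf("specific=%08X standard=%08X reserved=%08X generic=%08X\n",
           (unsigned)f.specific, (unsigned)f.standard,
           (unsigned)f.reserved, (unsigned)f.generic);
    for (i = 0; i < sizeof std_rights / sizeof std_rights[0]; i++)
        if (miss & std_rights[i].bit) printf("missing: %s\n", std_rights[i].name);
    printf("suspect: %d\n", mask_is_suspect(returned));
    return 0;
}
```

In the article's example the specific rights (0x1FF) survive intact, all five standard rights are absent, and the same five-bit pattern appears in bits 27-31 instead.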

RESOLUTION

Without the GetEffectiveRightsFromAcl() function, there is no good way to enumerate a user's access rights for a particular object. However, if you just want to determine whether a user has access to an object and you have the user's access token, you can use the AccessCheck() function.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The GetEffectiveRightsFromAcl() function cannot reliably report access rights to a secured object, and this API should be used only in highly controlled environments, as explained in the following Microsoft Knowledge Base article:

262278 Limitations of the GetEffectiveRightsFromAcl API


REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

171273 HOWTO: Program a Secure Server on Microsoft Windows NT


Keywords: kbacl kbapi kbbug kbkernbase kbnofix kbsecurity KB303449