The Subinacl Utility Arranges Access Control Entries Incorrectly (296865)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q296865
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

After you grant new access rights to a folder by using the Subinacl.exe utility and you view the Security permission, you may receive the following error message:
The permissions on xxxx are incorrectly ordered, which may cause some entries to be ineffective. Click OK to continue and sort the permission correctly, or press CANCEL to reset the permissions.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

For example, you can run the subinacl /subkeyreg command to grant permission on the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Alerter /grant=everyone=F

When you view the Security permission on the Alerter service, you may receive the following error message:
The permissions on Alerter are incorrectly ordered, which may cause some entries to be ineffective. Click OK to continue and sort the permission correctly, or press CANCEL to reset the permissions.

CAUSE

This problem can occur because Windows 2000 has introduced a new inheritance model in which directly applied access control entries (ACEs) have precedence over inherited ACEs. The computer implements this precedence by placing directly applied ACEs ahead of inherited ACEs in a discretionary access control list (DACL). Earlier versions of Microsoft Windows NT did not distinguish between inherited and directly applied ACEs.

When you use Subinacl to grant full permission, the ACE is put at the end of the access control list (ACL). Because the ACE is directly applied, it must be placed ahead of the inherited ACEs, so you can receive the error message when you view the permission in Registry Editor. Subinacl does not arrange the ACEs properly.
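
The ordering rule described above can be checked mechanically. The following Python sketch is an added example, not part of the original article or of Subinacl: it reads a DACL in SDDL form, finds the first directly applied ACE stored after an inherited one, and rebuilds the list with directly applied ACEs first. The sample SDDL string and the function names are constructed for illustration.

```python
import re

# Constructed sample: two inherited ACEs (flag ID) followed by an explicit
# Everyone (WD) full-control ACE appended at the end of the DACL.
SAMPLE_SDDL = "D:AI(A;CIID;KA;;;BA)(A;CIID;KR;;;BU)(A;;KA;;;WD)"

def parse_dacl(sddl):
    """Return the DACL's ACEs in stored order (conditional ACEs not handled)."""
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        # ace_flags is a run of two-letter codes; ID marks an inherited ACE.
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        aces.append({"text": "(%s)" % body, "trustee": fields[5],
                     "inherited": "ID" in flags})
    return aces

def first_misordered(aces):
    """Index of the first directly applied ACE stored after an inherited ACE."""
    seen_inherited = False
    for i, ace in enumerate(aces):
        if ace["inherited"]:
            seen_inherited = True
        elif seen_inherited:
            return i
    return None

def reorder(aces):
    """Stable reorder: directly applied ACEs first, then inherited ACEs."""
    return ([a for a in aces if not a["inherited"]] +
            [a for a in aces if a["inherited"]])

if __name__ == "__main__":
    dacl = parse_dacl(SAMPLE_SDDL)
    bad = first_misordered(dacl)
    if bad is not None:
        print("misordered ACE at position", bad, dacl[bad]["text"])
    print("corrected order:", "".join(a["text"] for a in reorder(dacl)))
```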

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords:kbACL kberrmsg kbprb KB296865