BUG: GetEffectiveRightsFromAcl() Does Not Return Standard Access Mask Correctly on Windows SP2 (303449)



The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows 2000 SP2

This article was previously published under Q303449

SYMPTOMS

On Windows 2000 Service Pack 2 (SP2), for a given discretionary access-control list (DACL), the GetEffectiveRightsFromAcl() function does not return the standard access mask correctly. For example, an attempt to retrieve the effective rights of any trustee that has "full control" access in a DACL of a file or folder will return an access mask of "F80001FF" instead of "1F01FF".

For any trustee with any access, the standard access mask will not be returned correctly in Windows 2000 SP2. However, this API works correctly in Windows 2000 and Windows 2000 with SP1.
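The two masks quoted above, decoded field by field. This is an added example, not code from the article or from Microsoft. The bit values are those defined in winnt.h, while the AM_ names and the looks_like_sp2_symptom() heuristic are assumptions of this example, the heuristic being drawn only from the single "F80001FF" value the article quotes.

```c
#include <stdint.h>
#include <stdio.h>

/* ACCESS_MASK bit ranges. Values match winnt.h; the AM_ names are this
   example's own so it builds without the Windows SDK. */
#define AM_SPECIFIC  0x0000FFFFu  /* object-specific rights, bits 0-15 */
#define AM_STANDARD  0x001F0000u  /* STANDARD_RIGHTS_ALL, bits 16-20   */
#define AM_RESERVED  0x0C000000u  /* bits 26-27, not assigned          */

static const struct { uint32_t bit; const char *name; } am_names[] = {
    {0x00010000u, "DELETE"},      {0x00020000u, "READ_CONTROL"},
    {0x00040000u, "WRITE_DAC"},   {0x00080000u, "WRITE_OWNER"},
    {0x00100000u, "SYNCHRONIZE"}, {0x10000000u, "GENERIC_ALL"},
    {0x20000000u, "GENERIC_EXECUTE"}, {0x40000000u, "GENERIC_WRITE"},
    {0x80000000u, "GENERIC_READ"},
};

/* Standard rights set in `expected` but absent from `observed`. */
uint32_t missing_standard_rights(uint32_t expected, uint32_t observed) {
    return expected & ~observed & AM_STANDARD;
}

/* 1 if the mask sets bits that ACCESS_MASK leaves unassigned. */
int has_reserved_bits(uint32_t mask) { return (mask & AM_RESERVED) != 0; }

/* Heuristic, derived only from the single value quoted in the article:
   reserved bits set and no standard rights at all. */
int looks_like_sp2_symptom(uint32_t mask) {
    return has_reserved_bits(mask) && (mask & AM_STANDARD) == 0;
}

void print_mask(const char *label, uint32_t mask) {
    printf("%-9s 0x%08X specific=0x%04X", label, (unsigned)mask,
           (unsigned)(mask & AM_SPECIFIC));
    for (size_t i = 0; i < sizeof am_names / sizeof am_names[0]; i++)
        if (mask & am_names[i].bit) printf(" %s", am_names[i].name);
    printf("%s\n", has_reserved_bits(mask) ? " [reserved bit set]" : "");
}

int main(void) {
    const uint32_t expected = 0x001F01FFu, observed = 0xF80001FFu;
    print_mask("expected", expected);
    print_mask("observed", observed);
    printf("missing standard rights: 0x%08X\n",
           (unsigned)missing_standard_rights(expected, observed));
    printf("matches SP2 symptom: %d\n", looks_like_sp2_symptom(observed));
    return 0;
}
```

The object-specific bits (0x01FF) are identical in both masks; the difference is confined to the upper half, where all five standard rights are missing and bits 27 through 31 are set instead.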

RESOLUTION

Without the GetEffectiveRightsFromAcl() function, there is no good way to enumerate a user's access rights for a particular object. However, if you just want to determine whether a user has access to an object and you have the user's access token, you can use the AccessCheck() function.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

The GetEffectiveRightsFromAcl() function cannot reliably report access rights to a secured object, and this API should be used only in highly controlled environments, as explained in the following Microsoft Knowledge Base article:

262278 Limitations of the GetEffectiveRightsFromAcl API

REFERENCES

For additional information, see the following article in the Microsoft Knowledge Base:

171273 HOWTO: Program a Secure Server on Microsoft Windows NT


Modification Type: Major
Last Reviewed: 11/3/2003
Keywords: kbACL kbAPI kbbug kbKernBase kbnofix kbSecurity KB303449