This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
During my own internal testing I found that any ACEs with types ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and ACCESS_DENIED_CALLBACK_OBJECT_ACE does not count during access control processing. I made different variations of the ACEs: with or without ObjectType GUID, with or without ApplicationData field, with ApplicationData having correct "conditional expression" (as described in [MS-DTYP] 2.4.4.17). In all cases such ACEs had no influence on access checking process. At the same time I was able correctly apply any ACCESS_ALLOWED_OBJECT_ACE and ACCESS_DENIED_OBJECT_ACE. Also I am able to build correct ACEs with types ACCESS_ALLOWED_CALLBACK_ACE and ACCESS_DENIED_CALLBACK_ACE.
So, seems like internally in a callback function like "AuthzAccessCheckCallback" for ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and ACCESS_DENIED_CALLBACK_OBJECT_ACE I got "*pbAceApplicable = FALSE".
Additional details: I am making all the security descriptors using my own library on C++, access checking performed by "AccessCheckByTypeResultListAndAuditAlarmByHandle" function. All was tested on Windows 10 under a process having elevated administrator account (with all related privileges enabled). Plus I tested the same code on fresh installation of Windows Server 2019 having configured ActiveDirectory domain - same result, such ACE types does not count during access control checking.
I would suggest to address your question here: https://learn.microsoft.com/en-us/answers/topics/openspecs-windows.html. That forum dedicated to OpenSpecs and [MS-DTYP] specifically.
Thank you very much, I will post it there tomorrow.
Best regards
Yury Strozhevsky
Made this question with additional "OpenSpecs" tag.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 28.999999999999996%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVW%3C/text%3E%3C/svg%3E)
Hi,
Thank you for posting in our forum.
Are all your tests tested by C++ code?
Can you test the things you describe through the graphical user interface?
You can confirm these problems first, which is more convenient for troubleshooting later.
Best wishes
Vicky
Hi,
How are things going? Could you please send me an update so that we can continue to work on this problem and resolve it? Thanks for your help.
Best wishes
Vicky
Hello,
Sorry I missed your first request. No, I can’t check this via UI just because such ACEs don’t display in the UI.
Best regards
Yury Strozhevsky
Hi,
Thank you for your waiting and reply. If you can't check through the UI only, you may need C++team to test it.
Hope this information can help you
Best wishes
Vicky
Thanks for answering. How I can get a support from “c++ team”?
Best regards
Yury Strozhevsky
Hi,
Thank you for your patience and reply.
For the C++ team, you can refer to the link below:
https://www.cplusplus.com/forum/
https://www.cplusplus.com/forum/beginner/
Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
Hope this information can help you
Best wishes
Vicky
My question is about "why something is not working inside a common Windows API", not about C++ in general. So, in order to solve my question I need to have a person with a direct access to Windows source codes. If you have any such contact then please provide it.
Best regards,
Yury Strozhevsky
