5.1.3.3.2 Checking Simple Access

When evaluating standard access rights specified in simple ACEs for an Active Directory object, the security descriptor of the object is used. Let G and D denote the access rights that are granted and denied, respectively, on the object. Set both to a value of 0 initially.

The following rules are used to determine the authorization for the requester's security context:

  1. If the security descriptor has no DACL or its "DACL Present" (DP) bit is not set, then grant the requester all possible access rights on the object.

  2. If the DACL does not have any ACE, then grant the requester no access rights on the object.

  3. If the SID in the Owner field of the object's security descriptor matches any SID in the requester's security context, then add the bits "Read Control" (RC), "Write DACL" (WD) and "Write Owner" (WO) to G.

  4. Evaluate the DACL by examining each ACE in sequence, starting with the first ACE. Perform the following sequence of actions for each ACE, in the order shown. Let the ACCESS_MASK field of the ACE have a value M.

    1. If the "Inherit Only" (IO) flag is set in the ACE, skip the ACE.

    2. If the SID in the ACE does not match any SID in the requester's security context, skip the ACE.

    3. If the ACE type is "Access Denied" and the access rights in M are not in G, then add the rights in M to D.

    4. If the ACE type is "Access Allowed" and the access rights in M are not in D, then add the rights in M to G.

  5. When the end of the DACL is reached, the access rights in G are the maximum standard access available to the requester on the object. Check the requested access mask against the access rights granted in G.
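The five rules above, carried out over a constructed in-memory security descriptor, as an added example that is not part of the specification or of any Windows implementation. The SIDs, the string ACE types and the dataclass layout are assumptions; the "not in G" / "not in D" tests of rules 4.3 and 4.4 are applied bitwise, and the mask constants are the standard READ_CONTROL/WRITE_DAC/WRITE_OWNER and DS_READ_PROP/DS_WRITE_PROP values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

RC, WD, WO = 0x20000, 0x40000, 0x80000   # READ_CONTROL, WRITE_DAC, WRITE_OWNER
READ_PROP, WRITE_PROP = 0x10, 0x20       # ADS_RIGHT_DS_READ_PROP / _WRITE_PROP
ALL_ACCESS = 0xFFFFFFFF
INHERIT_ONLY = 0x08                      # IO bit of AceFlags

@dataclass
class Ace:
    ace_type: str        # "allow" or "deny" (assumed encoding)
    sid: str
    mask: int            # the ACE's ACCESS_MASK, M in the text
    flags: int = 0

@dataclass
class SecurityDescriptor:
    owner: str
    dacl_present: bool                       # the DP control bit
    dacl: Optional[List[Ace]] = field(default=None)

def simple_access_check(sd: SecurityDescriptor, token_sids) -> tuple:
    """Return (G, D): the granted and denied masks after walking the DACL."""
    G = D = 0
    if not sd.dacl_present or sd.dacl is None:   # rule 1: absent DACL grants all
        return ALL_ACCESS, 0
    if len(sd.dacl) == 0:                        # rule 2: empty DACL grants nothing
        return 0, 0
    if sd.owner in token_sids:                   # rule 3: owner gets RC, WD, WO
        G |= RC | WD | WO
    for ace in sd.dacl:                          # rule 4, in DACL order
        if ace.flags & INHERIT_ONLY:             # 4.1: inherit-only ACEs are skipped
            continue
        if ace.sid not in token_sids:            # 4.2: ACE must match a token SID
            continue
        if ace.ace_type == "deny":               # 4.3: deny bits not already granted
            D |= ace.mask & ~G
        elif ace.ace_type == "allow":            # 4.4: allow bits not already denied
            G |= ace.mask & ~D
    return G, D

def is_granted(sd: SecurityDescriptor, token_sids, requested: int) -> bool:
    """Rule 5: every requested bit must be present in G."""
    G, _ = simple_access_check(sd, token_sids)
    return (requested & ~G) == 0

# Constructed sample: a deny ACE placed before the allow that would override it,
# plus an inherit-only allow that must not count for the object itself.
OWNER, GROUP, OTHER = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-2000"
SAMPLE_SD = SecurityDescriptor(OWNER, True, [
    Ace("deny", GROUP, WRITE_PROP),
    Ace("allow", GROUP, READ_PROP | WRITE_PROP),
    Ace("allow", OTHER, READ_PROP | WRITE_PROP, INHERIT_ONLY),
])
```

Note that a security descriptor with no DACL at all (rule 1) grants everything, while one whose DACL is present but empty (rule 2) grants nothing; confusing the two is a classic misconfiguration.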