INFO: REVOKE_ACCESS May Not Delete the Specified TRUSTEE (254665)


The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows 2000
This article was previously published under Q254665

SUMMARY

The SetEntriesInAcl function allows you to modify an access control list (ACL). Depending on how grfAccessMode in the EXPLICT_ACCESS structure is initialized, an access control entry (ACE) can be removed. SetEntriesInAcl may still succeed but not remove ACEs corresponding to the TRUSTEE.

MORE INFORMATION

The system uses three criteria to remove an ACE; it will not remove the ACE unless the Trustee, Access Permissions, and Inheritance flags are the same.

SetEntriesInAcl allows you to set the permissions for an ACE based on generic access permissions. When the security is applied to the object, the system uses the specified access permissions for the object. In this situation, if an attempt to remove an ACE is based on generic access permissions, SetEntriesInAcl will not remove the ACE because the actual ACE has permissions that are based on the specific permissions for the object, instead of the generic permissions.
Modification Type:MajorLast Reviewed:10/29/2003
Keywords:kbAPI kbinfo kbKernBase kbSecurity KB254665
©2003 Microsoft Corporation. All rights reserved.