Yes. There are a set of rules you need to follow with regard to the ordering of ACEs in a DACL. A simplified version of the rules is: First, all explicit ACEs should be ordered before all inherited ACEs, and second, ACEs that deny access should come before ACEs that allow access.
What's probably happening is that $UserDir is inheriting permissions from its parent. When you add your explicit permissions you're adding them to the end of the DACL -- after the inherited ACEs. It's up to you to create a DACL with properly ordered ACEs. Windows won't prevent you from setting a DACL with the ACEs ordered any way you like, and it will interpret those ACEs exactly as you have them ordered. Although, as you've seen, explorer will complain about, and try to fix, any DACLs it comes across. More on ACE order in a DACL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/se curity/order_of_aces_in_a_dacl.asp -Shawn -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Allen, Matthew (c) Sent: Wednesday, November 19, 2003 6:35 PM To: '[EMAIL PROTECTED]' Subject: Win32::Perms - The Sequel Anyone ever see this error when using Win32::Perms? After you grant new access rights to a folder by using Win32::Perms, then open Windows Explorer to view the Security properties: "The Permissions on Folder are incorrectly ordered, which may cause some entries to be ineffective." Code follows: $UserDir = "\\\\dnwfs001\\n\$\\data\\ctxtest01\\"; $login = "northamerica\\ctxtest01"; $homePerm = new Win32::Perms ($UserDir) || die "Error creating Perm object : $UserDir"; $homePerm->Allow($login, CHANGE, CONTAINER_INHERIT_ACE ) || die "Error Add"; $homePerm->Allow($login, CHANGE, OBJECT_INHERIT_ACE ) || die "Error Add"; $homePerm->Set() || die "Error Set"; $homePerm->Close(); Matthew Allen _______________________________________________ Perl-Win32-Admin mailing list [EMAIL PROTECTED] To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs _______________________________________________ Perl-Win32-Admin mailing list [EMAIL PROTECTED] To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
