GetEffectiveRightsFromAcl has problems with Language Packs and Universal Groups

When you are using the GetEffectiveRightsFromAcl API in your application you may encounter multiple problems:

1. If users are members of various universal groups across multiple domains the results of the call may be incorrect, or the call may take a long time and result in high processor utilization. You may also notice substantial network traffic.
   
   
2. If the computers executing the application are using Multilingual User Interface (MUI) (on Windows XP or Windows Server 2003), or have language packs installed (on Windows Vista and newer versions of Windows), and the user language differs from the system language, calls to the API may fail with return code 1355 which equates to error "The specified domain either does not exist or could not be contacted."

The API was introduced in Windows NT 4.0 to help transition those who have used similar facilities in Novell NetWare. This API, however, was not revised for new features affecting the execution of the API in later versions of the operating system. The problems listed above are caused by:

1. The API uses Windows NT 4.0-style system calls to retrieve information about the groups the user is member of. These APIs do not support universal groups properly and potentially use global groups in the user domain instead of the correct universal groups, and generate incorrect results due to that. It may also happen that this problem creates group membership loops where none exist. The API has a loop termination that has significant processor and domain controller communication before the membership retrieval is terminated.
   
   
2. The API uses resource strings to identify generic accounts from the "BUILTIN" and "NT AUTHORITY" domains. When the languages of user and system do not match, it is possible that it tries to find actual domains on the network by those names (or the localized counterparts). These domains will not be found, and thus the error 1355 is returned.

Microsoft plans to phase out this API, because a better approach is available using AuthZ APIs.

The documentation about GetEffectiveRightsFromAcl on MSDN spells out a warning now, and it refers to better approaches about retrieving effective permissions using AuthZ APIs:

GetEffectiveRightsFromAcl Function
http://msdn.microsoft.com/en-us/library/aa446637(VS.85).aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.