Article 4477 of microsoft.public.win32.programmer.kernel:
NT 4.0 (SP3), VC++ 5.0 (SP2)

Hello,

I am using

GetEffectiveRightsFromAcl(pACL,      // DACL from dir's security descriptor
                                        &trustee,  // trustee (NAME, USER)
                                        &AccessRights); // ASSESS_MASK

to check trustee's access rights to certain directory (the user is not
logged in).

From Microsoft Docs:
"The GetEffectiveRightsFromAcl function checks all access-allowed and
access-denied ACEs in the ACL to determine the effective rights for the
trustee. For all ACEs that allow or deny rights to a group,
GetEffectiveRightsFromAcl enumerates the members of the group to determine
whether the trustee is a member."

The problem: The "groups" part doesn't work for me. The
function returns correct rights if I explicitly assign them to the *user*,
but if the user is a member of the group that has the rights to the
directory -I get no rights at all.

It looks like either the documentation is wrong, I am not setting some flag
somewhere or I need some kind of special privilege to enumerate the groups.

Does anybody have any ideas?

Thank you in advance,

Dmitry Eresov