ACE Ordering Rules

ACE ordering rules apply only to ACLs in canonical form (see [MS-DTYP] section 2.4.5); the full set of rules is enforced only when the forest functional level is DS_BEHAVIOR_WIN2003 or above (see the note after the list). The following rules are applied, in the following order:

  1. Explicit ACEs come before inherited ACEs.

  2. Deny ACEs come before Allow ACEs.

  3. Regular ACEs come before object ACEs (that is, ACE types such as ACCESS_ALLOWED_ACE and ACCESS_DENIED_ACE precede the ACCESS_ALLOWED_OBJECT_ACE and ACCESS_DENIED_OBJECT_ACE forms, which carry the ObjectType and InheritedObjectType GUIDs).

  4. Within each group, the ACEs are ordered lexicographically (that is, based on octet string comparison rules: compared byte by byte as unsigned octets, with a shorter string that is a prefix of a longer one sorting first).

Rules 3 and 4 above are enforced only when the forest functional level is DS_BEHAVIOR_WIN2003 or above. Otherwise, the order of ACEs within each group defined by rules 1 and 2 is retained as supplied by the user or replication partner. Rules 1 and 2 are what make a canonical DACL safe to evaluate with a first-match walk: the access check stops at the first matching Deny ACE, so an Allow ACE placed ahead of a Deny ACE for the same trustee would grant access the Deny was meant to withhold. Because the ordering rules apply only to ACLs already in canonical form, a DACL assembled in some other order is not repaired by the directory and keeps whatever ordering it was given.
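The following Python is added here as an editor's worked example; it is not code from [MS-ADTS] or from any Microsoft implementation. It encodes a handful of ACEs in the [MS-DTYP] wire layout, sorts them by the four rules at two functional levels, and runs a deliberately simplified first-match access check over the supplied and the canonical order to show why an Allow ahead of a Deny matters. Assumptions: "octet string comparison" in rule 4 is taken to mean unsigned byte-by-byte comparison of each ACE's binary encoding; the functional-level constants follow msDS-Behavior-Version (DS_BEHAVIOR_WIN2003 = 2); the SIDs, rights masks, schema GUID and token are constructed sample data; and the access check omits object-type GUID matching, generic-rights mapping and owner handling, so object ACEs behave like regular ones in it.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# ACE type codes and the INHERITED_ACE flag as defined in [MS-DTYP] section 2.4.4.1.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
INHERITED_ACE = 0x10
ACE_OBJECT_TYPE_PRESENT = 0x1

# Forest functional levels (msDS-Behavior-Version values).
DS_BEHAVIOR_WIN2000 = 0
DS_BEHAVIOR_WIN2003 = 2

DENY_TYPES = {ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}
OBJECT_TYPES = {ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}


def sid_to_bytes(sid: str) -> bytes:
    """Encode an "S-1-5-..." string in the [MS-DTYP] 2.4.2.2 binary SID layout."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


@dataclass(frozen=True)
class Ace:
    ace_type: int
    ace_flags: int
    mask: int
    sid: bytes
    object_type: Optional[bytes] = None  # 16-byte GUID, object ACEs only

    def encode(self) -> bytes:
        """Serialize to the wire layout: header, mask, [flags + ObjectType GUID], SID."""
        body = self.mask.to_bytes(4, "little")
        if self.ace_type in OBJECT_TYPES:
            body += ACE_OBJECT_TYPE_PRESENT.to_bytes(4, "little") + self.object_type
        body += self.sid
        size = 4 + len(body)
        return bytes([self.ace_type, self.ace_flags]) + size.to_bytes(2, "little") + body


def canonical_order(aces: List[Ace], forest_level: int) -> List[Ace]:
    """Sort ACEs by the ordering rules. Rules 1 and 2 always apply; rules 3 and 4
    only at DS_BEHAVIOR_WIN2003 or above. sorted() is stable, so at lower levels
    the supplied order inside each explicit/inherited x deny/allow group survives."""
    def key(ace: Ace):
        rule1 = 1 if ace.ace_flags & INHERITED_ACE else 0   # explicit before inherited
        rule2 = 0 if ace.ace_type in DENY_TYPES else 1      # deny before allow
        if forest_level < DS_BEHAVIOR_WIN2003:
            return (rule1, rule2)
        rule3 = 1 if ace.ace_type in OBJECT_TYPES else 0    # regular before object
        # Rule 4, assumed here to mean unsigned byte-wise order of the encoded ACE.
        return (rule1, rule2, rule3, ace.encode())
    return sorted(aces, key=key)


def is_canonical(aces: List[Ace], forest_level: int) -> bool:
    return list(aces) == canonical_order(aces, forest_level)


def access_check(aces: List[Ace], token_sids: Set[bytes], desired: int) -> bool:
    """Simplified first-match DACL walk: a matching Deny covering any still-wanted
    bit stops the walk; matching Allows accumulate. Object-type GUID matching,
    generic-rights mapping and owner rights are omitted (assumption, see lead-in)."""
    remaining = desired
    for ace in aces:
        if ace.sid not in token_sids:
            continue
        if ace.ace_type in DENY_TYPES:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed sample data (not from the page): a domain SID, two users, one group.
RIGHT_DS_READ_PROPERTY = 0x10
RIGHT_DS_WRITE_PROPERTY = 0x20
DOMAIN_USERS = sid_to_bytes("S-1-5-21-1-2-3-513")
ALICE = sid_to_bytes("S-1-5-21-1-2-3-1104")
BOB = sid_to_bytes("S-1-5-21-1-2-3-1105")
SOME_ATTRIBUTE_GUID = bytes(range(16))  # placeholder schema GUID, not a real one

ALLOW_DU = Ace(ACCESS_ALLOWED_ACE_TYPE, 0, RIGHT_DS_READ_PROPERTY | RIGHT_DS_WRITE_PROPERTY, DOMAIN_USERS)
DENY_OBJ_ALICE = Ace(ACCESS_DENIED_OBJECT_ACE_TYPE, 0, RIGHT_DS_WRITE_PROPERTY, ALICE, SOME_ATTRIBUTE_GUID)
ALLOW_DU_INHERITED = Ace(ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE, RIGHT_DS_READ_PROPERTY, DOMAIN_USERS)
DENY_BOB = Ace(ACCESS_DENIED_ACE_TYPE, 0, RIGHT_DS_WRITE_PROPERTY, BOB)
DENY_ALICE = Ace(ACCESS_DENIED_ACE_TYPE, 0, RIGHT_DS_WRITE_PROPERTY, ALICE)

# Order "as supplied by the user": an Allow ahead of the Denies, i.e. non-canonical.
SUPPLIED = [ALLOW_DU, DENY_OBJ_ALICE, ALLOW_DU_INHERITED, DENY_BOB, DENY_ALICE]
ALICE_TOKEN = {ALICE, DOMAIN_USERS}

if __name__ == "__main__":
    for level in (DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003):
        print(level, [a.encode().hex() for a in canonical_order(SUPPLIED, level)])
    print("supplied order grants write:",
          access_check(SUPPLIED, ALICE_TOKEN, RIGHT_DS_WRITE_PROPERTY))
    print("canonical order grants write:",
          access_check(canonical_order(SUPPLIED, DS_BEHAVIOR_WIN2003), ALICE_TOKEN, RIGHT_DS_WRITE_PROPERTY))
```

At DS_BEHAVIOR_WIN2003 the two regular explicit Denies sort ahead of the object Deny and, between themselves, by encoded bytes (the SIDs differ only in the final RID, 1104 before 1105); at DS_BEHAVIOR_WIN2000 the three explicit Denies keep their supplied order. In both cases the supplied list, with the Domain Users Allow first, lets the simplified check grant alice write access that the canonical order refuses.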