# -
# This test makes sure that DENY_ACCESS ACE has a higher precedence over GRANT_ACCESS ACE
# -
# Initialize a new ACL
Exec InitNewACL

# Set the current trustee to rayland\actest1 and add it to the local access request list
Set TrusteeName rayland\actest1
ToggleAccessPerm COM_RIGHTS_EXECUTE
AddTrustee AccessRequestList

# Call GrantAccessRights
Exec GrantAccessRights

# Chicage client's security context
SwitchClientCtx
actest1
rayland

# Call IsAccessPermitted
Exec IsAccessPermitted

# Call IsAccessPermitted again to see if the caching mechanism works
Exec IsAccessPermitted

# Destroy the old access request list
Destroy AccessRequestList

# Set the current trustee to rayland\actestgroup1 and add it to the local access request list
Set TrusteeName rayland\actestgroup1
Set TrusteeType TRUSTEE_IS_GROUP
AddTrustee AccessRequestList

# Call DenyAccessRights
Exec DenyAccessRights

# Change the current trustee back to rayland\actest1
Set TrusteeName rayland\actest1
Set TrusteeType TRUSTEE_IS_USER

# Call IsAccessPermitted, rayland\actest1 should eb denied access by now
Exec IsAccessPermitted

# Retrieve the ACL fromt he IAccessControl object
Exec GetExplicitAccessRights

# Kill the server
Quit