The GetEffectiveRightsFromAcl function does not consider the following:Implicitly granted access rights, such as READ_CONTROL and WRITE_DAC, for the owner of an object when determining effective rights.
Privileges held by the trustee when determining effective access rights.
Group rights associated with the logon session, such as interactive, network, authenticated users, and so forth, in determining effective access rights.
Resource manager policy. For example, for file objects, Delete and Read attributes can be provided by the parent even if they have been denied on the object.
The GetEffectiveRightsFromAcl function fails and returns ERROR_INVALID_ACL if the specified ACL contains an inherited access-denied ACE.