2 files changed, 22 insertions, 13 deletions

diff --git a/spec/functional/file_content_management/deploy_strategies_spec.rb b/spec/functional/file_content_management/deploy_strategies_spec.rb
index 3a9c011019..dd1ef6228f 100644
--- a/spec/functional/file_content_management/deploy_strategies_spec.rb
+++ b/spec/functional/file_content_management/deploy_strategies_spec.rb
@@ -87,11 +87,7 @@ shared_examples_for "a content deploy strategy" do
       end
     end
 
-    # Win2003 has annoying differences in ACL inheritance behavior that make
-    # the default ACLs substantially different from those created on subsequent
-    # windows versions. The behaviors here are also covered by resource-level
-    # tests so we'll skip win2k3 here to keep the tests simple.
-    it "touches the file to create it (Windows)", :windows_only, :not_supported_on_win2k3 do
+    it "touches the file to create it (Windows)", :windows_only do
       content_deployer.create(target_file_path)
       File.should exist(target_file_path)
       file_info = File.stat(target_file_path)
@@ -102,11 +98,16 @@ shared_examples_for "a content deploy strategy" do
       security_obj = Chef::ReservedNames::Win32::Security::SecurableObject.new(target_file_path)
 
       security_descriptor = security_obj.security_descriptor(true)
-      security_descriptor.dacl.each_with_index do |ace, index|
-        ace.inherited?.should be_true
-        ace.mask.should == parent_aces[index].mask
+      # On certain windows systems like 2003 and Azure VMs there are some default
+      # ACEs that are not inherited from parents. So filter out the parents before
+      # comparing the aces
+      self_aces = security_descriptor.dacl.select do |ace|
+        ace_inherits?(ace)
       end
 
+      self_aces.each_with_index do |ace, index|
+        ace.mask.should == parent_aces[index].mask
+      end
     end
   end
 
diff --git a/spec/support/shared/functional/securable_resource.rb b/spec/support/shared/functional/securable_resource.rb
index 4efe7a69a1..9999146dee 100644
--- a/spec/support/shared/functional/securable_resource.rb
+++ b/spec/support/shared/functional/securable_resource.rb
@@ -525,16 +525,24 @@ shared_examples_for "a securable resource without existing target" do
     it "has the inheritable acls of parent directory if no acl is specified" do
       File.exist?(path).should == false
 
+      # Collect the inheritable acls form the parent by creating a file without
+      # any specific ACLs
       parent_acls = parent_inheritable_acls
 
+      # On certain flavors of Windows the default list of ACLs sometimes includes
+      # non-inherited ACLs. Filter them out here.
+      parent_inherited_acls = parent_acls.dacl.collect do |ace|
+        ace.inherited?
+      end
+
       resource.run_action(:create)
 
-      descriptor.dacl.each_with_index do |ace, index|
-        # On Windows Server 2003 OS creates a default non-inheritable
-        # ACL during file creation unless otherwise specified.
-        ace.inherited?.should == true unless windows_win2k3?
-        ace.should == parent_acls.dacl[index]
+      # Similarly filter out the non-inherited ACLs
+      resource_inherited_acls = descriptor.dacl.collect do |ace|
+        ace.inherited?
       end
+
+      resource_inherited_acls.should == parent_inherited_acls
     end
 
   end