To create a security descriptor, a protected server can use the same procedure that an application would use to create a security descriptor for a securable object. For sample code, see Creating a Security Descriptor for a New Object.
In addition, the Win32 API provides a set of functions for merging client security information with information inherited from the security descriptor for a parent object or from a default security descriptor. The CreatePrivateObjectSecurity, GetPrivateObjectSecurity, SetPrivateObjectSecurity, and DestroyPrivateObjectSecurity functions provide the ability to retrieve default information from an access token, support inheritance, and manipulate specific parts of the security descriptor. This can be useful when a client creates a private object in a hierarchy of secured objects. For example, you could use the CreatePrivateObjectSecurity function to create a security descriptor that contained ACEs specified by the client, ACEs inherited from a parent object, and the default owner from the creating client's access token.