A protected server application must check a client's access rights before allowing the client to access a protected private object. To do this, the server passes an impersonation token, a security descriptor, and a set of requested access rights to the AccessCheck function. The ACEs in the security descriptor's DACL specify the access rights allowed or denied for various trustees. AccessCheck compares the trustee in each ACE to the trustees identified in the impersonation token. For a description of the algorithm used to grant or deny access, see Checking a Thread's Access to an Object.
The AccessCheckAndAuditAlarm function performs a similar access check. In addition, it generates audit records in the security event log depending on the SACL in the security descriptor.
The AccessCheckByType and AccessCheckByTypeAndAuditAlarm functions are similar to AccessCheck and AccessCheckAndAuditAlarm except that they allow you to check access to the subobjects of an object, such as property sets or properties. The AccessCheckByTypeResultList and AccessCheckByTypeResultListAndAuditAlarm functions are also similar except that they provide the access check results for each subobject in a hierarchy of the object's properties and property sets. These functions use the OBJECT_TYPE_LIST structure to describe the hierarchy of objects for which access is checked. The functions that generate an audit message use the AUDIT_EVENT_TYPE enumeration type to indicate whether the object being checked is a directory service object. For more information about the hierarchy of an object and its subobjects, see Controlling Access to an Object's Properties.
The requested access rights passed to the AccessCheck and AccessCheckAndAuditAlarm functions must not include any generic access rights. The server can use the MapGenericMask function to convert any generic access rights to the corresponding specific and standard rights according to the mapping specified in the GENERIC_MAPPING structure.
The AreAllAccessesGranted and AreAnyAccessesGranted functions compare a requested access mask with a granted access mask.
For sample code that uses the AccessCheck function, see Checking A Client's Access.