Security Descriptor Operations

The Win32 API provides functions for getting and setting the security information in an object's security descriptor.

Windows NT version 5.0 introduces a set of access-control functions that support object-specific ACEs, automatic propagation of inheritable ACEs, and provider-independent access rights. These functions enable you to get and set the security information on a variety of securable objects as well as securable objects on other operating systems.

The SetSecurityInfoEx and SetNamedSecurityInfoEx functions can specify the security information for the DACL, SACL, owner SID, and group SID in an object's security descriptor. The GetSecurityInfoEx and GetNamedSecurityInfoEx functions can retrieve buffers containing the DACL, SACL, owner, and group information. For directory service objects, you can use these functions to get and set object-specific ACEs that apply only to a property set or property on the object, or that can be inherited only by a specified type of child object.

The GetSecurityInfoEx and SetSecurityInfoEx functions use handles to identify objects. You can use these functions with the following types of objects:

The GetNamedSecurityInfoEx and SetNamedSecurityInfoEx functions use names to identify objects. You can use these functions with the following types of objects:

Note that these functions do not work explicitly with pointers to security descriptors, ACLs, or SIDs. Instead, they use ACTRL_ACCESS structures to describe DACLs, ACTRL_AUDIT structures to describe SACLs, and strings to identify owners and groups. You can use the ConvertAccessToSecurityDescriptor function to convert these structures and strings to a self-relative security descriptor. You can use the ConvertSecurityDescriptorToAccess and ConvertSecurityDescriptorToAccessNamed functions to extract the security information from a security descriptor and store it in these structures and strings.
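A self-relative security descriptor, such as the one ConvertAccessToSecurityDescriptor produces, is one contiguous buffer in which the owner SID, group SID, SACL, and DACL are located by offsets from the start of the buffer. As an added example (not code from this page or from the Windows SDK), the portable C below parses such a buffer by its documented byte layout and audits the DACL for a weak entry; SAMPLE_SD is a constructed descriptor, and the control-flag, ACE-type, and WRITE_DAC constants are the standard Win32 values.

```c
/* Added example: parse a self-relative SECURITY_DESCRIPTOR (MS-DTYP byte layout) and audit
 * its DACL. SAMPLE_SD is constructed: owner Administrators, group SYSTEM, no SACL, 2 ACEs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SE_DACL_PRESENT  0x0004
#define SE_SELF_RELATIVE 0x8000
#define ACCESS_ALLOWED_ACE_TYPE 0
#define WRITE_DAC        0x00040000u   /* right to rewrite the object's DACL */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
const uint8_t SAMPLE_SD[100] = {
    1, 0, 0x04, 0x80, 20,0,0,0, 36,0,0,0, 0,0,0,0, 48,0,0,0,  /* rev, control, owner/group/SACL/DACL offsets */
    1, 2, 0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0,               /* owner S-1-5-32-544 */
    1, 1, 0,0,0,0,0,5, 18,0,0,0,                              /* group S-1-5-18 */
    2, 0, 52,0, 2,0, 0,0,                                     /* ACL: rev 2, 52 bytes, 2 ACEs */
    0, 0, 24,0, 0xFF,0x01,0x1F,0x00, 1,2,0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0, /* allow 0x1F01FF to Administrators */
    0, 0, 20,0, 0x00,0x00,0x04,0x00, 1,1,0,0,0,0,0,1, 0,0,0,0                /* allow WRITE_DAC to Everyone */
};

/* Render the SID at sd+offset as "S-1-..."; 0 on success, -1 if absent, malformed or truncated. */
int sd_sid_string(const uint8_t *sd, size_t len, uint32_t offset, char *out, size_t outlen) {
    if (offset == 0 || offset + 8 > len || sd[offset] != 1 || sd[offset + 1] > 15) return -1;
    const uint8_t *sid = sd + offset;
    if (offset + 8 + 4u * sid[1] > len) return -1;
    uint64_t auth = 0;                                 /* 6-byte big-endian identifier authority */
    for (int i = 2; i < 8; i++) auth = auth << 8 | sid[i];
    size_t n = (size_t)snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (int i = 0; i < sid[1] && n < outlen; i++)
        n += (size_t)snprintf(out + n, outlen - n, "-%u", (unsigned)rd32(sid + 8 + 4 * i));
    return n < outlen ? 0 : -1;
}

/* Count ACCESS_ALLOWED ACEs granting WRITE_DAC to Everyone (S-1-1-0); -1 if the descriptor
 * is not self-relative, has no DACL, or any size field would read past the buffer. */
int dacl_everyone_write_dac(const uint8_t *sd, size_t len) {
    static const uint8_t everyone[12] = {1, 1, 0,0,0,0,0,1, 0,0,0,0};
    if (len < 20 || sd[0] != 1) return -1;
    if ((rd16(sd + 2) & (SE_SELF_RELATIVE | SE_DACL_PRESENT)) != (SE_SELF_RELATIVE | SE_DACL_PRESENT)) return -1;
    uint32_t off = rd32(sd + 16);                      /* OffsetDacl */
    if (off == 0 || off + 8 > len || off + rd16(sd + off + 2) > len) return -1;
    const uint8_t *p = sd + off + 8, *end = sd + off + rd16(sd + off + 2);
    int hits = 0;
    for (uint16_t i = 0, n = rd16(sd + off + 4); i < n; i++, p += rd16(p + 2)) {
        if (end - p < 4 || rd16(p + 2) < 8 || rd16(p + 2) > end - p) return -1;
        if (p[0] == ACCESS_ALLOWED_ACE_TYPE && (rd32(p + 4) & WRITE_DAC) &&
            rd16(p + 2) >= 20 && memcmp(p + 8, everyone, 12) == 0) hits++;
    }
    return hits;
}
```

Every size and offset field is checked against the buffer length before it is dereferenced, which is the check a consumer of descriptors received from an untrusted source needs.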