[This is preliminary documentation and subject to change.]
The SetSecurityInfoEx function sets the specified security information for an object identified by a handle.
SetSecurityInfoEx differs from the SetSecurityInfo function in that it allows you to set access-control information for the properties on an object, as well as for the object itself. In addition, SetSecurityInfoEx uses provider-independent access flags, but SetSecurityInfo uses Windows NT-specific access flags.
DWORD SetSecurityInfoEx(
HANDLE hObject, // handle to the object
SE_OBJECT_TYPE ObjectType, // type of object
SECURITY_INFORMATION SecurityInfo,
// type of security information to set
LPCTSTR lpProvider, // name of provider to handle request
PACTRL_ACCESS pAccessList, // pointer to access-control
// information
PACTRL_AUDIT pAuditList, // pointer to audit-control information
LPTSTR lpOwner, // name of the object's owner
LPTSTR lpGroup, // name of the object's primary group
PACTRL_OVERLAPPED pOverlapped
// pointer to a structure for
// asynchronous operation
);
| Value | Meaning |
|---|---|
| OWNER_SECURITY_INFORMATION | |
| Sets the object's owner security identifier (SID). The lpOwner parameter points to the new name of the object's owner. The hObject handle must have WRITE_OWNER access, or the calling process must be the object's owner or have the SE_TAKE_OWNERSHIP_NAME privilege enabled. | |
| GROUP_SECURITY_INFORMATION | |
| Sets the object's primary group SID. The lpGroup parameter points to the new name of the object's primary group. The hObject handle must have WRITE_OWNER access, or the calling process must be the object's owner. | |
| DACL_SECURITY_INFORMATION | |
| Sets the object's discretionary access control list (DACL). The pAccessList parameter points to a structure containing new access-control information for the object. For DS objects, the pAccessList buffer can also contain access-control information for any properties on the object. The hObject handle must have WRITE_DAC access, or the calling process must be the object's owner. |
|
| SACL_SECURITY_INFORMATION | |
| Sets the object's system access control list (SACL). The pAuditList parameter points to a structure containing new audit-control information for the object. For DS objects, the pAuditList buffer can also contain audit-control information for any properties on the object. The hObject handle must have ACCESS_SYSTEM_SECURITY access. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege. | |
The function uses a NULL owner for objects on systems other than Windows NT that do not support object owners.
The function uses a NULL primary group for objects on systems other than Windows NT that do not support object groups.
If this parameter is NULL, the function is performed synchronously and does not return until the operation has been completed. Note that a synchronous operation can take an extended period of time and cannot be cancelled.
If the function succeeds, the return value is ERROR_SUCCESS. If the pOverlapped parameter was NULL, the function successfully set the specified security information. If pOverlapped was not NULL, the function started the asynchronous operation.
If the function fails, the return value can be one of the following error codes.
| Value | Meaning |
|---|---|
| ERROR_NOT_ENOUGH_MEMORY | A memory allocation failed |
| ERROR_INVALID_PARAMETER | An invalid parameter was specified. |
| ERROR_BAD_PROVIDER | The lpProvider parameter specified an invalid provider name. |
If the pOverlapped parameter points to a valid ACTRL_OVERLAPPED structure, SetSecurityInfoEx returns immediately and returns a handle to an event object in the hEvent member of the ACTRL_OVERLAPPED structure. The system sets this event object to the signaled state when the operation has been completed. You can call the GetOverlappedAccessResults function to wait for the operation to be completed and retrieve the results of the asynchronous operation. Alternatively, you can call one of the wait functions, such as WaitForSingleObject, to wait for the event object to be signaled, and then call GetOverlappedAccessResults to determine the results of the operation. The wait functions also allow you to specify a time-out interval; if the interval elapses before the event is signaled, you can call the CancelOverlappedAccess function to cancel the asynchronous operation. If the pOverlapped parameter is NULL, the operation is performed synchronously.
To set the security information for a DS object and all its properties, specify SE_DS_OBJECT in the ObjectType parameter and use the pAccessList and pAuditList parameters to specify the security information. Set the pPropertyAccessList member of the ACTRL_ACCESS or ACTRL_AUDIT structure to point to an array of ACTRL_PROPERTY_ENTRY structures. Use one ACTRL_PROPERTY_ENTRY structure to specify access-control information for the object, and additional structures to specify information for each property that requires explicit security. Properties that are not explicitly identified in the array of ACTRL_PROPERTY_ENTRY structures are protected only by the object's access control.
For file, registry, and DS objects, the SetSecurityInfoEx function can propagate access-control information to the child objects of the specified object. This can occur when the child objects inherit ACEs from their parent object. This propagation can be time consuming, so you might want to perform it as an asynchronous operation.
Windows NT: Requires version 5.0 or later.
Windows: Unsupported.
Windows CE: Unsupported.
Header: Declared in aclapi.h.
Import Library: Use advapi32.lib.
Unicode: Implemented as Unicode and ANSI versions on Windows NT.
Access Control Overview, Access Control Functions, ACTRL_ACCESS, ACTRL_AUDIT, ACTRL_PROPERTY_ENTRY, GetNamedSecurityInfoEx, GetSecurityInfoEx, SE_OBJECT_TYPE, SECURITY_INFORMATION, SetNamedSecurityInfoEx