SetSecurityInfoEx

[This is preliminary documentation and subject to change.]

The SetSecurityInfoEx function sets the specified security information for an object identified by a handle.

SetSecurityInfoEx differs from the SetSecurityInfo function in that it allows you to set access-control information for the properties on an object, as well as for the object itself. In addition, SetSecurityInfoEx uses provider-independent access flags, but SetSecurityInfo uses Windows NT-specific access flags.

DWORD SetSecurityInfoEx(
  HANDLE hObject,           // handle to the object
  SE_OBJECT_TYPE ObjectType,  // type of object
  SECURITY_INFORMATION SecurityInfo,
                            // type of security information to set
  LPCTSTR lpProvider,       // name of provider to handle request
  PACTRL_ACCESS pAccessList,  // pointer to access-control 
                              // information
  PACTRL_AUDIT pAuditList,  // pointer to audit-control information
  LPTSTR lpOwner,           // name of the object's owner
  LPTSTR lpGroup,           // name of the object's primary group
  PACTRL_OVERLAPPED pOverlapped
                            // pointer to a structure for 
                            // asynchronous operation
);
 

Parameters

hObject
A handle to the object for which to set security information.
ObjectType
Specifies a value from the SE_OBJECT_TYPE enumeration that indicates the type of object identified by the hObject parameter.
SecurityInfo
Specifies the components of the security descriptor to set. This parameter can be a combination of the following values.
Value Meaning
OWNER_SECURITY_INFORMATION
Sets the object's owner security identifier (SID). The lpOwner parameter points to the new name of the object's owner. The hObject handle must have WRITE_OWNER access, or the calling process must be the object's owner or have the SE_TAKE_OWNERSHIP_NAME privilege enabled.
GROUP_SECURITY_INFORMATION
Sets the object's primary group SID. The lpGroup parameter points to the new name of the object's primary group. The hObject handle must have WRITE_OWNER access, or the calling process must be the object's owner.
DACL_SECURITY_INFORMATION
Sets the object's discretionary access control list (DACL). The pAccessList parameter points to a structure containing new access-control information for the object. For DS objects, the pAccessList buffer can also contain access-control information for any properties on the object.

The hObject handle must have WRITE_DAC access, or the calling process must be the object's owner.

SACL_SECURITY_INFORMATION
Sets the object's system access control list (SACL). The pAuditList parameter points to a structure containing new audit-control information for the object. For DS objects, the pAuditList buffer can also contain audit-control information for any properties on the object. The hObject handle must have ACCESS_SYSTEM_SECURITY access. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.

lpProvider
Pointer to a null-terminated string that specifies the name of the provider to handle the request. If this parameter is NULL, the system determines the proper provider to handle the request.
pAccessList
Pointer to an ACTRL_ACCESS structure containing the new access-control information for the object's DACL. For DS objects, the structure can also contain access-control information for the object's properties. The SecurityInfo parameter must include the DACL_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the DACL.
pAuditList
Pointer to an ACTRL_AUDIT structure containing the new audit-control information for the object's SACL. For DS objects, the structure can also contain audit-control information for the object's properties. The SecurityInfo parameter must include the SACL_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the SACL.
lpOwner
Pointer to a null-terminated string containing the new name of the object's owner. The function attempts to convert the name to an SID. The SecurityInfo parameter must include the OWNER_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the owner SID.

The function uses a NULL owner for objects on systems other than Windows NT that do not support object owners.

lpGroup
Pointer to a null-terminated string containing the name of the object's primary group. The SecurityInfo parameter must include the GROUP_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the primary group SID.

The function uses a NULL primary group for objects on systems other than Windows NT that do not support object groups.

pOverlapped
Pointer to an ACTRL_OVERLAPPED structure. If this parameter is non-NULL, the function returns immediately and the set operation is performed asynchronously. SetSecurityInfoEx returns a handle to an event object in the hEvent member of this structure. The system sets this event object to the signaled state when the operation has been completed.

If this parameter is NULL, the function is performed synchronously and does not return until the operation has been completed. Note that a synchronous operation can take an extended period of time and cannot be cancelled.

Return Values

If the function succeeds, the return value is ERROR_SUCCESS. If the pOverlapped parameter was NULL, the function successfully set the specified security information. If pOverlapped was not NULL, the function started the asynchronous operation.

If the function fails, the return value can be one of the following error codes.

Value Meaning
ERROR_NOT_ENOUGH_MEMORY A memory allocation failed
ERROR_INVALID_PARAMETER An invalid parameter was specified.
ERROR_BAD_PROVIDER The lpProvider parameter specified an invalid provider name.

Remarks

If the pOverlapped parameter points to a valid ACTRL_OVERLAPPED structure, SetSecurityInfoEx returns immediately and returns a handle to an event object in the hEvent member of the ACTRL_OVERLAPPED structure. The system sets this event object to the signaled state when the operation has been completed. You can call the GetOverlappedAccessResults function to wait for the operation to be completed and retrieve the results of the asynchronous operation. Alternatively, you can call one of the wait functions, such as WaitForSingleObject, to wait for the event object to be signaled, and then call GetOverlappedAccessResults to determine the results of the operation. The wait functions also allow you to specify a time-out interval; if the interval elapses before the event is signaled, you can call the CancelOverlappedAccess function to cancel the asynchronous operation. If the pOverlapped parameter is NULL, the operation is performed synchronously.

To set the security information for a DS object and all its properties, specify SE_DS_OBJECT in the ObjectType parameter and use the pAccessList and pAuditList parameters to specify the security information. Set the pPropertyAccessList member of the ACTRL_ACCESS or ACTRL_AUDIT structure to point to an array of ACTRL_PROPERTY_ENTRY structures. Use one ACTRL_PROPERTY_ENTRY structure to specify access-control information for the object, and additional structures to specify information for each property that requires explicit security. Properties that are not explicitly identified in the array of ACTRL_PROPERTY_ENTRY structures are protected only by the object's access control.

For file, registry, and DS objects, the SetSecurityInfoEx function can propagate access-control information to the child objects of the specified object. This can occur when the child objects inherit ACEs from their parent object. This propagation can be time consuming, so you might want to perform it as an asynchronous operation.

QuickInfo

  Windows NT: Requires version 5.0 or later.
  Windows: Unsupported.
  Windows CE: Unsupported.
  Header: Declared in aclapi.h.
  Import Library: Use advapi32.lib.
  Unicode: Implemented as Unicode and ANSI versions on Windows NT.

See Also

Access Control Overview, Access Control Functions, ACTRL_ACCESS, ACTRL_AUDIT, ACTRL_PROPERTY_ENTRY, GetNamedSecurityInfoEx, GetSecurityInfoEx, SE_OBJECT_TYPE, SECURITY_INFORMATION, SetNamedSecurityInfoEx