Getting Information From an ACL

Windows NT versions 4.0 and later provide several functions for retrieving access-control information from an ACL. These include functions for determining the access rights that an ACL grants or audits for a specified trustee. Other functions enable you to extract ACE information from an ACL.

The GetEffectiveRightsFromAcl function enables you to determine the effective access rights that a DACL grants to a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member. GetEffectiveRightsFromAcl checks all access-allowed and access-denied ACEs in the ACL to determine the effective rights for the trustee.
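The effect of combining access-allowed and access-denied ACEs for a trustee and its groups can be seen in a small model. The following is an added example, not code from the original page and not the Win32 implementation: it is a simplified, portable model of ordered ACE evaluation in which every type, function name, right bit and SID is hypothetical or constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not the Win32 API: every type, name and value is hypothetical. */
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; const char *sid; uint32_t mask; };

#define R_READ  0x1u                   /* constructed right bits */
#define R_WRITE 0x2u
#define USER  "S-1-5-21-0-0-0-1001"    /* constructed SIDs */
#define GROUP "S-1-5-21-0-0-0-513"

/* True if sid is the trustee itself or one of the trustee's groups. */
static int sid_matches(const char *sid, const char *const *sids, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, sids[i]) == 0)
            return 1;
    return 0;
}

/* Walk the ACEs in order: a deny ACE blocks only bits not already granted,
   an allow ACE grants only bits not already denied. */
uint32_t effective_rights(const struct ace *acl, size_t n_aces,
                          const char *const *sids, size_t n_sids)
{
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < n_aces; i++) {
        if (!sid_matches(acl[i].sid, sids, n_sids))
            continue;                  /* ACE names an unrelated trustee */
        if (acl[i].type == ACE_DENY)
            denied |= acl[i].mask & ~granted;
        else
            granted |= acl[i].mask & ~denied;
    }
    return granted;
}

static const char *const trustee[] = { USER, GROUP };   /* user plus one group */
static const struct ace canonical[] = {                 /* deny ACE first */
    { ACE_DENY, USER, R_WRITE }, { ACE_ALLOW, GROUP, R_READ | R_WRITE } };
static const struct ace misordered[] = {                /* same ACEs, deny last */
    { ACE_ALLOW, GROUP, R_READ | R_WRITE }, { ACE_DENY, USER, R_WRITE } };

int main(void)
{
    printf("canonical=0x%x misordered=0x%x\n",
           (unsigned)effective_rights(canonical, 2, trustee, 2),
           (unsigned)effective_rights(misordered, 2, trustee, 2));
    return 0;
}
```

In this model the same two ACEs yield different rights depending on their order, which is why a deny ACE placed after a group's allow ACE is worth flagging when reviewing a DACL.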

The GetAuditedPermissionsFromAcl function enables you to check a SACL to determine the audited access rights for a specified trustee or for any groups of which the trustee is a member. The audited rights indicate the types of access attempts that cause the system to generate an audit record in the security event log. The function returns two access masks: one containing the access rights monitored for failed access attempts, and another containing the access rights monitored for successful access. GetAuditedPermissionsFromAcl checks all system-audit ACEs in the ACL.

The GetExplicitEntriesFromAcl function retrieves an array of EXPLICIT_ACCESS structures that describe the ACEs in an ACL. This can be useful when you are copying ACE information from one ACL to another. For example, you can call GetExplicitEntriesFromAcl to get information about the ACEs in one ACL, and then pass the returned EXPLICIT_ACCESS structures in a call to the SetEntriesInAcl function to create equivalent ACEs in the new ACL.