Denying Access Using Windows NT 4.0 Functions

These examples use the SetEntriesInAcl function to create an ACL. Then they use the SetNamedSecurityInfo function to attach the ACL as the DACL of an object. Note that these examples can work with a variety of named securable objects, such as files, registry keys, and synchronization objects.

The first example shows how to add an empty DACL to an object's security descriptor. The effect is to deny all access to the object.

#include <windows.h>
#include <aclapi.h>

DWORD SetEmptyDACL(LPTSTR lpObjectName, SE_OBJECT_TYPE ObjectType)
{
    DWORD dwRes;
    PACL pDacl = NULL;

    if (NULL == lpObjectName)
        return ERROR_INVALID_PARAMETER;

    // create an ACL with no ACEs
    dwRes = SetEntriesInAcl(0, NULL, NULL, &pDacl);
    if (ERROR_SUCCESS != dwRes)
        return dwRes;

    // attach the empty ACL as the object's DACL
    dwRes = SetNamedSecurityInfo(lpObjectName, ObjectType,
          DACL_SECURITY_INFORMATION,
          NULL, NULL, pDacl, NULL);

    // free the buffer returned by SetEntriesInAcl
    LocalFree(pDacl);

    return dwRes;
}


You can modify this example to deny access to a specified trustee. The following variation uses the BuildExplicitAccessWithName function to initialize an EXPLICIT_ACCESS structure with the data for an access-denied ACE. Then it uses the SetEntriesInAcl and SetNamedSecurityInfo functions to create the ACL and attach it to the object.

#include <windows.h>
#include <aclapi.h>

// Deny the trustee "ludwig" all access to the file "myfile" by replacing
// the file's DACL with an ACL that holds a single access-denied ACE.
DWORD DenyTrusteeAccess(void)
{
    DWORD dwRes;
    PACL pDacl = NULL;
    EXPLICIT_ACCESS ea;

    // initialize an EXPLICIT_ACCESS structure to deny access
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    BuildExplicitAccessWithName(&ea,
        TEXT("ludwig"),    // name of trustee
        GENERIC_ALL,       // type of access
        DENY_ACCESS,       // access mode
        NO_INHERITANCE);   // inheritance mode

    // create an ACL with one access-denied ACE
    dwRes = SetEntriesInAcl(1, &ea, NULL, &pDacl);
    if (ERROR_SUCCESS != dwRes)
        return dwRes;

    // attach the ACL as the object's DACL
    dwRes = SetNamedSecurityInfo(TEXT("myfile"), SE_FILE_OBJECT,
          DACL_SECURITY_INFORMATION,
          NULL, NULL, pDacl, NULL);

    // free the buffer returned by SetEntriesInAcl
    LocalFree(pDacl);

    return dwRes;
}
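To make the effect of the two DACLs above concrete, and to show why an empty DACL (no ACEs) behaves differently from a NULL DACL (no DACL at all), the following is an added example that is not part of the original page or the Windows SDK: a small, portable C model of the DACL walk the system performs at access-check time. The account names, the RIGHT_* bits standing in for GENERIC_* rights, and the check_access and *_allows functions are all constructed for illustration; only the ordering rules (deny ACEs are honoured only for rights not yet granted, and the walk stops once every requested right is granted) are taken from how Windows evaluates a DACL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed right bits standing in for GENERIC_READ/WRITE/EXECUTE/ALL. */
#define RIGHT_READ    0x1u
#define RIGHT_WRITE   0x2u
#define RIGHT_EXECUTE 0x4u
#define RIGHT_ALL     (RIGHT_READ | RIGHT_WRITE | RIGHT_EXECUTE)

typedef enum { ACE_ALLOW, ACE_DENY } AceType;

typedef struct {
    AceType     type;
    const char *trustee;  /* account name; "Everyone" matches every caller */
    uint32_t    mask;     /* rights this ACE allows or denies */
} Ace;

/* present == false models a NULL DACL (no protection at all);
   present == true with count == 0 models the empty DACL SetEmptyDACL installs. */
typedef struct {
    bool       present;
    const Ace *aces;
    size_t     count;
} Dacl;

static bool ace_applies(const Ace *ace, const char *caller)
{
    return strcmp(ace->trustee, "Everyone") == 0 ||
           strcmp(ace->trustee, caller) == 0;
}

/* Model of the DACL walk: ACEs are visited in order. An applicable deny ACE
   covering any still-ungranted requested right ends the check with denial; an
   applicable allow ACE grants its bits; the walk stops as soon as every
   requested right is granted. Rights that no ACE grants are denied. */
bool check_access(const Dacl *dacl, const char *caller, uint32_t requested)
{
    if (!dacl->present)   /* NULL DACL: no ACL at all, everyone gets everything */
        return true;

    uint32_t remaining = requested;
    for (size_t i = 0; i < dacl->count && remaining != 0; i++) {
        const Ace *ace = &dacl->aces[i];
        if (!ace_applies(ace, caller))
            continue;
        if (ace->type == ACE_DENY) {
            if (ace->mask & remaining)
                return false;
        } else {
            remaining &= ~ace->mask;
        }
    }
    return remaining == 0;
}

/* The DACL SetEmptyDACL builds: present, but with no ACEs. */
bool empty_dacl_allows(const char *caller, uint32_t requested)
{
    Dacl d = { true, NULL, 0 };
    return check_access(&d, caller, requested);
}

/* A NULL DACL, for contrast: what passing a NULL pDacl would install. */
bool null_dacl_allows(const char *caller, uint32_t requested)
{
    Dacl d = { false, NULL, 0 };
    return check_access(&d, caller, requested);
}

/* The DACL the second example builds: one access-denied ACE for "ludwig" and
   nothing else, so no other trustee is granted anything either. */
bool deny_ludwig_dacl_allows(const char *caller, uint32_t requested)
{
    static const Ace aces[] = { { ACE_DENY, "ludwig", RIGHT_ALL } };
    Dacl d = { true, aces, sizeof aces / sizeof aces[0] };
    return check_access(&d, caller, requested);
}

/* Why canonical order matters: the same two ACEs with the deny ACE first, as
   SetEntriesInAcl orders them, versus with the allow ACE first. */
bool ordered_dacl_allows(bool deny_first, const char *caller, uint32_t requested)
{
    static const Ace canonical[] = { { ACE_DENY,  "ludwig",   RIGHT_WRITE },
                                     { ACE_ALLOW, "Everyone", RIGHT_ALL   } };
    static const Ace reversed[]  = { { ACE_ALLOW, "Everyone", RIGHT_ALL   },
                                     { ACE_DENY,  "ludwig",   RIGHT_WRITE } };
    Dacl d = { true, deny_first ? canonical : reversed, 2 };
    return check_access(&d, caller, requested);
}

int main(void)
{
    printf("empty DACL, ludwig read : %d\n", empty_dacl_allows("ludwig", RIGHT_READ));
    printf("NULL DACL,  ludwig read : %d\n", null_dacl_allows("ludwig", RIGHT_READ));
    printf("deny-ACE DACL, alice read: %d\n", deny_ludwig_dacl_allows("alice", RIGHT_READ));
    printf("canonical, ludwig write : %d\n", ordered_dacl_allows(true, "ludwig", RIGHT_WRITE));
    printf("reversed,  ludwig write : %d\n", ordered_dacl_allows(false, "ludwig", RIGHT_WRITE));
    return 0;
}
```

Two points the model makes visible: the empty DACL denies every trustee because nothing grants anything, whereas a NULL DACL grants everyone everything; and because both examples pass NULL as the existing ACL to SetEntriesInAcl and then replace the object's DACL, the single deny ACE in the second example leaves every other trustee without an allow ACE as well. The model deliberately omits the owner's implicit READ_CONTROL and WRITE_DAC rights, privileges such as backup, and group membership in the caller's token, all of which the real access check also consults.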