These examples use the SetEntriesInAcl function to create an ACL. Then they use the SetNamedSecurityInfo function to attach the ACL as the DACL of an object. Note that these examples can work with a variety of named securable objects, such as files, registry keys, and synchronization objects.
The first example shows how to attach an empty DACL to an object's security descriptor. An empty DACL (a DACL with no ACEs) denies all access to the object; do not confuse it with a NULL DACL, which grants everyone full access. Two caveats apply. The object's owner is implicitly granted READ_CONTROL and WRITE_DAC, so the owner can still read and replace the DACL. And because the call passes only DACL_SECURITY_INFORMATION, SetNamedSecurityInfo propagates inheritable ACEs from the parent container onto the object after the new DACL is applied; the DACL stays empty only if you also pass PROTECTED_DACL_SECURITY_INFORMATION.
#include <windows.h>
#include <aclapi.h>

DWORD SetEmptyDACL(LPTSTR lpObjectName, SE_OBJECT_TYPE ObjectType)
{
    DWORD dwRes;
    PACL pDacl = NULL;

    if (NULL == lpObjectName)
        return ERROR_INVALID_PARAMETER;

    // create an ACL with no ACEs (an empty DACL, not a NULL DACL)
    dwRes = SetEntriesInAcl(0, NULL, NULL, &pDacl);
    if (ERROR_SUCCESS != dwRes)
        return dwRes;

    // attach the empty ACL as the object's DACL; owner, group and SACL are
    // left unchanged because only DACL_SECURITY_INFORMATION is requested
    dwRes = SetNamedSecurityInfo(lpObjectName, ObjectType,
                                 DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pDacl, NULL);

    // free the buffer returned by SetEntriesInAcl
    LocalFree(pDacl);
    return dwRes;
}
You can modify this example to deny access to a specified trustee. The following variation uses the BuildExplicitAccessWithName function to fill an EXPLICIT_ACCESS structure with the data for an access-denied ACE, then uses SetEntriesInAcl and SetNamedSecurityInfo to create the ACL and attach it to the object. Because SetEntriesInAcl is passed NULL for the existing ACL, the new DACL contains only this one ACE, and every explicit ACE the object had before is discarded. To keep them, retrieve the current DACL with GetNamedSecurityInfo and pass it as the OldAcl argument; SetEntriesInAcl merges the entries and places the access-denied ACE ahead of the access-allowed ACEs, as canonical ACE order requires.
#include <windows.h>
#include <aclapi.h>

DWORD DenyTrusteeAccess(LPTSTR lpObjectName, SE_OBJECT_TYPE ObjectType,
                        LPTSTR lpTrusteeName)
{
    DWORD dwRes;
    PACL pDacl = NULL;
    EXPLICIT_ACCESS ea;

    if (NULL == lpObjectName || NULL == lpTrusteeName)
        return ERROR_INVALID_PARAMETER;

    // initialize an EXPLICIT_ACCESS structure to deny access
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    BuildExplicitAccessWithName(&ea,
                                lpTrusteeName,   // name of trustee, e.g. TEXT("ludwig")
                                GENERIC_ALL,     // type of access
                                DENY_ACCESS,     // access mode
                                NO_INHERITANCE); // inheritance mode

    // create an ACL with one access-denied ACE; the NULL old ACL means
    // nothing from the object's current DACL is merged in
    dwRes = SetEntriesInAcl(1, &ea, NULL, &pDacl);
    if (ERROR_SUCCESS != dwRes)
        return dwRes;

    // attach the ACL as the object's DACL
    dwRes = SetNamedSecurityInfo(lpObjectName, ObjectType,
                                 DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pDacl, NULL);

    // free the buffer returned by SetEntriesInAcl
    LocalFree(pDacl);
    return dwRes;
}

// example call (C++): deny the user "ludwig" all access to the file "myfile"
//   TCHAR szObject[]  = TEXT("myfile");
//   TCHAR szTrustee[] = TEXT("ludwig");
//   DWORD dwResult = DenyTrusteeAccess(szObject, SE_FILE_OBJECT, szTrustee);
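The two operations above (attach an empty DACL, then attach a DACL carrying one access-denied ACE) as an added PowerShell example that is not part of the original page. It goes through the .NET FileSecurity object that Get-Acl returns rather than the Win32 functions, so it can be run from an ordinary prompt against a test file to see the behaviour described, including the inheritance and merge caveats. The file path, the trustee name 'ludwig' and the assumption that the caller owns the file are illustrative assumptions.

```powershell
# Added example, not code from the original page. Path and trustee are assumptions.

function Set-EmptyDacl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # SDDL "D:P" is a protected DACL with no ACEs: every access check fails.
    # This differs from a NULL DACL (no "D:" section at all), which lets
    # everyone in. The P flag corresponds to PROTECTED_DACL_SECURITY_INFORMATION;
    # without it the parent directory's inheritable ACEs would be re-applied
    # and the DACL would not stay empty. Only the DACL section is marked as
    # modified, so owner, group and SACL are left alone, as in the C++ sample.
    $acl.SetSecurityDescriptorSddlForm('D:P',
        [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Add-DenyAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Trustee   # 'ludwig' or 'DOMAIN\ludwig' (assumed account)
    )

    # The same fields BuildExplicitAccessWithName fills in: trustee,
    # access mask (GENERIC_ALL -> FullControl), access mode
    # (DENY_ACCESS -> Deny) and inheritance (NO_INHERITANCE -> None/None).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Trustee,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    # AddAccessRule merges into the existing DACL and keeps deny ACEs ahead of
    # allow ACEs. That is the counterpart of passing the current DACL as OldAcl
    # to SetEntriesInAcl; the C++ sample passes NULL there and so replaces the
    # whole DACL with the single deny ACE.
    [void]$acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage against a throwaway file (assumed path; the caller must own the file,
# since the owner keeps implicit READ_CONTROL and WRITE_DAC even with an empty DACL).
$target = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -LiteralPath $target -Value 'demo'

Set-EmptyDacl -Path $target
(Get-Acl -LiteralPath $target).Sddl      # DACL section reads "D:P", no ACEs listed

Add-DenyAce -Path $target -Trustee 'ludwig'
(Get-Acl -LiteralPath $target).Access |
    Where-Object AccessControlType -eq 'Deny' |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

Set-Acl throws an IdentityNotMappedException if the trustee name cannot be resolved to a SID, which is the PowerShell-visible form of the failure BuildExplicitAccessWithName defers to SetEntriesInAcl in the C++ version. If you run Set-EmptyDacl as a non-owner, the subsequent Get-Acl fails with access denied, which is the expected effect of an empty DACL.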