ACCESS_DENIED_OBJECT_ACE

[This is preliminary documentation and subject to change.]

The ACCESS_DENIED_OBJECT_ACE structure defines an access-control entry (ACE). The ACE can control access to an object, or to a subobject of an object, such as a property set or property. The ACE contains a set of access rights, a GUID that identifies the type of object or subobject, and a SID that identifies the trustee to whom the system will deny access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.

typedef struct _ACCESS_DENIED_OBJECT_ACE {
    ACE_HEADER Header;
    ACCESS_MASK Mask;
    DWORD Flags;
    GUID ObjectType;
    GUID InheritedObjectType;
    DWORD SidStart;
} ACCESS_DENIED_OBJECT_ACE, *PACCESS_DENIED_OBJECT_ACE;
 

Members

Header

An ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child objects.

Mask

An ACCESS_MASK that specifies the access rights the system will deny to the trustee. This mask must use the Windows NT access mask format, not the provider-independent access-mask format.

Flags

A set of bit flags that indicate whether the ObjectType and InheritedObjectType members contain GUIDs. This parameter can be a combination of the following values. Set all undefined bits to zero.

Value	Meaning
ACE_OBJECT_TYPE_PRESENT
	The ObjectType member contains a GUID.
ACE_INHERITED_OBJECT_TYPE_PRESENT
	The InheritedObjectType member contains a GUID.

ObjectType

A GUID structure that identifies the type of object, property set, or property protected by the ACE. If this ACE is inherited, the GUID identifies the type of object, property set, or property protected by the inherited ACE.

If the ACE_OBJECT_TYPE_PRESENT bit is not set in the Flags member, the ObjectType member is ignored and the ACE protects the object to which the ACL is assigned.

InheritedObjectType

A GUID structure that identifies the type of object that can inherit the ACE.

If the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is not set in the Flags member, the InheritedObjectType member is ignored and all types of child objects can inherit the ACE. Otherwise, only the specified object type can inherit the ACE. In either case, inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects.

SidStart

Specifies the first DWORD of a SID that identifies the trustee for whom the access rights are denied.

Remarks

If neither the ObjectType nor InheritedObjectType GUID is specified, the ACCESS_DENIED_OBJECT_ACE structure has the same semantics as those used by the ACCESS_DENIED_ACE structure. In that case, use the ACCESS_DENIED_ACE structure because it is smaller and more efficient.

An ACL that contains an ACCESS_DENIED_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACE_HEADER structure.

QuickInfo

  Windows NT: Requires version 5.0 or later.
  Windows: Unsupported.
  Windows CE: Unsupported.
  Header: Declared in winnt.h.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Structures, ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_ACE, ACCESS_MASK, ACE_HEADER, ACL, AddAccessAllowedObjectAce, GUID, SID, SYSTEM_AUDIT_OBJECT_ACE