Low-Level Security Descriptor Creation

Low-level access control provides a set of functions for creating a security descriptor and for getting and setting its components. The low-level functions for initializing and setting the components of a security descriptor work only with absolute-format security descriptors. The low-level functions for getting the components of a security descriptor work with both absolute and self-relative security descriptors.

The InitializeSecurityDescriptor function initializes a SECURITY_DESCRIPTOR buffer. The initialized security descriptor is in absolute format and has no owner, primary group, discretionary access-control list (DACL), or system access-control list (SACL). You can use the following low-level functions to get or set specific components of a specified security descriptor.

Function                      Description
----------------------------  ---------------------------------------------------------------------------------
GetSecurityDescriptorControl  Retrieves revision and control information from a security descriptor.
GetSecurityDescriptorDacl     Gets the DACL from a security descriptor.
GetSecurityDescriptorGroup    Retrieves the primary group security identifier (SID) from a security descriptor.
GetSecurityDescriptorLength   Returns the length of a security descriptor.
GetSecurityDescriptorOwner    Retrieves the owner SID from a security descriptor.
GetSecurityDescriptorSacl     Gets the SACL from a security descriptor.
SetSecurityDescriptorDacl     Puts a DACL into a security descriptor, superseding any existing DACL.
SetSecurityDescriptorGroup    Sets the primary group SID of a security descriptor.
SetSecurityDescriptorOwner    Sets the owner SID of a security descriptor.
SetSecurityDescriptorSacl     Puts a SACL into a security descriptor, superseding any existing SACL.

To check the revision level and structural integrity of a security descriptor, call the IsValidSecurityDescriptor function.
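The following is an added example, not code from the original page or from Microsoft. It is a portable Python model of what the get functions and a revision and bounds check report for a self-relative descriptor held as raw bytes, for instance one exported for offline review. It goes beyond the page by decoding the self-relative byte layout documented in [MS-DTYP]. It does not call the Win32 functions, all function and variable names are assumptions, and the sample descriptor is constructed.

```python
import struct

# Constants and layout: self-relative SECURITY_DESCRIPTOR as documented in [MS-DTYP].
SECURITY_DESCRIPTOR_REVISION = 1
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
HEADER = struct.Struct("<BBHIIII")  # Revision, Sbz1, Control, 4 offsets

def parse_sid(buf, off):
    """Return the SID at offset `off` as an S-1-... string; ValueError if malformed."""
    if off + 8 > len(buf):
        raise ValueError("SID header runs past end of buffer")
    rev, count = buf[off], buf[off + 1]
    if rev != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("bad SID revision, sub-authority count, or length")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_self_relative_sd(buf):
    """Decode the header; raise ValueError on a failed revision or bounds check."""
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than the descriptor header")
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = HEADER.unpack_from(buf)
    if rev != SECURITY_DESCRIPTOR_REVISION:
        raise ValueError("unknown revision %d" % rev)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("absolute format: fields are pointers, not offsets")
    for name, off in (("owner", o_owner), ("group", o_group),
                      ("SACL", o_sacl), ("DACL", o_dacl)):
        if off and not HEADER.size <= off < len(buf):
            raise ValueError("%s offset %d out of bounds" % (name, off))
    dacl_present = bool(control & SE_DACL_PRESENT)
    return {
        "control": control,
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "dacl_present": dacl_present,
        "sacl_present": bool(control & SE_SACL_PRESENT),
        # DACL flagged present but no DACL stored: a NULL DACL (no restrictions).
        "null_dacl": dacl_present and o_dacl == 0,
    }

# Constructed sample: owner S-1-5-32-544, group S-1-5-18, NULL DACL, no SACL.
OWNER = bytes([1, 2]) + (5).to_bytes(6, "big") + struct.pack("<II", 32, 544)
GROUP = bytes([1, 1]) + (5).to_bytes(6, "big") + struct.pack("<I", 18)
SAMPLE_SD = HEADER.pack(1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                        HEADER.size, HEADER.size + len(OWNER), 0, 0) + OWNER + GROUP

if __name__ == "__main__":
    print(parse_self_relative_sd(SAMPLE_SD))
```

The `null_dacl` field marks a descriptor whose control bits say a DACL is present while none is stored, which places no access restrictions on the object and is worth flagging during review.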