Platform SDK: Access Control

Trustees

A trustee is the user account, group account, or logon session to which an ACE applies. Each ACE in an ACL has one SID that identifies a trustee. User accounts include accounts that human users or programs such as Win32 services use to log on to the local computer. Group accounts cannot be used to log on to a computer, but are useful in ACEs to allow or deny a set of access rights to one or more user accounts. A logon SID that identifies the current logon session is useful to allow or deny access rights only until the user logs off.

The access-control functions for Windows NT version 4.0 and later use the TRUSTEE structure to identify a trustee. This structure enables you to use a name string or a SID to identify a trustee. If you use a name, the Win32 functions that create an ACE from the TRUSTEE structure perform the task of allocating the SID buffers and looking up the SID that corresponds to the account name. There are two helper functions, BuildTrusteeWithSid and BuildTrusteeWithName, that initialize a TRUSTEE structure with a specified SID or name. BuildTrusteeWithObjectsAndSid and BuildTrusteeWithObjectsAndName allow you to initialize a TRUSTEE structure with object-specific ACE information. Three other helper functions, GetTrusteeForm, GetTrusteeName, and GetTrusteeType, retrieve the values of the various members of a TRUSTEE structure.

Windows 2000: The ptstrName member of the TRUSTEE structure can be a pointer to an OBJECTS_AND_NAME or OBJECTS_AND_SID structure. These structures specify information about an object-specific ACE in addition to a trustee name or SID. This enables functions such as SetEntriesInAcl and GetExplicitEntriesFromAcl to store object-specific ACE information in the Trustee member of the EXPLICIT_ACCESS structure.
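The name-versus-SID distinction above, as an added example that is not part of the SDK text: PowerShell using the .NET System.Security.AccessControl classes in place of the C TRUSTEE structure and the BuildTrusteeWith*/SetEntriesInAcl functions. It assumes a Windows host on which BUILTIN\Users exists; a logon SID is not shown because .NET does not expose the token's logon SID directly.

```powershell
# Added example, not from the Platform SDK page. The .NET classes stand in for the
# TRUSTEE structure: a trustee may be supplied as a name or as a SID, a name is resolved
# to a SID before the ACE is built, and every stored ACE identifies its trustee by SID alone.
using namespace System.Security.Principal
using namespace System.Security.AccessControl

function New-TrusteeDacl {
    # Trustee 1: the current user account, already a SID (what BuildTrusteeWithSid takes).
    $userSid = [WindowsIdentity]::GetCurrent().User

    # Trustee 2: a group given by name. Translate() does the lookup that SetEntriesInAcl
    # performs for a TRUSTEE_IS_NAME trustee; it throws if the account does not exist.
    $usersSid = [NTAccount]::new('BUILTIN', 'Users').Translate([SecurityIdentifier])

    # Trustee 3: a group given directly as a well-known SID (Everyone, S-1-1-0).
    $everyoneSid = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)

    $dacl = [DiscretionaryAcl]::new($false, $false, 3)   # not a container, not a DS object
    $none = [InheritanceFlags]::None; $noProp = [PropagationFlags]::None

    # Deny write to the whole Everyone group; DiscretionaryAcl keeps deny ACEs ahead of allow ACEs.
    $dacl.AddAccess([AccessControlType]::Deny,  $everyoneSid, [int][FileSystemRights]::Write,          $none, $noProp)
    # Allow read to a set of user accounts through their group membership.
    $dacl.AddAccess([AccessControlType]::Allow, $usersSid,    [int][FileSystemRights]::ReadAndExecute, $none, $noProp)
    # Allow full control to a single user account.
    $dacl.AddAccess([AccessControlType]::Allow, $userSid,     [int][FileSystemRights]::FullControl,    $none, $noProp)
    return $dacl
}

function Show-Trustees([DiscretionaryAcl]$dacl) {
    foreach ($ace in $dacl) {
        # Whichever form the trustee was supplied in, the ACE holds only a SID; map it back
        # to an account name here the way LookupAccountSid would (orphaned SIDs stay unresolved).
        $sid = $ace.SecurityIdentifier
        try { $name = $sid.Translate([NTAccount]).Value } catch { $name = '<unresolved>' }
        '{0,-14} {1,-46} mask=0x{2:X8} {3}' -f $ace.AceType, $sid.Value, $ace.AccessMask, $name
    }
    # The SDDL form shows the stored trustees too, abbreviated as WD (Everyone) and BU (Users).
    $sd = [CommonSecurityDescriptor]::new($false, $false, [ControlFlags]::DiscretionaryAclPresent,
                                          $null, $null, $null, $dacl)
    $sd.GetSddlForm([AccessControlSections]::Access)
}

Show-Trustees (New-TrusteeDacl)
```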