Platform SDK: Access Control

The following functions are used with access tokens.

| Function | Description |
|---|---|
| AdjustTokenGroups | Changes the group information in an access token. |
| AdjustTokenPrivileges | Enables or disables the privileges in an access token. It does not grant new privileges or revoke existing ones. |
| CheckTokenMembership | Determines whether a specified SID is enabled in a specified access token. |
| CreateRestrictedToken | Creates a new token that is a restricted version of an existing token. The restricted token can have disabled SIDs, deleted privileges, and a list of restricting SIDs. |
| DuplicateToken | Creates a new impersonation token that duplicates an existing token. |
| DuplicateTokenEx | Creates a new primary token or impersonation token that duplicates an existing token. |
| GetTokenInformation | Retrieves information about a token. |
| IsTokenRestricted | Determines whether a token has a list of restricting SIDs. |
| OpenProcessToken | Retrieves a handle to the primary access token for a process. |
| OpenThreadToken | Retrieves a handle to the impersonation access token for a thread. |
| SetThreadToken | Assigns or removes an impersonation token for a thread. |
| SetTokenInformation | Changes a token's owner, primary group, or default DACL. |

The following functions are used with privileges.

| Function | Description |
|---|---|
| AllocateLocallyUniqueId | Allocates a locally unique identifier (LUID). |
| LookupPrivilegeDisplayName | Retrieves a displayable name representing a specified privilege. |
| LookupPrivilegeName | Retrieves the name corresponding to the privilege represented on a specific system by a specified LUID. |
| LookupPrivilegeValue | Retrieves the LUID used on a specified system to locally represent the specified privilege name. |

The following functions are used with security identifiers (SIDs).

| Function | Description |
|---|---|
| AllocateAndInitializeSid | Allocates and initializes a SID with the specified number of subauthorities. |
| ConvertSidToStringSid | Converts a SID to a string format suitable for display, storage, or transport. |
| ConvertStringSidToSid | Converts a string-format SID to a valid, functional SID. |
| CopySid | Copies a source SID to a buffer. |
| EqualPrefixSid | Tests two SID prefix values for equality. A SID prefix is the entire SID except for the last subauthority value. |
| EqualSid | Tests two SIDs for equality. They must match exactly to be considered equal. |
| FreeSid | Frees a SID previously allocated by using the AllocateAndInitializeSid function. |
| GetLengthSid | Retrieves the length of a SID. |
| GetSidIdentifierAuthority | Retrieves a pointer to a SID's identifier authority. |
| GetSidLengthRequired | Retrieves the size of the buffer required to store a SID with a specified number of subauthorities. |
| GetSidSubAuthority | Retrieves a pointer to a specified subauthority in a SID. |
| GetSidSubAuthorityCount | Retrieves the number of subauthorities in a SID. |
| InitializeSid | Initializes a SID structure. |
| IsValidSid | Tests the validity of a SID by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum. |
| LookupAccountName | Retrieves the SID corresponding to a specified account name. |
| LookupAccountSid | Retrieves the account name corresponding to a specified SID. |

The following functions are used with security descriptors.

| Function | Description |
|---|---|
| ConvertSecurityDescriptorToStringSecurityDescriptor | Converts a security descriptor to a string format. |
| ConvertStringSecurityDescriptorToSecurityDescriptor | Converts a string-format security descriptor into a valid, functional security descriptor. |
| GetNamedSecurityInfo | Retrieves a copy of the security descriptor for an object specified by name. |
| GetSecurityDescriptorControl | Retrieves a security descriptor's control and revision information. |
| GetSecurityDescriptorRMControl | Retrieves the resource manager control bits. |
| GetSecurityInfo | Retrieves a copy of the security descriptor for an object specified by a handle. |
| SetNamedSecurityInfo | Sets specified security information in the security descriptor of a specified object. |
| SetSecurityDescriptorControl | Sets the control bits of a security descriptor. |
| SetSecurityDescriptorRMControl | Sets the resource manager control bits. |
| SetSecurityInfo | Sets specified security information in the security descriptor of a specified object. |

The following functions are used to manipulate access-control lists.

| Function | Description |
|---|---|
| BuildExplicitAccessWithName | Initializes an EXPLICIT_ACCESS structure. |
| BuildTrusteeWithName | Initializes a TRUSTEE structure. The caller specifies the trustee name. |
| BuildTrusteeWithObjectsAndName | Initializes a TRUSTEE structure with the specified object-specific ACE information. |
| BuildTrusteeWithObjectsAndSid | Initializes a TRUSTEE structure with the specified object-specific ACE information. |
| BuildTrusteeWithSid | Initializes a TRUSTEE structure. The caller specifies the security identifier of the trustee. |
| GetAuditedPermissionsFromAcl | Retrieves the audited access rights for a specified trustee. |
| GetEffectiveRightsFromAcl | Retrieves the effective access rights that an ACL grants to a specified trustee. |
| GetExplicitEntriesFromAcl | Retrieves an array of structures that describe the ACEs in an ACL. |
| GetTrusteeForm | Retrieves the trustee form from a TRUSTEE structure. |
| GetTrusteeName | Retrieves the trustee name from a TRUSTEE structure. |
| GetTrusteeType | Retrieves the trustee type from a TRUSTEE structure. |
| SetEntriesInAcl | Creates a new ACL by merging new access-control or audit-control information into an existing ACL. |

The following access-control functions are obsolete. Do not use them.

BuildImpersonateExplicitAccessWithName
BuildImpersonateTrustee
GetMultipleTrustee
GetMultipleTrusteeOperation