Platform SDK: Access Control

GetEffectiveRightsFromAcl

The GetEffectiveRightsFromAcl function retrieves the effective access rights that an ACL grants to a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member.

Windows NT: This function does not currently return group rights. This will be fixed in a later Windows NT Service Pack release.

DWORD GetEffectiveRightsFromAcl(
  PACL pacl,                   // source ACL
  PTRUSTEE pTrustee,           // trustee
  PACCESS_MASK pAccessRights   // trustee's access rights
);

Parameters

pacl
[in] Pointer to an ACL structure from which to get the trustee's effective access rights.
pTrustee
[in] Pointer to a TRUSTEE structure that identifies the trustee. A trustee can be a user, group, or program (such as a Win32 service). You can use a name or a security identifier (SID) to identify a trustee.
pAccessRights
[out] Pointer to an ACCESS_MASK variable that receives the effective access rights of the trustee.

Return Values

If the function succeeds, the return value is ERROR_SUCCESS.

If the function fails, the return value is a nonzero error code defined in Winerror.h.

Remarks

GetEffectiveRightsFromAcl checks all access-allowed and access-denied ACEs in the ACL to determine the effective rights for the trustee. For all ACEs that allow or deny rights to a group, GetEffectiveRightsFromAcl enumerates the members of the group to determine whether the trustee is a member. The function returns an error if it cannot enumerate the members of a group.

A trustee's group rights are enumerated by GetEffectiveRightsFromAcl on the local machine, even if the trustee is accessing objects on a remote machine. This function does not evaluate group rights on remote machines.

GetEffectiveRightsFromAcl does not take into account implicitly granted access rights, namely READ_CONTROL and WRITE_DAC, for the owner of an object when determining effective rights.

GetEffectiveRightsFromAcl does not take privileges held by the trustee into account when determining effective access rights.

GetEffectiveRightsFromAcl does not take into account group rights associated with the logon session, such as interactive, network, authenticated users, etc., in determining effective access rights.

GetEffectiveRightsFromAcl does not take into account resource manager policy when determining effective access rights. For example, for file objects, Delete and Read attributes can be provided by the parent even if they have been denied on the object.
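
Two of the gaps listed above, the owner's implicit READ_CONTROL and WRITE_DAC and the logon-session groups, are shown here as an added example that is not part of the original SDK page. It is a simplified, portable model of an ordered ACE walk, not the Windows implementation, and it does not call GetEffectiveRightsFromAcl; the trustee names, the sample ACL and the helper functions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits; values match winnt.h. */
#define FILE_READ_DATA  0x00000001u
#define FILE_WRITE_DATA 0x00000002u
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u

/* Simplified ACE (assumption: names stand in for SIDs). */
typedef struct { int allow; const char *trustee; uint32_t mask; } model_ace;

/* Constructed sample DACL, in evaluation order. */
static const model_ace sample_acl[] = {
    { 0, "INTERACTIVE", FILE_WRITE_DATA },                  /* deny  */
    { 1, "alice",       FILE_READ_DATA | FILE_WRITE_DATA }, /* allow */
    { 1, "Staff",       FILE_READ_DATA },                   /* allow */
};
#define N_ACES (sizeof sample_acl / sizeof sample_acl[0])

/* Ordered walk: the first matching ACE to mention a bit decides it. */
static uint32_t walk(const char *const *ids, size_t n_ids) {
    uint32_t granted = 0, denied = 0;
    for (size_t i = 0; i < N_ACES; i++) {
        int match = 0;
        for (size_t j = 0; j < n_ids; j++)
            if (strcmp(sample_acl[i].trustee, ids[j]) == 0) match = 1;
        if (!match) continue;
        if (sample_acl[i].allow) granted |= sample_acl[i].mask & ~denied;
        else                     denied  |= sample_acl[i].mask & ~granted;
    }
    return granted;
}

/* Trustee plus its group memberships only: the view the Remarks describe. */
uint32_t acl_only_view(void) {
    static const char *const ids[] = { "alice", "Staff" };
    return walk(ids, 2);
}

/* Adds the logon-session group and the owner's implicit rights. */
uint32_t session_view(int is_owner) {
    static const char *const ids[] = { "alice", "Staff", "INTERACTIVE" };
    uint32_t r = walk(ids, 3);
    return is_owner ? (r | READ_CONTROL | WRITE_DAC) : r;
}

int main(void) {
    printf("ACL-only 0x%08x, session+owner 0x%08x\n",
           (unsigned)acl_only_view(), (unsigned)session_view(1));
    return 0;
}
```

In this model the ACL-only answer reports write access that an interactive logon would be denied and omits the two rights the owner holds implicitly, so a permissions audit should not treat that answer as the access a live session actually gets.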

Requirements

  Windows NT/2000: Requires Windows NT 4.0 or later.
  Header: Declared in Aclapi.h.
  Library: Use Advapi32.lib.
  Unicode: Implemented as Unicode and ANSI versions on Windows NT/2000.

See Also

Access Control Overview, Access Control Functions, ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE, ACCESS_MASK, ACE, ACL, GetAuditedPermissionsFromAcl, SID, TRUSTEE