Access Control Reference

The Win32 API provides two sets of functions for working with security descriptors and access-control lists (ACLs).

• Functions for Windows NT version 4.0 and later that provide an interface for working with security descriptors and access-control lists (ACLs). For Windows 2000, these functions have been enhanced to support object-specific ACEs, directory service (DS) objects, and automatic inheritance. These functions are described in this overview.
• Low-level functions for manipulating security descriptors, ACLs, and ACEs. You must use these functions if your application needs to be compatible with Windows NT versions 3.51 and earlier. Windows 2000 provides additional low-level functions for working with object-specific ACEs. For more information, see Low-Level Access Control.

Windows 2000 support both sets. In general, you should use one set of access-control functions throughout your application.

All versions of Windows NT/Windows 2000 support a single set of security functions for working with privileges, access tokens, and SIDs.

The following elements are used with access control.

• Access Control Functions
• Access Control Structures
• Access Control Enumeration Types
• Windows NT Privileges