Platform SDK: Access Control

AddAccessDeniedAceEx

The AddAccessDeniedAceEx function adds an access-denied ACE to the end of a DACL. 

BOOL AddAccessDeniedAceEx(
  PACL pAcl,            // ACL
  DWORD dwAceRevision,  // ACL revision level
  DWORD AceFlags,       // ACE inheritance flags
  DWORD AccessMask,     // access mask for new ACE
  PSID pSid             // trustee SID for new ACE
);

Parameters

pAcl
[in/out] Pointer to a DACL. The AddAccessDeniedAceEx function adds an access-denied ACE to the end of this DACL. The ACE is in the form of an ACCESS_DENIED_ACE structure.
dwAceRevision
[in] Specifies the revision level of the DACL being modified. This value can be ACL_REVISION or ACL_REVISION_DS. Use ACL_REVISION_DS if the DACL contains object-specific ACEs.
AceFlags
[in] A set of bit flags that control ACE inheritance. The function sets these flags in the AceFlags member of the ACE_HEADER structure of the new ACE. This parameter can be a combination of the following values.
Value Meaning
CONTAINER_INHERIT_ACE The ACE is inherited by container objects.
INHERIT_ONLY_ACE The ACE does not apply to the object to which the ACL is assigned, but it can be inherited by child objects.
INHERITED_ACE Indicates an inherited ACE. This flag allows operations that change the security on a tree of objects to modify inherited ACEs, while not changing ACEs that were directly applied to the object.
NO_PROPAGATE_INHERIT_ACE The OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE bits are not propagated to an inherited ACE.
OBJECT_INHERIT_ACE The ACE is inherited by noncontainer objects.

AccessMask
[in] A set of bit flags that use the ACCESS_MASK format to specify the access rights that the new ACE denies to the specified SID.
pSid
[in] Pointer to a SID structure that identifies the user, group, or logon session to which the new ACE denies access.

Return Values

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError. The following are possible error values.

Error value Description
ERROR_ALLOTTED_SPACE_EXCEEDED The new ACE does not fit into the ACL. A larger ACL buffer is required.
ERROR_INVALID_ACL The specified ACL is not properly formed.
ERROR_INVALID_FLAGS The AceFlags parameter is invalid.
ERROR_INVALID_SID The specified SID is not structurally valid.
ERROR_REVISION_MISMATCH The specified revision is not known or is incompatible with that of the ACL.
ERROR_SUCCESS The ACE was successfully added.

Remarks

Although the AddAccessDeniedAceEx function adds the new ACE to the end of the DACL, access-denied ACEs should appear at the beginning of a DACL. The caller must ensure that ACEs are added to the DACL in the correct order. For more information, see Order of ACEs in a DACL.

Requirements

  Windows NT/2000: Requires Windows 2000.
  Header: Declared in Winbase.h; include Windows.h.
  Library: Use Advapi32.lib.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Functions, ACCESS_DENIED_ACE, ACE_HEADER, ACL, AddAccessAllowedAceEx, AddAuditAccessAceEx

Built on Tuesday, February 08, 2000