Platform SDK: Access Control

GetUserObjectSecurity

The GetUserObjectSecurity function retrieves security information for the specified user object.

BOOL GetUserObjectSecurity(
  HANDLE hObj,                        // handle to user object
  PSECURITY_INFORMATION pSIRequested, // request
  PSECURITY_DESCRIPTOR pSD,           // SD
  DWORD nLength,                      // size of SD
  LPDWORD lpnLengthNeeded             // required buffer size
);

Parameters

hObj
[in] Handle to the user object for which to return security information.
pSIRequested
[in] Pointer to a SECURITY_INFORMATION value specifying the security information being requested.
pSD
[in/out] Pointer to a SECURITY_DESCRIPTOR structure in self-relative format that contains the requested information when the function returns.

Windows 2000: This buffer must be aligned on a 4-byte boundary.

nLength
[in] Specifies the length, in bytes, of the buffer pointed to by the pSD parameter.
lpnLengthNeeded
[out] Pointer to a variable receiving the number of bytes required to store the complete security descriptor. If this variable's value is greater than the value of the nLength parameter when the function returns, the function returns FALSE and none of the security descriptor is copied to the buffer. Otherwise, the entire security descriptor is copied.

Return Values

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

To read the owner, group, or DACL from the user object's security descriptor, the calling process must have been granted READ_CONTROL access when the handle was opened. To get READ_CONTROL access, the caller must be the owner of the object or the object's DACL must grant the access.

To read the SACL from the security descriptor, the calling process must have been granted ACCESS_SYSTEM_SECURITY access when the handle was opened. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.
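The buffer-size contract described under lpnLengthNeeded leads to a two-call pattern: query the required size, allocate, then call again. The sketch below is an added example, not SDK sample code. The helper name query_user_object_sd is hypothetical, and the non-Windows branch is a constructed stand-in that only mimics the documented contract so the sizing logic can be compiled and exercised off Windows.

```c
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-in for non-Windows builds (not the real API). It follows
   the contract on this page: if the buffer is too small, report the needed
   size, copy nothing, and return FALSE. */
typedef int BOOL; typedef unsigned int DWORD; typedef void *HANDLE;
typedef DWORD SECURITY_INFORMATION; typedef void *PSECURITY_DESCRIPTOR;
#define TRUE 1
#define FALSE 0
#define DACL_SECURITY_INFORMATION 0x00000004U
static const unsigned char fake_sd[40] = {1}; /* constructed bytes, not a real SD */
static BOOL GetUserObjectSecurity(HANDLE h, SECURITY_INFORMATION *si,
                                  PSECURITY_DESCRIPTOR sd, DWORD n, DWORD *needed)
{
    (void)h; (void)si;
    *needed = (DWORD)sizeof fake_sd;
    if (n < sizeof fake_sd) return FALSE;
    memcpy(sd, fake_sd, sizeof fake_sd);
    return TRUE;
}
#endif

/* Hypothetical helper: returns a malloc'd self-relative SD (caller frees) or
   NULL on failure. *len receives the size of the returned buffer in bytes. */
PSECURITY_DESCRIPTOR query_user_object_sd(HANDLE hObj, SECURITY_INFORMATION si, DWORD *len)
{
    DWORD needed = 0;
    PSECURITY_DESCRIPTOR sd = NULL;
    *len = 0;
    /* Size query with an empty buffer: expected to fail and set needed. */
    if (GetUserObjectSecurity(hObj, &si, NULL, 0, &needed) || needed == 0)
        return NULL;                      /* needed == 0: failed for another reason */
    for (int tries = 0; tries < 3; tries++) {   /* the SD may grow between calls */
        DWORD have = needed;
        void *p = realloc(sd, have);      /* heap alignment satisfies the 4-byte rule */
        if (!p) break;
        sd = p;
        if (GetUserObjectSecurity(hObj, &si, sd, have, &needed)) {
            *len = have;
            return sd;
        }
        if (needed <= have) break;        /* not a size problem, e.g. access denied */
    }
    free(sd);
    return NULL;
}
```

On Windows, pass a window station or desktop handle that was opened with READ_CONTROL, and call GetLastError when the helper returns NULL.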

Requirements

  Windows NT/2000: Requires Windows NT 3.1 or later.
  Header: Declared in Winuser.h; include Windows.h.
  Library: Use User32.lib.

See Also

Low-Level Access-Control Overview, Low-Level Access Control Functions, CreatePrivateObjectSecurity, GetKernelObjectSecurity, GetPrivateObjectSecurity, SECURITY_DESCRIPTOR, SECURITY_INFORMATION, SetUserObjectSecurity