Platform SDK: Access Control |
The AddAccessDeniedObjectAce function adds an access-denied ACE to the end of a DACL. The new ACE can deny access to an object, or to a property set or property on an object. You can also use AddAccessDeniedObjectAce to add an ACE that only a specified type of child object can inherit.
BOOL AddAccessDeniedObjectAce( PACL pAcl, // ACL DWORD dwAceRevision, // ACL revision level DWORD AceFlags, // ACE inheritance flags DWORD AccessMask, // access mask for new ACE GUID *ObjectTypeGuid, // object protected by ACE GUID *InheritedObjectTypeGuid, // objects inheriting ACE PSID pSid // trustee SID for ACE );
Value | Meaning |
---|---|
CONTAINER_INHERIT_ACE | The ACE is inherited by container objects. |
INHERIT_ONLY_ACE | The ACE does not apply to the object to which the ACL is assigned, but it can be inherited by child objects. |
INHERITED_ACE | Indicates an inherited ACE. This flag allows operations that change the security on a tree of objects to modify inherited ACEs, while not changing ACEs that were directly applied to the object. |
NO_PROPAGATE_INHERIT_ACE | The OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE bits are not propagated to an inherited ACE. |
OBJECT_INHERIT_ACE | The ACE is inherited by noncontainer objects. |
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError. The following are possible error values.
Error value | Description |
---|---|
ERROR_ALLOTTED_SPACE_EXCEEDED | The new ACE does not fit into the ACL. A larger ACL buffer is required. |
ERROR_INVALID_ACL | The specified ACL is not properly formed. |
ERROR_INVALID_FLAGS | The AceFlags parameter is invalid. |
ERROR_INVALID_SID | The specified SID is not structurally valid. |
ERROR_REVISION_MISMATCH | The specified revision is not known or is incompatible with that of the ACL. |
ERROR_SUCCESS | The ACE was successfully added. |
If both ObjectTypeGuid and InheritedObjectTypeGuid are NULL, use the AddAccessDeniedAceEx function rather than AddAccessDeniedObjectAce. This is suggested because an ACCESS_DENIED_ACE is smaller and more efficient than an ACCESS_DENIED_OBJECT_ACE.
Although the AddAccessDeniedObjectAce function adds the new ACE to the end of the ACL, access-denied ACEs should appear at the beginning of an ACL. The caller must ensure that ACEs are added to the DACL in the correct order. For more information, see Order of ACEs in a DACL.
Windows NT/2000: Requires Windows 2000.
Header: Declared in Winbase.h; include Windows.h.
Library: Use Advapi32.lib.
Low-Level Access-Control Overview, Low-Level Access Control Functions, ACCESS_DENIED_ACE, ACCESS_DENIED_OBJECT_ACE, ACE_HEADER, ACL, AddAccessAllowedObjectAce, AddAccessDeniedAceEx, AddAuditAccessObjectAce