Platform SDK: Access Control |
The AddAccessDeniedAce function adds an access-denied ACE to an ACL. The access is denied to a specified SID.
To control whether the new ACE can be inherited by child objects, use the AddAccessDeniedAceEx function.
BOOL AddAccessDeniedAce( PACL pAcl, // access control list DWORD dwAceRevision, // ACL revision level DWORD AccessMask, // access mask PSID pSid // security identifier );
Windows NT 4.0 and earlier: This value must be ACL_REVISION.
Windows 2000: This value can be ACL_REVISION or ACL_REVISION_DS. Use ACL_REVISION_DS if the ACL contains object-specific ACEs.
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError. The following are possible error values.
Error value | Description |
---|---|
ERROR_ALLOTTED_SPACE_EXCEEDED | The new ACE does not fit into the ACL. A larger ACL buffer is required. |
ERROR_INVALID_ACL | The specified ACL is not properly formed. |
ERROR_INVALID_SID | The specified SID is not structurally valid. |
ERROR_REVISION_MISMATCH | The specified revision is not known or is incompatible with that of the ACL. |
ERROR_SUCCESS | The ACE was successfully added. |
An ACE is an access-control entry. An ACL is an access-control list. A SID is a security identifier.
The AddAccessAllowedAce and AddAccessDeniedAce functions add a new ACE to the end of the list of ACEs for the ACL. These functions do not automatically place the new ACE in the proper canonical order. It is the caller's responsibility to ensure that the ACL is in canonical order by adding ACEs in the proper sequence. For Windows NT versions 4.0 and earlier, the canonical order for a DACL places all access-denied ACEs before any access-allowed ACEs.
The ACE_HEADER structure placed in the ACE by the AddAccessDeniedAce function specifies a type and size, but provides no ACE flags.
Windows NT/2000: Requires Windows NT 3.1 or later.
Header: Declared in Winbase.h; include Windows.h.
Library: Use Advapi32.lib.
Low-Level Access-Control Overview, Low-Level Access Control Functions, ACCESS_DENIED_ACE, ACE_HEADER, ACL, AddAccessAllowedAce, AddAccessDeniedAceEx, AddAce, AddAuditAccessAce, DeleteAce, GetAce