Whenever an attempt is being made to access a Windows NT-secured object, NT internally calls a function called AccessCheck, which compares the user’s access token with the access rights contained in the requested object’s SD. This either succeeds or fails. In the case of failure, the function that made the access request returns an ERROR_ACCESS_DENIED error (traditionally called an error #5, but always use the constant).
In the same way, server applications need to call AccessCheck whenever and wherever access to a server-application–protected object is being attempted. If you leave even one place in your code where the server can access an object on behalf of a client without calling AccessCheck (and heeding the results!), your server application’s security can be compromised, so be careful. It greatly simplifies your implementation if you can make all access to a server-application–protected object occur in the same (one) place in your code.
A similar function, called PrivilegeCheck, is useful for checking for required privileges. Also, before calling the checking functions, you may need to create a rights mask containing the appropriate bits set for the requested access rights.