Do It Right
Adding multiple ACEs for the same user or group is easier programmatically, but it presents multiple problems. First, it's just plain ugly. Second, there is a limit to the number of ACEs in an ACL, currently 1,820 (see the MSDN article, "Maximum Number of ACEs in an ACL," Q166348). Third, any program that reads the ACEs must combine and decode the combined security rights, either using your own code or GetEffectiveRightsFromACL. There is an API alternative, SetEntriesInAcl, but it works only with NT 4.0/SP3 and later (see MSDN article Q168574). However, it produces occasional undesirable results even if you have SP3. So, the only real alternative is to find the duplicated user/group SID in the DACL, merge the rights in both the current and new ACE, and write the merged security information back into the DACL.