| Function | Description |
|---|---|
| AccessCheck | Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. |
| AccessCheckByType | Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. The function can check the client's access to a hierarchy of objects, such as an object, its property sets, and properties. The function grants or denies access to the hierarchy as a whole. |
| AccessCheckByTypeResultList | Determines whether a security descriptor grants a specified set of access rights to the client identified by an access token. The function can check the client's access to a hierarchy of objects, such as an object, its property sets, and properties. The function reports the access rights granted or denied to each object type in the hierarchy. |
| AdjustTokenGroups | Changes the group information in an access token. |
| AdjustTokenPrivileges | Enables or disables the privileges in an access token. It does not grant new privileges or revoke existing ones. |
| AllocateAndInitializeSid | Allocates and initializes a security identifier (SID) with up to eight subauthorities. |
| AllocateLocallyUniqueId | Allocates a locally unique identifier (LUID). |
| AuthzAccessCheck | Determines which access bits can be granted to a client for a given set of security descriptors. |
| AuthzAccessCheckCallback | An application-defined function that handles callback access control entries (ACEs) during an access check. AuthzAccessCheckCallback is a placeholder for the application-defined function name. |
| AuthzAddSidsToContext | Creates a copy of an existing context and appends a given set of security identifiers (SIDs) and restricted SIDs. |
| AuthzCachedAccessCheck | Performs a fast access check based on a cached handle containing the static granted bits from a previous AuthzAccessCheck call. |
| AuthzComputeGroupsCallback | An application-defined function that creates a list of security identifiers (SIDs) that apply to a client. |
| AuthzEnumerateSecurityEventSources | Retrieves the registered security event sources that are not installed by default. |
| AuthzFreeAuditEvent | Frees the structure allocated by the AuthzInitializeObjectAccessAuditEvent function. |
| AuthzFreeContext | Frees all structures and memory associated with the client context. |
| AuthzFreeGroupsCallback | An application-defined function that frees memory allocated by the AuthzComputeGroupsCallback function. AuthzFreeGroupsCallback is a placeholder for the application-defined function name. |
| AuthzFreeHandle | Finds and deletes a handle from the handle list. |
| AuthzFreeResourceManager | Frees a resource manager object. |
| AuthzGetInformationFromContext | Returns information about an Authz context. |
| AuthzInitializeContextFromAuthzContext | Creates a new client context based on an existing client context. |
| AuthzInitializeContextFromSid | Creates a user-mode client context from a user security identifier (SID). |
| AuthzInitializeContextFromToken | Initializes a client authorization context from a kernel token. |
| AuthzInitializeObjectAccessAuditEvent | Initializes auditing for an object. |
| AuthzInitializeObjectAccessAuditEvent2 | Allocates and initializes an AUTHZ_AUDIT_EVENT_HANDLE handle for use with the AuthzAccessCheck function. |
| AuthzInitializeResourceManager | Uses Authz to verify that clients have access to various resources. |
| AuthzInstallSecurityEventSource | Installs the specified source as a security event source. |
| AuthzOpenObjectAudit | Opens an object for auditing. |
| AuthzRegisterSecurityEventSource | Registers a security event source with the Local Security Authority (LSA). |
| AuthzReportSecurityEvent | Generates a security audit for a registered security event source. |
| AuthzReportSecurityEventFromParams | Generates a security audit for a registered security event source by using the specified array of audit parameters. |
| AuthzUninstallSecurityEventSource | Removes the specified source from the list of valid security event sources. |
| AuthzUnregisterSecurityEventSource | Unregisters a security event source with the Local Security Authority (LSA). |
| BuildExplicitAccessWithName | Initializes an EXPLICIT_ACCESS structure with data specified by the caller. The trustee is identified by a name string. |
| BuildImpersonateExplicitAccessWithName | Obsolete. Do not use. |
| BuildImpersonateTrustee | Obsolete. Do not use. |
| BuildTrusteeWithName | Initializes a TRUSTEE structure. The caller specifies the trustee name. The function sets other members of the structure to default values. |
| BuildTrusteeWithObjectsAndName | Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the name of the trustee. |
| BuildTrusteeWithObjectsAndSid | Initializes a TRUSTEE structure with the object-specific access control entry (ACE) information and initializes the remaining members of the structure to default values. The caller also specifies the SID structure that represents the security identifier of the trustee. |
| BuildTrusteeWithSid | Initializes a TRUSTEE structure. The caller specifies the security identifier (SID) of the trustee. The function sets other members of the structure to default values and does not look up the name associated with the SID. |
| CheckTokenMembership | Determines whether a specified security identifier (SID) is enabled in a specified access token. |
| ConvertSecurityDescriptorToStringSecurityDescriptor | Converts a security descriptor to a string format. |
| ConvertSidToStringSid | Converts a security identifier (SID) to a string format suitable for display, storage, or transmission. |
| ConvertStringSecurityDescriptorToSecurityDescriptor | Converts a string-format security descriptor into a valid, functional security descriptor. |
| ConvertStringSidToSid | Converts a string-format security identifier (SID) into a valid, functional SID. |
| CopySid | Copies a security identifier (SID) to a buffer. |
| CreateRestrictedToken | Creates a new access token that is a restricted version of an existing access token. The restricted token can have disabled security identifiers (SIDs), deleted privileges, and a list of restricting SIDs. |
| CreateWellKnownSid | Creates a security identifier (SID) for predefined aliases. |
| DuplicateToken | Creates a new impersonation token that duplicates an existing token. |
| DuplicateTokenEx | Creates a new primary token or impersonation token that duplicates an existing token. |
| EqualDomainSid | Determines whether two security identifiers (SIDs) are from the same domain. |
| EqualPrefixSid | Tests two security-identifier (SID) prefix values for equality. |
| EqualSid | Tests two security identifier (SID) values for equality. |
| FreeSid | Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function. |
| GetAuditedPermissionsFromAcl | Retrieves the audited access rights for a specified trustee. |
| GetEffectiveRightsFromAcl | Retrieves the effective access rights that an ACL structure grants to a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member. |
| GetExplicitEntriesFromAcl | Retrieves an array of structures that describe the access control entries (ACEs) in an access control list (ACL). |
| GetLengthSid | Returns the length, in bytes, of a valid security identifier (SID). |
| GetMultipleTrustee | Obsolete. Do not use. |
| GetMultipleTrusteeOperation | Obsolete. Do not use. |
| GetNamedSecurityInfo | Retrieves a copy of the security descriptor for an object specified by name. |
| GetSecurityDescriptorControl | Retrieves a security descriptor control and revision information. |
| GetSecurityInfo | Retrieves a copy of the security descriptor for an object specified by a handle. |
| GetSidIdentifierAuthority | Returns a pointer to the SID_IDENTIFIER_AUTHORITY structure in a specified security identifier (SID). |
| GetSidLengthRequired | Returns the length, in bytes, of the buffer required to store a SID with a specified number of subauthorities. |
| GetSidSubAuthority | Returns a pointer to a specified subauthority in a security identifier (SID). |
| GetSidSubAuthorityCount | Returns a pointer to the member in a security identifier (SID) structure that contains the subauthority count. |
| GetTokenInformation | Retrieves information about a token. |
| GetTrusteeForm | Retrieves the trustee name from the specified TRUSTEE structure. |
| GetTrusteeName | Retrieves the trustee name from the specified TRUSTEE structure. |
| GetTrusteeType | Retrieves the trustee type from the specified TRUSTEE structure. |
| GetWindowsAccountDomainSid | Receives a security identifier (SID) and returns a SID that represents the domain of that SID. |
| InitializeSid | Initializes a security identifier (SID). |
| IsTokenRestricted | Indicates whether a token contains a list of restricted security identifiers (SIDs). |
| IsValidSid | Validates a security identifier (SID) by verifying that the revision number is within a known range, and that the number of subauthorities is less than the maximum. |
| IsWellKnownSid | Compares a SID to a well-known security identifier (SID) and returns TRUE if they match. |
| LookupAccountName | Accepts the name of a system and an account as input. |
| LookupAccountSid | Accepts a security identifier (SID) as input. |
| LookupPrivilegeDisplayName | Retrieves a display name representing a specified privilege. |
| LookupPrivilegeName | Retrieves the name that corresponds to the privilege represented on a specific system by a specified locally unique identifier (LUID). |
| LookupPrivilegeValue | Retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name. |
| NtCompareTokens | Compares two access tokens and determines whether they are equivalent with respect to a call to the AccessCheck function. |
| OpenProcessToken | Retrieves a handle to the primary access token for a process. |
| OpenThreadToken | Retrieves a handle to the impersonation access token for a thread. |
| QuerySecurityAccessMask | Creates an access mask that represents the access permissions necessary to query the specified object security information. |
| RtlConvertSidToUnicodeString | Converts a security identifier (SID) to its Unicode character representation. |
| RtlSetSaclSecurityDescriptor | Sets the system access control list (SACL) in a specified security descriptor. If the security descriptor already contains a SACL, this function overwrites the existing SACL. |
| SetEntriesInAcl | Creates a new access control list (ACL) by merging new access control or audit control information into an existing ACL structure. |
| SetNamedSecurityInfo | Sets specified security information in the security descriptor of a specified object. |
| SetSecurityAccessMask | Creates an access mask that represents the access permissions necessary to set the specified object security information. |
| SetSecurityDescriptorControl | Sets the control bits of a security descriptor. |
| SetSecurityInfo | Sets specified security information in the security descriptor of a specified object. |
| SetThreadToken | Assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token. |
| SetTokenInformation | Sets various types of information for a specified access token. |
| TreeResetNamedSecurityInfo | Resets specified security information in the security descriptor for a tree of objects. |
| TreeSetNamedSecurityInfo | Sets specified security information in the security descriptor of a specified tree of objects. |

The following functions are used with the access control editor.

The following functions are used by servers to impersonate clients.

The following low-level functions are used to manipulate security descriptors.

| Function | Description |
|---|---|
| AccessCheckAndAuditAlarm | Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. |
| AccessCheckByTypeAndAuditAlarm | Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. The function can check the client's access to a hierarchy of objects, such as an object, its property sets, and properties. The function grants or denies access to the hierarchy as a whole. |
| AccessCheckByTypeResultListAndAuditAlarm | Determines whether a security descriptor grants a specified set of access rights to the client being impersonated by the calling thread. The function can check access to a hierarchy of objects, such as an object, its property sets, and properties. The function reports the access rights granted or denied to each object type in the hierarchy. |
| AccessCheckByTypeResultListAndAuditAlarmByHandle | Determines whether a security descriptor grants a specified set of access rights to the client that the calling thread is impersonating. The difference between this function and AccessCheckByTypeResultListAndAuditAlarm is that this function allows the calling thread to perform the access check before impersonating the client. |
| AddAccessAllowedAce | Adds an access-allowed access control entry (ACE) to an access control list (ACL). |
| AddAccessAllowedAceEx | Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL). |
| AddAccessAllowedObjectAce | Adds an access-allowed access control entry (ACE) to the end of a discretionary access control list (DACL). The new ACE can grant access to an object, or to a property set or property on an object. |
| AddAccessDeniedAce | Adds an access-denied access control entry (ACE) to an access control list (ACL). The access is denied to a specified security identifier (SID). |
| AddAccessDeniedAceEx | Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). |
| AddAccessDeniedObjectAce | Adds an access-denied access control entry (ACE) to the end of a discretionary access control list (DACL). The new ACE can deny access to an object or to a property set or property on an object. |
| AddAce | Adds one or more access control entries (ACEs) to a specified access control list (ACL). |
| AddAuditAccessAce | Adds a system-audit access control entry (ACE) to a system access control list (ACL). The access of a specified security identifier (SID) is audited. |
| AddAuditAccessAceEx | Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL). |
| AddAuditAccessObjectAce | Adds a system-audit access control entry (ACE) to the end of a system access control list (SACL). The new ACE can audit access to an object or to a property set or property on an object. |
| AddMandatoryAce | Adds a SYSTEM_MANDATORY_LABEL_ACE access control entry (ACE) to the specified system access control list (SACL). |
| DeleteAce | Deletes an access control entry (ACE) from an access control list (ACL). |
| FindFirstFreeAce | Retrieves a pointer to the first free byte in an access control list (ACL). |
| FreeInheritedFromArray | Frees memory allocated by the GetInheritanceSource function. |
| GetAce | Obtains a pointer to an access control entry (ACE) in an access control list (ACL). |
| GetAclInformation | Retrieves information about an access control list (ACL). |
| GetFileSecurity | Obtains specified information about the security of a file or directory. |
| GetInheritanceSource | Returns information about the source of inherited access control entries (ACEs) in an access control list (ACL). |
| GetKernelObjectSecurity | Retrieves a copy of the security descriptor protecting a kernel object. |
| GetSecurityDescriptorDacl | Retrieves a pointer to the discretionary access control list (DACL) in a specified security descriptor. |
| GetSecurityDescriptorGroup | Retrieves the primary group information from a security descriptor. |
| GetSecurityDescriptorLength | Returns the length, in bytes, of a structurally valid security descriptor. |
| GetSecurityDescriptorOwner | Retrieves the owner information from a security descriptor. |
| GetSecurityDescriptorSacl | Retrieves a pointer to the system access control list (SACL) in a specified security descriptor. |
| GetUserObjectSecurity | Retrieves security information for the specified user object. |
| InitializeAcl | Initializes a new ACL structure. |
| InitializeSecurityDescriptor | Initializes a new security descriptor. |
| IsValidAcl | Validates an ACL. |
| IsValidSecurityDescriptor | Determines whether the components of a security descriptor are valid. |
| MakeAbsoluteSD | Creates a security descriptor in absolute format by using a security descriptor in self-relative format as a template. |
| MakeSelfRelativeSD | Creates a security descriptor in self-relative format by using a security descriptor in absolute format as a template. |
| NetShareGetInfo | Retrieves information about a particular shared resource on a server. |
| NetShareSetInfo | Sets the parameters of a shared resource. |
| QueryServiceObjectSecurity | Retrieves a copy of the security descriptor associated with a service object. |
| RegGetKeySecurity | Retrieves a copy of the security descriptor protecting the specified open registry key. |
| RegSetKeySecurity | Sets the security of an open registry key. |
| SetAclInformation | Sets information about an ACL. |
| SetFileSecurity | Sets the security of a file or directory object. |
| SetKernelObjectSecurity | Sets the security of a kernel object. For example, this can be a process, thread, or event. |
| SetSecurityDescriptorDacl | Sets information in a DACL. |
| SetSecurityDescriptorGroup | Sets the primary group information of an absolute-format security descriptor, replacing any primary group information already present in the security descriptor. |
| SetSecurityDescriptorOwner | Sets the owner information of an absolute-format security descriptor. |
| SetSecurityDescriptorSacl | Sets information in a system access control list (SACL). |
| SetServiceObjectSecurity | Sets the security descriptor of a service object. |
| SetUserObjectSecurity | Sets the security of a user object. |