A support function, GetScopedPolicySid, locates the first non-inherit-only scoped policy ACE in the ACL passed in, if one is present, and returns the SID it contains. If one is not present, then NULL is returned.
Only the SID of the first non-inherit-only scoped policy ACE is returned and enforced, but inherit-only scoped policy ACEs are allowed to be present in the ACL, as they may be inherited and applied to child objects.
SID GetScopedPolicySid(
    ACL Sacl
)
--
-- On entry
--   Sacl is the Sacl from the security descriptor used for Access Check.
--
FOR EACH ACE in Sacl DO
    IF ACE.Type is SYSTEM_SCOPED_POLICY_ID_ACE THEN
        IF ACE.AceFlags does not contain INHERIT_ONLY_ACE flag THEN
            Return ACE.Sid
        END IF
    END IF
END FOR
Return NULL
END-SUBROUTINE
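The following is an added example, not part of the specification text: a Python port of GetScopedPolicySid that walks a binary SACL (ACL header, then ACE headers) and returns the SID of the first SYSTEM_SCOPED_POLICY_ID_ACE that is not inherit-only. The ACE type value 0x13, the INHERIT_ONLY_ACE flag 0x08 and the ACE/SID wire layout are the standard Windows encodings; the SACL contents, the builder helpers and the S-1-17-* SIDs are constructed sample data for this example.

```python
import struct

SYSTEM_AUDIT_ACE_TYPE = 0x02             # ordinary audit ACE, used as a distractor below
SYSTEM_SCOPED_POLICY_ID_ACE_TYPE = 0x13  # scoped policy (CAP) ACE type
INHERIT_ONLY_ACE = 0x08                  # ACE flag: applies to children only

def sid_to_string(data, offset):
    """Decode a binary SID at `offset` into S-R-I-S... form."""
    rev, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def get_scoped_policy_sid(sacl):
    """Port of GetScopedPolicySid: SID of the first non-inherit-only scoped
    policy ACE in the SACL, or None if there is no such ACE."""
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (8 bytes)
    _rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sacl, 0)
    offset = 8
    for _ in range(ace_count):
        # ACE header: AceType, AceFlags, AceSize (4 bytes)
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sacl, offset)
        if ace_type == SYSTEM_SCOPED_POLICY_ID_ACE_TYPE and not ace_flags & INHERIT_ONLY_ACE:
            # SYSTEM_SCOPED_POLICY_ID_ACE: Header(4) + Mask(4) + SidStart
            return sid_to_string(sacl, offset + 8)
        offset += ace_size  # inherit-only and non-CAP ACEs are skipped, not rejected
    return None

# --- constructed sample SACLs (helpers build the binary layout) ---
def build_sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(ace_type, flags, sid, mask=0):
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body

# Audit ACE first, then an inherit-only CAP ACE, then the effective CAP ACE.
SAMPLE_SACL = build_acl([
    build_ace(SYSTEM_AUDIT_ACE_TYPE, 0, build_sid(1, 0), mask=0x1F01FF),
    build_ace(SYSTEM_SCOPED_POLICY_ID_ACE_TYPE, INHERIT_ONLY_ACE, build_sid(17, 100)),
    build_ace(SYSTEM_SCOPED_POLICY_ID_ACE_TYPE, 0, build_sid(17, 200)),
])
# Only an inherit-only CAP ACE: nothing is enforced on this object itself.
SACL_INHERIT_ONLY = build_acl([
    build_ace(SYSTEM_SCOPED_POLICY_ID_ACE_TYPE, INHERIT_ONLY_ACE, build_sid(17, 100)),
])
```

Running `get_scoped_policy_sid(SAMPLE_SACL)` yields `S-1-17-200`, skipping both the audit ACE and the inherit-only CAP ACE, while `SACL_INHERIT_ONLY` yields `None`.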