Expand Minimize

CreatePrivateObjectSecurity function

The CreatePrivateObjectSecurity function allocates and initializes a self-relative security descriptor for a new private object. A protected server calls this function when it creates a new private object.

To specify the object type GUID of the new object or control how access control entries (ACEs) are inherited, use the CreatePrivateObjectSecurityEx function.

Syntax


BOOL WINAPI CreatePrivateObjectSecurity(
  _In_opt_  PSECURITY_DESCRIPTOR ParentDescriptor,
  _In_opt_  PSECURITY_DESCRIPTOR CreatorDescriptor,
  _Out_     PSECURITY_DESCRIPTOR *NewDescriptor,
  _In_      BOOL IsDirectoryObject,
  _In_opt_  HANDLE Token,
  _In_      PGENERIC_MAPPING GenericMapping
);

Parameters

ParentDescriptor [in, optional]

A pointer to the security descriptor for the parent directory in which a new object is being created. If there is no parent directory, this parameter can be NULL.

CreatorDescriptor [in, optional]

A pointer to a security descriptor provided by the creator of the object. If the object's creator does not explicitly pass security information for the new object, this parameter is intended to be NULL.

NewDescriptor [out]

A pointer to a variable that receives a pointer to the newly allocated self-relative security descriptor. The caller must call the DestroyPrivateObjectSecurity function to free this security descriptor.

IsDirectoryObject [in]

Specifies whether the new object is a container. A value of TRUE indicates the object contains other objects, such as a directory.

Token [in, optional]

A handle to the access token for the client process on whose behalf the object is being created. If this is an impersonation token, it must be at SecurityIdentification level or higher. For a full description of the SecurityIdentification impersonation level, see the SECURITY_IMPERSONATION_LEVEL enumerated type.

A client token is used to retrieve default security information for the new object, such as its default owner, primary group, and discretionary access control list. The token must be open for TOKEN_QUERY access.

If all of the following conditions are true, then the handle must be opened for TOKEN_DUPLICATE access in addition to TOKEN_QUERY access.

  • The token handle refers to a primary token.
  • The security descriptor of the token contains one or more ACEs with the OwnerRights SID.
  • A security descriptor is specified for the CreatorDescriptor parameter.
  • The caller of this function does not set the SEF_AVOID_OWNER_RESTRICTION flag in the AutoInheritFlags parameter.
GenericMapping [in]

A pointer to a GENERIC_MAPPING structure that specifies the mapping from each generic right to specific rights for the object.

Return value

If the function succeeds, the function returns nonzero.

If the function fails, it returns zero. To get extended error information, call GetLastError.

Remarks

If a system access control list (SACL) is specified in the SECURITY_DESCRIPTOR specified by the CreatorDescriptor parameter, the Token parameter must have the SE_SECURITY_NAME privilege enabled. The CreatePrivateObjectSecurity function checks this privilege and may generate audits during the process.

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Winbase.h (include Windows.h)

Library

Advapi32.lib

DLL

Advapi32.dll

See also

Client/Server Access Control Overview
Client/Server Access Control Functions
CreatePrivateObjectSecurityEx
DestroyPrivateObjectSecurity
GENERIC_MAPPING
GetPrivateObjectSecurity
GetTokenInformation
OpenProcessToken
SECURITY_DESCRIPTOR
SECURITY_IMPERSONATION_LEVEL
SetPrivateObjectSecurity

 

 

Community Additions

ADD
Show:
© 2014 Microsoft