Security Descriptor Operations

The Windows API provides functions for getting and setting the components of the security descriptor associated with a securable object. Use the GetSecurityInfo and GetNamedSecurityInfo functions to retrieve a pointer to an object's security descriptor. These functions can also retrieve pointers to the individual components of the security descriptor: DACL, SACL, owner SID, and primary group SID. Use the SetSecurityInfo and SetNamedSecurityInfo functions to set the components of an object's security descriptor.

In general, you should use GetSecurityInfo and SetSecurityInfo with objects identified by a handle, and SetNamedSecurityInfo and GetNamedSecurityInfo with objects identified by a name. For more information about the specific functions to use when working with the various types of objects, see Securable Objects.

The Windows API provides additional functions for manipulating the components of a security descriptor. For information about working with access control lists (DACLs or SACLs), see Getting Information from an ACL and Creating or Modifying an ACL. For information about SIDs, see Security Identifiers (SIDs).

To get the control information in a security descriptor, call the GetSecurityDescriptorControl function. To set the control bits that relate to automatic ACE inheritance, call the SetSecurityDescriptorControl function. Other control bits are set by the various functions that set a security descriptor component. For example, if you use SetSecurityInfo to change an object's DACL, the function sets or clears the bits as appropriate to indicate whether the security descriptor has a DACL, whether it is a default DACL, and so on. Another example is the resource manager (RM) control bits contained in the security descriptor. These bits are used according to the implementation of the resource manager, and are accessed through the GetSecurityDescriptorRMControl and SetSecurityDescriptorRMControl functions.
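The following C program, added here as an example and not part of the original documentation, shows the two steps described above: fetching an object's security descriptor by name with GetNamedSecurityInfo and reading its control bits with GetSecurityDescriptorControl, then interpreting the DACL-related bits (present, defaulted, protected from inheritance) in the way an auditor of object permissions would. The decoder is portable so it can be built and exercised on any platform; the Windows-specific lookup is compiled only under `_WIN32`. The file path `C:\Windows\notepad.exe` is a constructed sample input, and the helper names (`dacl_needs_review`, `describe_control`, `get_file_control`) are this example's own, not Windows API names. On Windows, link against advapi32.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#else
/* Off Windows, define just enough to build and run the decoder (same type as winnt.h's WORD). */
typedef unsigned short SECURITY_DESCRIPTOR_CONTROL;
#endif

/* Control-bit values as defined in winnt.h; guarded so windows.h's own macros are used on Windows. */
#ifndef SE_DACL_PRESENT
#define SE_OWNER_DEFAULTED       0x0001
#define SE_GROUP_DEFAULTED       0x0002
#define SE_DACL_PRESENT          0x0004
#define SE_DACL_DEFAULTED        0x0008
#define SE_SACL_PRESENT          0x0010
#define SE_SACL_DEFAULTED        0x0020
#define SE_DACL_AUTO_INHERIT_REQ 0x0100
#define SE_SACL_AUTO_INHERIT_REQ 0x0200
#define SE_DACL_AUTO_INHERITED   0x0400
#define SE_SACL_AUTO_INHERITED   0x0800
#define SE_DACL_PROTECTED        0x1000
#define SE_SACL_PROTECTED        0x2000
#define SE_RM_CONTROL_VALID      0x4000
#define SE_SELF_RELATIVE         0x8000
#endif

static const struct { unsigned bit; const char *name; } kControlBits[] = {
    { SE_OWNER_DEFAULTED, "SE_OWNER_DEFAULTED" },   { SE_GROUP_DEFAULTED, "SE_GROUP_DEFAULTED" },
    { SE_DACL_PRESENT, "SE_DACL_PRESENT" },         { SE_DACL_DEFAULTED, "SE_DACL_DEFAULTED" },
    { SE_SACL_PRESENT, "SE_SACL_PRESENT" },         { SE_SACL_DEFAULTED, "SE_SACL_DEFAULTED" },
    { SE_DACL_AUTO_INHERIT_REQ, "SE_DACL_AUTO_INHERIT_REQ" },
    { SE_SACL_AUTO_INHERIT_REQ, "SE_SACL_AUTO_INHERIT_REQ" },
    { SE_DACL_AUTO_INHERITED, "SE_DACL_AUTO_INHERITED" },
    { SE_SACL_AUTO_INHERITED, "SE_SACL_AUTO_INHERITED" },
    { SE_DACL_PROTECTED, "SE_DACL_PROTECTED" },     { SE_SACL_PROTECTED, "SE_SACL_PROTECTED" },
    { SE_RM_CONTROL_VALID, "SE_RM_CONTROL_VALID" }, { SE_SELF_RELATIVE, "SE_SELF_RELATIVE" },
};
#define NUM_CONTROL_BITS (sizeof kControlBits / sizeof kControlBits[0])

/* Map one control bit to its winnt.h name, or "UNKNOWN" for a bit this table does not know. */
const char *control_flag_name(unsigned bit)
{
    for (size_t i = 0; i < NUM_CONTROL_BITS; i++)
        if (kControlBits[i].bit == bit) return kControlBits[i].name;
    return "UNKNOWN";
}

/* Write the names of all set bits into out, '|'-separated (truncating if out is too small);
   returns the number of known bits that are set regardless of truncation. */
int describe_control(SECURITY_DESCRIPTOR_CONTROL control, char *out, size_t outlen)
{
    int n = 0;
    size_t used = 0;
    if (outlen) out[0] = '\0';
    for (size_t i = 0; i < NUM_CONTROL_BITS; i++) {
        if (!(control & kControlBits[i].bit)) continue;
        if (used < outlen) {
            int w = snprintf(out + used, outlen - used, "%s%s", n ? "|" : "", kControlBits[i].name);
            if (w > 0) used += (size_t)w;
        }
        n++;
    }
    return n;
}

/* No DACL at all (SE_DACL_PRESENT clear) means a NULL DACL, which grants everyone full access;
   a defaulted DACL (SE_DACL_DEFAULTED) was not set deliberately. Both deserve a closer look. */
bool dacl_needs_review(SECURITY_DESCRIPTOR_CONTROL control)
{
    return !(control & SE_DACL_PRESENT) || (control & SE_DACL_DEFAULTED);
}

/* SE_DACL_PROTECTED: inheritable ACEs from the parent object are not propagated into this DACL. */
bool dacl_blocks_inheritance(SECURITY_DESCRIPTOR_CONTROL control)
{
    return (control & SE_DACL_PROTECTED) != 0;
}

#ifdef _WIN32
/* Fetch a file's security descriptor by name and return its control bits through *control.
   Returns a Win32 error code (ERROR_SUCCESS on success). */
DWORD get_file_control(const wchar_t *path, SECURITY_DESCRIPTOR_CONTROL *control)
{
    PSECURITY_DESCRIPTOR sd = NULL;
    PACL dacl = NULL;
    DWORD revision = 0;
    DWORD err = GetNamedSecurityInfoW(path, SE_FILE_OBJECT,
                                      OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
                                      NULL, NULL, &dacl, NULL, &sd);
    if (err != ERROR_SUCCESS) return err;
    /* sd is self-relative and contains the DACL; only sd itself must be freed. */
    if (!GetSecurityDescriptorControl(sd, control, &revision)) err = GetLastError();
    LocalFree(sd);
    return err;
}
#endif

int main(void)
{
    char buf[256];
#ifdef _WIN32
    SECURITY_DESCRIPTOR_CONTROL control = 0;
    const wchar_t *path = L"C:\\Windows\\notepad.exe";  /* constructed sample path */
    DWORD err = get_file_control(path, &control);
    if (err != ERROR_SUCCESS) { fprintf(stderr, "GetNamedSecurityInfoW failed: %lu\n", err); return 1; }
#else
    /* Constructed sample: a typical self-relative file descriptor whose DACL was inherited. */
    SECURITY_DESCRIPTOR_CONTROL control = SE_DACL_PRESENT | SE_DACL_AUTO_INHERITED | SE_SELF_RELATIVE;
#endif
    describe_control(control, buf, sizeof buf);
    printf("control=0x%04x (%s)\n", (unsigned)control, buf);
    printf("DACL needs review: %s\n", dacl_needs_review(control) ? "yes" : "no");
    printf("DACL blocks inheritance: %s\n", dacl_blocks_inheritance(control) ? "yes" : "no");
    return 0;
}
```

To change the protection or inheritance state of a real object, the documented route is the setter side of the same pair (SetNamedSecurityInfo with the corresponding SECURITY_INFORMATION flags) rather than editing the bits of a retrieved descriptor in place; the decoder above is only for reading and reporting what the object currently has.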