MORE INFORMATION

The Visual Basic code samples from the Microsoft Download Center link in this article use the User1, User2, and User3 user accounts, and the Group1 group account to demonstrate how local or domain accounts can be specified by the caller to add them to a new or existing DACL of any securable object.

The CreateObjectSecurityDescriptor function in the sample code is used to create a new security descriptor that can be used for the SECURITY_ATTRIBUTES parameter when you create any securable object.

The UpdatePermissionsOfKernelObject function in the sample code uses the GetKernelObjectSecurity() and SetKernelObjectSecurity() functions to modify an existing DACL of any kernel object. UpdatePermissionsOfFolder is used to call this helper function to modify permissions on an NTFS file or folder (c:\temp\test).

The UpdatePermissionsOfRegistryKey function in the sample code uses the RegGetKeySecurity() and RegSetKeySecurity() functions to modify an existing DACL of a registry key. UpdatePermissionsOfHKLM is used to call this helper function to modify permissions on a SOFTWARE\TEST registry key under HKEY_LOCAL_MACHINE.

The UpdatePermissionsOfShare function in the sample code uses NetShareGetInfo() and NetShareSetInfo() functions at level 502 to modify an existing DACL of a shared resource. UpdatePermissionsOfTestShare is used to call this helper function to modify permissions on a "TestShare" shared printer or shared folder resource.

The UpdatePermissionsOfUserObject function in the sample code uses the GetUserObjectSecurity() and SetUserObjectSecurity() functions to modify an existing DACL of any user object. UpdatePermissionsOfDesktop is used to call this helper function to modify permissions of the "Default" desktop in the current window station.

The UpdatePermissionsOfPrinter function in the sample code uses the GetPrinter() and SetPrinter() functions at level 3 to modify an existing DACL of a printer. UpdatePermissionsOfTestPrinter is used to call this helper function to modify permissions of the "TestPrinter" printer.

The following file is available for download from the Microsoft Download Center:

Release Date: June-11-2002

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. The Visual Basic sample code from the preceding Download Center link uses the following generic structure to represent the permissions for a user or group account

Public Type AccountPerm
    AccountName As String
    AccessMask As Long
    AceFlags As Byte
    AceType As Byte
    pSid As Long
    SidPassedByCaller As Boolean
End Type
                

where AccountName is any user or group account name, and AccessMask is any of the generic or object-specific access masks. All the access mask constants for any securable object are defined in the sample code. AceFlags and AceType structure members have the same values as documented in the ACE_HEADER data structure in the Microsoft Platform SDK.

As demonstrated in some of the code samples available through the preceding link, the caller can specify an array of AccountPerm structures to either construct a new security descriptor or add to an existing security descriptor of any securable object. If the caller wants to pass a well known SID, the caller can allocate the SID by using the AllocateAndInitializeSid() function and then specify it in the pSid structure member, with SidPassedByCaller set to True.

For more information about well known SIDs, click the following article number to view the article in the Microsoft Knowledge Base: