RtlSetGroupSecurityDescriptor function (ntifs.h)

The RtlSetGroupSecurityDescriptor routine sets the primary group information of an absolute-format security descriptor. It replaces any primary group information that is already present in the security descriptor.


NTSYSAPI NTSTATUS RtlSetGroupSecurityDescriptor(
  [in, out]      PSECURITY_DESCRIPTOR SecurityDescriptor,
  [in, optional] PSID                 Group,
  [in, optional] BOOLEAN              GroupDefaulted
);


[in, out] SecurityDescriptor

Pointer to the SECURITY_DESCRIPTOR structure whose primary group is to be set. RtlSetGroupSecurityDescriptor replaces any existing primary group with the new primary group.

[in, optional] Group

Pointer to a security identifier (SID) structure for the security descriptor's new primary group. This pointer, not the SID structure itself, is copied into the security descriptor, so the SID must remain valid for as long as the security descriptor is in use. If Group is NULL, RtlSetGroupSecurityDescriptor clears the security descriptor's primary group information. This marks the security descriptor as having no primary group.

[in, optional] GroupDefaulted

Set this Boolean variable to TRUE if the primary group information is derived from a default mechanism. If this parameter is TRUE, RtlSetGroupSecurityDescriptor sets the SE_GROUP_DEFAULTED flag in the security descriptor's SECURITY_DESCRIPTOR_CONTROL field. If this parameter is FALSE, RtlSetGroupSecurityDescriptor clears the SE_GROUP_DEFAULTED flag.

Return value

RtlSetGroupSecurityDescriptor returns STATUS_SUCCESS if the primary group was successfully set or reset. Otherwise, it returns an appropriate NTSTATUS value such as one of the following:

Return code Description
STATUS_INVALID_SECURITY_DESCR The given security descriptor is not a valid absolute security descriptor. STATUS_INVALID_SECURITY_DESCR is an error code.
STATUS_UNKNOWN_REVISION The given security descriptor's revision is not recognized by this routine. STATUS_UNKNOWN_REVISION is an error code.
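
The following added example is not from the original documentation and is not the routine's implementation. It is a simplified user-space model of the behavior described above (pointer stored rather than copied, SE_GROUP_DEFAULTED set or cleared, the two error returns), showing why the SID passed as Group must live as long as the descriptor. All model_ and MODEL_ names and the SID bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-space model only: every model_/MODEL_ name here is hypothetical. */
#define MODEL_SD_REVISION                   1
#define MODEL_SE_GROUP_DEFAULTED            0x0002u /* SE_GROUP_DEFAULTED */
#define MODEL_SE_SELF_RELATIVE              0x8000u /* SE_SELF_RELATIVE */
#define MODEL_STATUS_SUCCESS                0x00000000u
#define MODEL_STATUS_UNKNOWN_REVISION       0xC0000058u
#define MODEL_STATUS_INVALID_SECURITY_DESCR 0xC0000079u

typedef struct { uint8_t bytes[16]; } model_sid;   /* stand-in for a SID */
typedef struct {
    uint8_t          revision;
    uint16_t         control;
    const model_sid *group;   /* pointer only, as in an absolute descriptor */
} model_sd;

/* Mirrors the documented behavior: store the pointer, update the flag. */
uint32_t model_set_group(model_sd *sd, const model_sid *group, int defaulted)
{
    if (sd->revision != MODEL_SD_REVISION) return MODEL_STATUS_UNKNOWN_REVISION;
    if (sd->control & MODEL_SE_SELF_RELATIVE) return MODEL_STATUS_INVALID_SECURITY_DESCR;
    sd->group = group;        /* NULL marks the descriptor as having no group */
    if (defaulted) sd->control |= MODEL_SE_GROUP_DEFAULTED;
    else           sd->control &= (uint16_t)~MODEL_SE_GROUP_DEFAULTED;
    return MODEL_STATUS_SUCCESS;
}

/* Safe pattern: descriptor and its group SID share one lifetime. */
typedef struct { model_sd sd; model_sid group_storage; } model_owned_sd;

uint32_t model_set_group_owned(model_owned_sd *o, const model_sid *src, int defaulted)
{
    o->group_storage = *src;  /* private copy, independent of caller's buffer */
    return model_set_group(&o->sd, &o->group_storage, defaulted);
}

/* Returns 1 if the descriptor's group is intact after the caller reuses
   the buffer that held the SID, 0 if the descriptor now sees other bytes. */
int model_group_survives_reuse(int use_owned_copy)
{
    model_sid caller = {{1, 2, 3, 4}};              /* constructed sample */
    model_sid expected = caller;
    model_owned_sd o = { { MODEL_SD_REVISION, 0, NULL }, { {0} } };
    if (use_owned_copy) model_set_group_owned(&o, &caller, 0);
    else                model_set_group(&o.sd, &caller, 0);
    memset(&caller, 0xAA, sizeof caller);           /* caller reuses buffer */
    return memcmp(o.sd.group, &expected, sizeof expected) == 0;
}

int main(void) { return model_group_survives_reuse(1) ? 0 : 1; }
```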


To retrieve the primary group information for a security descriptor, use RtlGetGroupSecurityDescriptor.

To set the owner information for a security descriptor, use RtlSetOwnerSecurityDescriptor.

For more information about security and access control, see the Microsoft Windows SDK documentation.


Requirement Value
Minimum supported client Windows Server 2003 SP1
Target Platform Universal
Header ntifs.h (include Ntifs.h)
Library NtosKrnl.lib
DLL NtosKrnl.exe (kernel mode); Ntdll.dll (user mode)
