GetPrivateObjectSecurity function (securitybaseapi.h)

The GetPrivateObjectSecurity function retrieves information from a private object's security descriptor.


BOOL GetPrivateObjectSecurity(
  [in]            PSECURITY_DESCRIPTOR ObjectDescriptor,
  [in]            SECURITY_INFORMATION SecurityInformation,
  [out, optional] PSECURITY_DESCRIPTOR ResultantDescriptor,
  [in]            DWORD                DescriptorLength,
  [out]           PDWORD               ReturnLength
);


[in] ObjectDescriptor

A pointer to a SECURITY_DESCRIPTOR structure. This is the security descriptor to be queried.

[in] SecurityInformation

A set of bit flags that indicate the parts of the security descriptor to retrieve. This parameter can be a combination of the SECURITY_INFORMATION bit flags.

[out, optional] ResultantDescriptor

A pointer to a buffer that receives a copy of the requested information from the specified security descriptor. The SECURITY_DESCRIPTOR structure is returned in self-relative format.

[in] DescriptorLength

Specifies the size, in bytes, of the buffer pointed to by the ResultantDescriptor parameter.

[out] ReturnLength

A pointer to a variable the function sets to zero if the descriptor is copied successfully. If the buffer is too small for the security descriptor, this variable receives the number of bytes required. If this variable's value is greater than the value of the DescriptorLength parameter when the function returns, the function returns FALSE and none of the security descriptor is copied to the buffer.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.


This function is intended for use by resource managers only. To implement the standard access control semantics for updating security descriptors, a resource manager should verify that the following conditions are met before calling GetPrivateObjectSecurity:

  • If the object's owner is being set, the calling process must have either WRITE_OWNER permission or be the object's owner.
  • If the object's discretionary access control list is being set, the calling process must have either WRITE_DAC permission or be the object's owner.
  • If the object's system access control list is being set, the SE_SECURITY_NAME privilege must be enabled for the calling process.
If the preceding conditions are not met, a call to this function does not fail; however, standard access policy is not enforced.


Requirement               Value
Minimum supported client  Windows XP [desktop apps only]
Minimum supported server  Windows Server 2003 [desktop apps only]
Target Platform           Windows
Header                    securitybaseapi.h (include Windows.h)
Library                   Advapi32.lib
DLL                       Advapi32.dll

See also

Client/Server Access Control Functions

Client/Server Access Control Overview