The ACCESS_DENIED_OBJECT_ACE structure defines an access control entry (ACE) that controls denied access to an object, a property set, or property. The ACE contains a set of access rights, a GUID that identifies the type of object, and a security identifier (SID) that identifies the trustee to whom the system will deny access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.
```c
typedef struct _ACCESS_DENIED_OBJECT_ACE {
  ACE_HEADER  Header;
  ACCESS_MASK Mask;
  DWORD       Flags;
  GUID        ObjectType;
  GUID        InheritedObjectType;
  DWORD       SidStart;
} ACCESS_DENIED_OBJECT_ACE, *PACCESS_DENIED_OBJECT_ACE;
```
Header
ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child objects. The AceType member of the ACE_HEADER structure should be set to ACCESS_DENIED_OBJECT_ACE_TYPE, and the AceSize member should be set to the total number of bytes allocated for the ACCESS_DENIED_OBJECT_ACE structure.
Mask
An ACCESS_MASK that specifies the access rights the system will deny to the trustee.
Flags
A set of bit flags that indicate whether the ObjectType and InheritedObjectType members are present. This parameter can be one or more of the following values.
ObjectType
This member exists only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, the InheritedObjectType member follows immediately after the Flags member.
If this member exists, it is a GUID structure that identifies a property set, property, extended right, or type of child object. The purpose of this GUID depends on the access rights specified in the Mask member.
InheritedObjectType
This member exists only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member.
If this member exists, it is a GUID structure that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects.
The offset of this member can vary. If the Flags member does not contain the ACE_OBJECT_TYPE_PRESENT flag, the InheritedObjectType member starts at the offset specified by the ObjectType member.
SidStart
Specifies the first DWORD of a SID that identifies the trustee for whom the access rights are denied. The remaining bytes of the SID are stored in contiguous memory after the SidStart member. This SID can be appended with application data.
The offset of this member can vary. If the Flags member is zero, the SidStart member starts at the offset specified by the ObjectType member. If Flags contains only one flag (either ACE_OBJECT_TYPE_PRESENT or ACE_INHERITED_OBJECT_TYPE_PRESENT), the SidStart member starts at the offset specified by the InheritedObjectType member.
If neither the ObjectType nor InheritedObjectType GUID is specified, the ACCESS_DENIED_OBJECT_ACE structure has the same semantics as those used by the ACCESS_DENIED_ACE structure. In that case, use the ACCESS_DENIED_ACE structure because it is smaller and more efficient.
An ACL that contains an ACCESS_DENIED_OBJECT_ACE must specify the ACL_REVISION_DS revision number in its ACL header.
The access rights specified by the Mask member are denied to any trustee that possesses an enabled SID that matches the SID stored in the SidStart member.
An ACCESS_DENIED_OBJECT_ACE structure can be created in an access control list (ACL) by a call to the AddAccessDeniedObjectAce function. When this function is used, the correct amount of memory needed to accommodate the GUID structures in the ObjectType and InheritedObjectType members, if one or both of them exists, as well as to accommodate the trustee's SID is automatically allocated. In addition, the values of the Header.AceType and Header.AceSize members are set automatically. When an ACCESS_DENIED_OBJECT_ACE structure is created outside an ACL, sufficient memory must be allocated to accommodate the GUID structures in the ObjectType and InheritedObjectType members, if one or both of them exists, as well as to accommodate the complete SID of the trustee in the SidStart member and the contiguous memory following it. In addition, the values of the Header.AceType and Header.AceSize members must be set explicitly by the application.
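Because the ObjectType and InheritedObjectType members are optional, code that reads raw ACEs must derive the SID offset from Flags and check it against Header.AceSize. The following is an added example, not part of the original page or of winnt.h: a portable C helper that does this on a byte buffer. The helper name and the sample bytes are assumptions for illustration, and the constants are redefined locally with their winnt.h values.

```c
#include <stdint.h>
#include <stdio.h>

/* winnt.h values, redefined so the example builds without the Windows SDK. */
#define ACCESS_DENIED_OBJECT_ACE_TYPE     0x06
#define ACE_OBJECT_TYPE_PRESENT           0x1
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2
/* Header+Mask+Flags size, GUID size, SID header size, max sub-authorities. */
enum { FIXED_PART = 12, GUID_LEN = 16, SID_HEADER = 8, SID_MAX_SUBAUTH = 15 };

/* Constructed sample: ObjectType present, trustee S-1-1-0, AceSize = 40. */
static const uint8_t SAMPLE_ACE[40] = {
    0x06, 0x00, 0x28, 0x00,                         /* AceType, AceFlags, AceSize */
    0x10, 0x00, 0x00, 0x00,                         /* Mask (constructed value) */
    0x01, 0x00, 0x00, 0x00,                         /* Flags: ACE_OBJECT_TYPE_PRESENT */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, /* ObjectType: placeholder GUID */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* SID revision, count, authority */
    0x00, 0x00, 0x00, 0x00                          /* sub-authority 0 */
};

/* Hypothetical helper: byte offset of the trustee SID in a raw little-endian
   ACE of len bytes, or -1 if the ACE is malformed or truncated. */
int denied_object_ace_sid_offset(const uint8_t *ace, size_t len)
{
    if (len < FIXED_PART || ace[0] != ACCESS_DENIED_OBJECT_ACE_TYPE)
        return -1;
    size_t ace_size = (size_t)ace[2] | ((size_t)ace[3] << 8); /* Header.AceSize */
    if (ace_size < FIXED_PART || ace_size > len)
        return -1;
    uint32_t flags = (uint32_t)ace[8] | ((uint32_t)ace[9] << 8) |
                     ((uint32_t)ace[10] << 16) | ((uint32_t)ace[11] << 24);
    size_t off = FIXED_PART;                    /* where ObjectType would start */
    if (flags & ACE_OBJECT_TYPE_PRESENT)           off += GUID_LEN;
    if (flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) off += GUID_LEN;
    if (off + SID_HEADER > ace_size)
        return -1;
    uint8_t sub_count = ace[off + 1];           /* SID SubAuthorityCount */
    if (ace[off] != 1 || sub_count > SID_MAX_SUBAUTH)
        return -1;
    if (off + SID_HEADER + 4u * sub_count > ace_size)
        return -1;                              /* SID would overrun AceSize */
    return (int)off;
}

int main(void)
{
    printf("SID offset: %d\n", denied_object_ace_sid_offset(SAMPLE_ACE, sizeof SAMPLE_ACE));
    return 0;
}
```

The SID is allowed to end before AceSize because the page notes that application data can follow it.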
Requirement | Value |
---|---|
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Header | winnt.h (include Windows.h) |