Windows 2000 Security Descriptors 
by Marcelo Calbucci

Example 1: 
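(a) CSid Sid1(pSid); // from a pointer to an existing SID struct
(b) CSid Sid2, Sid3; // default-constructed; given a value in (c) and (d)
(c) Sid2.SetSidFromString(L"S-1-5-1234-1234"); // from the string form of a SID (sample value)
(d) Sid3.SetSidFromName(L"MyDomain\\Administrator"); // from a domain-qualified account name; the backslash must be doubled in a C++ literal, otherwise "\A" is not a valid escape and the separator is lost
(e) CSid Sid4(WKS_AuthenticatedUsers); // from one of the class's well-known-SID constants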

Listing One
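// Declarations are ordered so that each type is defined before it is used:
// ACCESS_ALLOWED_OBJECT_ACE depends on ACE_HEADER and ACCESS_MASK.

// 32-bit mask of access rights carried by every ACE.
typedef DWORD ACCESS_MASK;

// Header that starts every ACE, whatever its type.
typedef struct _ACE_HEADER { 
  BYTE AceType;   // selects the ACE layout that follows the header
  BYTE AceFlags;  // inheritance and audit control flags
  WORD AceSize;   // size in bytes of the whole ACE, header included
} ACE_HEADER;

// Header of an ACL. The ACEs follow it in the same buffer.
// When walking an ACL that came from an untrusted buffer, check AclSize,
// AceCount and every AceSize against the real buffer length first.
typedef struct _ACL { 
  BYTE AclRevision; // ACL_REVISION, or ACL_REVISION_DS when object ACEs are present
  BYTE Sbz1;        // padding, should be zero
  WORD AclSize;     // bytes allocated for the ACL: this header plus all ACEs
  WORD AceCount;    // number of ACEs stored after the header
  WORD Sbz2;        // padding, should be zero
} ACL;

// Object-specific "access allowed" ACE introduced with Windows 2000.
typedef struct _ACCESS_ALLOWED_OBJECT_ACE {
  ACE_HEADER Header;
  ACCESS_MASK Mask;         // rights granted to the trustee
  DWORD Flags;              // says which of the two GUIDs below are present
  GUID ObjectType;          // present only if Flags has ACE_OBJECT_TYPE_PRESENT
  GUID InheritedObjectType; // present only if Flags has ACE_INHERITED_OBJECT_TYPE_PRESENT
  DWORD SidStart;           // first DWORD of the trustee SID; its real offset
                            // depends on which GUIDs are present
} ACCESS_ALLOWED_OBJECT_ACE;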


Listing Two
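// Adds an access-allowed ACE for the named account to pAcl.
// Returns TRUE when the ACE was added, and also when the name could not be
// resolved: the account is then skipped, as in the original listing.
// Returns FALSE when the name resolved but the ACE could not be added, so the
// caller never applies a DACL that silently lacks an ACE it tried to write.
//
// NOTE(review): the names passed in are unqualified. LookupAccountName then
// searches local accounts before domain ones, so a same-named local group
// would win. Prefer a "DOMAIN\\group" name, or check snu and szBuffDomain
// before trusting the SID.
// NOTE(review): the L"..." arguments and wchar_t buffer assume a UNICODE
// build, where LookupAccountName resolves to the wide-character version.
static BOOL AddAllowedAceForAccount(PACL pAcl, const wchar_t *pszAccount,
                                    DWORD dwAccessMask)
{
    DWORD   BuffSid[256 / sizeof(DWORD)];   // DWORD array keeps the SID aligned
    wchar_t szBuffDomain[256];
    DWORD   dwSidSize = sizeof(BuffSid);    // in bytes
    DWORD   dwBuffDomainSize =
                sizeof(szBuffDomain) / sizeof(szBuffDomain[0]); // in characters
    SID_NAME_USE snu;
    PSID pSid = BuffSid;

    if(!LookupAccountName(NULL, pszAccount, pSid, &dwSidSize,
                          szBuffDomain, &dwBuffDomainSize, &snu)) {
        return TRUE;    // unknown account: skip it
    }
    return AddAccessAllowedAce(pAcl, ACL_REVISION_DS, dwAccessMask, pSid);
}

// Replaces the DACL of lpszFileName with four access-allowed ACEs:
//   MyAppAdmins             - FILE_ALL_ACCESS
//   BUILTIN\Administrators  - FILE_ALL_ACCESS
//   Accountants             - GENERIC_READ | GENERIC_WRITE
//   Managers                - GENERIC_READ
// Returns TRUE when the descriptor was applied, FALSE on any API failure.
//
// Changes from the original listing:
//  - The ACL lives in a stack buffer. The original allocated it with new[]
//    and released it with scalar delete through a PACL, which is undefined
//    behaviour. The try/catch, the goto and the dead "if(!pAcl)" test (new
//    throws instead of returning NULL) are gone with it.
//  - InitializeSid and AddAccessAllowedAce results are checked.
//  - The unused pCreatorOwnerSid buffer is removed.
BOOL SetMySecurityW32(LPCTSTR lpszFileName)
{
    // Create the SD structure
    SECURITY_DESCRIPTOR sd;
    if(!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
        return FALSE;
    SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest = 
                                              ALL_CONTROL_BITS_OF_INTEREST;
    SECURITY_DESCRIPTOR_CONTROL Control = 
                          SE_DACL_AUTO_INHERITED | SE_DACL_AUTO_INHERIT_REQ;
    if(!SetSecurityDescriptorControl(&sd, ControlBitsOfInterest, Control)) {
        return FALSE;
    }

    // Create the DACL. 2048 bytes is far more than four ACEs need, and the
    // DWORD array gives the ACL the alignment it requires.
    DWORD AclBuffer[2048 / sizeof(DWORD)];
    PACL pAcl = (PACL)AclBuffer;
    if(!InitializeAcl(pAcl, sizeof(AclBuffer), ACL_REVISION_DS))
        return FALSE;

    // Add the ACE for "MyAppAdmins" full control
    if(!AddAllowedAceForAccount(pAcl, L"MyAppAdmins", FILE_ALL_ACCESS))
        return FALSE;

    // Create the Well-Known SID for "Builtin\Administrators" (S-1-5-32-544).
    // Building it from constants avoids a name lookup.
    DWORD BuffAdminSid[64 / sizeof(DWORD)];
    PSID pAdministratorsSid = BuffAdminSid;
    SID_IDENTIFIER_AUTHORITY siaNTAuth = SECURITY_NT_AUTHORITY;
    if(!InitializeSid(pAdministratorsSid, &siaNTAuth, 2))
        return FALSE;
    *(GetSidSubAuthority(pAdministratorsSid, 0)) = 
                                       SECURITY_BUILTIN_DOMAIN_RID;
    *(GetSidSubAuthority(pAdministratorsSid, 1)) = 
                                       DOMAIN_ALIAS_RID_ADMINS;
    // Add the ACE for "BUILTIN\Administrators"
    if(!AddAccessAllowedAce(pAcl, ACL_REVISION_DS, 
                            FILE_ALL_ACCESS, pAdministratorsSid))
        return FALSE;

    // Add the ACE for "Accountants" Read/Write
    if(!AddAllowedAceForAccount(pAcl, L"Accountants",
                                GENERIC_READ | GENERIC_WRITE))
        return FALSE;

    // Add the ACE for "Managers" Read-only
    if(!AddAllowedAceForAccount(pAcl, L"Managers", GENERIC_READ))
        return FALSE;

    // Apply the DACL to the SD. The SD only points at pAcl, so the buffer
    // must stay alive until SetFileSecurity returns.
    if(!SetSecurityDescriptorDacl(&sd, TRUE, pAcl, FALSE))
        return FALSE;
    // NOTE(review): SetFileSecurity is the low-level call and, as far as I
    // know, does not propagate inheritable ACEs the way SetNamedSecurityInfo
    // does. Confirm it matches the auto-inherit control bits set above.
    if(!SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION, &sd))
        return FALSE;
    return TRUE;
}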

Listing Three
// Builds the same four access-allowed ACEs as Listing Two with the article's
// CSid/CSD wrapper classes, then applies the DACL to lpszFileName.
// This is a fragment: it ends in "return TRUE", so it belongs inside a
// function that receives lpszFileName.
CSid Sid;
CSD sd;
// Same DACL control bits as Listing Two.
sd.SetControl(SE_DACL_AUTO_INHERITED | SE_DACL_AUTO_INHERIT_REQ);
// Well-known Administrators SID comes from a class constant, no name lookup.
sd.AddAccessAllowed(CSid(WKS_Administrators), FILE_ALL_ACCESS);

// NOTE(review): the result of SetSidFromName is not checked below, and the
// same Sid object is reused for all three names. If a lookup fails and CSid
// keeps its previous value, the following AddAccessAllowed would write an ACE
// for the previously resolved account. Confirm what CSid does on failure.
Sid.SetSidFromName(L"MyAppAdmins");
sd.AddAccessAllowed(Sid, FILE_ALL_ACCESS);

Sid.SetSidFromName(L"Accountants");
sd.AddAccessAllowed(Sid, GENERIC_READ | GENERIC_WRITE);

Sid.SetSidFromName(L"Managers");
sd.AddAccessAllowed(Sid, GENERIC_READ);

// Only the DACL part of the descriptor is written to the file.
if(sd.SetFileSecurity(lpszFileName, DACL_SECURITY_INFORMATION))
    return TRUE;












