AddAccessDeniedAceEx function
Adds a new access-denied access-control entry (ACE) to an access control list (ACL).
Syntax
```c
BOOL AddAccessDeniedAceEx(
  PACL        pAcl,
  DWORD       dwAceRevision,
  DWORD       AceFlags,
  ACCESS_MASK AccessMask,
  PSID        pSid
);
```
Parameters
| Parameter | Type | Description |
|---|---|---|
| pAcl | PACL | Pointer to an ACL structure that receives the new ACE. |
| dwAceRevision | DWORD | Revision level of the ACE. Use ACL_REVISION or ACL_REVISION_DS. |
| AceFlags | DWORD | ACE inheritance flags (e.g., OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE). |
| AccessMask | ACCESS_MASK | Mask that specifies the denied permissions. |
| pSid | PSID | Pointer to a security identifier (SID) for the trustee. |
Return value
Returns TRUE if the function succeeds; otherwise, FALSE. Call GetLastError for extended error information.
Remarks
- The ACL pointed to by pAcl must already be initialized with InitializeAcl or SetSecurityDescriptorDacl.
- Use AceFlags to control inheritance and inheritance propagation.
- When using ACL_REVISION_DS, additional ACE types are supported.
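As an added illustration (not part of this reference page and not Windows SDK sample code), the following portable C model shows why the order in which AddAccessDeniedAceEx and AddAccessAllowedAceEx are called matters: both append the new ACE to the end of the list, and a DACL is evaluated in list order with the first applicable ACE deciding each right, so a deny ACE appended after an allow ACE that already covers the trustee never takes effect. That is why the canonical order puts explicit deny ACEs before explicit allow ACEs, and why a hand-built ACL should receive its deny ACEs first. The structs and functions (dacl_add, access_check, can_write) and the user SID S-1-5-21-1000-2000-3000-1001 are constructed; S-1-1-0 (Everyone) and S-1-5-32-546 (BUILTIN\Guests) are the real well-known SIDs. The model omits the owner, SYSTEM and SACL rules of the real AccessCheck.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of DACL evaluation; these are not the Win32 ACL/ACE structs. */
typedef enum { ACE_DENY, ACE_ALLOW } ace_type_t;

typedef struct {
    ace_type_t type;
    const char *sid;   /* trustee SID in text form */
    uint32_t mask;     /* rights this ACE denies or allows */
} ace_t;

#define MAX_ACES 16
typedef struct { ace_t aces[MAX_ACES]; size_t count; } dacl_t;
typedef struct { const char *sids[8]; size_t count; } token_t;

/* Well-known SIDs (real values); the user account SID below is constructed. */
#define SID_EVERYONE "S-1-1-0"
#define SID_GUESTS   "S-1-5-32-546"   /* BUILTIN\Guests (DOMAIN_ALIAS_RID_GUESTS) */
#define SID_USER     "S-1-5-21-1000-2000-3000-1001"
#define RIGHT_READ   0x1u
#define RIGHT_WRITE  0x2u

/* Like AddAccessDeniedAceEx / AddAccessAllowedAceEx: the new ACE goes at the END. */
static bool dacl_add(dacl_t *acl, ace_type_t type, const char *sid, uint32_t mask) {
    if (acl->count >= MAX_ACES) return false;   /* ACL was sized too small */
    acl->aces[acl->count].type = type;
    acl->aces[acl->count].sid  = sid;
    acl->aces[acl->count].mask = mask;
    acl->count++;
    return true;
}

static bool token_has(const token_t *t, const char *sid) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* Simplified AccessCheck: ACEs are tested in list order. A deny ACE for a SID in
 * the token that covers any right not yet granted fails the check; an allow ACE
 * grants its rights; the walk stops once every requested right is granted.
 * Anything never granted (including everything, for an empty DACL) is denied. */
static bool access_check(const dacl_t *acl, const token_t *tok, uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < acl->count && remaining != 0; i++) {
        const ace_t *a = &acl->aces[i];
        if (!token_has(tok, a->sid)) continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining) return false;
        } else {
            remaining &= ~a->mask;
        }
    }
    return remaining == 0;
}

/* Same two ACEs, either deny-first (canonical) or allow-first (non-canonical). */
static void build_dacl(dacl_t *acl, bool deny_first) {
    acl->count = 0;
    if (deny_first)  dacl_add(acl, ACE_DENY,  SID_GUESTS,   RIGHT_READ | RIGHT_WRITE);
    dacl_add(acl, ACE_ALLOW, SID_EVERYONE, RIGHT_READ | RIGHT_WRITE);
    if (!deny_first) dacl_add(acl, ACE_DENY,  SID_GUESTS,   RIGHT_READ | RIGHT_WRITE);
}

/* Can a Guests member (or an ordinary user) obtain write access? Every token
 * carries the Everyone SID, which is what makes the ordering visible. */
bool can_write(bool deny_first, bool is_guest) {
    dacl_t acl;
    build_dacl(&acl, deny_first);
    token_t tok = { { is_guest ? SID_GUESTS : SID_USER, SID_EVERYONE }, 2 };
    return access_check(&acl, &tok, RIGHT_WRITE);
}

int main(void) {
    printf("deny-first,  guest: %s\n", can_write(true,  true)  ? "allowed" : "denied");
    printf("allow-first, guest: %s\n", can_write(false, true)  ? "allowed" : "denied");
    printf("deny-first,  user : %s\n", can_write(true,  false) ? "allowed" : "denied");
    return 0;
}
```

With the deny ACE first the Guests member is refused; with the same ACEs in the opposite order the Everyone allow ACE satisfies the request before the deny ACE is ever examined, which is the misconfiguration that tools such as the security property sheet flag as a non-canonical ACL.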
Requirements
Header: Aclapi.h
Library: Advapi32.lib
Example
```c
#include <windows.h>
#include <aclapi.h>

int main(void) {
    PSID pSid = NULL;
    PACL pAcl = NULL;
    int rc = 1;
    WCHAR szPath[] = L"example.txt";
    // Create a SID for the built-in Guests group.
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    if (!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_GUESTS, 0, 0, 0, 0, 0, 0, &pSid)) {
        return 1;
    }
    // Size the ACL for exactly one ACCESS_DENIED_ACE. The ACE structure already
    // contains the first DWORD of the SID, so that DWORD is subtracted once.
    DWORD dwAclSize = sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(pSid) - sizeof(DWORD);
    pAcl = (PACL)LocalAlloc(LPTR, dwAclSize);
    if (pAcl == NULL || !InitializeAcl(pAcl, dwAclSize, ACL_REVISION)) {
        goto cleanup;
    }
    // Add a deny ACE for the Guests group that propagates to child files and folders.
    if (!AddAccessDeniedAceEx(pAcl, ACL_REVISION,
                              OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
                              GENERIC_ALL, pSid)) {
        goto cleanup;
    }
    // Apply the ACL as the DACL of example.txt. SetNamedSecurityInfo returns a
    // Win32 error code rather than a BOOL.
    if (SetNamedSecurityInfoW(szPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                              NULL, NULL, pAcl, NULL) != ERROR_SUCCESS) {
        goto cleanup;
    }
    rc = 0;
cleanup:
    if (pAcl != NULL) LocalFree(pAcl);
    FreeSid(pSid);
    return rc;
}
```
Note: Modifying ACLs requires appropriate privileges. Ensure the calling process has the
SE_SECURITY_NAME privilege or runs as an administrator.