AddAccessDeniedAce function (securitybaseapi.h)

The AddAccessDeniedAce function adds an access-denied access control entry (ACE) to an access control list (ACL). The access is denied to a specified security identifier (SID).

To control whether the new ACE can be inherited by child objects, use the AddAccessDeniedAceEx function.

Syntax

BOOL AddAccessDeniedAce(
  [in, out] PACL  pAcl,
  [in]      DWORD dwAceRevision,
  [in]      DWORD AccessMask,
  [in]      PSID  pSid
);

Parameters

[in, out] pAcl

A pointer to an ACL . This function adds an access-denied ACE to the end of this ACL. The ACE is in the form of an ACCESS_DENIED_ACE structure.

[in] dwAceRevision

Specifies the revision level of the ACL being modified.

This value can be ACL_REVISION or ACL_REVISION_DS. Use ACL_REVISION_DS if the ACL contains object-specific ACEs.

[in] AccessMask

Specifies the mask of access rights being denied to the specified SID.

[in] pSid

A pointer to the SID structure representing the user, group, or logon account being denied access.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError. The following are possible error values.

Return code Description
ERROR_ALLOTTED_SPACE_EXCEEDED
The new ACE does not fit into the ACL. A larger ACL buffer is required.
ERROR_INVALID_ACL
The specified ACL is not properly formed.
ERROR_INVALID_SID
The specified SID is not structurally valid.
ERROR_REVISION_MISMATCH
The specified revision is not known or is incompatible with that of the ACL.
ERROR_SUCCESS
The ACE was successfully added.

Remarks

The AddAccessAllowedAce and AddAccessDeniedAce functions add a new ACE to the end of the list of ACEs for the ACL. These functions do not automatically place the new ACE in the proper canonical order. It is the caller's responsibility to ensure that the ACL is in canonical order by adding ACEs in the proper sequence.

The ACE_HEADER structure placed in the ACE by the AddAccessDeniedAce function specifies a type and size, but provides no ACE flags.

The ACE added by AddAccessDeniedAce is not inheritable.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header securitybaseapi.h (include Windows.h)
Library Advapi32.lib
DLL Advapi32.dll

See also

ACCESS_DENIED_ACE

ACE_HEADER

ACL

AddAccessAllowedAce

AddAccessDeniedAceEx

AddAce

AddAuditAccessAce

DeleteAce

GetAce

Low-level Access Control

Low-level Access Control Functions