Checking a Control Access Right in an Object's ACL
To check a control access right on an object's ACL, use the
AccessCheckByTypeResultList function. To use this function,
an application requires a pointer to the SECURITY_DESCRIPTOR for
the object instead of an IADsSecurityDescriptor
interface to an ADSI security descriptor COM object.
If using ADSI, use the following steps to check access for a
control access right on an object:
1. Use the IDirectoryObject::Get method to get the security
   descriptor of the object. The name of the property containing the
   security descriptor is nTSecurityDescriptor. The property is
   returned as a VARIANT that contains an IDispatch
   pointer. The vt member is VT_DISPATCH. Call
   QueryInterface on that IDispatch pointer to get an
   IADsSecurityDescriptor interface to use the methods on that
   interface to access the security descriptor ACL.
2. Use the IADsSecurityDescriptor::get_DiscretionaryAcl
   method to get the ACL. The method returns an IDispatch
   pointer. Call QueryInterface on that IDispatch
   pointer to get an IADsAccessControlList
   interface to use the methods on that interface to access the
   individual ACEs in the ACL.
3. Get the client token that the access check is performed
   for.
4. Use the AccessCheckByTypeResultList function to check
   the permissions for the specified control access right for the
   specified client.
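
The decision made in the last step, over the ACEs and the client token obtained in the earlier steps, can be followed in a simplified, portable C model. This is an added example, not code from the original page and not the Windows implementation of AccessCheckByTypeResultList; model_ace, check_control_right, and the sample GUIDs and SIDs are hypothetical. It assumes a single control access right, ACEs evaluated in DACL order, and a non-NULL DACL, and it leaves out generic mapping and the object type list hierarchy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values as defined in the Windows SDK headers (winnt.h, iads.h). */
enum { ACE_ALLOWED = 0x00, ACE_DENIED = 0x01,               /* ACCESS_*_ACE_TYPE */
       ACE_ALLOWED_OBJECT = 0x05, ACE_DENIED_OBJECT = 0x06, /* ACCESS_*_OBJECT_ACE_TYPE */
       INHERIT_ONLY = 0x08,                                 /* INHERIT_ONLY_ACE */
       CONTROL_ACCESS = 0x100 };                            /* ADS_RIGHT_DS_CONTROL_ACCESS */

/* Hypothetical struct: one ACE as read from the object's discretionary ACL. */
typedef struct {
    uint8_t type, flags;
    uint32_t mask;
    const char *object_type; /* rightsGuid of the right; NULL when ObjectType is absent */
    const char *trustee;     /* SID string */
} model_ace;
static int in_token(const char *sid, const char *const *token, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, token[i]) == 0) return 1;
    return 0;
}
/* Returns 1 when the DACL grants control access right `right` to the token, else 0. */
int check_control_right(const model_ace *dacl, size_t n_aces,
                        const char *const *token, size_t n_sids, const char *right) {
    for (size_t i = 0; i < n_aces; i++) {
        const model_ace *a = &dacl[i];
        int object = a->type == ACE_ALLOWED_OBJECT || a->type == ACE_DENIED_OBJECT;
        int deny = a->type == ACE_DENIED || a->type == ACE_DENIED_OBJECT;
        if (!object && !deny && a->type != ACE_ALLOWED) continue; /* other ACE types */
        if (a->flags & INHERIT_ONLY) continue;       /* applies to children only */
        if (!(a->mask & CONTROL_ACCESS)) continue;   /* ACE does not carry the CR bit */
        if (!in_token(a->trustee, token, n_sids)) continue;
        /* An object ACE without ObjectType covers every control access right. */
        if (object && a->object_type && strcmp(a->object_type, right) != 0) continue;
        return !deny;                                /* first matching ACE decides */
    }
    return 0;                                        /* no matching allow ACE */
}

/* Constructed sample data: the GUIDs and SIDs are made up for this example. */
#define RIGHT_A "11111111-1111-1111-1111-111111111111"
#define RIGHT_B "22222222-2222-2222-2222-222222222222"
const model_ace sample_dacl[] = {
    { ACE_DENIED_OBJECT,  0,            CONTROL_ACCESS, RIGHT_B, "S-1-5-21-1-2-3-1105" },
    { ACE_ALLOWED_OBJECT, 0,            CONTROL_ACCESS, RIGHT_A, "S-1-5-21-1-2-3-1105" },
    { ACE_ALLOWED_OBJECT, 0,            CONTROL_ACCESS, NULL,    "S-1-5-21-1-2-3-512"  },
    { ACE_ALLOWED_OBJECT, INHERIT_ONLY, CONTROL_ACCESS, RIGHT_B, "S-1-5-21-1-2-3-1106" },
};
const char *const user_token[]  = { "S-1-5-21-1-2-3-1105" };
const char *const admin_token[] = { "S-1-5-21-1-2-3-1107", "S-1-5-21-1-2-3-512" };
const char *const svc_token[]   = { "S-1-5-21-1-2-3-1106" };
```

With the sample DACL, the deny ACE blocks RIGHT_B for the first token, the ACE without an ObjectType grants every control access right to the second, and the inherit-only ACE grants nothing on the object itself.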