a Control Access Right in an Object's ACL
To check a control access right on an object's ACL, use the
AccessCheckByTypeResultList function. To use this function,
an application requires a pointer to the SECURITY_DESCRIPTOR for
the object instead of an IADsSecurityDescriptor
interface to an ADSI security descriptor COM object.
If using ADSI, use the following steps to check access for an
controlled access right on an object:
Use the IDirectoryObject::Get method to get the security
descriptor of the object. The name of the property containing the
security descriptor is nTSecurityDescriptor. The property is
returned as a VARIANT that contains an IDispatch
pointer. The vt member is VT_DISPATCH. Call
QueryInterface on that IDispatch pointer to get an
IADsSecurityDescriptor interface to use the methods on that
interface to access the security descriptor ACL.