RtlAddAccessAllowedAce construction how to specify group accounts?

For the construction of a DACL to use with ZwSetSecurityObject I would like to define the SIDs for the Administrators group and the users group. However, I have not seen any examples that show just for the groups. In the example below SeExports->SeAliasUsersSid is the SID that matches built-in user accounts.

    status = RtlAddAccessAllowedAce(pAclReadOnly,
                                    ACL_REVISION,
                                    GENERIC_READ,
                                    SeExports->SeAliasUsersSid);

Can I just use the SIDs for Administrators group (S-1-5-32-544), and Users group (S-1-5-32-545) instead? I am using RtlCreateAcl, RtlAddAccessAllowedAce, RtlCreateSecurityDescriptor, & RtlSetDaclSecurityDescriptor before calling ZwSetSecurityObject.

The specific use of the SID is not important - just the SID matters. For example, the documentation for RtlAddAccessAllowedAceEx says:

"Sid - A pointer to the SID structure that represents a user, group, or logon account that is being granted access."

Thus, the answer to your question is “yes, you can just use the SID for the group you wish to allow.”

Tony
OSR
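
Added example, not part of the original thread and not kernel code: the Sid parameter quoted above is a pointer to a binary SID structure, and this portable C program shows the bytes that the string form S-1-5-32-544 stands for. demo_sid_from_string and DEMO_MAX_SUBAUTH are hypothetical names; in a driver the same structure comes from SeExports->SeAliasAdminsSid, or from RtlInitializeSid plus RtlSubAuthoritySid.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_SUBAUTH 15  /* hypothetical name; same value as SID_MAX_SUB_AUTHORITIES */

/* Convert "S-1-5-32-544" into the binary layout a PSID points at:
 * Revision, SubAuthorityCount, 6-byte big-endian IdentifierAuthority,
 * then 32-bit little-endian sub-authorities.
 * Returns bytes written, or 0 on malformed input or a short buffer.
 * This demo accepts decimal fields only and needs at least one sub-authority. */
size_t demo_sid_from_string(const char *s, uint8_t *out, size_t cap)
{
    uint32_t sub[DEMO_MAX_SUBAUTH];
    unsigned long long auth, v;
    size_t n = 0, len, i, j;
    char *end;

    if (!s || !out || strncmp(s, "S-1-", 4) != 0) return 0;
    s += 4;
    if (*s < '0' || *s > '9') return 0;
    auth = strtoull(s, &end, 10);
    if (auth > 0xFFFFFFFFFFFFULL) return 0;      /* authority is 48 bits */
    while (*end == '-') {
        s = end + 1;
        if (*s < '0' || *s > '9' || n == DEMO_MAX_SUBAUTH) return 0;
        v = strtoull(s, &end, 10);
        if (v > 0xFFFFFFFFULL) return 0;         /* sub-authority is 32 bits */
        sub[n++] = (uint32_t)v;
    }
    if (*end != '\0' || n == 0) return 0;
    len = 8 + 4 * n;
    if (cap < len) return 0;
    out[0] = 1;                                  /* SID_REVISION */
    out[1] = (uint8_t)n;                         /* SubAuthorityCount */
    for (i = 0; i < 6; i++) out[2 + i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (i = 0; i < n; i++)
        for (j = 0; j < 4; j++) out[8 + 4 * i + j] = (uint8_t)(sub[i] >> (8 * j));
    return len;
}

int main(void)
{
    uint8_t sid[8 + 4 * DEMO_MAX_SUBAUTH];
    size_t i, len = demo_sid_from_string("S-1-5-32-544", sid, sizeof sid);
    for (i = 0; i < len; i++) printf("%02x ", sid[i]);
    printf("\n");
    return len ? 0 : 1;
}
```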

Tony,

Just for clarification…
    status = RtlAddAccessAllowedAce(pAclReadOnly,
                                    ACL_REVISION,
                                    GENERIC_READ,
                                    S-1-5-32-544);

Is this valid?