Windows NT 4.0 Security Descriptor Creation

Windows NT versions 4.0 and later support a set of functions for building a security descriptor. Applications designed for Windows NT version 5.0 and later should use the functions described in Creating a Security Descriptor for a New Object.

The BuildSecurityDescriptor function allocates and initializes a new self-relative security descriptor. BuildSecurityDescriptor uses the EXPLICIT_ACCESS structure to specify information for the DACL and SACL, and it uses the TRUSTEE structure to specify the owner and primary group. BuildSecurityDescriptor can initialize the new security descriptor solely from the specified security information, or it can merge the specified security information with the information in an existing self-relative security descriptor.

The LookupSecurityDescriptorParts function retrieves information from an existing self-relative security descriptor. Like BuildSecurityDescriptor, the LookupSecurityDescriptorParts function uses the TRUSTEE and EXPLICIT_ACCESS structures. This makes it easy to call LookupSecurityDescriptorParts to extract security information from one security descriptor, and then call BuildSecurityDescriptor to use the extracted information in building another security descriptor.
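
Both functions work on self-relative security descriptors, in which the owner, group, SACL and DACL are stored as byte offsets inside one contiguous buffer. The following added example (not from the original page or from Microsoft) is a portable C bounds check over that layout, as declared for SECURITY_DESCRIPTOR_RELATIVE in winnt.h. The names sd_parse, sd_parts and SAMPLE_SD are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SE_DACL_PRESENT  0x0004u   /* Control bit: the DACL field is meaningful */
#define SE_SELF_RELATIVE 0x8000u   /* Control bit: fields are offsets, not pointers */
#define SD_HEADER_LEN    20u       /* Revision, Sbz1, Control, four 32-bit offsets */
typedef struct { uint16_t control; uint32_t owner, group, sacl, dacl; } sd_parts;
/* Constructed sample: owner and group S-1-5-18, empty DACL, no SACL. */
static const uint8_t SAMPLE_SD[52] = {
    1, 0, 0x04, 0x80, 20,0,0,0, 32,0,0,0, 0,0,0,0, 44,0,0,0, /* header */
    1, 1, 0,0,0,0,0,5, 18,0,0,0,                             /* owner SID at 20 */
    1, 1, 0,0,0,0,0,5, 18,0,0,0,                             /* group SID at 32 */
    2, 0, 8,0, 0,0, 0,0                                      /* DACL at 44 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
/* A part must start past the SD header and leave room for its own 8-byte header. */
static int hdr_fits(size_t n, uint32_t off) {
    return off >= SD_HEADER_LEN && off <= n && n - off >= 8;
}
/* SID: revision 1, sub-authority count at byte 1 (max 15), 4 bytes each. */
static int sid_fits(const uint8_t *b, size_t n, uint32_t off) {
    if (off == 0) return 1;                      /* offset 0 means "absent" */
    if (!hdr_fits(n, off) || b[off] != 1 || b[off + 1] > 15) return 0;
    return n - off >= 8u + 4u * b[off + 1];
}
/* ACL: AclSize (bytes 2-3, little-endian) covers the header and every ACE. */
static int acl_fits(const uint8_t *b, size_t n, uint32_t off) {
    if (off == 0) return 1;                      /* offset 0 means "absent" */
    return hdr_fits(n, off) && rd16(b + off + 2) >= 8 && n - off >= rd16(b + off + 2);
}
/* Returns 0 and fills *out only when every part lies inside buf[0..len). */
int sd_parse(const uint8_t *buf, size_t len, sd_parts *out) {
    if (len < SD_HEADER_LEN || buf[0] != 1) return -1;   /* too short or bad Revision */
    sd_parts p = { rd16(buf + 2), rd32(buf + 4), rd32(buf + 8), rd32(buf + 12), rd32(buf + 16) };
    if (!(p.control & SE_SELF_RELATIVE)) return -1;      /* absolute form holds pointers */
    if (!sid_fits(buf, len, p.owner) || !sid_fits(buf, len, p.group)) return -1;
    if (!acl_fits(buf, len, p.sacl) || !acl_fits(buf, len, p.dacl)) return -1;
    *out = p;
    return 0;
}
int main(void) {
    sd_parts p = {0};
    int rc = sd_parse(SAMPLE_SD, sizeof SAMPLE_SD, &p);
    printf("rc=%d owner@%u dacl@%u dacl_present=%d\n", rc, (unsigned)p.owner, (unsigned)p.dacl, !!(p.control & SE_DACL_PRESENT));
    return rc;
}
```

The check covers bounds only; it does not validate individual ACEs or detect overlapping parts.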