Windows Access Control List (ACL) Example 17





An Empty DACL Program Example


The following program example demonstrates creating an empty DACL.

Create a new empty Win32 console application project. Give a suitable project name and change the project location if needed.


An Empty DACL Program Example: Creating a new VC++ project


Then, add the source file and give it a suitable name.


An Empty DACL Program Example: Adding the C++ source file


Next, add the following source code.


// An empty DACL program example
// #define _WIN32_WINNT 0x0500
#include <windows.h>
#include <sddl.h>
#include <stdio.h>

// Prototype
BOOL CreateMyDACL(SECURITY_ATTRIBUTES *pSA);

// wmain() is used because the arguments are wide-character strings
int wmain(int argc, WCHAR **argv)
{
     SECURITY_ATTRIBUTES sa;
     // Directory that will be assigned the empty DACL
     WCHAR DirName[] = L"\\\\?\\C:\\MyEmptyDACLDir";

     // The SECURITY_ATTRIBUTES structure size
     sa.nLength = sizeof(SECURITY_ATTRIBUTES);
     // The return handle not inherited
     sa.bInheritHandle = FALSE;
     sa.lpSecurityDescriptor = NULL;

     // Call CreateMyDACL() function to set the DACL. The DACL
     // is set in the SECURITY_ATTRIBUTES
     // lpSecurityDescriptor member
     if(!CreateMyDACL(&sa))
     {
         // Error encountered; generate message and just exit.
         wprintf(L"CreateMyDACL() failed, error %u\n", GetLastError());
         return 1;
     }
     else
         wprintf(L"CreateMyDACL() - DACL was created successfully!\n");

     // Use the updated SECURITY_ATTRIBUTES to specify
     // security attributes for securable objects.
     // This example uses security attributes during
     // creation of a new directory.
     if(CreateDirectory(DirName, &sa) == 0)
     {
         // Error encountered; generate message, then free the descriptor below.
         wprintf(L"failed to create %s directory!, error %u\n", DirName, GetLastError());
     }
     else
         wprintf(L"CreateDirectory() - %s was created successfully!\n", DirName);

     // Release the memory allocated for the SECURITY_DESCRIPTOR.
     // LocalFree() returns NULL on success.
     if(LocalFree(sa.lpSecurityDescriptor) != NULL)
     {
         // Error encountered; generate message and exit.
         wprintf(L"LocalFree() failed, error %u.\n", GetLastError());
         return 1;
     }
     else
         wprintf(L"LocalFree() - buffer was freed-up.\n");

     return 0;
}

// Create a security descriptor that contains the DACL you want.
BOOL CreateMyDACL(SECURITY_ATTRIBUTES *pSA)
{
      // Optional output size; NULL means the size is not requested
      PULONG nSize = 0;
      // An empty DACL
      const WCHAR *szSD = L"D:";

      if(pSA == NULL)
            return FALSE;
      else
            wprintf(L"SECURITY_ATTRIBUTES was passed properly!\n");

      // Do some verification
      wprintf(L"The ACE strings: %s \n", szSD);
      wprintf(L"Length: %u\n", pSA->nLength);

      // Convert the string to the security descriptor binary and return
      return ConvertStringSecurityDescriptorToSecurityDescriptor(
            szSD,                         // The ACE strings
            SDDL_REVISION_1,              // Standard revision level
            &(pSA->lpSecurityDescriptor), // Pointer to the converted security descriptor
            nSize);                       // The size in bytes of the converted security descriptor
}



Build and run the project. The following screenshot is a sample output.


An Empty DACL Program Example: A sample console output


In this case, when user Mike spoon (a member of the Administrators group) tries to open (or delete) the C:\MyEmptyDACLDir directory, the following message is displayed.


An Empty DACL Program Example: The folder cannot be accessed


When we verify through MyEmptyDACLDir's property page, there is no ACE at all. With no ACE to allow access, nobody is granted access to the directory, so do not create an empty DACL.


An Empty DACL Program Example: There is no user and/or group


An Empty DACL Program Example: The detailed permissions also do not list any user or group (deny or allow)


By the way, the Administrator user (and any user who is a member of the Administrators group) can still modify the permissions (use the Add button to add a permission) or take ownership of this directory object.
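The result above depends on the difference between an empty DACL (present, zero ACEs, which is what "D:" produces) and a NULL DACL (no DACL at all, which restricts nobody). The following portable C code is an added example, not part of the original page: it classifies the DACL in a self-relative security descriptor buffer. The name classify_dacl() is hypothetical and the sample byte arrays are constructed by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SE_DACL_PRESENT 0x0004u /* Control bit, same value as in winnt.h */
#define SD_HEADER_LEN   20u     /* Revision, Sbz1, Control, 4 x 32-bit offsets */
#define ACL_HEADER_LEN  8u      /* AclRevision, Sbz1, AclSize, AceCount, Sbz2 */

typedef enum { DACL_INVALID = -1, DACL_NULL, DACL_EMPTY, DACL_POPULATED } dacl_kind;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* classify_dacl() is a hypothetical helper name, not a Win32 API. */
dacl_kind classify_dacl(const uint8_t *sd, size_t len)
{
    if (sd == NULL || len < SD_HEADER_LEN || sd[0] != 1)  /* Revision is always 1 */
        return DACL_INVALID;
    uint32_t off = le32(sd + 16);                         /* offset of the DACL */
    if (!(le16(sd + 2) & SE_DACL_PRESENT) || off == 0)
        return DACL_NULL;            /* no DACL at all: access is unrestricted */
    if (off < SD_HEADER_LEN || off > len || len - off < ACL_HEADER_LEN)
        return DACL_INVALID;         /* offset points outside the buffer */
    uint16_t acl_size = le16(sd + off + 2);
    if (acl_size < ACL_HEADER_LEN || acl_size > len - off)
        return DACL_INVALID;
    /* AceCount == 0 is the empty DACL built from "D:": nobody is granted access */
    return le16(sd + off + 4) == 0 ? DACL_EMPTY : DACL_POPULATED;
}

/* Constructed sample bytes (typed by hand, not captured from a system). */
const uint8_t SD_EMPTY[] = {   /* DACL present, zero ACEs */
    0x01,0x00, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0,
    0x02,0x00, 0x08,0x00, 0x00,0x00, 0x00,0x00 };
const uint8_t SD_NULL[] = {    /* DACL-present bit set, offset 0: NULL DACL */
    0x01,0x00, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
const uint8_t SD_ONE_ACE[] = { /* one allow ACE for Everyone (S-1-1-0) */
    0x01,0x00, 0x04,0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x14,0,0,0,
    0x02,0x00, 0x1C,0x00, 0x01,0x00, 0x00,0x00,
    0x00,0x00, 0x14,0x00, 0xFF,0x01,0x1F,0x00,
    0x01,0x01, 0,0,0,0,0,1, 0,0,0,0 };

int main(void)
{
    static const char *name[] = { "NULL DACL", "empty DACL", "populated DACL" };
    printf("%s\n", name[classify_dacl(SD_EMPTY, sizeof SD_EMPTY)]);
    printf("%s\n", name[classify_dacl(SD_NULL, sizeof SD_NULL)]);
    printf("%s\n", name[classify_dacl(SD_ONE_ACE, sizeof SD_ONE_ACE)]);
    return 0;
}
```

On Windows, the same check can be applied to the buffer returned in lpSecurityDescriptor before the descriptor is attached to an object.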



