在例子中:
  1. main函数传递SECURITY_ATTRIBUTES 结构的地址给 CreateMyDACL 函数
  2. CreateMyDACL 函数使用 SDDL 字符串设置以下控制:

          。拒绝guest和匿名登录用户的访问。
          。允许验证用户的读、写、执行访问
          。允许administrators执行所有的控制
  更多SDDL字符串相关的信息,可以参考安全描述字符串格式.
  CreateMyDACL函数调用ConvertStringSecurityDescriptorToSecurityDescriptor函数转换SDDL字符串到安全描述符。安全描述符指向SECURITY_ATTRIBUTES结构的lpSecurityDescriptor成员。
// Creating a DACL(using SDDL)

Windows NT:  SDDL is not supported.

#define _WIN32_WINNT 0x0500

#include <windows.h>
#include <sddl.h>
#include <stdio.h>

BOOL CreateMyDACL(SECURITY_ATTRIBUTES *);

void main()
{
     SECURITY_ATTRIBUTES  sa;
     
     sa.nLength = sizeof(SECURITY_ATTRIBUTES);
     sa.bInheritHandle = FALSE; 

     // Call function to set the DACL. The DACL
     // is set in the SECURITY_ATTRIBUTES
     // lpSecurityDescriptor member.
     if (!CreateMyDACL(&sa))
     {
         // Error encountered; generate message and exit.
         printf("Failed CreateMyDACL\n");
         exit(1);
     }

     // Use the updated SECURITY_ATTRIBUTES to specify
     // security attributes for securable objects.
     // This example uses security attributes during
     // creation of a new directory.
     if (0 == CreateDirectory(TEXT("C:\\MyFolder"), &sa))
     {
         // Error encountered; generate message and exit.
         printf("Failed CreateDirectory\n");
         exit(1);
     }

     // Free the memory allocated for the SECURITY_DESCRIPTOR.
     if (NULL != LocalFree(sa.lpSecurityDescriptor))
     {
         // Error encountered; generate message and exit.
         printf("Failed LocalFree\n");
         exit(1);
     }
}


// CreateMyDACL.
//    Create a security descriptor that contains the DACL you want.
//    This function uses SDDL to make Deny and Allow ACEs.
//
// Parameter:
//    SECURITY_ATTRIBUTES * pSA
//    Pointer to a SECURITY_ATTRIBUTES structure. It is the caller's
//    responsibility to properly initialize the structure and to free
//    the structure's lpSecurityDescriptor member when the caller has
//    finished using it. To free the structure's lpSecurityDescriptor
//    member, call the LocalFree function.
//
// Return value:
//    FALSE if the address to the structure is NULL.
//    Otherwise, this function returns the value from the
//    ConvertStringSecurityDescriptorToSecurityDescriptor function.
BOOL CreateMyDACL(SECURITY_ATTRIBUTES * pSA)
{
     // Define the SDDL for the DACL. This example sets
     // the following access:
     //     Built-in guests are denied all access.
     //     Anonymous logon is denied all access.
     //     Authenticated users are allowed read/write/execute access.
     //     Administrators are allowed full control.
     // Modify these values as needed to generate the proper
     // DACL for your application.
     TCHAR * szSD = TEXT("D:")       // Discretionary ACL
        TEXT("(D;OICI;GA;;;BG)")     // Deny access to built-in guests
        TEXT("(D;OICI;GA;;;AN)")     // Deny access to anonymous logon
        TEXT("(A;OICI;GRGWGX;;;AU)") // Allow read/write/execute to authenticated users
        TEXT("(A;OICI;GA;;;BA)");    // Allow full control to administrators

    if (NULL == pSA)
        return FALSE;

     return ConvertStringSecurityDescriptorToSecurityDescriptor(
                szSD,
                SDDL_REVISION_1,
                &(pSA->lpSecurityDescriptor),
                NULL);
}