There are plenty of handy things you can do if you have programmatic access to the permissions set in the NT File System. Learn to employ C++ and Win32 APIs to query the Access Control Lists that hold security settings for files or folders and use that information however you like.
by Yevgeny Menaker
Jul 30, 2003
Page 2 of 5
ACEs are divided into two categories: allowed and denied. But it is not unusual for there to be conflicting ACEs for a given user or group. For example, some users may appear in several groups simultaneously. The NTFS security module should combine specified permissions in different ACEs and decide whether to allow or deny an advanced permission to a user, group, or other security entity (identified by SID). Figure 4 shows the diagram in the form of a state machine, which illustrates the NTFS decision mechanism.