NTSTATUS
RtlNewInstanceSecurityObject(
  IN  BOOLEAN ParentDescriptorChanged,
  IN  BOOLEAN CreatorDescriptorChanged,
  IN  PLUID OldClientTokenModifiedId,
  OUT PLUID NewClientTokenModifiedId,
  IN  PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
  IN  PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL,
  OUT PSECURITY_DESCRIPTOR * NewDescriptor,
  IN  BOOLEAN IsDirectoryObject,
  IN  HANDLE Token,
  IN  PGENERIC_MAPPING GenericMapping
  );

Routine Description:

    If the return status is STATUS_SUCCESS and the NewSecurity return
    value is NULL, then the security descriptor of the original
    instance of the object is valid for this instance as well.

Arguments:

    ParentDescriptorChanged - Supplies a flag indicating whether the
        parent security descriptor has changed since the last time
        this set of parameters was used.

    CreatorDescriptorChanged - Supplies a flag indicating whether the
        creator security descriptor has changed since the last time
        this set of parameters was used.

    OldClientTokenModifiedId - Supplies the ModifiedId from the passed
        token that was in effect when this call was last made with
        these parameters.  If the current ModifiedId is different from
        the one passed in here, the security descriptor must be
        rebuilt.

    NewClientTokenModifiedId - Returns the current ModifiedId from the
        passed token.

    ParentDescriptor - Supplies the Security Descriptor for the parent
        directory under which a new object is being created.  If there is
        no parent directory, then this argument is specified as NULL.

    CreatorDescriptor - (Optionally) Points to a security descriptor
        presented by the creator of the object.  If the creator of the
        object did not explicitly pass security information for the new
        object, then a null pointer should be passed.

    NewDescriptor - Points to a pointer that is to be made to point to the
        newly allocated self-relative security descriptor.

    IsDirectoryObject - Specifies if the new object is going to be a
        directory object.  A value of TRUE indicates the object is a
        container of other objects.

    Token - Supplies the token for the client on whose behalf the
        object is being created.  If it is an impersonation token,
        then it must be at SecurityIdentification level or higher.  If
        it is not an impersonation token, the operation proceeds
        normally.

        A client token is used to retrieve default security
        information for the new object, such as default owner, primary
        group, and discretionary access control.  The token must be
        open for TOKEN_QUERY access.

    GenericMapping - Supplies a pointer to a generic mapping array denoting
        the mapping from each generic right to specific rights.

Return Value:

    return-value - Description of conditions needed to return value. - or -
    None.
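
Added example (not part of the original header and not the NT implementation): a portable C model of the reuse contract described above, showing how a caller keeps the returned ModifiedId and treats a NULL new descriptor as "reuse the previous one". MODEL_LUID, SD_CACHE, model_new_instance and descriptor_for_instance are hypothetical names, strings stand in for security descriptors, and forcing a build on the first call is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t LowPart; int32_t HighPart; } MODEL_LUID; /* stand-in for LUID (assumption) */

/* Hypothetical state a caller keeps per parameter set between instances. */
typedef struct {
    MODEL_LUID  TokenModifiedId;  /* NewClientTokenModifiedId from the last call */
    const char *Descriptor;       /* descriptor in effect for the last instance  */
} SD_CACHE;

/* Model of the documented contract only: *NewDescriptor stays NULL when no input changed. */
static int model_new_instance(bool ParentChanged, bool CreatorChanged,
    const MODEL_LUID *OldId, MODEL_LUID CurrentId,
    MODEL_LUID *NewId, const char **NewDescriptor, const char *Rebuilt)
{
    bool token_changed = OldId->LowPart != CurrentId.LowPart ||
                         OldId->HighPart != CurrentId.HighPart;
    *NewId = CurrentId;           /* always report the token's current ModifiedId */
    *NewDescriptor = (ParentChanged || CreatorChanged || token_changed) ? Rebuilt : NULL;
    return 0;                     /* stands in for STATUS_SUCCESS */
}

/* Caller side: pick the descriptor for the new instance and persist the returned ModifiedId. */
static const char *descriptor_for_instance(SD_CACHE *c, bool ParentChanged,
    bool CreatorChanged, MODEL_LUID CurrentId,
    const char *Rebuilt)
{
    const char *fresh = NULL;
    MODEL_LUID new_id;
    bool first = (c->Descriptor == NULL);  /* assumption: no earlier call, force a build */
    if (model_new_instance(ParentChanged || first, CreatorChanged || first,
                           &c->TokenModifiedId, CurrentId, &new_id, &fresh, Rebuilt) != 0)
        return NULL;
    c->TokenModifiedId = new_id;  /* a stale id here would hide later token changes */
    if (fresh != NULL) c->Descriptor = fresh;  /* NULL: cached descriptor still valid */
    return c->Descriptor;
}

int main(void)
{
    SD_CACHE c = {{0, 0}, NULL};
    MODEL_LUID t1 = {1, 0}, t2 = {2, 0};                         /* constructed values */
    puts(descriptor_for_instance(&c, false, false, t1, "sd-A")); /* first call: built  */
    puts(descriptor_for_instance(&c, false, false, t1, "sd-B")); /* unchanged: reused  */
    puts(descriptor_for_instance(&c, false, false, t2, "sd-C")); /* token changed      */
    return 0;
}
```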