NTSTATUS
SeAssignSecurity(
  IN  PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
  IN  PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
  OUT PSECURITY_DESCRIPTOR *NewDescriptor,
  IN  BOOLEAN IsDirectoryObject,
  IN  PSECURITY_SUBJECT_CONTEXT SubjectContext,
  IN  PGENERIC_MAPPING GenericMapping,
  IN  POOL_TYPE PoolType
  );

Routine Description:

    This routine assumes privilege checking HAS NOT yet been performed,
    and so performs that checking itself.

    This procedure is used to build a security descriptor for a new object
    given the security descriptor of its parent directory and any originally
    requested security for the object.  The final security descriptor
    returned to the caller may contain a mix of information, some explicitly
    provided and some taken from the new object's parent.

    See RtlpNewSecurityObject for a description of how the NewDescriptor is
    built.

Arguments:

    ParentDescriptor - Optionally supplies the security descriptor of the
        parent directory under which this new object is being created.

    ExplicitDescriptor - Optionally supplies a pointer to the security
        descriptor, as specified by the user, that is to be applied to
        the new object.

    NewDescriptor - Returns the actual security descriptor for the new
        object, built according to the rules described above.

    IsDirectoryObject - Specifies if the new object is itself a directory
        object.  A value of TRUE indicates the object is a container of other
        objects.

    SubjectContext - Supplies the security context of the subject creating the
        object. This is used to retrieve default security information for the
        new object, such as default owner, primary group, and discretionary
        access control.

    GenericMapping - Supplies a pointer to an array of access mask values
        denoting the mapping from each generic right to non-generic rights.

    PoolType - Specifies the pool type to use when allocating a new
        security descriptor.

Return Value:

    STATUS_SUCCESS - indicates the operation was successful.

    STATUS_INVALID_OWNER - The owner SID provided as the owner of the
        target security descriptor is not one the caller is authorized
        to assign as the owner of an object.

    STATUS_PRIVILEGE_NOT_HELD - The caller does not have the privilege
        necessary to explicitly assign the specified system ACL.
        SeSecurityPrivilege privilege is needed to explicitly assign
        system ACLs to objects.