Comparing 2 Security Descriptors

Hello All,
I am trying to compare a "real" SD (Security Descriptor) read from a file
(or the registry) against the SDDL that was used to create that SD.

I first tried converting the SD to SDDL, but in some cases the
resulting SDDL does not match (for example, if I use the GA right on a
directory, I get back 2 separate ACEs, one with GA and the other with
basically FA).

I know Microsoft is doing this in SecEdit (which I cannot employ for
this task, I need to do it programmatically), and even has an
undocumented API, SceCompareSecurityDescriptors, in scecli.dll.

Do you have any ideas on how to accomplish this task?
Is there any documented, standard way of doing this?

Any help will be appreciated.
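
The split described in the post (an ACE created with GA on a directory read back as two ACEs, one with GA and one with FA) can be absorbed by reducing both SDDL strings to one canonical form before comparing them. The sketch below is an added example, not part of the original post and not how SecEdit or scecli.dll works; `canonical_dacl` and `same_dacl` are hypothetical names. It assumes file or directory objects, simple (non-object) ACEs, the DACL only, a subset of SDDL right tokens, and constructed sample strings.

```python
import re

# SDDL right tokens -> access-mask bits (winnt.h values); a subset of the SDDL table.
TOKENS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# Generic mapping for file and directory objects: generic bit -> specific rights.
FILE_MAP = {TOKENS["G" + c]: TOKENS["F" + c] for c in "ARWX"}

def parse_mask(rights):
    """Accept either a hex mask (0x1f01ff) or a run of two-letter tokens (FRFX)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for tok in re.findall("..", rights):
        mask |= TOKENS[tok]  # KeyError on a token outside the subset above
    return mask

def map_generic(mask):
    for gbit, specific in FILE_MAP.items():
        if mask & gbit:
            mask = (mask & ~gbit) | specific
    return mask

def canonical_dacl(sddl):
    """Ordered list of (type, flags, mask, sid); DACL flags such as P/AI are ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    out = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        typ, flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        fl = frozenset(re.findall("..", flags))
        mask = parse_mask(rights)
        if "IO" not in fl:  # part that applies to the object itself: map generics
            out.append((typ, fl - {"OI", "CI", "NP"}, map_generic(mask), sid))
        if fl & {"OI", "CI", "IO"}:  # part that only propagates: mask kept as written
            out.append((typ, fl | {"IO"}, mask, sid))
    return out

def same_dacl(a, b):
    # Order is kept on purpose: ACE order affects access evaluation.
    return canonical_dacl(a) == canonical_dacl(b)

if __name__ == "__main__":
    created = "D:(A;OICI;GA;;;BA)(A;;GR;;;WD)"                          # constructed
    read_back = "O:BAG:SYD:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FR;;;WD)"  # constructed
    print(same_dacl(created, read_back))
```

Owner, group and SACL are not compared here; a full comparison would handle them separately.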

