After adding an ACE to a file ACL, I checked the permissions on the object using Explorer. It is giving me an error about the DACL not being in canonical format and asks me if I would like it reordered. Is there any sort of documentation anywhere that provides the canonical ordering of the DACL so I don't have to rely on explorer to reorder it every time? Or (even better) an API function to do it for me?
If you use the SetEntriesInAcl function (as opposed to low-level functions such as AddAce) the ACL will be put in canonical order automatically.