/// <summary>
/// Builds a directory security descriptor whose owner is <c>CurrentIdentity</c> and whose
/// primary group is <c>Group</c>, adds one file-system access rule per supplied entry, and
/// returns the result as a <see cref="RawSecurityDescriptor"/> parsed from its binary form.
/// </summary>
/// <param name="allowRights">Entries that become Allow rules; <c>null</c> is treated as an empty sequence.</param>
/// <param name="denyRights">Entries that become Deny rules; <c>null</c> (the default) is treated as an empty sequence.</param>
/// <returns>The descriptor re-read from offset 0 of the serialized bytes.</returns>
/// <remarks>
/// Rules use the three-argument <see cref="FileSystemAccessRule"/> constructor, so no
/// inheritance or propagation flags are specified here.
/// NOTE(review): when no allow entries are passed the descriptor carries no Allow rules at all;
/// confirm that callers intend that outcome rather than reaching it through a null argument.
/// </remarks>
private RawSecurityDescriptor CreateSecurityDescriptor(IEnumerable<IdentityRights> allowRights,
                IEnumerable<IdentityRights> denyRights = null)
            {
                // A missing sequence means "no entries of this kind", not an error.
                var allowEntries = allowRights ?? Enumerable.Empty<IdentityRights>();
                var denyEntries = denyRights ?? Enumerable.Empty<IdentityRights>();

                var descriptor = new DirectorySecurity();
                descriptor.SetOwner(CurrentIdentity);
                descriptor.SetGroup(Group);

                // Allow rules are added before Deny rules, in the order the caller supplied them.
                foreach (var entry in allowEntries)
                {
                    var allowRule = new FileSystemAccessRule(entry.Identity, entry.Rights, AccessControlType.Allow);
                    descriptor.AddAccessRule(allowRule);
                }

                foreach (var entry in denyEntries)
                {
                    var denyRule = new FileSystemAccessRule(entry.Identity, entry.Rights, AccessControlType.Deny);
                    descriptor.AddAccessRule(denyRule);
                }

                // Round-trip through the binary form to obtain the raw descriptor type.
                return new RawSecurityDescriptor(descriptor.GetSecurityDescriptorBinaryForm(), 0);
            }