Object-specific ACEs

Object-specific ACEs are supported for directory service (DS) objects. An object-specific ACE contains a pair of GUIDs that expand the ways in which the ACE can protect an object: instead of granting or denying an access mask on the object as a whole, the ACE can be scoped to one property, property set, extended right, validated write, or type of child object, and its inheritance can be restricted to one type of child object. Either GUID may be absent; the Flags member of the ACE structure records which of the two are present, and an ACE with neither GUID applies to the whole object, like an ordinary ACE.

GUID                 Description

ObjectType           Identifies one of the following:
  • A type of child object. The ACE controls the right to create a specified type of child object. For more information, see Controlling Child Object Creation in C++.
  • A property set or property. The ACE controls the right to read or write the property or property set. For more information, see ACEs to Control Access to an Object's Properties.
  • An extended right. The ACE controls the right to perform the operation associated with the extended right.
  • A validated write. The ACE controls the right to perform certain write operations. A validated write permission, defined and exposed in the ACL Editor, allows a property to be written only with a value that passes a system-defined validity check, in contrast to a "write property" permission, which allows an unchecked low-level write of any value to the property.

InheritedObjectType  Indicates the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. For more information, see ACE Inheritance.


Three types of object-specific ACEs are supported.

Note: System-alarm object ACEs (SYSTEM_ALARM_OBJECT_ACE) are not currently supported.

Type                       Description

Access-denied object ACE   Used in a DACL to deny a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_DENIED_OBJECT_ACE structure.

Access-allowed object ACE  Used in a DACL to allow a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_ALLOWED_OBJECT_ACE structure.

System-audit object ACE    Used in a SACL to log a trustee's attempts to access a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the SYSTEM_AUDIT_OBJECT_ACE structure.


Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.
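The following decoder, added here as an illustration and not code from the Windows SDK, walks the on-the-wire form of an ACL holding the three object ACE types above (ACE_HEADER, then Mask, Flags, the optional ObjectType and InheritedObjectType GUIDs, then the trustee SID). It checks that the ACL revision is ACL_REVISION_DS and uses the Flags word to decide whether each GUID is present before locating the SID, which is the step a hand-written ACL scanner most often gets wrong. The sample ACL bytes are constructed for this example (BUILTIN\Administrators as trustee, placeholder GUIDs of repeated 0x11 and 0x22 bytes rather than real schema identifiers), and the ADS_RIGHT_* values are the documented directory service access rights. The helper names are this example's own.

```c
/* Byte-level decoder for object-specific ACEs. Added example, not SDK code:
   the SDK structures are re-derived from their layout so it builds anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACL_REVISION_DS                   4
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE    0x05
#define ACCESS_DENIED_OBJECT_ACE_TYPE     0x06
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE      0x07
#define ACE_OBJECT_TYPE_PRESENT           0x1  /* ObjectType GUID follows Flags */
#define ACE_INHERITED_OBJECT_TYPE_PRESENT 0x2  /* InheritedObjectType GUID follows */
#define ADS_RIGHT_DS_READ_PROP            0x10
#define ADS_RIGHT_DS_WRITE_PROP           0x20

typedef struct {
    uint8_t  ace_type, ace_flags;   /* ACE_HEADER */
    uint16_t ace_size;
    uint32_t mask, flags;           /* access mask and object-ACE Flags */
    int      has_object_type, has_inherited_object_type;
    uint8_t  object_type[16], inherited_object_type[16];
    const uint8_t *sid;             /* points into the caller's buffer */
    size_t   sid_len;
} object_ace_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one object ACE; returns its AceSize, or 0 if malformed. Both GUIDs are
   optional, so the SID offset (SidStart) depends on the Flags word. */
size_t parse_object_ace(const uint8_t *buf, size_t len, object_ace_t *out) {
    memset(out, 0, sizeof *out);
    if (len < 12) return 0;
    out->ace_type = buf[0]; out->ace_flags = buf[1]; out->ace_size = rd16(buf + 2);
    if (out->ace_type < ACCESS_ALLOWED_OBJECT_ACE_TYPE || out->ace_type > SYSTEM_AUDIT_OBJECT_ACE_TYPE) return 0;
    if (out->ace_size < 12 || out->ace_size > len) return 0;
    out->mask = rd32(buf + 4); out->flags = rd32(buf + 8);
    size_t off = 12;
    if (out->flags & ACE_OBJECT_TYPE_PRESENT) {
        if (off + 16 > out->ace_size) return 0;
        memcpy(out->object_type, buf + off, 16); out->has_object_type = 1; off += 16;
    }
    if (out->flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
        if (off + 16 > out->ace_size) return 0;
        memcpy(out->inherited_object_type, buf + off, 16); out->has_inherited_object_type = 1; off += 16;
    }
    /* SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6) SubAuthority[n](4 each) */
    if (off + 8 > out->ace_size) return 0;
    size_t sid_len = 8 + 4 * (size_t)buf[off + 1];
    if (off + sid_len > out->ace_size) return 0;
    out->sid = buf + off; out->sid_len = sid_len;
    return out->ace_size;
}

/* Walk an ACL of object ACEs. Returns the ACE count, or -1 on error; an ACL
   carrying object ACEs must have revision ACL_REVISION_DS, so anything else is rejected. */
int parse_ds_acl(const uint8_t *buf, size_t len, object_ace_t *aces, size_t max_aces) {
    if (len < 8 || buf[0] != ACL_REVISION_DS) return -1;
    uint16_t acl_size = rd16(buf + 2), count = rd16(buf + 4);
    if (acl_size > len || count > max_aces) return -1;
    size_t off = 8;
    for (uint16_t i = 0; i < count; i++) {
        size_t n = parse_object_ace(buf + off, acl_size - off, &aces[i]);
        if (n == 0) return -1;
        off += n;
    }
    return (int)count;
}

/* Render a binary SID as S-1-<authority>-<sub>...; returns 1 on success, 0 on bad input. */
int sid_to_string(const uint8_t *sid, size_t len, char *dst, size_t dstlen) {
    if (len < 8 || sid[0] != 1 || 8 + 4 * (size_t)sid[1] > len) return 0;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    int n = snprintf(dst, dstlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= dstlen) return 0;
    for (size_t i = 0; i < sid[1]; i++) {
        int m = snprintf(dst + n, dstlen - (size_t)n, "-%u", (unsigned)rd32(sid + 8 + 4 * i));
        if (m < 0 || (size_t)m >= dstlen - (size_t)n) return 0;
        n += m;
    }
    return 1;
}

/* Constructed sample DACL (not taken from a real directory object): revision 4,
   two ACEs for BUILTIN\Administrators (S-1-5-32-544); GUIDs are placeholders. */
const uint8_t sample_acl[] = {
    0x04, 0x00, 0x60, 0x00, 0x02, 0x00, 0x00, 0x00,   /* ACL: rev 4, size 96, 2 ACEs */
    0x05, 0x02, 0x3C, 0x00,                           /* ACE 1: allowed object, CONTAINER_INHERIT_ACE, size 60 */
    0x20, 0x00, 0x00, 0x00,                           /* Mask: ADS_RIGHT_DS_WRITE_PROP */
    0x03, 0x00, 0x00, 0x00,                           /* Flags: both GUIDs present */
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11, /* ObjectType */
    0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22,0x22, /* InheritedObjectType */
    0x01, 0x02, 0x00,0x00,0x00,0x00,0x00,0x05, 0x20,0x00,0x00,0x00, 0x20,0x02,0x00,0x00, /* SID S-1-5-32-544 */
    0x06, 0x00, 0x1C, 0x00,                           /* ACE 2: denied object, size 28 */
    0x10, 0x00, 0x00, 0x00,                           /* Mask: ADS_RIGHT_DS_READ_PROP */
    0x00, 0x00, 0x00, 0x00,                           /* Flags: no GUIDs, so the ACE covers the whole object */
    0x01, 0x02, 0x00,0x00,0x00,0x00,0x00,0x05, 0x20,0x00,0x00,0x00, 0x20,0x02,0x00,0x00, /* SID S-1-5-32-544 */
};

int main(void) {
    object_ace_t aces[4]; char sid[64];
    int n = parse_ds_acl(sample_acl, sizeof sample_acl, aces, 4);
    for (int i = 0; i < n; i++) {
        sid_to_string(aces[i].sid, aces[i].sid_len, sid, sizeof sid);
        printf("ACE %d: type=0x%02x mask=0x%x scope=%s trustee=%s\n", i, aces[i].ace_type,
               (unsigned)aces[i].mask, aces[i].has_object_type ? "ObjectType GUID" : "whole object", sid);
    }
    return n < 0;
}
```

Two points the output makes visible: the second ACE carries the same SID at a different offset because no GUIDs precede it, and an object ACE without an ObjectType GUID is a full-object grant or denial, so a tool that only looks for property-scoped entries must not treat the absent GUID as "no scope" and skip it.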

© 2014 Microsoft