Security Descriptor Components
Having used the IADs.Get method to retrieve an IADsSecurityDescriptor interface pointer, you can use the IADsSecurityDescriptor properties to read or write the components of a directory object's security descriptor. For example, to get or set the object's DACL, use the DiscretionaryAcl property.
A security descriptor can store the following data:
- A security identifier (SID) that identifies the owner of the object: The owner of an object has the implicit right to modify the DACL and owner data in the object's security descriptor.
- A discretionary access-control list (DACL) that identifies the users and groups who can perform various operations on the object: A DACL contains a list of access-control entries (ACEs). Each ACE allows or denies a specified set of access rights to a specified user account, group account, or other trustee. For more information, see Retrieving an Object's DACL.
- A system access-control list (SACL) that controls how the system audits attempts to access the object: Each ACE in a SACL specifies the types of access attempts that generate an audit log entry for a specified user account, group account, or other trustee. For more information, see Retrieving an Object's SACL.
- A set of SECURITY_DESCRIPTOR_CONTROL control flags that qualify the meaning of a security descriptor or its components: For example, the SE_DACL_PROTECTED flag protects the security descriptor's DACL from inheriting ACEs from its parent object.
- A security identifier (SID) that identifies the primary group of the object: Active Directory Domain Services do not use this component.
For more information and a code example that can be used to read and display the data in an object security descriptor and DACL, see Reading an Object's Security Descriptor.