Setting Rights to Specific Properties of Specific Types of Objects

Property-specific permissions can be combined with object-specific inheritance to provide powerful, fine-grained delegation of administration. You can set a property-specific, object-inheritable ACE to allow a specified user or group to read and/or write a specific attribute on a specified class of child objects in a container. For example, you can set an ACE on an organizational unit (OU) to enable a group to read and write the telephone number attribute of all user objects in the OU, without granting that group any rights on the OU itself or on other attributes of those users.

To set property-specific object-inheritable ACEs

  1. Set IADsAccessControlEntry.AceType to ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or ADS_ACETYPE_ACCESS_DENIED_OBJECT.
  2. Set IADsAccessControlEntry.ObjectType to the schemaIDGUID of the attribute. For example, the schemaIDGUID of the telephoneNumber attribute is {bf967a49-0de6-11d0-a285-00aa003049e2}.
  3. Set IADsAccessControlEntry.AceFlags to ADS_ACEFLAG_INHERIT_ACE.
  4. Set IADsAccessControlEntry.InheritedObjectType to the schemaIDGUID of the object class that can inherit the ACE. For example, the schemaIDGUID of the user class is {bf967aba-0de6-11d0-a285-00aa003049e2}.
  5. Set IADsAccessControlEntry.Flags to ADS_FLAG_OBJECT_TYPE_PRESENT and ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT.

Important

Set ADS_ACEFLAG_INHERIT_ACE to cause the ACE to be inherited. In addition, set ADS_ACEFLAG_INHERIT_ONLY_ACE if the object type this ACE applies to does not match the object type of the container where the ACE is specified. If this is not done, the ACE will also become effective on the container and can grant unexpected rights.
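The five steps above, together with the ADS_ACEFLAG_INHERIT_ONLY_ACE flag from the note, as an added PowerShell example that drives the ADSI COM objects (IADsSecurityDescriptor, IADsAccessControlList, IADsAccessControlEntry) directly; this is not code from the original page. The OU path and the trustee group are placeholders, and the script must be run with rights to modify the OU's security descriptor.

```powershell
# ADSI enumeration values (from Iads.h); names match the steps above.
$ADS_RIGHT_DS_READ_PROP                  = 0x10
$ADS_RIGHT_DS_WRITE_PROP                 = 0x20
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT       = 0x5
$ADS_ACEFLAG_INHERIT_ACE                 = 0x2
$ADS_ACEFLAG_INHERIT_ONLY_ACE            = 0x8
$ADS_FLAG_OBJECT_TYPE_PRESENT            = 0x1
$ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT  = 0x2

# schemaIDGUIDs quoted on this page: telephoneNumber attribute and user class.
$telephoneNumberGuid = "{bf967a49-0de6-11d0-a285-00aa003049e2}"
$userClassGuid       = "{bf967aba-0de6-11d0-a285-00aa003049e2}"

# Placeholders: the OU being delegated and the group receiving the right.
$ouPath  = "LDAP://OU=Sales,DC=example,DC=com"
$trustee = "EXAMPLE\TelephoneAdmins"

$ou = [ADSI]$ouPath
# InvokeGet returns the COM IADsSecurityDescriptor rather than the .NET wrapper.
$sd   = $ou.psbase.InvokeGet("ntSecurityDescriptor")
$dacl = $sd.DiscretionaryAcl

$ace = New-Object -ComObject AccessControlEntry
$ace.Trustee    = $trustee
$ace.AccessMask = $ADS_RIGHT_DS_READ_PROP -bor $ADS_RIGHT_DS_WRITE_PROP
# Step 1: object-specific allow ACE.
$ace.AceType    = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
# Step 2: the property the right applies to.
$ace.ObjectType = $telephoneNumberGuid
# Step 3 plus the note: inherit to children, but do not apply to the OU itself,
# because the OU's class (organizationalUnit) is not the user class.
$ace.AceFlags   = $ADS_ACEFLAG_INHERIT_ACE -bor $ADS_ACEFLAG_INHERIT_ONLY_ACE
# Step 4: only user objects inherit this ACE.
$ace.InheritedObjectType = $userClassGuid
# Step 5: declare that both GUID fields are present.
$ace.Flags = $ADS_FLAG_OBJECT_TYPE_PRESENT -bor $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

$dacl.AddAce($ace)
$sd.DiscretionaryAcl = $dacl
$ou.psbase.InvokeSet("ntSecurityDescriptor", $sd)
$ou.psbase.CommitChanges()

# Verify: list object-specific ACEs on the OU that are scoped to the user class.
$check = $ou.psbase.InvokeGet("ntSecurityDescriptor").DiscretionaryAcl
foreach ($e in $check) {
    if ($e.InheritedObjectType -eq $userClassGuid) {
        "{0}  type={1} flags={2} mask=0x{3:X} obj={4}" -f $e.Trustee, $e.AceType, $e.AceFlags, $e.AccessMask, $e.ObjectType
    }
}
```

After the write, the verification loop should show the new ACE with AceFlags 10 (0x2 + 0x8) and mask 0x30; an ACE listed with AceFlags 2 alone would also be effective on the OU, which is the unexpected grant the note warns about.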


For more information and code examples that can be used to set this kind of ACE, see Example Code for Setting an ACE on a Directory Object.