Protecting Objects from the Effects of Inherited Rights


As discussed in the topic Inheritance and Delegation of Administration, ACEs can be set on a container object, such as an organizationalUnit, domainDNS, or container, and propagated to child objects according to the inheritance flags (ADS_ACEFLAG_INHERIT_ACE and related flags) set on those ACEs.

If you have a sensitive object, or an object whose ACEs you want to control explicitly, such as a private OU or a special user account, you can prevent ACEs from being propagated to the object from its parent container or from any ancestor of that container.

Use the IADsSecurityDescriptor.Control property to control whether the object's DACL and SACL inherit ACEs from its parent container. The property holds the SECURITY_DESCRIPTOR_CONTROL bits of the object's nTSecurityDescriptor; the values are defined in the ADS_SD_CONTROL_ENUM enumeration.

Setting the protection flags below forces access control to be set explicitly on the object and prevents anyone from changing access to the object by placing inheritable ACEs on the object's parent container or on any ancestor of that container. Protection stops propagation only: a principal that owns the object or holds WRITE_DAC on it can still edit the object's DACL directly, including clearing the protection flag, so audit who has that right on protected objects. In the Active Directory Users and Computers and ADSI Edit security dialogs, the same setting appears as the "Include inheritable permissions from this object's parent" check box.

Flag                 Value    Description

SE_DACL_PROTECTED    0x1000   Prevents ACEs set on the DACL of the parent container, and of any object above the parent container in the directory hierarchy, from being applied to the object's DACL.

SE_SACL_PROTECTED    0x2000   Prevents ACEs set on the SACL of the parent container, and of any object above the parent container in the directory hierarchy, from being applied to the object's SACL.


Be aware that the SE_DACL_PRESENT flag (0x0004) must already be set in Control before you set SE_DACL_PROTECTED, and SE_SACL_PRESENT (0x0010) must be set before you set SE_SACL_PROTECTED; test for the PRESENT bit before ORing in the PROTECTED bit rather than assigning the whole Control value. Also decide what to do with ACEs the object has already inherited (those with ADS_ACEFLAG_INHERITED_ACE set in AceFlags): either copy them into explicit ACEs so the object's effective access does not change when you protect it, or remove them so that only the ACEs you set explicitly remain. Reading or writing the SACL additionally requires the SeSecurityPrivilege (the "Manage auditing and security log" user right).
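The following PowerShell function is an added example and is not code from the original page; it shows the DACL case end to end through the [ADSI] adapter, which exposes the nTSecurityDescriptor attribute as the COM IADsSecurityDescriptor described above. It checks the SE_DACL_PRESENT precondition, handles previously inherited ACEs by either copying or removing them, then sets SE_DACL_PROTECTED and writes the descriptor back. The LDAP path in the usage line, the Protect-AdsiDacl function name and its parameters are assumptions for illustration; the constant values are the SECURITY_DESCRIPTOR_CONTROL and AceFlags bits.

```powershell
# Added example, not from the original page. Constants are the documented
# SECURITY_DESCRIPTOR_CONTROL / ADS_SD_CONTROL_ENUM and AceFlags values.
$SE_DACL_PRESENT            = 0x0004
$SE_SACL_PRESENT            = 0x0010
$SE_DACL_PROTECTED          = 0x1000
$SE_SACL_PROTECTED          = 0x2000
$ADS_ACEFLAG_INHERITED_ACE  = 0x10   # marks an ACE that arrived by inheritance

function Protect-AdsiDacl {
    # Assumed helper name and parameters (illustration only).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LdapPath,   # e.g. 'LDAP://OU=Private,DC=example,DC=com'
        [ValidateSet('Copy', 'Remove')][string]$InheritedAces = 'Copy'
    )

    $obj = [ADSI]$LdapPath
    $sd  = $obj.Get('nTSecurityDescriptor')       # IADsSecurityDescriptor (COM)

    # Precondition from the page: SE_DACL_PRESENT must be set before SE_DACL_PROTECTED.
    if (-not ($sd.Control -band $SE_DACL_PRESENT)) {
        throw "No DACL present on $LdapPath; refusing to set SE_DACL_PROTECTED."
    }
    if ($sd.Control -band $SE_DACL_PROTECTED) {
        Write-Verbose "DACL on $LdapPath is already protected."
        return
    }

    # Snapshot the inherited ACEs first so we do not mutate the list while enumerating it.
    $dacl      = $sd.DiscretionaryAcl             # IADsAccessControlList
    $inherited = @($dacl | Where-Object { $_.AceFlags -band $ADS_ACEFLAG_INHERITED_ACE })

    foreach ($ace in $inherited) {
        $dacl.RemoveAce($ace)
        if ($InheritedAces -eq 'Copy') {
            # Keep the same effective access, but as an explicit (non-inherited) ACE.
            $ace.AceFlags = $ace.AceFlags -band (-bnot $ADS_ACEFLAG_INHERITED_ACE)
            $dacl.AddAce($ace)
        }
    }
    $sd.DiscretionaryAcl = $dacl

    # OR the protection bit into the existing control flags; never overwrite Control.
    $sd.Control = $sd.Control -bor $SE_DACL_PROTECTED

    if ($PSCmdlet.ShouldProcess($LdapPath, "Set SE_DACL_PROTECTED ($InheritedAces inherited ACEs: $($inherited.Count))")) {
        $obj.Put('nTSecurityDescriptor', $sd)
        $obj.SetInfo()
    }
}

# Usage (assumed DN). Run with -WhatIf first to see how many inherited ACEs would be affected.
Protect-AdsiDacl -LdapPath 'LDAP://OU=Private,DC=example,DC=com' -InheritedAces Copy -WhatIf
```

Verify the result by re-reading the descriptor and checking that ($sd.Control -band 0x1000) is non-zero and that no ACE in DiscretionaryAcl still carries the 0x10 inherited flag. The SACL case is the same pattern with SE_SACL_PRESENT, SE_SACL_PROTECTED and SystemAcl, except that the bind must request the SACL (set $obj.psbase.Options.SecurityMasks to include Sacl) and the caller must hold SeSecurityPrivilege.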

© 2016 Microsoft