Setting a Control Access Right ACE in an Object's ACL

Using ADSI, you set a control access right ACE just as you would a property-specific ACE, except that the IADsAccessControlEntry.ObjectType property is the rightsGUID of the control access right. Be aware that you can also use the Win32 security APIs to set ACLs on directory objects.

The following table lists the IADsAccessControlEntry properties for control access rights that can be used to set properties for an ACE.

AccessMask For control access rights that control extended rights access to special operations, AccessMask must contain the ADS_RIGHT_DS_CONTROL_ACCESS flag.

For control access rights that define a property set, AccessMask contains ADS_RIGHT_DS_READ_PROP and/or ADS_RIGHT_DS_WRITE_PROP.

For control access rights that control validated writes, AccessMask contains ADS_RIGHT_DS_SELF.

Flags This value must include the ADS_FLAG_OBJECT_TYPE_PRESENT flag.
ObjectType This value must be the StringFromGUID2 format of the rightsGUID attribute of the control access right. Be aware that, in an ACE, the GUID string must include the starting and terminating curly braces even though the rightsGUID attribute of the controlAccessRight object does not include the curly braces.
AceType Either ADS_ACETYPE_ACCESS_ALLOWED_OBJECT to grant the trustee the access control right or ADS_ACETYPE_ACCESS_DENIED_OBJECT to deny the trustee the control access right.
Trustee The security principal, for example user, group, computer, and so on, to which the ACE applies.


For more information about creating an ACE, see Setting Access Rights on an Object.

For more information and a code example for setting an ACE, see Example Code for Setting an ACE on a Directory Object.