Setting Rights to Specific Types of Objects

The following procedure shows how to set an ACE that can be inherited only by a specific class of objects.

To set an ACE that can be inherited only by a specific class of objects

  1. Set the IADsAccessControlEntry.AceType property to ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or ADS_ACETYPE_ACCESS_DENIED_OBJECT.
  2. Set the IADsAccessControlEntry.AceFlags property to include the ADS_ACEFLAG_INHERIT_ACE flag.
  3. Set the IADsAccessControlEntry.InheritedObjectType property to the schemaIDGUID of the object class that can inherit the ACE.
  4. Set the IADsAccessControlEntry.Flags property to ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT.

Important

Set ADS_ACEFLAG_INHERIT_ACE to cause the ACE to be inherited. In addition, you must set ADS_ACEFLAG_INHERIT_ONLY_ACE if the object type this ACE applies to does not match the object type of the container where the ACE is specified. If this is not done, the ACE will also become effective on the container and can grant unintended rights.
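The four steps and the inherit-only rule above, as an added PowerShell example that is not part of the original page. The function name `New-ClassScopedAce`, the OU path and the trustee `EXAMPLE\HelpDesk` are hypothetical; the GUID passed in is the schemaIDGUID of the user class, and the numeric constants are the values defined in the ADSI enumerations.

```powershell
# ADSI constant values (ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM, ADS_FLAGTYPE_ENUM, ADS_RIGHTS_ENUM)
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = 0x5
$ADS_ACEFLAG_INHERIT_ACE                = 0x2
$ADS_ACEFLAG_INHERIT_ONLY_ACE           = 0x8
$ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2
$ADS_RIGHT_DS_READ_PROP                 = 0x10

function New-ClassScopedAce {
    param(
        [Parameter(Mandatory)] [string] $Trustee,
        [Parameter(Mandatory)] [guid]   $InheritedClassGuid,
        [Parameter(Mandatory)] [int]    $AccessMask,
        # Pass only when the container itself is of the class named by the GUID.
        [switch] $ContainerIsSameClass
    )
    $ace = New-Object -ComObject AccessControlEntry
    $ace.Trustee    = $Trustee
    $ace.AccessMask = $AccessMask
    # Step 1: object-specific ACE type.
    $ace.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    # Step 2: make the ACE inheritable. Unless the container matches the target
    # class, add INHERIT_ONLY so the ACE does not take effect on the container.
    $aceFlags = $ADS_ACEFLAG_INHERIT_ACE
    if (-not $ContainerIsSameClass) {
        $aceFlags = $aceFlags -bor $ADS_ACEFLAG_INHERIT_ONLY_ACE
    }
    $ace.AceFlags = $aceFlags
    # Step 3: schemaIDGUID of the class allowed to inherit, in {guid} form.
    $ace.InheritedObjectType = $InheritedClassGuid.ToString('B')
    # Step 4: declare that InheritedObjectType is populated.
    $ace.Flags = $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
    return $ace
}

# Hypothetical target: an OU whose child user objects should inherit the ACE.
$ou   = [ADSI]'LDAP://OU=Staff,DC=example,DC=com'
$sd   = $ou.psbase.InvokeGet('ntSecurityDescriptor')
$dacl = $sd.DiscretionaryAcl

$ace = New-ClassScopedAce -Trustee 'EXAMPLE\HelpDesk' `
    -InheritedClassGuid 'bf967aba-0de6-11d0-a285-00aa003049e2' `
    -AccessMask $ADS_RIGHT_DS_READ_PROP
$dacl.AddAce($ace)

# Write the modified DACL back to the directory object.
$sd.DiscretionaryAcl = $dacl
$ou.psbase.InvokeSet('ntSecurityDescriptor', $sd)
$ou.psbase.CommitChanges()
```

Because an OU is not a user object, the call omits `-ContainerIsSameClass`, so the ACE is written with both ADS_ACEFLAG_INHERIT_ACE and ADS_ACEFLAG_INHERIT_ONLY_ACE and grants nothing on the OU itself.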

 

For more information and code examples that can be used to set this type of ACE, see Example Code for Setting an ACE on a Directory Object.