IAccessControl interface

Enables the management of access to objects and properties on the objects.

When to implement

Distributed COM provides an implementation of the IAccessControl interface. COM servers can use this implementation to help protect their objects from unauthorized access. To get a pointer to this implementation, call CoCreateInstance, specifying CLSID_DCOMAccessControl as the CLSID. This implementation supports the IPersist interface to save the state of the access control object.

The implementation of IAccessControl provided by COM calls built-in access control functions such as OpenThreadToken and AccessCheck. If you decide to implement IAccessControl yourself, you can also call these access control functions. However, because IAccessControl methods take access information in a different format than the built-in access control functions do, your implementation must be able to convert from one format to the other as necessary.

If you decide to implement IAccessControl and pass your implementation to CoInitializeSecurity, be sure that it is completely thread-safe, because COM can call it on any thread, at any time.

In addition to the COM implementation of IAccessControl, another implementation is supplied for storage and Directory Service objects.

When to use

Call methods of the IAccessControl interface to manage access to objects and properties on the objects and to obtain access information. This interface is primarily used to set processwide security with a call to CoInitializeSecurity, specifying EOAC_ACCESS_CONTROL as the capability flag, and providing a pointer to an instance of IAccessControl as the first (pVoid) parameter. COM then calls IAccessControl methods to determine access rights.

IAccessControl should be used only to manage access rights. To manage launch permissions, use DCOMCNFG or set the LaunchPermission value under the AppID registry key. For details on using DCOMCNFG, see the DCOMCNFG online help.


The IAccessControl interface inherits from the IUnknown interface. IAccessControl also has these types of members:


The IAccessControl interface has these methods.


Gets the entire list of access rights and/or the owner and group for the specified object.


Merges the new list of access rights with the existing access rights on the object.


Determines whether the specified trustee has access rights to the object or property.


Removes any explicit entries for the list of trustees.


Replaces the existing access rights on an object with the specified list.


Sets the owner or the group of an item.



Minimum supported client

Windows 2000 Professional [desktop apps only]

Minimum supported server

Windows 2000 Server [desktop apps only]






IID_IAccessControl is defined as EEDD23E0-8410-11CE-A1C3-08002B2B8D8F

See also

Setting Process-Wide Security with CoInitializeSecurity