IADsAccessControlEntry
The IADsAccessControlEntry interface enables you to access and manipulate individual access-control entries (ACEs) of the owning object. An ACE stipulates who can access the object and the type of access granted, and also specifies whether the access control settings can be propagated from the object to any of its children. An ACE exposes a set of properties through this interface to provide such services.
An object can have a number of ACEs, one for each client or a group of clients. ACEs are maintained in an access-control list (ACL) which implements the IADsAccessControlList interface. That is, a client must use an ACL to access an ACE. To access the ACL, retrieve the security descriptor of the object that implements the IADsSecurityDescriptor interface. The following procedures describe how to manage access controls over a directory object.
Some of the IADsAccessControlEntry property values, such as AccessMask and AceFlags, will be different for different object types. For example, an Active Directory object will use the ADS_RIGHT_GENERIC_READ constant of the ADS_RIGHTS_ENUM enumeration for the AccessMask property, but the equivalent access right for a file object is FILE_GENERIC_READ. It is not safe to assume that all property values will be the same for Active Directory objects and non-Active Directory objects.
To manage access controls over a directory object:
- Retrieve the security descriptor for the object that implements the IADsSecurityDescriptor interface.
- Retrieve the ACL from the security descriptor.
- Work with the ACE, or ACEs, of the object in the ACL.
To set a new or modified ACE as persistent:
- Add the ACE to the ACL.
- Assign the ACL to the security descriptor.
- Commit the security descriptor to the directory store.
Inheritance: IDispatch
Properties
| Property | Description |
| --- | --- |
| AccessMask | Gets or sets a set of flags that specify access privileges for the object. |
| AceFlags | Gets or sets a set of flags that specify if other containers or objects can inherit the ACE. |
| AceType | Gets or sets a value that indicates the type of the ACE. |
| Flags | Gets or sets a flag that indicates if the ACE has an object type or inherited object type. |
| InheritedObjectType | Gets or sets a flag that indicates the type of a child object of a directory object. |
| ObjectType | Gets or sets a flag that indicates the directory object type. |
| Trustee | Gets or sets the name of the account that the ACE applies to. |
Details
AccessMask
Gets or sets a set of flags that specify access privileges for the object. Valid values for Active Directory objects are specified in the ADS_RIGHTS_ENUM enumeration.
- Type: int
- Access: Read/Write
AceFlags
Gets or sets a set of flags that specify if other containers or objects can inherit the ACE. Valid values for Active Directory objects are specified in the ADS_ACEFLAG_ENUM enumeration.
- Type: int
- Access: Read/Write
AceType
Gets or sets a value that indicates the type of the ACE. Valid values for Active Directory objects are specified in the ADS_ACETYPE_ENUM enumeration.
- Type: int
- Access: Read/Write
Flags
Gets or sets a flag that indicates if the ACE has an object type or inherited object type. Valid flags are specified in the ADS_FLAGTYPE_ENUM enumeration.
- Type: int
- Access: Read/Write
InheritedObjectType
Gets or sets a flag that indicates the type of a child object of a directory object. Its value is a GUID to an object in the string format. When such a GUID is set, the ACE applies only to the object referred to by the GUID.
- Type: string
- Access: Read/Write
ObjectType
Gets or sets a flag that indicates the directory object type. Its value is a GUID to a property or an object in the string format. The GUID refers to a property when ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP access masks are used. The GUID specifies an object type when ADS_RIGHT_DS_CREATE_CHILD and ADS_RIGHT_DS_DELETE_CHILD access masks are used.
- Type: string
- Access: Read/Write
Trustee
Gets or sets the name of the account that the ACE applies to.
- Type: string
- Access: Read/Write
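The following Python code is an added example, not part of the original reference. It interprets the property values read from one Active Directory ACE, including the rule above for what the ObjectType GUID refers to, and flags entries that grant write-type access. The function name describe_ace, the dictionary input shape and the sample values are assumptions; the numeric constants are the values of the ADSI enumerations named on this page.

```python
# Values from ADS_RIGHTS_ENUM (subset), ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM, ADS_FLAGTYPE_ENUM.
RIGHTS = {
    0x1: "ADS_RIGHT_DS_CREATE_CHILD", 0x2: "ADS_RIGHT_DS_DELETE_CHILD",
    0x10: "ADS_RIGHT_DS_READ_PROP", 0x20: "ADS_RIGHT_DS_WRITE_PROP",
    0x40000: "ADS_RIGHT_WRITE_DAC", 0x80000: "ADS_RIGHT_WRITE_OWNER",
    0x10000000: "ADS_RIGHT_GENERIC_ALL", 0x40000000: "ADS_RIGHT_GENERIC_WRITE",
    0x80000000: "ADS_RIGHT_GENERIC_READ",
}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT", 7: "SYSTEM_AUDIT_OBJECT"}
INHERIT_ACE, INHERIT_ONLY_ACE, INHERITED_ACE = 0x2, 0x8, 0x10
OBJECT_TYPE_PRESENT, INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
WRITE_LIKE = 0x20 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000


def describe_ace(ace):
    """ace: dict keyed by the property names on this page (hypothetical input shape)."""
    mask = ace["AccessMask"] & 0xFFFFFFFF  # COM hands back a signed 32-bit value
    out = {
        "trustee": ace["Trustee"],
        "type": ACE_TYPES.get(ace["AceType"], "UNKNOWN(%d)" % ace["AceType"]),
        "rights": [name for bit, name in sorted(RIGHTS.items()) if mask & bit],
        "other_bits": mask & ~sum(RIGHTS),  # bits outside the subset listed above
        "children_inherit": bool(ace["AceFlags"] & INHERIT_ACE),
        "applies_to_this_object": not ace["AceFlags"] & INHERIT_ONLY_ACE,
        "inherited_from_parent": bool(ace["AceFlags"] & INHERITED_ACE),
        "grants_write": ace["AceType"] in (0, 5) and bool(mask & WRITE_LIKE),
        "object_type": None,
        "inherited_object_type": None,
    }
    if ace["Flags"] & OBJECT_TYPE_PRESENT:
        # READ_PROP/WRITE_PROP: GUID names a property; CREATE/DELETE_CHILD: an object type.
        kind = ("property" if mask & 0x30 else
                "child object type" if mask & 0x3 else "not stated on this page")
        out["object_type"] = (kind, ace["ObjectType"])
    if ace["Flags"] & INHERITED_OBJECT_TYPE_PRESENT:
        out["inherited_object_type"] = ace["InheritedObjectType"]
    return out


# Constructed sample values, not taken from a real directory.
SAMPLE = {"Trustee": "EXAMPLE\\helpdesk", "AccessMask": 0x20, "AceType": 5,
          "AceFlags": 0x2, "Flags": 0x1, "InheritedObjectType": "",
          "ObjectType": "{00000000-0000-0000-0000-000000000001}"}

if __name__ == "__main__":
    for key, value in describe_ace(SAMPLE).items():
        print(key, "=", value)
```

The mask is normalized with `& 0xFFFFFFFF` because ADS_RIGHT_GENERIC_READ occupies the sign bit and arrives as a negative integer from an automation client.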
Requirements
Minimum required version: 2009.1