[This is preliminary documentation and subject to change.]
Windows NT version 5.0 supports object-specific ACEs for directory service (DS) objects. Object-specific ACEs contain the same trustee and access right information found in the older ACE types. They also contain two GUID structures, which contain globally unique identifiers (GUIDs) that identify types of objects. These GUIDs enable the ACE to provide the following functionality:
Windows NT version 5.0 supports three types of object-specific ACEs. System-alarm object ACEs are not currently supported.
Type | Description |
---|---|
Access-denied object ACE | Windows NT 5.0 and later: Used in a DACL to deny a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_DENIED_OBJECT_ACE structure. |
Access-allowed object ACE | Windows NT 5.0 and later: Used in a DACL to allow a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_ALLOWED_OBJECT_ACE structure. |
System-audit object ACE | Windows NT 5.0 and later: Used in a SACL to log a trustee's attempts to access a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the SYSTEM_AUDIT_OBJECT_ACE structure. |
Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.