The system typically assigns the creator of an object as the object's owner, and the owner has implicit rights to control the object. For example, the owner of an object implicitly has the right to modify the object's DACL, which means the owner can control access to the object. You can use the DACL of a container object to control which trustees have the right to create child objects or subcontainers within the container. Because the creator of a child object becomes its owner, restricting who can create child objects also limits who can control access to those child objects.
The various types of container objects have specific access rights that control the ability to create child objects. For example, registry keys have the KEY_CREATE_SUB_KEY access right that controls the right to create subkeys. The DACL of a registry key can control the creation of subkeys by allowing or denying this access right to specified trustees. Similarly, NTFS directory objects support the FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY access rights.
Windows NT provides additional support for controlling child object creation in directory service objects, which can contain many different types of child objects. The DACL for a DS object can contain ACEs that allow or deny the right to create all types of child objects. It can also contain object-specific ACEs that allow or deny the right to create a specified type of child object. This enables you to allow a user to create one type of child object while preventing the user from creating other types of child objects. Use the following procedure to add an object-specific ACE that allows a specified trustee to create or delete a specified type of child object.
To allow a specified trustee to create or delete all types of child objects, follow the same steps, but specify NULL for the lpProperty parameter when you call SetEntriesInAccessList. This creates an ACE that applies to the object itself rather than to a specified type of child object.
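The object-specific create-child ACE described above, and the broader ACE that results from a NULL lpProperty, shown as an added PowerShell example that is not from the original page (which uses SetEntriesInAccessList). It assumes the RSAT ActiveDirectory module, a session with rights to modify the container's DACL, and the placeholder OU path and user name shown.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module (RSAT)
# and permission to modify the OU's DACL. Names below are placeholders for illustration.
Import-Module ActiveDirectory

$ouPath  = "AD:\OU=Workstations,DC=example,DC=com"   # placeholder container (DS object)
$trustee = (Get-ADUser -Identity "alice").SID         # placeholder trustee

# Look up the schemaIDGUID of the child object class the ACE should be scoped to.
# Passing this GUID as the ACE's object type plays the role of lpProperty on the page;
# an ACE without it applies to creation/deletion of every child object type.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID
$computerGuid  = [Guid]$computerClass.schemaIDGUID

$rights    = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$noInherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# Object-specific ACE: the trustee may create and delete computer objects only.
$scopedRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $trustee, $rights, $allow, $computerGuid, $noInherit)

# For comparison only (not applied below): the same rule without an object type GUID
# would allow creating/deleting children of every class, like passing NULL for lpProperty.
$broadRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $trustee, $rights, $allow, $noInherit)

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($scopedRule)
Set-Acl -Path $ouPath -AclObject $acl

# Verify: list the trustee's ACEs on the container and the object type each one is scoped to.
# An ACE scoped to a class shows ObjectAceTypePresent in ObjectFlags and the class GUID in ObjectType.
$trusteeName = $trustee.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $trusteeName } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, ObjectFlags
```

When auditing a container, the same verification query with no trustee filter lists every principal that can create children, which is the set of principals that can end up owning, and therefore controlling access to, objects in that container.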