Object-Specific ACEs

Platform SDK: Access Control

Object-Specific ACEs

Windows 2000 supports object-specific ACEs for directory service (DS) objects. An object-specific ACE contains a pair of globally unique identifiers (GUIDs) that expand the ways in which the ACE can protect an object.

ObjectType GUID

Identifies one of the following:

A type of child object. The ACE controls the right to create a specified type of child object. For more information, see Controlling Child Object Creation.
A property set or property. The ACE controls the right to read or write the property or property set. For more information, see ACEs to Control Access to an Object's Properties.
An extended right. The ACE controls the right to perform the operation associated with the extended right. For more information, see Extended Rights.

InheritedObjectType GUID

Indicates the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. For more information, see ACE Inheritance.

Windows 2000 supports three types of object-specific ACEs. System-alarm object ACEs are not currently supported.

Type	Description
Access-denied object ACE	Windows 2000: Used in a DACL to deny a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_DENIED_OBJECT_ACE structure.
Access-allowed object ACE	Windows 2000: Used in a DACL to allow a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_ALLOWED_OBJECT_ACE structure.
System-audit object ACE	Windows 2000: Used in a SACL to log a trustee's attempts to access a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the SYSTEM_AUDIT_OBJECT_ACE structure.

Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.