Platform SDK: Access Control
Windows 2000 supports object-specific ACEs for directory service (DS) objects. An object-specific ACE contains a pair of globally unique identifiers (GUIDs) that expand the ways in which the ACE can protect an object.
Windows 2000 supports three types of object-specific ACEs. System-alarm object ACEs are not currently supported.
Type | Description |
---|---|
Access-denied object ACE | Windows 2000: Used in a DACL to deny a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_DENIED_OBJECT_ACE structure. |
Access-allowed object ACE | Windows 2000: Used in a DACL to allow a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_ALLOWED_OBJECT_ACE structure. |
System-audit object ACE | Windows 2000: Used in a SACL to log a trustee's attempts to access a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the SYSTEM_AUDIT_OBJECT_ACE structure. |
Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.
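The following added example (not part of the original SDK text) walks a raw ACL buffer, decodes the GUID pair of each object-specific ACE, and enforces the ACL_REVISION_DS rule stated above. The numeric constants and byte layout are taken from the winnt.h definitions of ACL, ACE_HEADER and the object ACE structures; the sample GUID, access mask and function names are constructed for illustration.

```python
import struct
import uuid

# Numeric values as defined in winnt.h (the page names them but does not list values).
ACL_REVISION, ACL_REVISION_DS = 2, 4
OBJECT_ACE_TYPES = {5: "ACCESS_ALLOWED_OBJECT_ACE", 6: "ACCESS_DENIED_OBJECT_ACE",
                    7: "SYSTEM_AUDIT_OBJECT_ACE"}  # system-alarm object ACEs unsupported
# ACE_OBJECT_TYPE_PRESENT / ACE_INHERITED_OBJECT_TYPE_PRESENT bits of the Flags field
GUID_FLAGS = ((0x1, "object_type"), (0x2, "inherited_object_type"))
SAMPLE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed placeholder

def build_sample_acl(revision):
    """Constructed test input: one access-allowed object ACE for S-1-1-0."""
    sid = bytes.fromhex("010100000000000100000000")               # S-1-1-0
    body = struct.pack("<II", 0x10, 0x1) + SAMPLE_GUID.bytes_le + sid  # Mask, Flags, GUID
    ace = struct.pack("<BBH", 5, 0, 4 + len(body)) + body         # ACE_HEADER + body
    return struct.pack("<BBHHH", revision, 0, 8 + len(ace), 1, 0) + ace

def parse_object_aces(acl):
    """Return (revision, object ACEs); raise ValueError if malformed or wrong revision."""
    if len(acl) < 8:
        raise ValueError("truncated ACL header")
    revision, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", acl, 0)
    if acl_size > len(acl):
        raise ValueError("AclSize exceeds buffer")
    found, off = [], 8
    for _ in range(ace_count):
        if off + 4 > acl_size:
            raise ValueError("truncated ACE header")
        ace_type, _, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < 4 or off + ace_size > acl_size:
            raise ValueError("bad AceSize")
        if ace_type in OBJECT_ACE_TYPES:
            body = acl[off + 4:off + ace_size]
            if len(body) < 8:
                raise ValueError("object ACE too short for Mask and Flags")
            mask, flags = struct.unpack_from("<II", body, 0)
            ace, pos = {"type": OBJECT_ACE_TYPES[ace_type], "mask": mask}, 8
            for bit, name in GUID_FLAGS:          # each GUID is present only if its bit is set
                ace[name] = None
                if flags & bit:
                    if pos + 16 > len(body):
                        raise ValueError("object ACE too short for " + name)
                    ace[name] = str(uuid.UUID(bytes_le=body[pos:pos + 16]))
                    pos += 16
            ace["sid"] = body[pos:]               # trustee SID follows the optional GUIDs
            found.append(ace)
        off += ace_size
    if found and revision != ACL_REVISION_DS:
        raise ValueError("object-specific ACE in ACL with revision %d" % revision)
    return revision, found
```
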