Platform SDK: Access Control

Object-Specific ACEs

Windows 2000 supports object-specific ACEs for directory service (DS) objects. An object-specific ACE contains a pair of globally unique identifiers (GUIDs) that expand the ways in which the ACE can protect an object.

ObjectType GUID
    Identifies one of the following:
InheritedObjectType GUID
    Indicates the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. For more information, see ACE Inheritance.

Windows 2000 supports three types of object-specific ACEs. System-alarm object ACEs are not currently supported.

Type                        Description
Access-denied object ACE    Windows 2000: Used in a DACL to deny a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_DENIED_OBJECT_ACE structure.
Access-allowed object ACE   Windows 2000: Used in a DACL to allow a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_ALLOWED_OBJECT_ACE structure.
System-audit object ACE     Windows 2000: Used in a SACL to log a trustee's attempts to access a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the SYSTEM_AUDIT_OBJECT_ACE structure.

Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.
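The following Python example is added here to show the on-the-wire shape of what this page describes; it is not part of the Platform SDK. It serializes an ACL holding an access-allowed object ACE (scoped to a property GUID and to one inheriting child-object type) and an access-denied object ACE (scoped to the property only), then parses the bytes back and enforces the rule that an object-specific ACE may only appear in an ACL with revision ACL_REVISION_DS. The numeric values of the ACE type codes, the ACE_OBJECT_TYPE_PRESENT / ACE_INHERITED_OBJECT_TYPE_PRESENT flags, ACL_REVISION_DS and ADS_RIGHT_DS_READ_PROP are the ones defined in the Windows headers; the property GUID, child-type GUID and SID are constructed sample values.

```python
"""Build and parse object-specific ACEs (added example, not SDK code)."""
import struct
import uuid

# ACE type codes from the Windows headers (AceType byte in ACE_HEADER)
ACCESS_ALLOWED_ACE_TYPE = 0x00         # ordinary, non-object ACE
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 0x07
OBJECT_ACE_TYPES = {ACCESS_ALLOWED_OBJECT_ACE_TYPE,
                    ACCESS_DENIED_OBJECT_ACE_TYPE,
                    SYSTEM_AUDIT_OBJECT_ACE_TYPE}

# Flags word of an object ACE: which of the two GUIDs follow it
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2

ACL_REVISION = 2      # ACL without object-specific ACEs
ACL_REVISION_DS = 4   # required once any object-specific ACE is present

CONTAINER_INHERIT_ACE = 0x02   # AceFlags bit in ACE_HEADER
ADS_RIGHT_DS_READ_PROP = 0x10  # access mask bit for reading a property

# Constructed sample identifiers (not real schema GUIDs or a real account)
PROPERTY_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
CHILD_TYPE_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")


def build_sid(authority, *subauthorities):
    """SID: Revision, SubAuthorityCount, 6-byte big-endian authority, LE subauthorities."""
    return (struct.pack("<BB", 1, len(subauthorities))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauthorities))


def build_object_ace(ace_type, ace_flags, mask, sid, object_type=None, inherited_object_type=None):
    """ACE_HEADER + Mask + Flags + [ObjectType GUID] + [InheritedObjectType GUID] + SID."""
    flags, guids = 0, b""
    if object_type is not None:
        flags |= ACE_OBJECT_TYPE_PRESENT
        guids += object_type.bytes_le
    if inherited_object_type is not None:
        flags |= ACE_INHERITED_OBJECT_TYPE_PRESENT
        guids += inherited_object_type.bytes_le
    body = struct.pack("<II", mask, flags) + guids + sid
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def build_plain_ace(ace_type, ace_flags, mask, sid):
    """Ordinary ACE: ACE_HEADER + Mask + SID (no GUIDs)."""
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, ace_flags, 4 + len(body)) + body


def build_acl(aces):
    """ACL header; the revision is bumped to ACL_REVISION_DS if any ACE is object-specific."""
    revision = ACL_REVISION_DS if any(a[0] in OBJECT_ACE_TYPES for a in aces) else ACL_REVISION
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body


def parse_sid(data):
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_acl(data):
    """Return (revision, [ace dicts]); reject object ACEs in a non-DS-revision ACL."""
    revision, _, _, ace_count, _ = struct.unpack_from("<BBHHH", data, 0)
    offset, aces = 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, offset)
        ace = {"type": ace_type, "ace_flags": ace_flags,
               "object_type": None, "inherited_object_type": None}
        if ace_type in OBJECT_ACE_TYPES:
            if revision != ACL_REVISION_DS:
                raise ValueError("object-specific ACE in ACL without ACL_REVISION_DS")
            ace["mask"], flags = struct.unpack_from("<II", data, offset + 4)
            pos = offset + 12
            if flags & ACE_OBJECT_TYPE_PRESENT:
                ace["object_type"] = uuid.UUID(bytes_le=data[pos:pos + 16]); pos += 16
            if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                ace["inherited_object_type"] = uuid.UUID(bytes_le=data[pos:pos + 16]); pos += 16
        else:
            (ace["mask"],) = struct.unpack_from("<I", data, offset + 4)
            pos = offset + 8
        ace["sid"] = parse_sid(data[pos:offset + ace_size])
        aces.append(ace)
        offset += ace_size
    return revision, aces


def example_acl():
    """DACL: allow reading one property (inheritable by one child type), deny it otherwise."""
    sid = build_sid(5, 21, 1000, 2000, 3000, 1105)   # constructed S-1-5-21-... SID
    allow = build_object_ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, CONTAINER_INHERIT_ACE,
                             ADS_RIGHT_DS_READ_PROP, sid, PROPERTY_GUID, CHILD_TYPE_GUID)
    deny = build_object_ace(ACCESS_DENIED_OBJECT_ACE_TYPE, 0,
                            ADS_RIGHT_DS_READ_PROP, sid, PROPERTY_GUID)
    return build_acl([allow, deny])


if __name__ == "__main__":
    for ace in parse_acl(example_acl())[1]:
        print(ace)
```

The parser deliberately refuses an object-specific ACE found in an ACL whose revision is not ACL_REVISION_DS, which is the same invariant a defender should check when validating security descriptors read from a directory.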