Each Active Directory object has a security descriptor assigned to it. A set of trustee rights specific to directory service objects can be set within these security descriptors. These rights are listed in the following table.
| Constant |
Meaning |
| ACTRL_DS_OPEN |
Open a DS object. |
| ACTRL_DS_CREATE_CHILD |
Create a child DS object. |
| ACTRL_DS_DELETE_CHILD |
Delete a child DS object. |
| ACTRL_DS_LIST |
Enumerate a DS object. |
| ACTRL_DS_READ_PROP |
Read the properties of a DS object. |
| ACTRL_DS_WRITE_PROP |
Write properties for a DS object. |
| ACTRL_DS_SELF |
Write properties for a DS object, with the DS validating the write. |
| ACTRL_DS_DELETE_TREE |
Delete a tree of DS objects. |
| ACTRL_DS_LIST_OBJECT |
List a tree of DS objects. |
| ACTRL_DS_CONTROL_ACCESS |
Control access to a DS object. |