AceType Bit Values to Use in Creating ACLs in P&M

ID: Q198529

The information in this article applies to:

Microsoft Site Server version 3.0
Microsoft Active Directory Service Interfaces, version 2.5

SUMMARY

This article describes which values to assign to the AceType bit when programmatically accessing and manipulating the LDAP Directory Store Access Control Lists through ADSI. This article does not apply to tools such as Membership Directory Manager.

Each ACE has a field called AceType. AceType indicates the type of ACE. Possible values for the Site Server DS are as follows:


   * ADS_ACETYPE_ACCESS_ALLOWED:  value of 0
   * ADS_ACETYPE_ACCESS_DENIED:  value of 1
   * ADS_ACETYPE_ACCESS_ALLOWED_OBJECT:  value of 5
   * ADS_ACETYPE_ACCESS_DENIED_OBJECT:  value of 6

The latter two settings are used only if the ObjectType field contains a GUID.

The ObjectType field contains a GUID that refers to a class or attribute. If the GUID refers to a class, then the ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP access masks must be set. This corresponds to setting an ACL that allows a security principal to read or write a specific attribute, for example "grant Joe the right to read or write the 'userPassword' attribute."

If the GUID refers to an attribute, then the ADS_RIGHT_DS_CREATE_CHILD or ADS_RIGHT_DS_DELETE_CHILD access masks must be set. This corresponds to setting an ACL that allows a security principal to create or delete child objects of a specific class, for example "grant Joe the right to create or delete objects of class 'organizationalUnit' under the target object."

For more information regarding the AceType setting, see the Microsoft Site Server 3.0 SDK. The SDK contains a script that documents the different parameters and flags for ACEs and ACLs. This is the same standard used by ADSI. See http://adsi/security.doc for a detailed explanation (see Section 5).

Additional query words:

Keywords : kbADSI
Version : winnt:2.5,3.0
Platform : winnt
Issue type : kbinfo