Platform SDK: Active Directory, ADSI, and Directory Services

ADS_RIGHTS_ENUM

The ADS_RIGHTS_ENUM enumeration specifies the access rights to a directory object. The member values are assigned to the AccessMask field of an ACE.

typedef enum {
  ADS_RIGHT_DELETE                 = 0x10000,
  ADS_RIGHT_READ_CONTROL           = 0x20000,
  ADS_RIGHT_WRITE_DAC              = 0x40000,
  ADS_RIGHT_WRITE_OWNER            = 0x80000,
  ADS_RIGHT_SYNCHRONIZE            = 0x100000,
  ADS_RIGHT_ACCESS_SYSTEM_SECURITY = 0x1000000,
  ADS_RIGHT_GENERIC_READ           = 0x80000000,
  ADS_RIGHT_GENERIC_WRITE          = 0x40000000,
  ADS_RIGHT_GENERIC_EXECUTE        = 0x20000000,
  ADS_RIGHT_GENERIC_ALL            = 0x10000000,
  ADS_RIGHT_DS_CREATE_CHILD        = 0x1,
  ADS_RIGHT_DS_DELETE_CHILD        = 0x2,
  ADS_RIGHT_ACTRL_DS_LIST          = 0x4,
  ADS_RIGHT_DS_SELF                = 0x8,
  ADS_RIGHT_DS_READ_PROP           = 0x10,
  ADS_RIGHT_DS_WRITE_PROP          = 0x20,
  ADS_RIGHT_DS_DELETE_TREE         = 0x40,
  ADS_RIGHT_DS_LIST_OBJECT         = 0x80,
  ADS_RIGHT_DS_CONTROL_ACCESS      = 0x100
} ADS_RIGHTS_ENUM;

Elements

ADS_RIGHT_DELETE
The right to delete the object.
ADS_RIGHT_READ_CONTROL
The right to read information from the security descriptor of the object, not including the information in the SACL.
ADS_RIGHT_WRITE_DAC
The right to modify the discretionary access-control list (DACL) in the object's security descriptor.
ADS_RIGHT_WRITE_OWNER
The right to assume ownership of the object. The user must be a trustee of the object. The user cannot transfer the ownership to other users.
ADS_RIGHT_SYNCHRONIZE
The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
ADS_RIGHT_ACCESS_SYSTEM_SECURITY
The right to get or set the SACL in the object's security descriptor.
ADS_RIGHT_GENERIC_READ
The right to read from the security descriptor, examine the object as well as its children, and read all properties.
ADS_RIGHT_GENERIC_WRITE
The right to write all the properties and write to the DACL. The user can add and remove the object to and from the directory.
ADS_RIGHT_GENERIC_EXECUTE
The right to list children of this object.
ADS_RIGHT_GENERIC_ALL
The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.
ADS_RIGHT_DS_CREATE_CHILD
The right to create children of the object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is being controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types.
ADS_RIGHT_DS_DELETE_CHILD
The right to delete children of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is being controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.
ADS_RIGHT_ACTRL_DS_LIST
The right to list children of this object.
ADS_RIGHT_DS_SELF
The right to modify the group membership of a group object.
ADS_RIGHT_DS_READ_PROP
The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object's properties.
ADS_RIGHT_DS_WRITE_PROP
The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object's properties.
ADS_RIGHT_DS_DELETE_TREE
The right to delete all children of this object, regardless of the permission on the children.
ADS_RIGHT_DS_LIST_OBJECT
The right to list a particular object. If the user is not granted such a right, the object is hidden from the user.
ADS_RIGHT_DS_CONTROL_ACCESS
The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object.

Remarks

To assign access rights to an object, set the AccessMask field of an access-control entry (ACE) to a combination of the constants defined in this enumeration. In addition to the AccessMask field, an ACE can have other fields, including ACEType, ACEFlags, ObjectType, InheritedObjectType, Flags, and Trustee. The IADsAccessControlEntry interface provides property methods to obtain and modify these fields.

The ObjectType field specifies a GUID that identifies the property set, property, extended right, or type of child object to which the ACE applies. The InheritedObjectType field specifies a GUID that identifies the type of child object that can inherit the ACE. The Trustee field identifies the security principal to whom the ACE allows or denies the specified access rights.
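The following C code is an added example, not part of the SDK documentation. It decodes an AccessMask value into the names listed above and flags two kinds of ACE worth reviewing when auditing directory permissions: rights that the element descriptions tie to changing the security descriptor, and object-specific rights granted with no ObjectType GUID. The functions ads_decode_mask and ads_audit_ace and the ADS_AUDIT_* flags are hypothetical names, the ADS_RIGHT_ prefix is dropped from the printed names, and the sample mask is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bit values copied from the ADS_RIGHTS_ENUM listing on this page. */
static const struct { uint32_t bit; const char *name; } ADS_RIGHTS[] = {
    {0x10000, "DELETE"}, {0x20000, "READ_CONTROL"}, {0x40000, "WRITE_DAC"},
    {0x80000, "WRITE_OWNER"}, {0x100000, "SYNCHRONIZE"},
    {0x1000000, "ACCESS_SYSTEM_SECURITY"}, {0x80000000u, "GENERIC_READ"},
    {0x40000000, "GENERIC_WRITE"}, {0x20000000, "GENERIC_EXECUTE"},
    {0x10000000, "GENERIC_ALL"}, {0x1, "DS_CREATE_CHILD"},
    {0x2, "DS_DELETE_CHILD"}, {0x4, "ACTRL_DS_LIST"}, {0x8, "DS_SELF"},
    {0x10, "DS_READ_PROP"}, {0x20, "DS_WRITE_PROP"}, {0x40, "DS_DELETE_TREE"},
    {0x80, "DS_LIST_OBJECT"}, {0x100, "DS_CONTROL_ACCESS"},
};
enum { ADS_AUDIT_SD_CONTROL = 1, ADS_AUDIT_UNSCOPED = 2 }; /* hypothetical */

/* Writes "A|B|C" into out (truncating); returns bits not in the enum. */
uint32_t ads_decode_mask(uint32_t mask, char *out, size_t cap) {
    size_t used = 0;
    if (cap) out[0] = '\0';
    for (size_t i = 0; i < sizeof ADS_RIGHTS / sizeof ADS_RIGHTS[0]; i++) {
        if (!(mask & ADS_RIGHTS[i].bit)) continue;
        mask &= ~ADS_RIGHTS[i].bit;          /* known bit: clear it */
        if (used + 1 >= cap) continue;       /* no room left in out */
        int n = snprintf(out + used, cap - used, "%s%s",
                         used ? "|" : "", ADS_RIGHTS[i].name);
        if (n > 0) used += (size_t)n < cap - used ? (size_t)n : cap - used - 1;
    }
    return mask;
}

/* has_object_type: nonzero when the ACE's ObjectType field holds a GUID. */
int ads_audit_ace(uint32_t mask, int has_object_type) {
    int flags = 0;
    /* WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL */
    if (mask & (0x40000u | 0x80000u | 0x40000000u | 0x10000000u))
        flags |= ADS_AUDIT_SD_CONTROL;
    /* CREATE_CHILD, DELETE_CHILD, WRITE_PROP, CONTROL_ACCESS without a GUID */
    if (!has_object_type && (mask & (0x1u | 0x2u | 0x20u | 0x100u)))
        flags |= ADS_AUDIT_UNSCOPED;
    return flags;
}

int main(void) {  /* constructed sample: WRITE_DAC | DS_WRITE_PROP, no GUID */
    char buf[256];
    uint32_t unknown = ads_decode_mask(0x40020, buf, sizeof buf);
    printf("%s 0x%x %d\n", buf, (unsigned)unknown, ads_audit_ace(0x40020, 0));
    return 0;
}
```

A nonzero return from ads_decode_mask means the mask carries bits that this enumeration does not name, which an audit should report rather than ignore.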

For information on ACEType, ACEFlags, and Flags, see ADS_ACETYPE_ENUM and ADS_ACEFLAGS_ENUM.

Note: Because VBScript cannot read information from a type library, VBScript applications cannot resolve the symbolic constants defined above. Use the numerical constants instead to set the appropriate flags in your VBScript applications. If you want to use the symbolic constants as a good programming practice, you should make explicit declarations of such constants, as done here, in your VBScript applications.

Requirements

  Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 with DSClient).
  Windows 95/98: Requires Windows 95 or later (with DSClient).
  Header: Declared in Iads.h.

See Also

ADSI Enumerations, ADS_ACETYPE_ENUM, IADsAccessControlEntry