Platform SDK: Active Directory, ADSI, and Directory Services

ADS_RIGHTS_ENUM

The ADS_RIGHTS_ENUM enumeration specifies the access rights to a directory object. The member values are assigned to the AccessMask field of an ACE.

typedef enum {
  ADS_RIGHT_DELETE                 = 0x10000,
  ADS_RIGHT_READ_CONTROL           = 0x20000,
  ADS_RIGHT_WRITE_DAC              = 0x40000,
  ADS_RIGHT_WRITE_OWNER            = 0x80000,
  ADS_RIGHT_SYNCHRONIZE            = 0x100000,
  ADS_RIGHT_ACCESS_SYSTEM_SECURITY = 0x1000000,
  ADS_RIGHT_GENERIC_READ           = 0x80000000,
  ADS_RIGHT_GENERIC_WRITE          = 0x40000000,
  ADS_RIGHT_GENERIC_EXECUTE        = 0x20000000,
  ADS_RIGHT_GENERIC_ALL            = 0x10000000,
  ADS_RIGHT_DS_CREATE_CHILD        = 0x1,
  ADS_RIGHT_DS_DELETE_CHILD        = 0x2,
  ADS_RIGHT_ACTRL_DS_LIST          = 0x4,
  ADS_RIGHT_DS_SELF                = 0x8,
  ADS_RIGHT_DS_READ_PROP           = 0x10,
  ADS_RIGHT_DS_WRITE_PROP          = 0x20,
  ADS_RIGHT_DS_DELETE_TREE         = 0x40,
  ADS_RIGHT_DS_LIST_OBJECT         = 0x80,
  ADS_RIGHT_DS_CONTROL_ACCESS      = 0x100
  } ADS_RIGHTS_ENUM;

Elements

ADS_RIGHT_DELETE: The right to delete the object.
ADS_RIGHT_READ_CONTROL: The right to read information from the security descriptor of the object, not including the information in the SACL.
ADS_RIGHT_WRITE_DAC: The right to modify the discretionary access-control list (DACL) in the object's security descriptor.
ADS_RIGHT_WRITE_OWNER: The right to assume ownership of the object. The user must be a trustee of the object. The user cannot transfer the ownership to other users.
ADS_RIGHT_SYNCHRONIZE: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
ADS_RIGHT_ACCESS_SYSTEM_SECURITY: The right to get or set the SACL in the object's security descriptor.
ADS_RIGHT_GENERIC_READ: The right to read from the security descriptor, examine the object as well as its children, and read all properties.
ADS_RIGHT_GENERIC_WRITE: The right to write all the properties and write to the DACL. The user can add and remove the object to and from the directory.
ADS_RIGHT_GENERIC_EXECUTE: The right to list children of this object.
ADS_RIGHT_GENERIC_ALL: The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.
ADS_RIGHT_DS_CREATE_CHILD: The right to create children of the object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is being controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types.
ADS_RIGHT_DS_DELETE_CHILD: The right to delete children of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is being controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.
ADS_RIGHT_ACTRL_DS_LIST: The right to list children of this object.
ADS_RIGHT_DS_SELF: The right to modify the group membership of a group object.
ADS_RIGHT_DS_READ_PROP: The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object's properties.
ADS_RIGHT_DS_WRITE_PROP: The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object's properties.
ADS_RIGHT_DS_DELETE_TREE: The right to delete all children of this object, regardless of the permission on the children.
ADS_RIGHT_DS_LIST_OBJECT: The right to list a particular object. If the user is not granted such a right, the object is hidden from the user.
ADS_RIGHT_DS_CONTROL_ACCESS: The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object.

Remarks

To assign access rights to an object, set the AccessMask field of an access-control entry (ACE) to a combination of the constants defined in this enumeration. In addition to the AccessMask field, an ACE can have other fields, including ACEType, ACEFlags, ObjectType, InheritedObjectType, Flags, and Trustee. The IADsAccessControlEntry interface provides property methods to obtain and modify these fields.

The ObjectType field specifies a GUID that identifies the property set, property, extended right, or type of child object to which the ACE applies. The InheritedObjectType field specifies a GUID that identifies the type of child object that can inherit the ACE. The Trustee field identifies the security principal to whom the ACE allows or denies the specified access rights.

For information on ACEType, ACEFlags, and Flags, see ADS_ACETYPE_ENUM, ADS_ACEFLAGS_ENUM.

Note Because VBScript cannot read information from a type library, VBScript applications do not understand the symbolic constants as defined above. You should use the numerical constants instead to set the appropriate flags in your VBScript applications. If you want to use the symbolic constants as a good programming practice, you should make explicit declarations of such constants, as done here, in your VBScript applications.

Requirements

  Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 with DSClient).
  Windows 95/98: Requires Windows 95 or later (with DSClient).
  Header: Declared in Iads.h.

ADS_RIGHTS_ENUM

Elements

Remarks

Requirements

See Also