| Platform SDK: Active Directory, ADSI, and Directory Services |
Every object in Active Directory has a unique security descriptor that defines access permissions required to read or update the object or its individual properties. Access permissions are determined by rights granted to users' accounts or by group memberships.
When an application binds to an object in the directory, the access permissions that the application has to that object are based on the user context specified during the bind operation. For the binding functions and methods (ADsGetObject, ADsOpenObject, GetObject, IADsOpenDSObject::OpenDSObject), an application can implicitly use the credentials of the caller, explicitly specify the credentials of a user account, or use an unauthenticated user context (Guest).