Platform SDK: Active Directory, ADSI, and Directory Services

Extended Rights

All Active Directory™ objects support a standard set of access rights defined in the ADS_RIGHTS_ENUM enumeration. You can use these access rights in the ACEs of an object's security descriptor to control access to the object, that is, to control who can perform standard operations, such as creating and deleting child objects, or reading and writing the properties of an object. However, for some object classes you may want to control access in a way the standard access rights do not support. Active Directory therefore provides a way to extend the standard access control mechanism.

Extended rights are used in two ways: to control access to special operations that the standard access rights do not cover, and to group related properties into a property set so that a single ACE controls read or write access to all of the properties in the set.

Each extended right is represented by a controlAccessRight object in the Extended-Rights container of the Configuration partition. Because the Configuration container is replicated across the entire forest, extended rights are propagated across all domains in a forest. There are a number of predefined extended rights, and of course, you can define your own.
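The following is an added example, not code from the Platform SDK or from the ADSI samples referenced on this page. It models the two mechanisms the preceding paragraphs describe: how a controlAccessRight object's rightsGuid and validAccesses determine the ObjectType GUID and access-mask bit of an object-specific ACE, and how a DACL is then evaluated for an extended right or for a property that belongs to a property set. The ADS_RIGHTS_ENUM bit values are the real ones; the Extended-Rights table, the attribute table, the SIDs and all GUIDs are constructed sample data (in a real forest the GUIDs are read from the Extended-Rights container and the schema, not hard-coded), and the evaluator is a simplified model of Windows access checking that handles only object ACEs and ignores inheritance.

```python
# Added example: model of how extended rights are encoded in object-specific
# ACEs and evaluated. Not Platform SDK or ADSI code. Sample data is constructed;
# GUIDs are placeholders standing in for rightsGuid / schemaIDGUID values.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Real ADS_RIGHTS_ENUM bits that a controlAccessRight's validAccesses refers to.
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100


@dataclass(frozen=True)
class ControlAccessRight:
    """The controlAccessRight attributes an ACE depends on."""
    display_name: str
    rights_guid: str     # becomes the ACE's ObjectType
    valid_accesses: int  # which mask bits the right is meaningful for


# Constructed stand-in for CN=Extended-Rights,CN=Configuration,... (placeholder GUIDs).
EXTENDED_RIGHTS: Tuple[ControlAccessRight, ...] = (
    ControlAccessRight("Reset Password", "00000000-0000-0000-0000-000000000001", ADS_RIGHT_DS_CONTROL_ACCESS),
    ControlAccessRight("Change Password", "00000000-0000-0000-0000-000000000002", ADS_RIGHT_DS_CONTROL_ACCESS),
    ControlAccessRight("User-Account-Restrictions", "00000000-0000-0000-0000-000000000003",
                       ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP),  # a property set
)


@dataclass(frozen=True)
class Attribute:
    """Schema data for a property: its own GUID and the property set it belongs to."""
    ldap_name: str
    schema_id_guid: str
    attribute_security_guid: Optional[str]  # rightsGuid of the property set, if any


# Constructed sample attribute placed in the User-Account-Restrictions property set.
ATTRIBUTES: Tuple[Attribute, ...] = (
    Attribute("pwdLastSet", "00000000-0000-0000-0000-000000000010", "00000000-0000-0000-0000-000000000003"),
)


@dataclass(frozen=True)
class ObjectAce:
    """ACCESS_ALLOWED_OBJECT_ACE / ACCESS_DENIED_OBJECT_ACE reduced to the fields used here."""
    allow: bool
    trustee_sid: str
    mask: int
    object_type: Optional[str]  # None = ordinary ACE, applies to every right and property


def find_right(display_name: str) -> ControlAccessRight:
    for right in EXTENDED_RIGHTS:
        if right.display_name == display_name:
            return right
    raise KeyError(display_name)


def ace_for_right(trustee_sid: str, right: ControlAccessRight, write: bool = False,
                  allow: bool = True) -> ObjectAce:
    """Build the ACE that grants (or denies) one extended right to one trustee.

    A control-access right is always expressed with ADS_RIGHT_DS_CONTROL_ACCESS;
    a property set is expressed with READ_PROP or WRITE_PROP. validAccesses is
    checked so an ACE is never built with a bit the right does not define.
    """
    if right.valid_accesses & ADS_RIGHT_DS_CONTROL_ACCESS:
        mask = ADS_RIGHT_DS_CONTROL_ACCESS
    else:
        mask = ADS_RIGHT_DS_WRITE_PROP if write else ADS_RIGHT_DS_READ_PROP
    if not right.valid_accesses & mask:
        raise ValueError(f"{right.display_name} is not valid for mask {mask:#x}")
    return ObjectAce(allow, trustee_sid, mask, right.rights_guid)


def check_access(dacl: Tuple[ObjectAce, ...], trustee_sids: Set[str], requested_mask: int,
                 object_guids: Set[str]) -> bool:
    """Walk the DACL in order (canonical order puts explicit denies first).

    object_guids names what is being accessed: {rightsGuid} for an extended
    right, or {schemaIDGUID, attributeSecurityGUID} for a property, so an ACE
    whose ObjectType is the property-set GUID covers every property in the set.
    An empty DACL grants nothing.
    """
    remaining = requested_mask
    for ace in dacl:
        if ace.trustee_sid not in trustee_sids:
            continue
        if ace.object_type is not None and ace.object_type not in object_guids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False  # a deny on any still-outstanding bit ends the check
    return remaining == 0


def can_use_right(dacl: Tuple[ObjectAce, ...], sids: Set[str], right: ControlAccessRight) -> bool:
    return check_access(dacl, sids, ADS_RIGHT_DS_CONTROL_ACCESS, {right.rights_guid})


def can_access_property(dacl: Tuple[ObjectAce, ...], sids: Set[str], attr: Attribute,
                        write: bool = False) -> bool:
    mask = ADS_RIGHT_DS_WRITE_PROP if write else ADS_RIGHT_DS_READ_PROP
    guids = {attr.schema_id_guid}
    if attr.attribute_security_guid is not None:
        guids.add(attr.attribute_security_guid)
    return check_access(dacl, sids, mask, guids)


HELPDESK_SID = "S-1-5-21-1-2-3-1104"  # constructed sample SID


def demo_dacl() -> Tuple[ObjectAce, ...]:
    """Constructed DACL: helpdesk may reset passwords and read, but not write,
    the User-Account-Restrictions property set."""
    uar = find_right("User-Account-Restrictions")
    return (
        ace_for_right(HELPDESK_SID, uar, write=True, allow=False),  # explicit deny first
        ace_for_right(HELPDESK_SID, find_right("Reset Password")),
        ace_for_right(HELPDESK_SID, uar),                           # READ_PROP on the set
    )


if __name__ == "__main__":
    dacl, sids = demo_dacl(), {HELPDESK_SID}
    print("reset password:", can_use_right(dacl, sids, find_right("Reset Password")))
    print("change password:", can_use_right(dacl, sids, find_right("Change Password")))
    print("read pwdLastSet:", can_access_property(dacl, sids, ATTRIBUTES[0]))
    print("write pwdLastSet:", can_access_property(dacl, sids, ATTRIBUTES[0], write=True))
```

The point the model makes is that the ObjectType GUID, not the access-mask bit alone, identifies which extended right an ACE refers to: an ACE granting "Reset Password" says nothing about "Change Password" even though both use ADS_RIGHT_DS_CONTROL_ACCESS, while an ACE whose ObjectType is a property-set GUID reaches every attribute whose attributeSecurityGUID names that set. When auditing a real forest, enumerate the controlAccessRight objects to map the GUIDs in the ACEs you find back to their display names.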

For C++ and Visual Basic® sample code that sets an ACE to control read/write access to a property set, see Example Code for Setting an ACE on a Directory Object.

For information on using extended rights to control access to special operations, see the following topics.