Setting an Extended Right ACE in an Object's ACL
Using ADSI, you set an extended right ACE just as you would a property-specific ACE, except that the ObjectType field of the ACE is the rightsGUID of the extended right. Note that you can also use the Win32 security APIs to set ACLs on directory objects.
For extended rights, set the properties on the ACE in the following manner:
- AccessMask
  - For extended rights that control access to special operations, AccessMask must contain the ADS_RIGHT_DS_CONTROL_ACCESS flag.
  - For extended rights that define a property set, AccessMask contains ADS_RIGHT_READ_PROP and/or ADS_RIGHT_WRITE_PROP.
- Flags
  - This value must include the ADS_FLAG_OBJECT_TYPE_PRESENT flag.
- ObjectType
  - This value must be the StringFromGUID2 format of the rightsGUID property of the extended right. Note that in an ACE, the GUID string must include the starting and terminating curly braces (even though the rightsGUID property of the controlAccessRight object does not include the curly braces).
- AceType
  - Either ADS_ACETYPE_ACCESS_ALLOWED_OBJECT to grant the trustee the extended right or ADS_ACETYPE_ACCESS_DENIED_OBJECT to deny the trustee the extended right.
- Trustee
  - The security principal (user, group, computer, and so on) to whom the ACE applies.
For a discussion of the steps for creating an ACE, see Setting Access Rights on an Object.
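The five ACE fields above, built with the ADSI COM objects from PowerShell, as an added example that is not part of the original page and not Microsoft sample code. The LDAP path, trustee name and rightsGUID are placeholders you must replace; the numeric constants are the published ADS_RIGHTS_ENUM, ADS_FLAGTYPE_ENUM and ADS_ACETYPE_ENUM values. The write-back uses the DirectoryEntry InvokeGet/InvokeSet/CommitChanges members, which is an assumption about how you reach the IADs methods from PowerShell rather than something the page prescribes.

```powershell
# Added example, not from the original page. All names and the GUID are placeholders.
$ADS_RIGHT_DS_CONTROL_ACCESS       = 0x100   # control access right (special operation)
$ADS_RIGHT_READ_PROP               = 0x10    # read a property set
$ADS_RIGHT_WRITE_PROP              = 0x20    # write a property set
$ADS_FLAG_OBJECT_TYPE_PRESENT      = 0x1     # the ObjectType field is meaningful
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
$ADS_ACETYPE_ACCESS_DENIED_OBJECT  = 0x6

# Build the GUID string the way StringFromGUID2 does: braces, uppercase hex.
# The rightsGUID attribute is stored without braces, so normalise either form.
function ConvertTo-AceObjectType {
    param([Parameter(Mandatory)] [string] $RightsGuid)
    $guid = [guid]$RightsGuid                  # throws on a malformed value
    return $guid.ToString('B').ToUpper()       # 'B' format = {XXXXXXXX-XXXX-...}
}

function New-ExtendedRightAce {
    param(
        [Parameter(Mandatory)] [string] $Trustee,     # e.g. 'CONTOSO\Helpdesk' (placeholder)
        [Parameter(Mandatory)] [string] $RightsGuid,  # rightsGUID of the controlAccessRight object
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Deny')] [string] $Access,
        [switch] $PropertySet,                        # the right defines a property set
        [switch] $Write                               # with -PropertySet: write instead of read
    )
    $ace = New-Object -ComObject 'AccessControlEntry'
    $ace.Trustee    = $Trustee
    $ace.AccessMask = if ($PropertySet) {
                          if ($Write) { $ADS_RIGHT_WRITE_PROP } else { $ADS_RIGHT_READ_PROP }
                      } else { $ADS_RIGHT_DS_CONTROL_ACCESS }
    $ace.AceType    = if ($Access -eq 'Allow') { $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT }
                      else                     { $ADS_ACETYPE_ACCESS_DENIED_OBJECT }
    $ace.AceFlags   = 0                            # no inheritance flags
    $ace.Flags      = $ADS_FLAG_OBJECT_TYPE_PRESENT
    $ace.ObjectType = ConvertTo-AceObjectType $RightsGuid
    return $ace
}

# Read the object's ntSecurityDescriptor, append the ACE to its DACL and write it back.
function Add-AceToDirectoryObject {
    param([Parameter(Mandatory)] [string] $LdapPath, [Parameter(Mandatory)] $Ace)
    $entry = [ADSI]$LdapPath
    $sd    = $entry.psbase.InvokeGet('ntSecurityDescriptor')   # IADsSecurityDescriptor
    $dacl  = $sd.DiscretionaryAcl                               # IADsAccessControlList
    $dacl.AddAce($Ace)
    $sd.DiscretionaryAcl = $dacl
    $entry.psbase.InvokeSet('ntSecurityDescriptor', $sd)
    $entry.psbase.CommitChanges()
}

# Verification: list every ACE on the object whose ObjectType is this extended right.
function Get-ExtendedRightAce {
    param([Parameter(Mandatory)] [string] $LdapPath, [Parameter(Mandatory)] [string] $RightsGuid)
    $want  = ConvertTo-AceObjectType $RightsGuid
    $entry = [ADSI]$LdapPath
    $sd    = $entry.psbase.InvokeGet('ntSecurityDescriptor')
    foreach ($e in $sd.DiscretionaryAcl) {
        if (($e.Flags -band $ADS_FLAG_OBJECT_TYPE_PRESENT) -and ($e.ObjectType -ieq $want)) {
            [pscustomobject]@{
                Trustee    = $e.Trustee
                AceType    = if ($e.AceType -eq $ADS_ACETYPE_ACCESS_DENIED_OBJECT) { 'Deny' } else { 'Allow' }
                AccessMask = '0x{0:X}' -f $e.AccessMask
            }
        }
    }
}

# Usage (placeholders): deny a group one control access right, then confirm the ACE landed.
$path = 'LDAP://CN=SomeObject,OU=SomeOU,DC=contoso,DC=com'            # placeholder DN
$guid = '00000000-0000-0000-0000-000000000000'                         # placeholder rightsGUID
$ace  = New-ExtendedRightAce -Trustee 'CONTOSO\SomeGroup' -RightsGuid $guid -Access Deny
Add-AceToDirectoryObject -LdapPath $path -Ace $ace
Get-ExtendedRightAce -LdapPath $path -RightsGuid $guid | Format-Table
```

ConvertTo-AceObjectType is where the curly-brace caveat from the list above is enforced: whatever form the rightsGUID was read in, the ACE gets the braced StringFromGUID2 form. AddAce appends to the end of the DACL, so after adding a deny ACE run Get-ExtendedRightAce (or inspect the full DACL) to confirm the entry is present and that the list is still in canonical order, with denies ahead of allows.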
For additional C++ and Visual Basic sample code for setting an ACE, see: