Security Descriptor Components
After you have used the IADs::Get method to read the object's nTSecurityDescriptor property and obtained an IADsSecurityDescriptor interface pointer from the returned object, you can use the property methods of the IADsSecurityDescriptor interface to read or write the components of the directory object's security descriptor. For example, to get or set the object's DACL, use the DiscretionaryAcl property (Visual Basic) or the get_DiscretionaryAcl and put_DiscretionaryAcl methods (C++). Changes made through these methods take effect only after you write the modified descriptor back with IADs::Put and commit it with IADs::SetInfo.
A security descriptor can store the following information:
- A security identifier (SID) that identifies the owner of the object. The owner of an object has the implicit right to modify the DACL and owner information in the object's security descriptor.
- A discretionary access-control list (DACL) that identifies the users and groups who can perform various operations on the object. A DACL contains a list of access-control entries (ACEs). Each ACE allows or denies a specified set of access rights to a specified user account, group account, or other trustee. See Retrieving an Object's DACL.
- A system access-control list (SACL) that controls how the system audits attempts to access the object. Each ACE in a SACL specifies the types of access attempts that generate an audit log entry for a specified user account, group account, or other trustee. Reading or writing the SACL requires the SE_SECURITY_NAME privilege, and the SACL is returned only if the caller asks for it by setting ADS_OPTION_SECURITY_MASK through IADsObjectOptions to include ADS_SECURITY_INFO_SACL; otherwise the SystemAcl property is empty. See Retrieving an Object's SACL.
- A set of SECURITY_DESCRIPTOR_CONTROL control flags that qualify the meaning of a security descriptor or its components. For example, the SE_DACL_PROTECTED flag prevents the security descriptor's DACL from inheriting ACEs from the object's parent. In ADSI these flags are read and written through the Control property of IADsSecurityDescriptor.
- A security identifier (SID) that identifies the primary group of the object. Active Directory does not use this component.
For sample code that reads and displays the information in an object's security descriptor and DACL, see Reading an Object's Security Descriptor.
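The following PowerShell script is an added example for this page, not code from the Microsoft documentation or the ADSI samples it references. It drives the same interfaces the text describes (IADs::Get and IADs::Put for nTSecurityDescriptor, IADsSecurityDescriptor, IADsAccessControlList, IADsAccessControlEntry) through the [ADSI] type accelerator: it reads an object's descriptor, decodes the SECURITY_DESCRIPTOR_CONTROL flags, lists the DACL (and the SACL when requested), and prepends an explicit deny ACE before writing the DACL back. The distinguished name, the trustee and the function names are placeholders chosen for the example; the numeric constants are the winnt.h and iads.h values.

```powershell
# Added example (not from the original page): read, decode and rewrite an
# Active Directory object's security descriptor through the ADSI COM
# interfaces from PowerShell. Assumed: a domain-joined machine, a placeholder
# DN and trustee; the function names are this example's own.

# SECURITY_DESCRIPTOR_CONTROL bits (winnt.h)
$SdControlBits = [ordered]@{
    SE_OWNER_DEFAULTED       = 0x0001
    SE_GROUP_DEFAULTED       = 0x0002
    SE_DACL_PRESENT          = 0x0004
    SE_DACL_DEFAULTED        = 0x0008
    SE_SACL_PRESENT          = 0x0010
    SE_SACL_DEFAULTED        = 0x0020
    SE_DACL_AUTO_INHERIT_REQ = 0x0100
    SE_SACL_AUTO_INHERIT_REQ = 0x0200
    SE_DACL_AUTO_INHERITED   = 0x0400
    SE_SACL_AUTO_INHERITED   = 0x0800
    SE_DACL_PROTECTED        = 0x1000
    SE_SACL_PROTECTED        = 0x2000
    SE_SELF_RELATIVE         = 0x8000
}
# ADS_ACETYPE_ENUM names for the ACE types found in AD DACLs and SACLs (iads.h)
$AceTypeName = @{ 0 = 'ACCESS_ALLOWED'; 1 = 'ACCESS_DENIED'; 2 = 'SYSTEM_AUDIT'
                  5 = 'ACCESS_ALLOWED_OBJECT'; 6 = 'ACCESS_DENIED_OBJECT'; 7 = 'SYSTEM_AUDIT_OBJECT' }
$ADS_ACETYPE_ACCESS_DENIED = 1
$ADS_ACEFLAG_INHERITED_ACE = 0x10
$ADS_RIGHT_WRITE_DAC       = 0x00040000
$ADS_RIGHT_WRITE_OWNER     = 0x00080000

function Get-AdsiSecurityDescriptor {
    param([string]$Path, [switch]$IncludeSacl)
    $entry = [ADSI]$Path
    # Tell the server which parts of the SD to return (IADsObjectOptions /
    # ADS_OPTION_SECURITY_MASK underneath). The SACL part needs
    # SE_SECURITY_NAME, so it is opt-in here.
    $masks = 'Owner,Group,Dacl'
    if ($IncludeSacl) { $masks += ',Sacl' }
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]$masks
    # IADs::Get on nTSecurityDescriptor hands back the IADsSecurityDescriptor object.
    return $entry.psbase.Invoke('Get', 'nTSecurityDescriptor')
}

function ConvertFrom-SdControl {
    param([int]$Control)
    # Names of the control bits that are set, e.g. SE_DACL_PROTECTED when the
    # DACL does not inherit ACEs from the parent.
    $SdControlBits.GetEnumerator() | Where-Object { ($Control -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Show-AdsiAcl {
    param($Acl, [string]$Label)
    "$Label ($($Acl.AceCount) ACEs):"
    foreach ($ace in $Acl) {
        $origin = if ($ace.AceFlags -band $ADS_ACEFLAG_INHERITED_ACE) { 'inherited' } else { 'explicit' }
        '  {0,-22} {1,-9} mask=0x{2:X8} {3}' -f $AceTypeName[[int]$ace.AceType], $origin, $ace.AccessMask, $ace.Trustee
    }
}

function Show-AdsiSecurityDescriptor {
    param($Sd)
    "Owner   : $($Sd.Owner)"
    "Group   : $($Sd.Group)   (primary group; not used by Active Directory)"
    'Control : 0x{0:X4}  {1}' -f $Sd.Control, ((ConvertFrom-SdControl $Sd.Control) -join ' | ')
    Show-AdsiAcl $Sd.DiscretionaryAcl 'DACL'
    if ($Sd.SystemAcl) { Show-AdsiAcl $Sd.SystemAcl 'SACL' }
}

function Add-AdsiDenyAce {
    # Prepend an explicit deny ACE and write the DACL back with IADs::Put + SetInfo.
    # IADsAccessControlList::AddAce appends and the directory does not reorder
    # ACEs, so a deny appended after an allow for the same right would never be
    # reached; a fresh list is built with the deny first to keep canonical order.
    param([string]$Path, [string]$Trustee, [int]$AccessMask)
    $entry = [ADSI]$Path
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl'
    $sd  = $entry.psbase.Invoke('Get', 'nTSecurityDescriptor')
    $old = $sd.DiscretionaryAcl

    $deny = New-Object -ComObject AccessControlEntry
    $deny.Trustee    = $Trustee          # 'DOMAIN\name' or an SDDL SID string
    $deny.AceType    = $ADS_ACETYPE_ACCESS_DENIED
    $deny.AccessMask = $AccessMask
    $deny.AceFlags   = 0                 # applies to this object only, not inherited

    $new = New-Object -ComObject AccessControlList
    $new.AclRevision = $old.AclRevision
    $new.AddAce($deny)
    foreach ($ace in $old) { $new.AddAce($ace) }

    $sd.DiscretionaryAcl = $new
    $entry.psbase.Invoke('Put', 'nTSecurityDescriptor', $sd)
    $entry.psbase.CommitChanges()        # IADs::SetInfo
}

# Usage with placeholder DN and trustee:
$dn = 'LDAP://CN=SomeObject,OU=SomeOU,DC=example,DC=com'
Show-AdsiSecurityDescriptor (Get-AdsiSecurityDescriptor $dn)
# Add-AdsiDenyAce $dn 'EXAMPLE\contractors' ($ADS_RIGHT_WRITE_DAC -bor $ADS_RIGHT_WRITE_OWNER)
```

Writing the DACL back requires WRITE_DAC on the object (or ownership of it), and nothing is persisted until CommitChanges, which maps to IADs::SetInfo. Two checks are worth keeping in mind when testing a change like the deny ACE above: the owner's implicit WRITE_DAC and READ_CONTROL are granted before the DACL is evaluated, so an explicit deny for the owner's own account does not take them away (the OWNER RIGHTS well-known SID, S-1-3-4, is the mechanism for that), and a DACL whose parent-inherited ACEs still grant the right will keep granting it unless SE_DACL_PROTECTED is set in Control and the inherited ACEs are removed.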