Platform SDK: Active Directory, ADSI, and Directory Services
The security descriptor of an Active Directory object may contain a system access-control list (SACL). A SACL contains access-control entries (ACEs) that specify the types of access attempts that generate audit records in the security event log of a domain controller. Note that a SACL generates log entries only on the domain controller where the access attempt occurred, not on every DC that contains a replica of the object.
To set or retrieve the SACL in an object's security descriptor, the SE_SECURITY_NAME privilege must be enabled in the access token of the requesting thread. The administrators group has this privilege by default, and it can be assigned to other users or groups. For more information, see SACL Access Right.
To get and set the SACL of a directory object, use the IADsSecurityDescriptor interface. Using C++, the IADsSecurityDescriptor::get_SystemAcl method returns an IDispatch pointer. Call QueryInterface on that IDispatch pointer to get an IADsAccessControlList interface, and use the methods on that interface to access the individual ACEs in the SACL. The procedure for modifying a SACL is similar to that for modifying a DACL, as described in Setting Access Rights on an Object.
To enumerate the ACEs in a SACL, use the IADsAccessControlList::get__NewEnum method, which returns an IUnknown pointer. Call QueryInterface on that IUnknown pointer to get an IEnumVARIANT interface. Use the IEnumVARIANT::Next method to enumerate the ACEs in the ACL. Each ACE is returned as a VARIANT containing an IDispatch pointer (the vt member is VT_DISPATCH). Call QueryInterface on that IDispatch pointer to get an IADsAccessControlEntry interface for the ACE. You can use the methods of the IADsAccessControlEntry interface to set or retrieve the components of an ACE.
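The two steps above (getting the SACL through IADsSecurityDescriptor, then enumerating its ACEs) as an added PowerShell example that is not code from the SDK page; it drives the same ADSI COM interfaces from a script instead of C++. It assumes a domain-joined host, a caller whose token holds SeSecurityPrivilege, and a placeholder DN that must be replaced; the security-mask step is included because ADSI does not return the SACL unless it is requested.

```powershell
# Added example (not from the SDK page): read the SACL of one AD object through ADSI.
# IADsSecurityDescriptor -> IADsAccessControlList -> IADsAccessControlEntry, as the page describes.
# Assumptions: domain-joined host, caller holds SeSecurityPrivilege, placeholder DN below.
$dn = 'CN=Placeholder,OU=Placeholder,DC=example,DC=com'   # placeholder, replace

$entry = [ADSI]"LDAP://$dn"

# ADSI hands back only the security descriptor parts named in the security mask option.
# The default mask omits the SACL, so request it before reading ntSecurityDescriptor.
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'
$entry.psbase.RefreshCache(@('ntSecurityDescriptor'))

# The COM IADsSecurityDescriptor; SystemAcl is the IADsAccessControlList for the SACL.
$sd   = $entry.psbase.InvokeGet('ntSecurityDescriptor')
$sacl = $sd.SystemAcl
if ($null -eq $sacl) {
    Write-Warning 'No SACL returned: check SeSecurityPrivilege and the security mask option.'
    return
}

# Constants from ADS_ACETYPE_ENUM and ADS_ACEFLAG_ENUM.
$ADS_ACETYPE_SYSTEM_AUDIT        = 0x2
$ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7
$ADS_ACEFLAG_INHERITED_ACE       = 0x10
$ADS_ACEFLAG_SUCCESSFUL_ACCESS   = 0x40
$ADS_ACEFLAG_FAILED_ACCESS       = 0x80

# foreach walks the list's _NewEnum (IEnumVARIANT); each item is an IADsAccessControlEntry.
foreach ($ace in $sacl) {
    $typeName = switch ($ace.AceType) {
        $ADS_ACETYPE_SYSTEM_AUDIT        { 'SYSTEM_AUDIT' }
        $ADS_ACETYPE_SYSTEM_AUDIT_OBJECT { 'SYSTEM_AUDIT_OBJECT' }
        default                          { '0x{0:X}' -f $_ }
    }
    $audits = @()
    if ($ace.AceFlags -band $ADS_ACEFLAG_SUCCESSFUL_ACCESS) { $audits += 'Success' }
    if ($ace.AceFlags -band $ADS_ACEFLAG_FAILED_ACCESS)     { $audits += 'Failure' }

    [pscustomobject]@{
        Trustee    = $ace.Trustee
        AceType    = $typeName
        Audits     = $audits -join ','
        AccessMask = '0x{0:X8}' -f $ace.AccessMask
        ObjectType = $ace.ObjectType   # property set or extended-right GUID for object ACEs
        Inherited  = [bool]($ace.AceFlags -band $ADS_ACEFLAG_INHERITED_ACE)
    }
}
```

Modifying the SACL follows the same path: change or add IADsAccessControlEntry objects on the list, assign it back to SystemAcl, write ntSecurityDescriptor with InvokeSet, and call CommitChanges with the same security mask in effect.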
For more information about SACLs, see the following topics in the Platform SDK.