Platform SDK: Active Directory, ADSI, and Directory Services

Access Control and Read Operations

Security is an implicit filter when performing searches, enumerating containers, or reading properties. If you don't have the necessary access rights, attempts to list objects or read properties can fail with the following error codes even thought the object or property exists:

E_ADS_INVALID_DOMAIN_OBJECT
E_ADS_PROPERTY_NOT_SUPPORTED
E_ADS_PROPERTY_NOT_FOUND

One important case to note is that a caller with ADS_RIGHT_ACTRL_DS_LIST access to a container can enumerate the child objects in the container. But an attempt to access a child object can still fail with an error such as E_ADS_UNKNOWN_OBJECT if the caller does not have ADS_RIGHT_ACTRL_DS_LIST_OBJECT access to the child object.

The impact of security on read operations is not necessarily manifested as an error. For example, a search operation can succeed but the search results do not include objects or properties to which the caller does not have access.