Platform SDK: Active Directory, ADSI, and Directory Services

Protecting Objects from the Effects of Inherited Rights

As discussed in Inheritance and Delegation of Administration, ACEs can be set on a container object (such as an organizational unit, domainDNS, container, and so on) and propagated to child objects, depending on the AceFlags value set on each of those ACEs.

If you have a highly secured object or an object whose ACEs you want to explicitly control (such as a private OU or a special user), you may want to prevent ACEs from being propagated to the object by its parent container (or its parent container's predecessors).

You can use the IADsSecurityDescriptor::put_Control method to control whether DACLs and SACLs are inherited by the object from its parent container.

The Control property can be used to protect an object from the effects of inherited ACEs. The following flags force access control to be set explicitly on the object and prevent a user from effectively modifying access control to the object by setting inheritable ACEs on the object's parent container (or its parent container's predecessors):

Flag                Effect
SE_DACL_PROTECTED   Prevents ACEs set on the DACL of the parent container (and any objects above the parent container in the directory hierarchy) from being applied to the object's DACL.
SE_SACL_PROTECTED   Prevents ACEs set on the SACL of the parent container (and any objects above the parent container in the directory hierarchy) from being applied to the object's SACL.

Note that SE_DACL_PRESENT must already be set in the Control property before SE_DACL_PROTECTED can be set, and SE_SACL_PRESENT must already be set before SE_SACL_PROTECTED can be set.
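The following PowerShell script is an added example and is not code from this SDK page. It reaches IADsSecurityDescriptor through the [ADSI] accelerator: the underlying System.DirectoryServices.DirectoryEntry exposes InvokeGet and InvokeSet, which call IADs::Get and IADs::Put and hand back the security descriptor COM object whose Control property is the one discussed above. The distinguished name used in the usage lines is a placeholder, the function names are the example's own, and the flag values are the ADS_SD_CONTROL_ENUM constants. The script first decodes the Control word (so an administrator can inventory which objects are already shielded from inherited ACEs), then sets SE_DACL_PROTECTED, and SE_SACL_PROTECTED when asked, refusing to do so when the matching *_PRESENT flag is clear, which is the prerequisite the note above describes.

```powershell
# Added example, not from the SDK page. Assumes the [ADSI] accelerator
# (System.DirectoryServices.DirectoryEntry) and a caller holding WRITE_DAC on
# the target object (plus SeSecurityPrivilege when the SACL is touched).

# ADS_SD_CONTROL_ENUM values relevant to inheritance protection
$SE_DACL_PRESENT   = 0x0004
$SE_SACL_PRESENT   = 0x0010
$SE_DACL_PROTECTED = 0x1000
$SE_SACL_PROTECTED = 0x2000

function Get-SdEntry {
    # Bind to the object. DirectoryEntry omits the SACL from reads and writes by
    # default, so include it only when the caller asks (and has the privilege).
    param([string]$DistinguishedName, [bool]$IncludeSacl)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $masks = 'Owner,Group,Dacl'
    if ($IncludeSacl) { $masks += ',Sacl' }
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]$masks
    return $entry
}

function Test-AdsiAclProtected {
    # Audit helper: decode the Control word so you can see which objects are
    # protected from inherited ACEs before and after a change.
    param([Parameter(Mandatory)][string]$DistinguishedName, [switch]$IncludeSacl)
    $entry   = Get-SdEntry $DistinguishedName $IncludeSacl
    $sd      = $entry.psbase.InvokeGet("ntSecurityDescriptor")   # IADsSecurityDescriptor
    $control = [int]$sd.Control
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        Control           = ('0x{0:X4}' -f $control)
        DaclPresent       = [bool]($control -band $SE_DACL_PRESENT)
        DaclProtected     = [bool]($control -band $SE_DACL_PROTECTED)
        SaclPresent       = [bool]($control -band $SE_SACL_PRESENT)
        SaclProtected     = [bool]($control -band $SE_SACL_PROTECTED)
    }
}

function Protect-AdsiObjectAcl {
    # Set SE_DACL_PROTECTED (and, with -IncludeSacl, SE_SACL_PROTECTED) on the
    # object, honouring the rule that the matching *_PRESENT flag must be set first.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$IncludeSacl,
        [switch]$ReportOnly     # show the intended change without writing it
    )
    $entry   = Get-SdEntry $DistinguishedName $IncludeSacl
    $sd      = $entry.psbase.InvokeGet("ntSecurityDescriptor")
    $control = [int]$sd.Control

    if (-not ($control -band $SE_DACL_PRESENT)) {
        throw "$DistinguishedName has no DACL (SE_DACL_PRESENT clear); SE_DACL_PROTECTED cannot be set."
    }
    $new = $control -bor $SE_DACL_PROTECTED

    if ($IncludeSacl) {
        if (-not ($control -band $SE_SACL_PRESENT)) {
            throw "$DistinguishedName has no SACL (SE_SACL_PRESENT clear); SE_SACL_PROTECTED cannot be set."
        }
        $new = $new -bor $SE_SACL_PROTECTED
    }

    if ($new -eq $control) {
        Write-Host ("{0}: already protected (Control 0x{1:X4})" -f $DistinguishedName, $control)
        return
    }
    Write-Host ("{0}: Control 0x{1:X4} -> 0x{2:X4}" -f $DistinguishedName, $control, $new)
    if ($ReportOnly) { return }

    # IADsSecurityDescriptor::put_Control, then IADs::Put and IADs::SetInfo to commit.
    $sd.Control = $new
    $entry.psbase.InvokeSet("ntSecurityDescriptor", $sd)
    $entry.psbase.CommitChanges()
}

# Usage (placeholder distinguished name):
# Test-AdsiAclProtected -DistinguishedName 'OU=Private,DC=example,DC=com'
# Protect-AdsiObjectAcl -DistinguishedName 'OU=Private,DC=example,DC=com' -ReportOnly
# Protect-AdsiObjectAcl -DistinguishedName 'OU=Private,DC=example,DC=com'
```

Run Test-AdsiAclProtected before and after the change to confirm the flags took effect, and inspect the object's DiscretionaryAcl afterwards: once SE_DACL_PROTECTED is set, the object no longer receives inheritable ACEs from its parents, so any access it still needs has to be granted by explicit ACEs on the object itself.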