Controlling Access to Objects and Their Properties
If your application creates objects in the directory, you probably want to control who can access those objects. To do this, you need to work with the object's security descriptor, and more specifically, with the DACL and its list of ACEs.
When an object is created, it receives a security descriptor. For a description of the rules that the system uses to create the DACL for a new object, see How Security Descriptors are Set on New Directory Objects. These rules reveal that there are several things you can do to control the ACEs an object receives at creation time.
- You can create a new security descriptor and attach it to the object at creation time. See Creating a Security Descriptor.
- An object can inherit ACEs from its parent container. You can apply inheritable ACEs at any point in the directory hierarchy such that the ACEs are inherited by objects down the tree. See Inheritance and Delegation of Administration.
- Every object class definition in the schema includes a default security descriptor which can have a default DACL. If you have the necessary access rights, you can specify the ACEs in the default DACL in the schema. See Default Security Descriptor.
In addition, you can modify the DACL of an existing object.
What can you do with these ACEs? The following list enumerates the most important capabilities of ACEs in Active Directory.
- Control who can perform specified operations on an object.
- Control who has access to a specific property or set of properties of an object.
- Control who can create child objects in a container, including who can create a specific type of child object.
- Define private access rights (extended rights) for an object type and control who can perform the operations protected by the private rights.
- Apply an ACE to a container object at the root of a directory subtree, such that the protections can be inherited automatically by all child objects down the tree.
- Apply an ACE that is inherited automatically by a specific type of child object in a subtree.
- Create ACEs that grant rights to a security group, rather than to a single user.
- Apply ACEs to Group Policy Objects to control the accounts and computers affected by the policy.
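The following PowerShell is an added example, not code from this page, showing several of the ACE kinds listed above applied to one OU's DACL: a property-specific ACE, a create-child ACE limited to one object class, and an extended-right ACE, each granted to a group and inherited by a specific child class. The domain, OU path and group name are hypothetical; the schema and extended-rights GUIDs are resolved from the directory rather than hardcoded.

```powershell
# Added example (not from the page): grant a group object-specific rights on an OU
# subtree. Hypothetical assumptions: domain contoso.com, OU "OU=Staff,DC=contoso,DC=com",
# group "CONTOSO\HelpDesk"; the ActiveDirectory module is installed and the caller has
# the right to modify the OU's DACL (WRITE_DAC).
Import-Module ActiveDirectory

$ouPath   = 'AD:\OU=Staff,DC=contoso,DC=com'
$identity = [System.Security.Principal.NTAccount]'CONTOSO\HelpDesk'

# Look up class/attribute GUIDs in the schema and extended-right GUIDs in the
# configuration partition at run time instead of hardcoding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}
$userClass = Get-SchemaGuid 'user'
$telephone = Get-SchemaGuid 'telephoneNumber'
$resetPwd  = Get-RightsGuid 'Reset Password'

$acl = Get-Acl -Path $ouPath
$R = [System.DirectoryServices.ActiveDirectoryRights]
$I = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Property-specific ACE: write telephoneNumber, inherited only by user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, $R::WriteProperty, $Allow, $telephone, $I::Descendents, $userClass)))

# 2. Create-child ACE: create user objects only, on this OU and its sub-containers.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, $R::CreateChild, $Allow, $userClass, $I::All)))

# 3. Extended-right ACE: the "Reset Password" control access right on user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, $R::ExtendedRight, $Allow, $resetPwd, $I::Descendents, $userClass)))

Set-Acl -Path $ouPath -AclObject $acl

# Check: list the ACEs now held by the group on the OU, with their object-type GUIDs.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because the ACEs are written to the OU, every existing and future child object of the matching class receives them through inheritance, which is the behaviour described under Inheritance and Delegation of Administration.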