Platform SDK: Active Directory, ADSI, and Directory Services

Creating an Extended Right

To add an extended right to Active Directory, you create a controlAccessRight object in the Extended-Rights container of the Configuration partition. Visual Basic and C++ sample code at the end of this topic shows how to do it. To use the extended right, you must do a few more things, depending on whether the extended right is for a special operation or a property set.

If you are defining an extended right for a property set, you must use the rightsGUID of the controlAccessRight object to identify the properties in the set. Every property is defined by an attributeSchema object in the Active Directory schema. The attributeSecurityGUID property of an attributeSchema object identifies the property set, if any, that the property belongs to. Note that the attributeSecurityGUID property is single-valued and stores the GUID in binary format (octet string syntax).

If you are defining an extended right to control access to a special operation, it is up to your application to perform the access check when a user tries to perform the operation. The following steps show how to do this:

  1. Create an extended right that defines the type of access to the application or service. See sample code below.
  2. Create an Active Directory object that represents the application, service, or resource that you are protecting.
  3. Add object ACEs to the DACL in the object's security descriptor to allow or deny users or groups the extended right on that object. See Setting an Extended Right ACE in an Object's ACL.
  4. When a user tries to perform the operation, check the user's rights by passing the object's security descriptor and the user's access token to the AccessCheckByTypeResultList function. See Checking an Extended Right in an Object's ACL.
  5. Based on the result of the access check on the object, the application or service can allow or deny the user access to the application or service.
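The following is an added example, not sample code from this topic or from the Platform SDK. It models, in plain Python, what steps 3 and 4 rely on: an object ACE in the DACL carries the extended right's rightsGUID as its object type, and the access check walks the DACL in order until an ACE whose trustee is in the user's token and whose object type matches the requested right decides the result. This is a simplified model of the Windows DACL walk for a single requested access bit; it is not AccessCheckByTypeResultList, which the real application must call. The SIDs, rightsGUID values and the ACE list are constructed for the example; ADS_RIGHT_DS_CONTROL_ACCESS (0x100) is the real access-mask bit used for extended rights.

```python
import uuid
from dataclasses import dataclass
from typing import List, Optional

# Real ADS_RIGHTS_ENUM value used for extended (control access) rights.
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100

# Constructed rightsGUID values for two hypothetical extended rights.
RIGHT_START_SERVICE = "6f1b8e61-2a1c-4b3f-9c5d-0f7a3e2b1c44"   # constructed
RIGHT_STOP_SERVICE = "8d2c9f72-3b2d-4c40-8d6e-1a8b4f3c2d55"    # constructed

# Constructed SIDs: a well-known group SID and a domain group SID.
SID_AUTHENTICATED_USERS = "S-1-5-11"
SID_BLOCKED_GROUP = "S-1-5-21-1000-2000-3000-1105"              # constructed


@dataclass
class ObjectAce:
    """Minimal model of an ACCESS_ALLOWED/DENIED_OBJECT_ACE."""
    allow: bool                  # True = access-allowed ACE, False = access-denied ACE
    trustee_sid: str             # SID the ACE applies to
    mask: int                    # access mask, e.g. ADS_RIGHT_DS_CONTROL_ACCESS
    object_type: Optional[str]   # rightsGUID this ACE covers; None = ACE has no ObjectType


def check_extended_right(dacl: Optional[List[ObjectAce]],
                         token_sids: List[str],
                         rights_guid: str) -> bool:
    """Simplified model of the Windows access check for one extended right.

    Walks the DACL in order. An ACE is relevant only if its trustee is in the
    token, it carries the control-access bit, and its ObjectType is either
    absent (applies to every right) or equal to the requested rightsGUID.
    Because only one bit is requested, the first relevant ACE decides.
    """
    if dacl is None:
        # A NULL DACL grants everyone full access; a defender should treat
        # this as a misconfiguration worth flagging, not as a normal state.
        return True
    wanted = uuid.UUID(rights_guid)  # also validates the GUID string
    token = set(token_sids)
    for ace in dacl:
        if ace.trustee_sid not in token:
            continue
        if not (ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS):
            continue
        if ace.object_type is not None and uuid.UUID(ace.object_type) != wanted:
            continue
        return ace.allow
    # An empty DACL, or no matching ACE, means no access.
    return False


def sample_dacl() -> List[ObjectAce]:
    """Constructed DACL in canonical order: explicit deny ACEs before allow ACEs."""
    return [
        ObjectAce(False, SID_BLOCKED_GROUP, ADS_RIGHT_DS_CONTROL_ACCESS, RIGHT_START_SERVICE),
        ObjectAce(True, SID_AUTHENTICATED_USERS, ADS_RIGHT_DS_CONTROL_ACCESS, RIGHT_START_SERVICE),
    ]


if __name__ == "__main__":
    dacl = sample_dacl()
    print("ordinary user, start:", check_extended_right(dacl, [SID_AUTHENTICATED_USERS], RIGHT_START_SERVICE))
    print("blocked user, start:", check_extended_right(dacl, [SID_AUTHENTICATED_USERS, SID_BLOCKED_GROUP], RIGHT_START_SERVICE))
    print("ordinary user, stop:", check_extended_right(dacl, [SID_AUTHENTICATED_USERS], RIGHT_STOP_SERVICE))
```

The point the model makes is that the rightsGUID in the ACE is what ties a DACL entry to your extended right: an allow ACE for a different rightsGUID does not grant this one, and a deny ACE for a group the user belongs to wins when it is ordered first.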

When you create a controlAccessRight object, you must set the following attributes to make the object a legal extended right that is recognized by Active Directory and the Windows NT®/Windows® 2000 security system:

cn
A single-valued property that is the object's relative distinguished name (RDN) in the Extended-Rights container. The cn is the name of the extended right in Active Directory.
appliesTo
A multi-valued property that lists the object classes that the extended right applies to. For example, the Send-As extended right lists the user and computer object classes in its appliesTo property.

In the list, each object class is identified by the schemaIDGUID of its classSchema object. The GUIDs are stored as strings of the form produced by the StringFromGUID2 function in the COM library—but without the starting and terminating curly braces ({ }). For example, the following GUID is the schemaIDGUID for the computer class:

bf967a86-0de6-11d0-a285-00aa003049e2

Note that the schemaIDGUID property of a classSchema object is stored as a binary GUID using the octet string syntax. To convert this octet string format to the string format used in the appliesTo property, use the StringFromGUID2 function and remove the curly braces from the returned string.

To get the schemaIDGUID property of one of the predefined object classes, such as user or computer, see the class reference page in the Active Directory Schema Reference in the Active Directory Reference. For sample code that retrieves a schemaIDGUID from a classSchema object, see Reading attributeSchema and classSchema Objects.

displayName
The string used to display the extended right in user interfaces such as the Security property page and other places in Active Directory Users and Computers.
rightsGUID
A GUID that identifies the extended right in an ACE. The GUID is stored as a string of the form produced by the StringFromGUID2 function but without the starting and terminating curly braces. Use UUIDGEN.EXE or some other utility to generate a GUID for the extended right.

If you are defining a new property set, you use the rightsGUID of the controlAccessRight object to identify the properties in the set. Every property is defined by an attributeSchema object in the Active Directory schema. The attributeSecurityGUID property of an attributeSchema object identifies the property set, if any, that the property belongs to. Note that the attributeSecurityGUID property is single-valued and stores the GUID in binary format (octet string syntax).

objectClass
This attribute specifies controlAccessRight as the object class.
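The following is an added example, not the Visual Basic or C++ sample code this topic refers to. It assembles the attributes listed above into an LDIF add entry for a controlAccessRight object and shows the two GUID conversions the topic describes: the binary octet-string schemaIDGUID of a classSchema object becomes the brace-less string form used in appliesTo, and a rightsGUID string becomes the octet-string form that attributeSecurityGUID stores when the right defines a property set. Python's uuid module handles the little-endian layout of the first three GUID fields, which is what StringFromGUID2 would do on Windows. The computer class schemaIDGUID is the value given in this topic; the configuration naming context, the right's name and the fixed rightsGUID passed in the demo are constructed placeholders, and a real deployment would generate the rightsGUID with UUIDGEN.EXE or an equivalent.

```python
import uuid
from typing import Iterable, Optional, Tuple

# schemaIDGUID of the computer class, as given in the topic, in both forms.
COMPUTER_SCHEMA_ID_GUID = "bf967a86-0de6-11d0-a285-00aa003049e2"
# The same GUID as Active Directory stores it: a 16-byte octet string with the
# first three fields little-endian (this is what reading schemaIDGUID returns).
COMPUTER_SCHEMA_ID_GUID_OCTETS = bytes.fromhex("867a96bfe60dd011a28500aa003049e2")

# Constructed placeholder for the forest's Configuration partition.
CONFIG_NC = "CN=Configuration,DC=example,DC=com"


def octet_string_to_guid_string(octets: bytes) -> str:
    """Binary GUID (octet string syntax) -> brace-less string form for appliesTo.

    Equivalent to StringFromGUID2 with the curly braces removed, except that
    the result is lowercase, matching the form shown in this topic.
    """
    if len(octets) != 16:
        raise ValueError("a GUID octet string is exactly 16 bytes")
    return str(uuid.UUID(bytes_le=octets))


def guid_string_to_octet_string(guid: str) -> bytes:
    """Brace-less or braced GUID string -> 16-byte octet string.

    Use this when writing a rightsGUID into attributeSecurityGUID on an
    attributeSchema object to put that attribute into a property set.
    """
    return uuid.UUID(guid.strip("{}")).bytes_le


def build_control_access_right_ldif(cn: str,
                                    display_name: str,
                                    applies_to: Iterable[str],
                                    rights_guid: Optional[str] = None,
                                    config_nc: str = CONFIG_NC) -> Tuple[str, str]:
    """Return (ldif_text, rights_guid) for a controlAccessRight add entry.

    Sets exactly the attributes the topic requires: cn (the RDN under the
    Extended-Rights container), objectClass, displayName, one appliesTo value
    per class schemaIDGUID, and a rightsGUID (generated if not supplied).
    """
    rights_guid = str(uuid.UUID((rights_guid or str(uuid.uuid4())).strip("{}")))
    dn = f"CN={cn},CN=Extended-Rights,{config_nc}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: controlAccessRight",
        f"cn: {cn}",
        f"displayName: {display_name}",
    ]
    for class_guid in applies_to:
        # uuid.UUID rejects anything that is not a well-formed GUID string,
        # so a stray braced or binary value fails here rather than at the DC.
        lines.append(f"appliesTo: {uuid.UUID(class_guid.strip('{}'))}")
    lines.append(f"rightsGUID: {rights_guid}")
    return "\n".join(lines) + "\n", rights_guid


if __name__ == "__main__":
    computer_guid = octet_string_to_guid_string(COMPUTER_SCHEMA_ID_GUID_OCTETS)
    ldif, right = build_control_access_right_ldif(
        cn="Example-Start-Service",           # constructed name
        display_name="Start Example Service", # constructed display name
        applies_to=[computer_guid],
    )
    print(ldif)
    print("attributeSecurityGUID octets for a property set:",
          guid_string_to_octet_string(right).hex())
```

The LDIF can be fed to ldifde or any LDAP client with rights to write under CN=Extended-Rights; the round trip between the two GUID forms is the part most often done wrong, because the byte order of the octet string is not the order of the hex digits in the string form.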