Object-specific ACEs

Artikel
08/19/2021

Object-specific ACEs are supported for directory service (DS) objects. An object-specific ACE contains a pair of GUIDs that expand the ways in which the ACE can protect an object.

GUID	Description
ObjectType	Identifies one of the following: A type of child object. The ACE controls the right to create a specified type of child object. For more information, see Controlling Child Object Creation in C++. A property set or property. The ACE controls the right to read or write the property or property set. For more information, see ACEs to Control Access to an Object's Properties. An extended right. The ACE controls the right to perform the operation associated with the extended right. A validated write. The ACE controls the right to perform certain write operations. These validated write permissions, defined and exposed in the ACL Editor, provide permissions for validated writes of properties rather than unchecked low-level writes of any value to a property that is granted with a "write property" permission.
InheritedObjectType	Indicates the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. For more information, see ACE Inheritance.

GUID

Description

ObjectType

Identifies one of the following:

A type of child object. The ACE controls the right to create a specified type of child object. For more information, see Controlling Child Object Creation in C++.
A property set or property. The ACE controls the right to read or write the property or property set. For more information, see ACEs to Control Access to an Object's Properties.
An extended right. The ACE controls the right to perform the operation associated with the extended right.
A validated write. The ACE controls the right to perform certain write operations. These validated write permissions, defined and exposed in the ACL Editor, provide permissions for validated writes of properties rather than unchecked low-level writes of any value to a property that is granted with a "write property" permission.

InheritedObjectType

Indicates the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. For more information, see ACE Inheritance.

Three types of object-specific ACEs are supported.

Note

System-alarm object ACEs are not currently supported.

Type	Description
Access-denied object ACE	Used in a DACL to deny a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_DENIED_OBJECT_ACE structure.
Access-allowed object ACE	Used in a DACL to allow a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_ALLOWED_OBJECT_ACE structure.
System-audit object ACE	Used in a SACL to log a trustee's attempts to access a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the SYSTEM_AUDIT_OBJECT_ACE structure.

Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.

Del via

Object-specific ACEs

Feedback

Yderligere ressourcer