Controlling object access in Active Directory Domain Services

Each Active Directory directory service object is protected by Windows 2000 security. This security protection controls the operations that each security principal can perform in the directory. The following sections describe how a directory-enabled application can use the access control features in Active Directory.

• How Access Control Works in Active Directory Domain Services
• How access control affects read operations, write operation, object creation and deletion.
• Using the IADs and IDirectoryObject interfaces to work with an object's security descriptor
• Modifying the access permissions on an object
• How security descriptors are set on new directory objects
• Creating a Security Descriptor for a New Directory Object
• Using inheritance of access permissions to enable administrative access to an entire subtree of the directory
• Creating, modifying, and reading the default security descriptor for an object class
• Creating, setting, and checking control access rights for operations that go beyond those covered by the predefined rights
• Using DsAddSidHistory
• Controlling Object Visibility
• Null DACLs and Empty DACLs