2.4.4.5 ACCESS_DENIED_OBJECT_ACE
The ACCESS_DENIED_OBJECT_ACE structure defines an ACE that controls denied access to an object, a property set, or a property. The ACE contains a set of access rights, a GUID that identifies the type of object, and a SID that identifies the trustee to whom the system will deny access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.
| Byte offset | Field | Size |
|---|---|---|
| 0 | Header | 4 bytes |
| 4 | Mask | 4 bytes |
| 8 | Flags | 4 bytes |
| 12 | ObjectType | 16 bytes |
| 28 | InheritedObjectType | 16 bytes |
| 44 | Sid | variable |

Offsets are those of the layout as drawn, with both GUID fields present; all fields are little-endian and the structure is 4-byte aligned.
Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It also contains flags that control inheritance of the ACE by child objects.
Mask (4 bytes): An ACCESS_MASK that specifies the user rights denied by this ACE. The following bits determine how the ObjectType GUID is interpreted.

| Value | Meaning |
|---|---|
| ADS_RIGHT_DS_CONTROL_ACCESS 0x00000100 | The ObjectType GUID identifies an extended access right. |
| ADS_RIGHT_DS_CREATE_CHILD 0x00000001 | The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object. |
| ADS_RIGHT_DS_DELETE_CHILD 0x00000002 | The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to delete this type of child object. |
| ADS_RIGHT_DS_READ_PROP 0x00000010 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set. |
| ADS_RIGHT_DS_WRITE_PROP 0x00000020 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set. |
| ADS_RIGHT_DS_SELF 0x00000008 | The ObjectType GUID identifies a validated write. |
Flags (4 bytes): A 32-bit unsigned integer that specifies a set of bit flags that indicate whether the ObjectType and InheritedObjectType fields contain valid data. This field can be zero or a combination of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | Neither ObjectType nor InheritedObjectType is valid. |
| ACE_OBJECT_TYPE_PRESENT 0x00000001 | ObjectType is valid. |
| ACE_INHERITED_OBJECT_TYPE_PRESENT 0x00000002 | InheritedObjectType is valid. If this value is not specified, all types of child objects can inherit the ACE. |
ObjectType (16 bytes): A GUID that identifies a property set, a property, an extended right, or a type of child object. The purpose of this GUID depends on the user rights specified in the Mask field. This field is valid only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags field. Otherwise, the ObjectType field is ignored. For information about access rights and for a mapping of the control access rights to the corresponding GUID value that identifies each right, see [MS-ADTS] sections 5.1.3.2 and 5.1.3.2.1.

ACCESS_MASK bits are not mutually exclusive. Therefore, the ObjectType field can be set in an ACE with any ACCESS_MASK. If the AccessCheck algorithm evaluates this ACE and the ObjectType GUID does not match any of the object types being checked, the ACE is ignored. For more information about access checks and object access, see [MS-ADTS] section 5.1.3.3.3.
InheritedObjectType (16 bytes): A GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. This field is valid only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags field. Otherwise, the InheritedObjectType field is ignored.

Sid (variable): The SID of the trustee, in the packet representation described in section 2.4.2.2. The length of the SID MUST be a multiple of 4.
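The following parser is an added example, not part of the specification text, that decodes an ACCESS_DENIED_OBJECT_ACE from bytes and applies the ObjectType matching rule described above. It assumes the AceType value 0x06 for this ACE type and the little-endian GUID layout used by Windows (Data1/Data2/Data3 little-endian, Data4 as-is). One practical caveat it encodes, which the layout diagram does not make explicit: Windows omits an absent GUID field from the encoding rather than zero-filling it, so the offset of Sid depends on the Flags value, and a parser that always skips 32 bytes will misread ACEs that carry only one GUID or none. The sample ACE, the property GUID and the trustee SID are constructed for the example.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06       # AceType value for this ACE kind (assumed from ACE_HEADER)

# Flags field bits from the table above
ACE_OBJECT_TYPE_PRESENT = 0x00000001
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002

# Mask bits that give the ObjectType GUID its meaning (table above)
MASK_NAMES = {
    0x00000001: "ADS_RIGHT_DS_CREATE_CHILD",
    0x00000002: "ADS_RIGHT_DS_DELETE_CHILD",
    0x00000008: "ADS_RIGHT_DS_SELF",
    0x00000010: "ADS_RIGHT_DS_READ_PROP",
    0x00000020: "ADS_RIGHT_DS_WRITE_PROP",
    0x00000100: "ADS_RIGHT_DS_CONTROL_ACCESS",
}


@dataclass
class DeniedObjectAce:
    ace_flags: int                          # inheritance flags from ACE_HEADER
    ace_size: int
    mask: int
    flags: int
    object_type: Optional[uuid.UUID]
    inherited_object_type: Optional[uuid.UUID]
    sid: str

    def mask_names(self) -> list[str]:
        return [name for bit, name in sorted(MASK_NAMES.items()) if self.mask & bit]


def parse_sid(buf: bytes) -> tuple[str, int]:
    """Decode a packet-representation SID; returns (S-1-... string, bytes consumed)."""
    revision, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")          # 6-byte big-endian IdentifierAuthority
    subs = struct.unpack_from(f"<{count}I", buf, 8)      # SubAuthority values are little-endian
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def parse_guid(buf: bytes, off: int) -> uuid.UUID:
    # Data1/Data2/Data3 little-endian, Data4 byte-for-byte: exactly uuid's bytes_le layout
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16]))


def parse_ace(buf: bytes) -> DeniedObjectAce:
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, 0)
    if ace_type != ACCESS_DENIED_OBJECT_ACE_TYPE:
        raise ValueError(f"not an ACCESS_DENIED_OBJECT_ACE (AceType=0x{ace_type:02x})")
    if ace_size > len(buf) or ace_size % 4:
        raise ValueError("bad AceSize")
    mask, flags = struct.unpack_from("<II", buf, 4)
    off = 12
    object_type = inherited = None
    # Each GUID occupies space only when its Flags bit is set; this moves the Sid offset.
    if flags & ACE_OBJECT_TYPE_PRESENT:
        object_type = parse_guid(buf, off)
        off += 16
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        inherited = parse_guid(buf, off)
        off += 16
    sid, sid_len = parse_sid(buf[off:ace_size])
    if off + sid_len > ace_size:
        raise ValueError("SID runs past AceSize")
    return DeniedObjectAce(ace_flags, ace_size, mask, flags, object_type, inherited, sid)


def ace_applies(ace: DeniedObjectAce, requested_mask: int, object_guids: set) -> bool:
    """ObjectType rule: a deny ACE with a GUID that matches none of the checked object
    types is ignored; without a GUID it applies to the whole object."""
    if not (ace.mask & requested_mask):
        return False
    if ace.object_type is None:
        return True
    return ace.object_type in object_guids


def build_sample_ace() -> bytes:
    """Constructed sample (not from the spec): deny WRITE_PROP on one property to one user."""
    prop_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")   # placeholder property GUID
    sid = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1104)
    body = struct.pack("<II", 0x00000020, ACE_OBJECT_TYPE_PRESENT) + prop_guid.bytes_le + sid
    header = struct.pack("<BBH", ACCESS_DENIED_OBJECT_ACE_TYPE, 0x00, 4 + len(body))
    return header + body


if __name__ == "__main__":
    ace = parse_ace(build_sample_ace())
    print(ace.sid, ace.mask_names(), ace.object_type)
```

Because the sample sets only ACE_OBJECT_TYPE_PRESENT, the SID begins at offset 28, not 44; the parser follows Flags rather than the drawn layout. A deny ACE for ADS_RIGHT_DS_WRITE_PROP on this GUID blocks a write to that one property and is ignored for a check on any other property or on the object as a whole, which is the behaviour the ObjectType paragraph describes.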