Directory Services

APIs for Working with Security Descriptors

Each object in Active Directory has an nTSecurityDescriptor attribute that contains the object security descriptor. There are two primary ways to read and manipulate a directory object security descriptor:

The recommended technique, and the one used by most of the code examples in this guide, is to use the IADs* interfaces because they simplify handling security descriptors, ACLs, and ACEs. For Visual Basic programmers, the IADs* interfaces are the most efficient way to handle security descriptors.

The IDirectoryObject technique is useful when a SECURITY_DESCRIPTOR structure is required. For example, the code example in Checking a Control Access Right in an Object's ACL uses this method to retrieve a security descriptor to pass to the AccessCheckByTypeResultList function.
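The following VBScript is an added example, not code from this guide: it reads nTSecurityDescriptor through the IADs* technique described above and walks the DACL, flagging allow ACEs that grant control-equivalent rights (GenericAll, WriteDacl, WriteOwner, or unscoped write-property/extended rights). The distinguished name is a caller-supplied placeholder; the constants are ADS_RIGHTS_ENUM, ADS_ACETYPE_ENUM and ADS_FLAGTYPE_ENUM values from Iads.h.

```vbscript
' Added example (not from the original guide): audit an AD object's DACL
' using IADsSecurityDescriptor / IADsAccessControlList / IADsAccessControlEntry.
' Usage: cscript auditdacl.vbs "CN=SomeObject,DC=example,DC=com"  (placeholder DN)
Option Explicit

Const ADS_ACETYPE_ACCESS_ALLOWED        = 0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_FLAG_OBJECT_TYPE_PRESENT      = 1
Const ADS_RIGHT_DS_WRITE_PROP     = &H20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_RIGHT_WRITE_DAC         = &H40000
Const ADS_RIGHT_WRITE_OWNER       = &H80000
Const ADS_RIGHT_GENERIC_ALL       = &H10000000

Dim objectDN, obj, sd, dacl, ace, mask, scoped, reasons
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript auditdacl.vbs <distinguishedName>"
    WScript.Quit 1
End If
objectDN = WScript.Arguments(0)

' IADs::Get on nTSecurityDescriptor returns an IADsSecurityDescriptor. By default
' it carries owner, group and DACL only; the SACL requires IADsObjectOptions
' SetOption(ADS_OPTION_SECURITY_MASK, ...) and the SeSecurityPrivilege.
Set obj  = GetObject("LDAP://" & objectDN)
Set sd   = obj.Get("nTSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl
WScript.Echo "Owner: " & sd.Owner & "   ACE count: " & dacl.AceCount

For Each ace In dacl
    ' Only allow ACEs grant rights; deny ACEs (types 1 and 6) are skipped.
    If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
       ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
        mask    = ace.AccessMask
        reasons = ""
        If (mask And ADS_RIGHT_GENERIC_ALL) <> 0 Then reasons = reasons & " GenericAll"
        If (mask And ADS_RIGHT_WRITE_DAC)   <> 0 Then reasons = reasons & " WriteDacl"
        If (mask And ADS_RIGHT_WRITE_OWNER) <> 0 Then reasons = reasons & " WriteOwner"
        ' An object ACE with ObjectType present limits write-property / control-access
        ' rights to one property or extended right; without it they apply to all.
        scoped = ((ace.Flags And ADS_FLAG_OBJECT_TYPE_PRESENT) <> 0)
        If Not scoped Then
            If (mask And ADS_RIGHT_DS_WRITE_PROP)     <> 0 Then reasons = reasons & " WriteAllProperties"
            If (mask And ADS_RIGHT_DS_CONTROL_ACCESS) <> 0 Then reasons = reasons & " AllExtendedRights"
        End If
        If Len(reasons) > 0 Then WScript.Echo "REVIEW " & ace.Trustee & ":" & reasons
    End If
Next
```

Inherited ACEs (ADS_ACEFLAG_INHERITED_ACE in ace.AceFlags) appear here as well, so a flagged trustee may have been granted the right on a parent container rather than on this object.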

For more information, see: