Each object in Active Directory has an nTSecurityDescriptor attribute that contains the object security descriptor. There are two primary ways to read and manipulate a directory object security descriptor: through the IADs* interfaces, or through the IDirectoryObject interface.
The recommended technique, and the one used by most of the code examples in this guide, is to use the IADs* interfaces because they simplify handling security descriptors, ACLs, and ACEs. For Visual Basic programmers, the IADs* interfaces are the most efficient way to handle security descriptors.
The IDirectoryObject technique is useful when a SECURITY_DESCRIPTOR structure is required. For example, the code example in Checking a Control Access Right in an Object's ACL uses this method to retrieve a security descriptor to pass to the AccessCheckByTypeResultList function.
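To show what the raw SECURITY_DESCRIPTOR form contains, and what the IADs* interfaces abstract away, the following added example (not code from this guide) parses a self-relative security descriptor into its owner SID and DACL entries, including object-specific ACEs that carry a control access right GUID. It is written in Python so it runs offline; the function names, the sample bytes, and the domain SID in them are constructed for illustration, and it assumes the attribute value is in self-relative form.

```python
import struct
import uuid

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000  # Control field bits
ACE_TYPES = {0: "ALLOW", 1: "DENY", 5: "ALLOW_OBJECT", 6: "DENY_OBJECT"}

def parse_sid(buf, off):  # binary SID -> "S-1-5-..." string
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_acl(buf, off):  # walk every ACE in the ACL at buf[off:]
    count = struct.unpack_from("<H", buf, off + 4)[0]
    pos, aces = off + 8, []
    for _ in range(count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        body, object_type = pos + 8, None
        if ace_type in (5, 6):  # object ACE: Flags, then optional GUIDs
            obj_flags = struct.unpack_from("<I", buf, body)[0]
            body += 4
            if obj_flags & 1:  # ACE_OBJECT_TYPE_PRESENT
                object_type = str(uuid.UUID(bytes_le=bytes(buf[body:body + 16])))
                body += 16
            if obj_flags & 2:  # ACE_INHERITED_OBJECT_TYPE_PRESENT
                body += 16
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "mask": mask,
                     "object_type": object_type, "trustee": parse_sid(buf, body)})
        pos += size  # AceSize covers header and body
    return aces

def parse_security_descriptor(buf):  # 20-byte header, then follow the offsets
    rev, _, control, o_owner, _o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    has_dacl = control & SE_DACL_PRESENT and o_dacl
    return {"owner": parse_sid(buf, o_owner) if o_owner else None,
            "dacl": parse_acl(buf, o_dacl) if has_dacl else None}

# Constructed sample: owner BUILTIN\Administrators, two ACEs, made-up domain SID.
def _sid(*subs):
    return struct.pack("<BB", 1, len(subs)) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

RESET_PASSWORD = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")  # User-Force-Change-Password
_admins, _user = _sid(32, 544), _sid(21, 1111, 2222, 3333, 1104)
_aces = (struct.pack("<BBHI", 0, 0, 8 + len(_admins), 0xF01FF) + _admins +  # full control
         struct.pack("<BBHII", 5, 0, 28 + len(_user), 0x100, 1) + RESET_PASSWORD.bytes_le + _user)
_dacl = struct.pack("<BBHHH", 4, 0, 8 + len(_aces), 2, 0) + _aces
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(_admins)) + _admins + _dacl
```

The second ACE in the sample has mask 0x100 (ADS_RIGHT_DS_CONTROL_ACCESS) with an object type GUID, which is the shape of entry a control access right check looks for.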