All Active Directory® objects support a standard set of access rights defined in the ADS_RIGHTS_ENUM enumeration. These access rights can be used in the Access Control Entries (ACEs) of an object's security descriptor to control access to the object; that is, to control who can perform standard operations, such as creating and deleting child objects, or reading and writing the object properties. However, for some object classes, it may be desirable to control access in a way not supported by the standard access rights. To facilitate this, Active Directory allows the standard access control mechanism to be extended through the controlAccessRight object.
Control access rights are used in three ways:
There are only three validated writes defined in the Windows 2000 Active Directory schema:
For convenience, each control access right is represented by a controlAccessRight object in the Extended-Rights container of the Configuration partition, even though property sets and validated writes are not considered to be extended rights. Because the Configuration container is replicated across the entire forest, control rights are propagated across all domains in a forest. There are a number of predefined control access rights, and of course, custom access rights can also be defined.
All control access rights can be viewed as permissions in the ACL Editor.
For more information and a C++ and Visual Basic® code example that sets an ACE to control read/write access to a property set, see Example Code for Setting an ACE on a Directory Object.
For more information about using control access rights to control access to special operations, see: