Directory Services

Controlling Access to Objects and Their Properties

To control access to application objects, work with the object security descriptor, and specifically, with the discretionary access-control list (DACL) and its list of access-control entries (ACEs).
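An added example, not part of the original page: a Python sketch that reads the ACEs out of a DACL and reports which trustees can rewrite the DACL or owner, or write every property of the object. It assumes the security descriptor has been exported as an SDDL string; the function names, the sample descriptor, its GUID and its SID are constructed for illustration.

```python
import re

# SDDL allow ACE types: "A" covers the whole object; "OA" is object-specific
# and may name one property, property set or child class by GUID.
ALLOW_TYPES = ("A", "OA")

def pairs(s):
    """Split a run of two-letter SDDL tokens ('RPWP' -> ['RP', 'WP'])."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_dacl(sddl):
    """Return the ACEs in the D: (DACL) component of an SDDL string, in order."""
    m = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        return []  # no DACL component in this string
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        aces.append({
            "type": ace_type,
            "inherited": "ID" in pairs(flags),
            # Hex access masks are kept verbatim, not decoded.
            "rights": [rights] if rights.startswith("0x") else pairs(rights),
            "object_guid": obj_guid or None,
            "trustee": trustee,
        })
    return aces

def broad_write_grants(aces):
    """Allow ACEs granting write-DACL, write-owner, generic-all or unscoped write-property."""
    hits = []
    for ace in aces:
        if ace["type"] not in ALLOW_TYPES:
            continue
        rights = set(ace["rights"]) & {"WD", "WO", "GA", "WP"}
        if ace["object_guid"]:
            rights.discard("WP")  # WP here is scoped to the named property
        if rights:
            hits.append((ace["trustee"], sorted(rights)))
    return hits

# Constructed sample descriptor; the GUID and the SID are placeholders.
SAMPLE = ("O:DAG:DAD:AI(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)"
          "(OA;;WP;11111111-2222-3333-4444-555555555555;;PS)(A;CIID;RPLCRC;;;AU)"
          "(A;;WD;;;S-1-5-21-1111111111-2222222222-3333333333-1105)(D;;WP;;;BG)")
```

Calling `broad_write_grants(parse_dacl(SAMPLE))` reports the Domain Admins ACE and the explicit write-DACL grant to the placeholder SID; the property-scoped write, the inherited read ACE and the deny ACE are not reported.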

When an object is created, it receives a security descriptor. For more information, and a description of the rules that the system uses to create the DACL for a new object, see How Security Descriptors are Set on New Directory Objects. These rules reveal that you can:

In addition, the DACL of an existing object can be modified. You can:

The following list describes the most important functions of an ACE in Active Directory. With an ACE, you can: