Directory Services

Protecting Objects from the Effects of Inherited Rights

As discussed in the topic Inheritance and Delegation of Administration, ACEs can be set on a container object (an organizational unit, domainDNS, container, and so on) and propagated to child objects according to the AceFlags set on those ACEs.

If you have a secure object or an object whose ACEs you want to explicitly control, such as a private OU or a special user, you can prevent ACEs from being propagated to the object by its parent container or its parent container's predecessors.

Use the IADsSecurityDescriptor::put_Control method to control whether DACLs and SACLs are inherited by the object from its parent container.

The Control property can be used to protect an object from the effects of inherited ACEs. The following flags force access control to be set explicitly on the object and prevent a user from modifying access control to the object by setting inheritable ACEs on the object's parent container, or its parent container's predecessors.

Flag Description
SE_DACL_PROTECTED Prevents ACEs set on the DACL of the parent container, and any objects above the parent container in the directory hierarchy, from being applied to the object DACL.
SE_SACL_PROTECTED Prevents ACEs set on the SACL of the parent container, and any objects above the parent container in the directory hierarchy, from being applied to the object SACL.

Be aware that the SE_DACL_PRESENT flag must be present to set SE_DACL_PROTECTED and SE_SACL_PRESENT must be present to set SE_SACL_PROTECTED.
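The following PowerShell script is an added example and is not part of the original topic or Microsoft's own sample code. It drives the same IADsSecurityDescriptor object described above through ADSI, reads the Control property, verifies the SE_DACL_PRESENT precondition before setting SE_DACL_PROTECTED, and writes the descriptor back. The flag values are the SECURITY_DESCRIPTOR_CONTROL constants from winnt.h; the function names, the $TargetDn placeholder, and the use of psbase.InvokeGet/InvokeSet to reach the COM security descriptor are assumptions of this example, not something the topic prescribes.

```powershell
# Added example (not from the original topic): protect an Active Directory
# object's DACL from inherited ACEs by setting SE_DACL_PROTECTED on the
# IADsSecurityDescriptor Control property.
# Assumptions: ADSI is available, the caller can write ntSecurityDescriptor,
# and the distinguished name passed in is a placeholder for a real object.

# SECURITY_DESCRIPTOR_CONTROL flag values from winnt.h.
$SE_DACL_PRESENT   = 0x0004
$SE_SACL_PRESENT   = 0x0010
$SE_DACL_PROTECTED = 0x1000
$SE_SACL_PROTECTED = 0x2000

function Get-AdsiProtectionState {
    # Report which PRESENT/PROTECTED bits are set on the object's descriptor.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # InvokeGet returns the IADsSecurityDescriptor COM object behind
    # ntSecurityDescriptor; Control maps to IADsSecurityDescriptor::get_Control.
    $sd = $entry.psbase.InvokeGet("ntSecurityDescriptor")
    $control = [int]$sd.Control

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        Control           = ('0x{0:X4}' -f $control)
        DaclPresent       = [bool]($control -band $SE_DACL_PRESENT)
        DaclProtected     = [bool]($control -band $SE_DACL_PROTECTED)
        SaclPresent       = [bool]($control -band $SE_SACL_PRESENT)
        SaclProtected     = [bool]($control -band $SE_SACL_PROTECTED)
    }
}

function Protect-AdsiObjectDacl {
    # Set SE_DACL_PROTECTED so ACEs from the parent container and its
    # ancestors are no longer applied to this object's DACL.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd = $entry.psbase.InvokeGet("ntSecurityDescriptor")
    $control = [int]$sd.Control

    # Precondition from the topic: SE_DACL_PRESENT must already be set,
    # otherwise SE_DACL_PROTECTED cannot be applied.
    if (-not ($control -band $SE_DACL_PRESENT)) {
        throw "SE_DACL_PRESENT is not set on $DistinguishedName; refusing to set SE_DACL_PROTECTED."
    }

    if ($control -band $SE_DACL_PROTECTED) {
        Write-Verbose "$DistinguishedName already has SE_DACL_PROTECTED set; nothing to do."
        return Get-AdsiProtectionState -DistinguishedName $DistinguishedName
    }

    # Equivalent of IADsSecurityDescriptor::put_Control with the new flag OR'd in.
    $sd.Control = $control -bor $SE_DACL_PROTECTED
    $entry.psbase.InvokeSet("ntSecurityDescriptor", $sd)
    $entry.psbase.CommitChanges()

    # Re-read the descriptor so the caller sees the committed state.
    Get-AdsiProtectionState -DistinguishedName $DistinguishedName
}

# Usage (placeholder DN, not a real object):
# $TargetDn = "OU=Private,DC=example,DC=com"
# Get-AdsiProtectionState -DistinguishedName $TargetDn
# Protect-AdsiObjectDacl -DistinguishedName $TargetDn -Verbose
```

Two practical points. First, the example deliberately covers the DACL only: a default ADSI bind retrieves owner, group and DACL but not the SACL, so SE_SACL_PRESENT will read as clear and SE_SACL_PROTECTED cannot be set until the bind is configured to request SACL information (which also requires the SE_SECURITY_NAME privilege). Second, Get-AdsiProtectionState is the useful defender-side half: run it across sensitive OUs and accounts to confirm that objects you expect to be protected really carry SE_DACL_PROTECTED, rather than assuming the flag is still in place.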