Having used the IADs::Get
method to retrieve an IADsSecurityDescriptor
interface pointer, you can use the property methods of the
IADsSecurityDescriptor interface to read or write the
components of a directory object's security descriptor. For
example, to get or set the object's DACL, use the
DiscretionaryAcl property (Visual Basic) or the
put_DiscretionaryAcl and get_DiscretionaryAcl methods
(C++).

A security descriptor can store the following information:

A security identifier (SID) that identifies the owner of the
object. The owner of an object has the implicit right to modify
the DACL and owner information in the object's security
descriptor.

A discretionary access-control list (DACL) that identifies
the users and groups who can perform various operations on the
object. A DACL contains a list of access-control entries
(ACEs). Each ACE allows or denies a specified set of access rights
to a specified user account, group account, or other trustee. See
Retrieving an Object's DACL.

A system access-control list (SACL) that controls how the
system audits attempts to access the object. Each ACE in a SACL
specifies the types of access attempts that generate an audit log
entry for a specified user account, group account, or other
trustee. See Retrieving an Object's SACL.

A set of SECURITY_DESCRIPTOR_CONTROL control
flags that qualify the meaning of a security descriptor or its
components. For example, the SE_DACL_PROTECTED flag protects
the security descriptor's DACL from inheriting ACEs from its
parent.

A security identifier (SID) that identifies the primary
group of the object. Active Directory does not use this
component.
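
The components listed above can also be read straight from the self-relative binary form of a security descriptor (the form stored in the nTSecurityDescriptor attribute). The following is an added example, not code from the original page, and it goes beyond the page by showing the binary layout rather than the ADSI property methods. The function names and the sample descriptor are constructed for illustration.

```python
import struct

# SECURITY_DESCRIPTOR_CONTROL bits (winnt.h)
SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010
SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x1000, 0x8000

def parse_sid(buf, off):
    """Decode the binary SID at offset off into S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_acl(buf, off):
    """Return (ace_type, access_mask, trustee) for each allow/deny ACE."""
    ace_count = struct.unpack_from("<H", buf, off + 4)[0]
    aces, pos = [], off + 8  # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type in (0, 1):  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            aces.append((ace_type, mask, parse_sid(buf, pos + 8)))
        pos += ace_size
    return aces

def parse_sd(buf):
    """Split a self-relative security descriptor into its components."""
    _, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {
        "owner": parse_sid(buf, o_owner) if o_owner else None,
        "group": parse_sid(buf, o_group) if o_group else None,
        "dacl_protected": bool(control & SE_DACL_PROTECTED),
        "dacl": parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None,
        "sacl_present": bool(control & SE_SACL_PRESENT) and o_sacl != 0,
    }

def sid_bytes(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def build_sample():
    """Constructed sample: protected DACL with one allow ACE for S-1-5-11."""
    owner, group, who = sid_bytes(5, 32, 544), sid_bytes(5, 18), sid_bytes(5, 11)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(who), 0x00020094) + who
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(ace), 1, 0) + ace
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_PROTECTED
    offsets = (20, 20 + len(owner), 0, 20 + len(owner) + len(group))
    return struct.pack("<BBHIIII", 1, 0, control, *offsets) + owner + group + dacl
```

Calling parse_sd(build_sample()) returns the owner and primary group SIDs, the DACL entries, and whether SE_DACL_PROTECTED is set, which is the flag to check when auditing objects that have stopped inheriting ACEs from their parent.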