The ADS_RIGHTS_ENUM enumeration specifies the access
rights that are assigned to a directory object. The member values
are assigned to the AccessMask field of an ACE.
ADS_RIGHT_READ_CONTROL
The right to read data from the security descriptor of the
object, not including the data in the SACL.
ADS_RIGHT_WRITE_DAC
The right to modify the discretionary access-control list
(DACL) in the object security descriptor.
ADS_RIGHT_WRITE_OWNER
The right to assume ownership of the object. The user must be
an object trustee. The user cannot transfer the ownership to other
users.
ADS_RIGHT_SYNCHRONIZE
The right to use the object for synchronization. This enables a
thread to wait until the object is in the signaled state.
ADS_RIGHT_ACCESS_SYSTEM_SECURITY
The right to get or set the SACL in the object security
descriptor.
ADS_RIGHT_GENERIC_READ
The right to read permissions on this object, read all the
properties on this object, list this object name when the parent
container is listed, and list the contents of this object if it is
a container.
ADS_RIGHT_GENERIC_WRITE
The right to read permissions on this object, write all the
properties on this object, and perform all validated writes to this
object.
ADS_RIGHT_GENERIC_EXECUTE
The right to read permissions on, and list the contents of, a
container object.
ADS_RIGHT_GENERIC_ALL
The right to create or delete children, delete a subtree, read
and write properties, examine children and the object itself, add
and remove the object from the directory, and read or write with an
extended right.
ADS_RIGHT_DS_CREATE_CHILD
The right to create children of the object. The
ObjectType member of an ACE can contain a GUID that
identifies the type of child object whose creation is controlled.
If ObjectType does not contain a GUID, the ACE controls the
creation of all child object types.
ADS_RIGHT_DS_DELETE_CHILD
The right to delete children of the object. The
ObjectType member of an ACE can contain a GUID that
identifies a type of child object whose deletion is controlled. If
ObjectType does not contain a GUID, the ACE controls the
deletion of all child object types.
ADS_RIGHT_ACTRL_DS_LIST
The right to list children of this object. For more information
about this right, see Controlling Object
Visibility.
ADS_RIGHT_DS_SELF
The right to perform an operation controlled by a validated
write access right. The ObjectType member of an ACE can
contain a GUID that identifies the validated write. If
ObjectType does not contain a GUID, the ACE controls the
rights to perform all validated write operations associated with the
object.
ADS_RIGHT_DS_READ_PROP
The right to read properties of the object. The
ObjectType member of an ACE can contain a GUID that
identifies a property set or property. If ObjectType does
not contain a GUID, the ACE controls the right to read all of the
object properties.
ADS_RIGHT_DS_WRITE_PROP
The right to write properties of the object. The
ObjectType member of an ACE can contain a GUID that
identifies a property set or property. If ObjectType does
not contain a GUID, the ACE controls the right to write all of the
object properties.
ADS_RIGHT_DS_DELETE_TREE
The right to delete all children of this object, regardless of
the permissions of the children.
ADS_RIGHT_DS_LIST_OBJECT
The right to list a particular object. If the user is not
granted such a right, and the user does not have
ADS_RIGHT_ACTRL_DS_LIST set on the object parent, the object is
hidden from the user. This right is ignored if the third character
of the dSHeuristics property is '0' or not set. For more
information about this right, see Controlling Object
Visibility.
ADS_RIGHT_DS_CONTROL_ACCESS
The right to perform an operation controlled by an extended
access right. The ObjectType member of an ACE can contain a
GUID that identifies the extended right. If ObjectType does
not contain a GUID, the ACE controls the right to perform all
extended right operations associated with the object.
Remarks
To assign access rights to an object, set the AccessMask
field of an access-control entry (ACE) to a combination of the
constants defined in this enumeration. In addition to the
AccessMask field, an ACE can have other fields, including
ACEType, ACEFlags, ObjectType,
InheritedObjectType, Flags, and Trustee. The
IADsAccessControlEntry
interface provides property methods to obtain and modify these
fields.
The ObjectType field specifies a GUID that identifies the
property set, property, extended right, or type of child object to
which the ACE applies. The InheritedObjectType field
specifies a GUID that identifies the type of child object that can
inherit the ACE. The Trustee field identifies the security
principal to whom the ACE allows or denies the specified access
rights.
Note: Because VBScript cannot read
data from a type library, VBScript applications do not recognize
the symbolic constants as defined above. Instead, use the numerical
constants to set the appropriate flags in your VBScript
application. To use the symbolic constants as a good programming
practice, create explicit declarations of such constants, as done
here, in your VBScript applications.
The specific access rights granted by the four generic rights
enumerations (ADS_RIGHT_GENERIC_xxx) depend on
the specific ADSI service provider being accessed. For Active
Directory, these generic rights are defined in the Ntdsapi.h header
file as DS_GENERIC_READ,
DS_GENERIC_WRITE, DS_GENERIC_EXECUTE,
and DS_GENERIC_ALL. For more information about
access rights and access masks, see Access Control.
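An added example, not part of the original reference page: a Python decoder that splits an AccessMask into the members described above and flags ACEs worth reviewing during a permissions audit. The numeric values are those declared in Iads.h and are not listed on this page; the `SENSITIVE` set, the function names and the sample trustee are choices made for this example.

```python
from enum import IntFlag

class AdsRights(IntFlag):
    """ADS_RIGHTS_ENUM values as declared in Iads.h (numbers are not on this page)."""
    DS_CREATE_CHILD = 0x1
    DS_DELETE_CHILD = 0x2
    ACTRL_DS_LIST = 0x4
    DS_SELF = 0x8
    DS_READ_PROP = 0x10
    DS_WRITE_PROP = 0x20
    DS_DELETE_TREE = 0x40
    DS_LIST_OBJECT = 0x80
    DS_CONTROL_ACCESS = 0x100
    DELETE = 0x10000
    READ_CONTROL = 0x20000
    WRITE_DAC = 0x40000
    WRITE_OWNER = 0x80000
    SYNCHRONIZE = 0x100000
    ACCESS_SYSTEM_SECURITY = 0x1000000
    GENERIC_ALL = 0x10000000
    GENERIC_EXECUTE = 0x20000000
    GENERIC_WRITE = 0x40000000
    GENERIC_READ = 0x80000000

# Rights whose scope is narrowed by the ACE's ObjectType GUID (see the member descriptions).
OBJECT_SCOPED = (AdsRights.DS_CREATE_CHILD | AdsRights.DS_DELETE_CHILD | AdsRights.DS_SELF
                 | AdsRights.DS_READ_PROP | AdsRights.DS_WRITE_PROP | AdsRights.DS_CONTROL_ACCESS)
# Audit policy assumed for this example: rights that rewrite the descriptor or grant everything.
SENSITIVE = AdsRights.WRITE_DAC | AdsRights.WRITE_OWNER | AdsRights.GENERIC_ALL

def decode_mask(mask):
    """Return (member names set in mask, leftover bits the enumeration does not define)."""
    mask &= 0xFFFFFFFF  # COM/VBScript hands back a signed 32-bit value
    names = ["ADS_RIGHT_" + r.name for r in AdsRights if mask & r.value]
    known = sum(r.value for r in AdsRights)
    return names, mask & ~known

def review_ace(trustee, mask, object_type=None):
    """Flag an allow ACE carrying sensitive rights, or object-scoped rights with no GUID."""
    findings = []
    for r in AdsRights:
        if not mask & r.value:
            continue
        if r & SENSITIVE:
            findings.append(f"{trustee}: ADS_RIGHT_{r.name} is a sensitive right")
        elif r & OBJECT_SCOPED and object_type is None:
            findings.append(f"{trustee}: ADS_RIGHT_{r.name} has no ObjectType, applies to all")
    return findings
```

Calling `review_ace("EXAMPLE\\helpdesk", 0x20)` reports an unscoped write-property grant, while the same mask with an ObjectType GUID supplied returns no findings.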
Requirements
Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Redistributable: Requires Active Directory Client Extension on Windows NT 4.0 SP6a and Windows 95/98/Me.
Header: Declared in Iads.h.