Directory Services


The IADsAccessControlEntry interface is a dual interface that enables directory clients to access and manipulate individual access-control entries (ACEs) of the owning object. An ACE stipulates who can access the object and what type of access is granted, and specifies whether the access control settings can be propagated from the object to any of its children. An ACE exposes a set of properties through this interface to provide such services.

An object can have a number of ACEs, one for each client or a group of clients. ACEs are maintained in an access-control list (ACL) which implements the IADsAccessControlList interface. This means that a client needs to go through an ACL in order to access ACEs. To access the ACL, retrieve the security descriptor of the object that implements the IADsSecurityDescriptor interface. The following procedures describe how to manage access controls over an ADSI object.

To manage access controls over an ADSI object

  1. Retrieve the security descriptor for the object that implements the IADsSecurityDescriptor interface.
  2. Retrieve the ACL from the security descriptor.
  3. Work with the ACE, or ACEs, of the object in the ACL.

To set a new or modified ACE as persistent

  1. Add the ACE to the ACL.
  2. Assign the ACL to the security descriptor.
  3. Commit the security descriptor to the directory store.
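Both procedures, as an added VBScript example (not part of the original page): it lists every ACE in an object's discretionary ACL, marks allow ACEs that let the trustee rewrite the ACL or take ownership, then adds one read-only ACE and commits it. The ADsPath and trustee name are placeholders, and the constants are written out from the ADSI enumerations because VBScript does not import them.

```vbscript
Option Explicit

' ADSI enumeration values (ADS_ACETYPE_ENUM, ADS_ACEFLAG_ENUM, ADS_RIGHTS_ENUM).
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERITED_ACE  = &H10
Const ADS_RIGHT_DS_READ_PROP     = &H10
Const ADS_RIGHT_WRITE_DAC        = &H40000
Const ADS_RIGHT_WRITE_OWNER      = &H80000

' Placeholders (assumptions): substitute an object and trustee from your own directory.
Const TARGET_PATH = "LDAP://OU=Example,DC=example,DC=com"
Const NEW_TRUSTEE = "EXAMPLE\HelpdeskReaders"

Dim obj, sd, dacl, ace, newAce, note

' --- Managing access controls ---
' 1. Retrieve the security descriptor (IADsSecurityDescriptor).
Set obj = GetObject(TARGET_PATH)
Set sd = obj.Get("ntSecurityDescriptor")
' 2. Retrieve the ACL (IADsAccessControlList) from the security descriptor.
Set dacl = sd.DiscretionaryAcl
' 3. Work with the ACEs; each item is an IADsAccessControlEntry.
For Each ace In dacl
    note = ""
    If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
        If (ace.AccessMask And ADS_RIGHT_WRITE_DAC) <> 0 Then note = note & " WRITE_DAC"
        If (ace.AccessMask And ADS_RIGHT_WRITE_OWNER) <> 0 Then note = note & " WRITE_OWNER"
    End If
    ' An ACE without the inherited flag was set directly on this object.
    If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = 0 Then note = note & " (explicit)"
    WScript.Echo ace.Trustee & " type=" & ace.AceType & _
        " mask=0x" & Hex(ace.AccessMask) & " flags=0x" & Hex(ace.AceFlags) & note
Next

' --- Setting a new ACE as persistent ---
Set newAce = CreateObject("AccessControlEntry")
newAce.Trustee    = NEW_TRUSTEE
newAce.AceType    = ADS_ACETYPE_ACCESS_ALLOWED
newAce.AccessMask = ADS_RIGHT_DS_READ_PROP   ' read properties only
newAce.AceFlags   = 0                        ' do not propagate to child objects
dacl.AddAce newAce                           ' 1. Add the ACE to the ACL.
sd.DiscretionaryAcl = dacl                   ' 2. Assign the ACL to the security descriptor.
obj.Put "ntSecurityDescriptor", Array(sd)    ' 3. Commit the security descriptor
obj.SetInfo                                  '    to the directory store.
```

Until `SetInfo` is called the new ACE exists only in the local property cache, so running the listing loop alone gives a read-only review of the object's DACL.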

Methods in Vtable Order

The IADsAccessControlEntry interface inherits the methods of the standard COM interfaces:

In addition, IADsAccessControlEntry defines the following methods.

| Method | Description |
| --- | --- |
| get_AccessMask | Gets the access mask for an ACE. |
| put_AccessMask | Sets the access mask for an ACE. |
| get_AceType | Gets the ACE type. |
| put_AceType | Sets the ACE type. |
| get_AceFlags | Gets ACE flag values. |
| put_AceFlags | Sets ACE flag values. |
| get_Flags | Gets flag values. |
| put_Flags | Sets flag values. |
| get_ObjectType | Gets the object type. |
| put_ObjectType | Sets the object type. |
| get_InheritedObjectType | Gets the inherited object type. |
| put_InheritedObjectType | Sets the inherited object type. |
| get_Trustee | Gets the trustee. |
| put_Trustee | Sets the trustee. |


The IADsAccessControlEntry interface defines the following properties. The preceding table includes access methods for these properties.

| Property | Description |
| --- | --- |
| AccessMask | Gets or sets the access mask for an ACE. |
| AceFlags | Gets or sets ACE flag values. |
| AceType | Gets or sets the ACE type. |
| Flags | Gets or sets flag values. |
| InheritedObjectType | Gets or sets the inherited object type. |
| ObjectType | Gets or sets the object type. |
| Trustee | Gets or sets the trustee. |


Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Redistributable: Requires Active Directory Client Extension on Windows NT 4.0 SP6a and Windows 95/98/Me.
Header: Declared in Iads.h.

See Also

IADsAccessControlList, IADsSecurityDescriptor