Directory Services

How Access Control Works in Active Directory

Access control for Microsoft® Active Directory® objects is based on the Windows NT/Windows 2000 access-control model. For more information and a detailed description of this model and its components, such as security descriptors, access tokens, SIDs, ACLs, and ACEs, see Access Control Model.

Access privileges for Active Directory resources are usually granted through the use of an access control entry (ACE). An ACE defines an access or audit permission on an object for a specific user or group. An access-control list (ACL) is the ordered collection of access control entries defined for an object. A security descriptor supports properties and methods that create and manage ACLs. For more information about security models, see Security or the Microsoft Windows 2000 Server Resource Kit.

The basic outline of the security model is:

The following table lists ADSI interfaces used to manipulate the access control features of Active Directory.

| Interface | Description |
|---|---|
| IADsSecurityDescriptor | Used to read and write the security properties of a directory service object. |
| IADsAccessControlList | Used to manage and enumerate all ACEs for a directory service object. |
| IADsAccessControlEntry | Used to read and write ACE properties. |
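As an added example, not code from the ADSI documentation: a PowerShell script that reads an object's ntSecurityDescriptor through the three interfaces above (IADsSecurityDescriptor, its DiscretionaryAcl as an IADsAccessControlList, and each IADsAccessControlEntry) and reports allow ACEs that give broad groups rights affecting the object's security. The LDAP path, the trustee patterns and the set of rights treated as high-impact are assumptions of the example.

```powershell
# Constructed placeholder; point it at the object whose DACL you want to review.
$path = "LDAP://OU=Servers,DC=example,DC=com"

# Bit values from the ADSI ADS_RIGHTS_ENUM, ADS_ACETYPE_ENUM and ADS_ACEFLAG_ENUM.
$ADS_RIGHT_DS_WRITE_PROP     = 0x00000020
$ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100
$ADS_RIGHT_WRITE_DAC         = 0x00040000
$ADS_RIGHT_WRITE_OWNER       = 0x00080000
$ADS_RIGHT_GENERIC_ALL       = 0x10000000
$ADS_ACETYPE_ACCESS_ALLOWED        = 0
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
$ADS_ACEFLAG_INHERITED_ACE         = 0x10

# Rights that let the holder change the object's security or write to it (assumed set).
$highImpact = $ADS_RIGHT_DS_WRITE_PROP -bor $ADS_RIGHT_DS_CONTROL_ACCESS -bor
              $ADS_RIGHT_WRITE_DAC -bor $ADS_RIGHT_WRITE_OWNER -bor $ADS_RIGHT_GENERIC_ALL

# IADs::Get on ntSecurityDescriptor returns an IADsSecurityDescriptor COM object;
# DirectoryEntry.Invoke() calls that native ADSI method.
$object = [ADSI]$path
$sd     = $object.psbase.Invoke("Get", "ntSecurityDescriptor")
$dacl   = $sd.DiscretionaryAcl            # IADsAccessControlList, in stored order

$position = 0
foreach ($ace in $dacl) {                 # each element is an IADsAccessControlEntry
    $position++
    # Only allow ACEs grant anything; object ACEs (type 5) may be scoped by ObjectType.
    if ($ace.AceType -ne $ADS_ACETYPE_ACCESS_ALLOWED -and
        $ace.AceType -ne $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) { continue }
    if (($ace.AccessMask -band $highImpact) -eq 0) { continue }

    # Trustee is returned as a name ("DOMAIN\Group"); only flag broad principals (assumed list).
    $trustee = $ace.Trustee
    if ($trustee -ne 'Everyone' -and
        $trustee -notlike '*\Authenticated Users' -and
        $trustee -notlike '*\Domain Users') { continue }

    [pscustomobject]@{
        Position   = $position
        Trustee    = $trustee
        AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        ObjectType = $ace.ObjectType      # empty = whole object; a GUID = one property or extended right
        Inherited  = (($ace.AceFlags -band $ADS_ACEFLAG_INHERITED_ACE) -ne 0)
    }
}
```

Because the ACL is an ordered collection, a deny ACE earlier in the list overrides a later allow for the same trustee, so read a flagged entry together with the entries before it rather than on its own.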