Directory Services

Retrieving an Object's DACL

An object's security descriptor may contain a discretionary access-control list (DACL). A DACL contains zero or more access-control entries (ACEs) that identify the users and groups who can access the object. If a DACL is empty (that is, it contains zero ACEs), no access is explicitly granted, so access is implicitly denied. However, if an object's security descriptor does not have a DACL, the object is unprotected and everyone has complete access.

To retrieve an object's DACL, you must be the object's owner or have READ_CONTROL access to the object.

To get and set the DACL of a directory object, use the IADsSecurityDescriptor interface. Using C++, the IADsSecurityDescriptor::get_DiscretionaryAcl method returns an IDispatch pointer. Call QueryInterface on that IDispatch pointer to get an IADsAccessControlList interface, and use the methods on that interface to access the individual ACEs in the DACL. The procedure for modifying a DACL is described in Setting Access Rights on an Object.

To enumerate the ACEs, use the IADsAccessControlList::get__NewEnum method. The method returns an IUnknown pointer. Call QueryInterface on that IUnknown pointer to get an IEnumVARIANT interface. Use the IEnumVARIANT::Next method to enumerate the ACEs in the ACL. Each ACE is returned as a VARIANT containing an IDispatch pointer (the vt member is VT_DISPATCH). Call QueryInterface on that IDispatch pointer to get an IADsAccessControlEntry interface for the ACE. You can use the methods of the IADsAccessControlEntry interface to set or retrieve the components of an ACE.
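The two procedures above (obtaining the IADsAccessControlList from IADsSecurityDescriptor, then enumerating its IADsAccessControlEntry items) as an added PowerShell example; it is not code from the original page. It builds a sample security descriptor in memory from the ADSI "SecurityDescriptor", "AccessControlList" and "AccessControlEntry" COM objects, so it runs without a directory; the trustee names are placeholders, and PowerShell's `foreach` performs the `_NewEnum`/`IEnumVARIANT::Next` enumeration described in the text.

```powershell
# Selected values from ADS_ACETYPE_ENUM and ADS_RIGHTS_ENUM (Iads.h)
$AceTypeNames = @{ 0 = 'Allow'; 1 = 'Deny'; 5 = 'Allow (object)'; 6 = 'Deny (object)' }
$ADS_RIGHT_DS_READ_PROP  = 0x10
$ADS_RIGHT_DS_WRITE_PROP = 0x20
$ADS_RIGHT_READ_CONTROL  = 0x20000

function Get-DaclEntries {
    param([Parameter(Mandatory)] $SecurityDescriptor)   # an IADsSecurityDescriptor
    $dacl = $SecurityDescriptor.DiscretionaryAcl       # IDispatch exposed as IADsAccessControlList
    if ($null -eq $dacl) {
        # No DACL at all: the object is unprotected and everyone has complete access
        Write-Warning 'No DACL present: object is unprotected'
        return
    }
    if ($dacl.AceCount -eq 0) {
        # Empty DACL: nothing is explicitly granted, so all access is implicitly denied
        Write-Warning 'DACL is empty: no access is granted to anyone'
        return
    }
    foreach ($ace in $dacl) {                          # one IADsAccessControlEntry per iteration
        $type = if ($AceTypeNames.ContainsKey([int]$ace.AceType)) { $AceTypeNames[[int]$ace.AceType] } else { "$($ace.AceType)" }
        [pscustomobject]@{
            Trustee    = $ace.Trustee
            Type       = $type
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
            AceFlags   = $ace.AceFlags
            ObjectType = $ace.ObjectType               # GUID for property/extended-right ACEs, else empty
        }
    }
}

# Constructed sample descriptor with two ACEs (trustee names are placeholders)
$sd   = New-Object -ComObject SecurityDescriptor
$dacl = New-Object -ComObject AccessControlList

$allow = New-Object -ComObject AccessControlEntry
$allow.Trustee    = 'EXAMPLE\Helpdesk'
$allow.AceType    = 0                                  # ADS_ACETYPE_ACCESS_ALLOWED
$allow.AccessMask = $ADS_RIGHT_DS_READ_PROP -bor $ADS_RIGHT_READ_CONTROL
$dacl.AddAce($allow)

$deny = New-Object -ComObject AccessControlEntry
$deny.Trustee    = 'EXAMPLE\Contractors'
$deny.AceType    = 1                                   # ADS_ACETYPE_ACCESS_DENIED
$deny.AccessMask = $ADS_RIGHT_DS_WRITE_PROP
$dacl.AddAce($deny)

$sd.DiscretionaryAcl = $dacl
Get-DaclEntries $sd | Format-Table -AutoSize
```

To inspect a live directory object instead, replace the constructed `$sd` with the `ntSecurityDescriptor` property of an `[ADSI]` object (for example `([ADSI]'LDAP://<object DN>').Get('ntSecurityDescriptor')`), which requires READ_CONTROL on that object or ownership of it.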

For more information about DACLs and ACEs, see the following topics in the Platform SDK.