Directory Services

Retrieving an Object's SACL

The security descriptor of an Active Directory object may contain a system access-control list (SACL). A SACL contains access-control entries (ACEs) that specify the types of access attempts that generate audit records in the security event log of a domain controller. Be aware that a SACL generates log entries only on the domain controller where the access attempt occurred, not on every DC that contains a replica of the object.

To set or get the SACL from an object security descriptor, the SE_SECURITY_NAME privilege must be enabled in the access token of the requesting thread. The administrators group has this privilege by default, and it can be assigned to other users or groups. For more information, see SACL Access Right.

To get and set the SACL of a directory object, use the IADsSecurityDescriptor interface. Using C++, the IADsSecurityDescriptor::get_SystemAcl method returns an IDispatch pointer. Call QueryInterface on that IDispatch pointer to get an IADsAccessControlList interface, and use the methods on that interface to access the individual ACEs in the SACL. For more information about the procedure for modifying a SACL, which is similar to that for modifying a DACL, see Setting Access Rights on an Object.

To enumerate the ACEs in a SACL, use the IADsAccessControlList::get__NewEnum method, which returns an IUnknown pointer. Call QueryInterface on that IUnknown pointer to get an IEnumVARIANT interface. Use the IEnumVARIANT::Next method to enumerate the ACEs in the ACL. Each ACE is returned as a VARIANT that contains an IDispatch pointer; be aware that the vt member is VT_DISPATCH. Call QueryInterface on that IDispatch pointer to get an IADsAccessControlEntry interface for the ACE. Use the IADsAccessControlEntry interface methods to set or get the components of an ACE.
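The same retrieval done from PowerShell, as an added example that is not part of the original page: it goes through the ADSI COM objects the text describes (the IADsSecurityDescriptor returned for nTSecurityDescriptor, its SystemAcl as an IADsAccessControlList, and each enumerated entry as an IADsAccessControlEntry), so a SACL can be reviewed without a C++ build. The distinguished name is a placeholder, and the script assumes an elevated session on a domain-joined host whose account holds SE_SECURITY_NAME.

```powershell
# Added example (not from the original page). Reads and lists the SACL of one
# Active Directory object via the ADSI COM interfaces (IADsSecurityDescriptor,
# IADsAccessControlList, IADsAccessControlEntry). Replace the placeholder DN.
param(
    [string]$DistinguishedName = 'CN=PLACEHOLDER,OU=PLACEHOLDER,DC=example,DC=com'
)

# By default ADSI fetches only owner, group and DACL. Ask for the SACL explicitly;
# the domain controller honours this only if the caller holds SE_SECURITY_NAME.
$entry = [ADSI]"LDAP://$DistinguishedName"
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

# InvokeGet returns the IADsSecurityDescriptor COM object; SystemAcl is its
# IADsAccessControlList (what get_SystemAcl hands back in C++).
$sd   = $entry.psbase.InvokeGet('nTSecurityDescriptor')
$sacl = $sd.SystemAcl
if ($null -eq $sacl) {
    Write-Warning 'No SACL returned: privilege not held/enabled, or the SACL is empty.'
    return
}

# ADS_ACETYPE_* and ADS_ACEFLAG_* values as defined in the ADSI headers (iads.h).
$AceTypeNames      = @{ 2 = 'SYSTEM_AUDIT'; 7 = 'SYSTEM_AUDIT_OBJECT' }
$SUCCESSFUL_ACCESS = 0x40   # ADS_ACEFLAG_SUCCESSFUL_ACCESS
$FAILED_ACCESS     = 0x80   # ADS_ACEFLAG_FAILED_ACCESS

# Enumerating the list yields one IADsAccessControlEntry per ACE (the COM
# _NewEnum / IEnumVARIANT walk described above, done by PowerShell's foreach).
foreach ($ace in $sacl) {
    $audit = @()
    if ($ace.AceFlags -band $SUCCESSFUL_ACCESS) { $audit += 'Success' }
    if ($ace.AceFlags -band $FAILED_ACCESS)     { $audit += 'Failure' }
    $typeCode = [int]$ace.AceType
    [PSCustomObject]@{
        Trustee    = $ace.Trustee
        AceType    = if ($AceTypeNames.ContainsKey($typeCode)) { $AceTypeNames[$typeCode] } else { $typeCode }
        AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        Audit      = ($audit -join ',')
        # Non-empty only for object-specific ACEs: the GUID of the audited
        # property set, property, or extended right.
        ObjectType = $ace.ObjectType
    }
}
```

An ACE whose Audit column is empty never produces an event, so a review of the output should flag audit entries with neither flag set as well as sensitive objects with no SACL at all.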

For more information about SACLs, see: