Directory Services

Setting a Control Access Right ACE in an Object's ACL

Using ADSI, you set a control access right ACE just as you would a property-specific ACE, except that the ObjectType field of the ACE is the rightsGUID of the control access right. Be aware that you can also use the Win32 security APIs to set ACLs on directory objects.

For control access rights, set properties for the ACE as described in the following table.

| Property | Description |
|---|---|
| AccessMask | For control access rights that control extended rights access to special operations, AccessMask must contain the ADS_RIGHT_DS_CONTROL_ACCESS flag. For control access rights that define a property set, AccessMask contains ADS_RIGHT_DS_READ_PROP and/or ADS_RIGHT_DS_WRITE_PROP. For control access rights that control validated writes, AccessMask contains ADS_RIGHT_DS_SELF. |
| Flags | This value must include the ADS_FLAG_OBJECT_TYPE_PRESENT flag. |
| ObjectType | This value must be the StringFromGUID2 format of the rightsGUID property of the control access right. Be aware that, in an ACE, the GUID string must include the starting and terminating curly braces even though the rightsGUID property of the controlAccessRight object does not include the curly braces. |
| AceType | Either ADS_ACETYPE_ACCESS_ALLOWED_OBJECT to grant the trustee the access control right or ADS_ACETYPE_ACCESS_DENIED_OBJECT to deny the trustee the access control right. |
| Trustee | The security principal (user, group, computer, and so on) to which the ACE applies. |
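
The following added example (not part of the original documentation) checks a set of ACE property values against the rules in the table above before they are written to a directory object, and converts a rightsGUID to the braced form that ObjectType requires. The dictionary representation of the ACE, the function names, the kind labels, and the sample GUID and trustee are assumptions made for illustration; the numeric constants are the values of the ADSI enumerations named in the table.

```python
import re
import uuid

# Numeric values of the ADSI constants named in the table above.
ADS_RIGHT_DS_SELF = 0x8
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6
# AccessMask bits the table requires for each kind of control access right.
REQUIRED_MASK = {
    "extended_right": ADS_RIGHT_DS_CONTROL_ACCESS,
    "property_set": ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP,
    "validated_write": ADS_RIGHT_DS_SELF,
}
# ObjectType must be a GUID string wrapped in curly braces.
BRACED_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def object_type_from_rights_guid(rights_guid):
    """Turn a rightsGUID value (stored without braces) into the braced ACE form."""
    return "{%s}" % str(uuid.UUID(rights_guid.strip("{}"))).upper()

def check_ace(ace, kind):
    """Return the names of the ACE properties that break a rule in the table."""
    problems = []
    if not ace.get("AccessMask", 0) & REQUIRED_MASK[kind]:
        problems.append("AccessMask")
    if not ace.get("Flags", 0) & ADS_FLAG_OBJECT_TYPE_PRESENT:
        problems.append("Flags")
    if not BRACED_GUID.fullmatch(ace.get("ObjectType", "")):
        problems.append("ObjectType")
    if ace.get("AceType") not in (ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, ADS_ACETYPE_ACCESS_DENIED_OBJECT):
        problems.append("AceType")
    if not ace.get("Trustee"):
        problems.append("Trustee")
    return problems

# Constructed sample values: placeholder GUID and trustee, not from a real directory.
SAMPLE_RIGHTS_GUID = "1a2b3c4d-1111-2222-3333-444455556666"
GOOD_ACE = {
    "AccessMask": ADS_RIGHT_DS_CONTROL_ACCESS,
    "Flags": ADS_FLAG_OBJECT_TYPE_PRESENT,
    "ObjectType": object_type_from_rights_guid(SAMPLE_RIGHTS_GUID),
    "AceType": ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, "Trustee": "EXAMPLE\\HelpDesk",
}
# Same ACE with the GUID copied straight from rightsGUID (no braces) and Flags unset.
BAD_ACE = dict(GOOD_ACE, ObjectType=SAMPLE_RIGHTS_GUID, Flags=0)
```

Calling `check_ace(BAD_ACE, "extended_right")` reports `Flags` and `ObjectType`, the two properties whose rules are broken by copying the GUID unmodified and leaving Flags unset.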

For more information about creating an ACE, see Setting Access Rights on an Object.

For more information and a code example for setting an ACE, see Example Code for Setting an ACE on a Directory Object.