Directory Services

Setting Rights to Specific Properties of Specific Types of Objects

Property-specific permissions can be combined with object-specific inheritance to provide very powerful and granular delegation of administration. You can set a property-specific, object-inheritable ACE that allows a specified user or group to read and/or write one attribute on one class of child objects in a container. For example, you could set an ACE on an organizational unit that allows a group to read and write the telephone number attribute of all user objects in that organizational unit, and nothing else.

To set property-specific object-inheritable ACEs:

Important: You must set ADS_ACEFLAG_INHERIT_ACE to cause the ACE to be inherited. In addition, you must set ADS_ACEFLAG_INHERIT_ONLY_ACE if the object type this ACE applies to does not match the object type of the container where the ACE is specified. If this is not done, the ACE will also become effective on the container itself and can grant unexpected rights.
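The following PowerShell script is an added example, not one of the C++ or Visual Basic samples the page refers to. It uses the .NET System.DirectoryServices classes rather than the ADSI COM interfaces to set the ACE described above: the telephoneNumber attribute on user objects under an OU. ActiveDirectorySecurityInheritance.Descendents maps to CONTAINER_INHERIT_ACE combined with INHERIT_ONLY_ACE, which is the flag pair the note above requires when the ACE targets a class (user) different from the container's class (organizationalUnit). The OU distinguished name and group name are placeholders; the schemaIDGUID values are looked up from the schema rather than hard-coded, and the script checks the inherit-only flag before committing.

```powershell
# Added example (not the page's sample code): grant a group read/write on the
# telephoneNumber attribute of all user objects under an OU, as a
# property-specific, object-inheritable, inherit-only ACE.
# Assumptions: domain-joined Windows host, caller has rights to modify the
# OU's security descriptor; $OuDn and $GroupName are placeholders.
param(
    [string]$OuDn      = 'OU=Staff,DC=example,DC=com',   # placeholder
    [string]$GroupName = 'EXAMPLE\HelpDesk'               # placeholder
)

Add-Type -AssemblyName System.DirectoryServices

# Resolve the schemaIDGUID of an attribute or class from its ldapDisplayName
# instead of hard-coding GUIDs.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter     = "(ldapDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Schema object '$LdapDisplayName' not found" }
    return [Guid]$result.Properties['schemaIDGUID'][0]
}

# Returns $true only if the rule is container-inheritable AND inherit-only,
# i.e. it will apply to matching children but not to the container itself.
function Test-InheritOnlyRule {
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $containerInherit = ($Rule.InheritanceFlags -band
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) -ne 0
    $inheritOnly = ($Rule.PropagationFlags -band
        [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
    return ($containerInherit -and $inheritOnly)
}

$telephoneNumberGuid = Get-SchemaIdGuid -LdapDisplayName 'telephoneNumber'
$userClassGuid       = Get-SchemaIdGuid -LdapDisplayName 'user'

$ou       = [ADSI]"LDAP://$OuDn"
$identity = New-Object System.Security.Principal.NTAccount($GroupName)

# ReadProperty | WriteProperty restricted to one attribute (ObjectType =
# telephoneNumber) and inherited only by objects of class user
# (InheritedObjectType = user). Descendents = CONTAINER_INHERIT | INHERIT_ONLY,
# so the OU itself gains no rights from this ACE.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $telephoneNumberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

# Guard against the failure mode in the text: an ACE that would also be
# effective on the container.
if (-not (Test-InheritOnlyRule -Rule $rule)) {
    throw 'Refusing to apply: ACE must be container-inheritable and inherit-only'
}

$ou.psbase.ObjectSecurity.AddAccessRule($rule)
$ou.psbase.CommitChanges()

# Verify what was written: explicit (non-inherited) ACEs on the OU for the group.
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference -eq $identity } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceFlags, PropagationFlags
```

The final query is the check worth keeping in any delegation script: the returned rule should show ActiveDirectoryRights of ReadProperty, WriteProperty, ObjectType equal to the telephoneNumber GUID, InheritedObjectType equal to the user class GUID, InheritanceFlags ContainerInherit and PropagationFlags InheritOnly. If PropagationFlags comes back as None, the ACE is also effective on the OU, which is exactly the unintended grant the note warns about.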

For C++ and Visual Basic sample code for setting this kind of ACE, see: