Directory Services

Setting Rights to Specific Types of Objects

To set an ACE that can be inherited only by a specific class of objects, you must do the following.

Important  You must set ADS_ACEFLAG_INHERIT_ACE to cause the ACE to be inherited. In addition, you must set ADS_ACEFLAG_INHERIT_ONLY_ACE if the object type this ACE applies to does not match the object type of the container where the ACE is specified. If this is not done, the ACE will also become effective on the container and can grant unexpected rights.

For C++ and Visual Basic additional sample code for setting this kind of ACE, see: