3.1.1.4.5.5 allowedChildClassesEffective

The allowedChildClassesEffective attribute has different behavior on AD DS and AD LDS.

If the DC is running as AD LDS, then let fAllowPrincipals equal TRUE if the value of the ADAMAllowADAMSecurityPrincipalsInConfigPartition configuration setting (section 3.1.1.3.4.7) is 1, FALSE otherwise. If the ADAMAllowADAMSecurityPrincipalsInConfigPartition configuration setting is not supported, then let fAllowPrincipals = FALSE.

Let TO be the object from which the allowedChildClassesEffective attribute is being read.

TO!allowedChildClassesEffective contains each object class O in TO!allowedChildClasses such that:

  • (
    (TO!nTSecurityDescriptor grants RIGHT_DS_CREATE_CHILD via a simple ACE to the client for instantiating an object beneath TO)
    or
    (TO!nTSecurityDescriptor grants RIGHT_DS_CREATE_CHILD via an object-specific ACE to the client for instantiating an object of class O beneath TO)
    )

  • and (fAllowPrincipals or (not TO!distinguishedName in config NC) or (not SPC(O)))

  • and (fAllowPrincipals or (not TO!distinguishedName in schema NC) or (not SPC(O)))

Simple ACEs and object-specific ACEs are discussed in section 5.1.3.
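The following Python model walks through the three conjuncts above for a set of sample clients. It is an added illustration, not code from the specification or from any AD implementation. It assumes a simplified access check (the first ACE in the DACL that names one of the client's SIDs, carries RIGHT_DS_CREATE_CHILD and is either a simple ACE or an object-specific ACE for the class decides, with an earlier deny winning), takes the result of SPC(O) as a per-class flag rather than computing it, uses the Windows SDK value 0x1 for ADS_RIGHT_DS_CREATE_CHILD, and uses constructed SIDs, GUIDs and DNs throughout.

```python
"""Model of the allowedChildClassesEffective computation (MS-ADTS 3.1.1.4.5.5).

Illustrative only: the access check is a simplified first-applicable-ACE walk over
the DACL, not the full algorithm referenced in section 5.1.3. Every SID, GUID,
DN and class flag below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import List, Optional

# ADS_RIGHT_DS_CREATE_CHILD access-mask bit (Windows SDK value).
RIGHT_DS_CREATE_CHILD = 0x00000001


@dataclass(frozen=True)
class Ace:
    trustee: str                        # SID the ACE applies to
    allow: bool                         # True = allowed ACE, False = denied ACE
    mask: int                           # access mask
    object_type: Optional[str] = None   # None = simple ACE; a class GUID = object-specific ACE


@dataclass(frozen=True)
class ObjectClass:
    name: str
    schema_id_guid: str                 # schemaIDGUID of the class
    spc: bool                           # assumed result of SPC(O), supplied rather than computed


@dataclass
class DirectoryObject:
    """TO: the object from which allowedChildClassesEffective is read."""
    dn: str
    dacl: List[Ace]                     # ordered DACL of TO!nTSecurityDescriptor
    allowed_child_classes: List[ObjectClass]   # TO!allowedChildClasses
    in_config_nc: bool                  # TO!distinguishedName lies in the config NC
    in_schema_nc: bool                  # TO!distinguishedName lies in the schema NC


def create_child_granted(dacl, client_sids, class_guid):
    """Simplified check for the first conjunct.

    Returns 'simple' or 'object-specific' naming the kind of ACE that granted
    RIGHT_DS_CREATE_CHILD for the class, or None when nothing grants it. An ACE
    applies when it names a client SID, carries the right, and is either simple
    or object-specific for class_guid; the first applicable ACE decides.
    """
    for ace in dacl:
        if ace.trustee not in client_sids or not (ace.mask & RIGHT_DS_CREATE_CHILD):
            continue
        if ace.object_type not in (None, class_guid):
            continue
        if not ace.allow:
            return None                 # an earlier deny defeats both branches of the "or"
        return "simple" if ace.object_type is None else "object-specific"
    return None


def allowed_child_classes_effective(to, client_sids, f_allow_principals):
    """TO!allowedChildClassesEffective for the given client (list of class names)."""
    effective = []
    for o in to.allowed_child_classes:
        # Conjunct 1: a simple or object-specific ACE grants CREATE_CHILD for class O.
        if create_child_granted(to.dacl, client_sids, o.schema_id_guid) is None:
            continue
        # Conjuncts 2 and 3: security principal classes are excluded in the config
        # and schema NCs unless fAllowPrincipals is TRUE.
        if not (f_allow_principals or not to.in_config_nc or not o.spc):
            continue
        if not (f_allow_principals or not to.in_schema_nc or not o.spc):
            continue
        effective.append(o.name)
    return effective


# Constructed sample classes, SIDs and DACL (none of these are real directory values).
USER = ObjectClass("user", "guid-user", spc=True)
GROUP = ObjectClass("group", "guid-group", spc=True)
CONTAINER = ObjectClass("container", "guid-container", spc=False)
CONTACT = ObjectClass("contact", "guid-contact", spc=False)

ADMINS = "S-1-5-21-1-2-3-512"       # simple allow ACE: may create any child class
HELPDESK = "S-1-5-21-1-2-3-1104"    # object-specific allow ACE for the user class only
BLOCKED = "S-1-5-21-1-2-3-1105"     # explicit deny listed first, later allow never reached


def sample_object(in_config_nc):
    dacl = [
        Ace(BLOCKED, allow=False, mask=RIGHT_DS_CREATE_CHILD),
        Ace(ADMINS, allow=True, mask=RIGHT_DS_CREATE_CHILD),
        Ace(HELPDESK, allow=True, mask=RIGHT_DS_CREATE_CHILD, object_type="guid-user"),
        Ace(BLOCKED, allow=True, mask=RIGHT_DS_CREATE_CHILD),
    ]
    dn = "CN=Sample,CN=Configuration,DC=example" if in_config_nc else "CN=Sample,DC=example"
    return DirectoryObject(dn, dacl, [USER, GROUP, CONTAINER, CONTACT],
                           in_config_nc=in_config_nc, in_schema_nc=False)


if __name__ == "__main__":
    for label, to, sids, f in [
        ("admins, domain NC", sample_object(False), {ADMINS}, False),
        ("admins, config NC, fAllowPrincipals=FALSE", sample_object(True), {ADMINS}, False),
        ("admins, config NC, fAllowPrincipals=TRUE", sample_object(True), {ADMINS}, True),
        ("helpdesk, config NC, fAllowPrincipals=FALSE", sample_object(True), {HELPDESK}, False),
        ("blocked, domain NC", sample_object(False), {BLOCKED}, False),
    ]:
        print(f"{label}: {allowed_child_classes_effective(to, sids, f)}")
```

Running the script shows the effect of each conjunct in turn: the same DACL yields all four classes in the domain NC but only the non-principal classes (container, contact) in the config NC when fAllowPrincipals is FALSE, the object-specific grant for HELPDESK collapses to nothing in the config NC for the same reason, and the early deny for BLOCKED makes the later allow irrelevant.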