5.1.3.2 Access Rights

The following diagram specifies access rights that can be assigned to or requested for an Active Directory object. The access mask in an ACE contains a combination of these values. Bit 0 is the most significant bit of the 32-bit mask and bit 31 the least significant.

Bit      Value         Right
0        0x80000000    GR
1        0x40000000    GW
2        0x20000000    GX
3        0x10000000    GA
4-11     0x0FF00000    X (ignored)
12       0x00080000    WO
13       0x00040000    WD
14       0x00020000    RC
15       0x00010000    DE
16-22    0x0000FE00    X (ignored)
23       0x00000100    CR
24       0x00000080    LO
25       0x00000040    DT
26       0x00000020    WP
27       0x00000010    RP
28       0x00000008    VW
29       0x00000004    LC
30       0x00000002    DC
31       0x00000001    CC

Note The values are presented in big-endian byte order.

CC (RIGHT_DS_CREATE_CHILD, 0x00000001): The right to create child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies the objectClass of child object whose creation is controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object classes allowed by the schema.

DC (RIGHT_DS_DELETE_CHILD, 0x00000002): The right to delete child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies the objectClass of the child object whose deletion is controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object classes.

LC (RIGHT_DS_LIST_CONTENTS, 0x00000004): The right to list child objects of this object. For more information about this right, see section 3.1.1.4.

VW (RIGHT_DS_WRITE_PROPERTY_EXTENDED, 0x00000008): The right to perform an operation controlled by a validated write access right. The ObjectType member of an ACE can contain a GUID that identifies the validated write. If ObjectType does not contain a GUID, the ACE controls the rights to perform all validated write operations associated with the object. For a list of validated write rights, see section 5.1.3.2.2. For specifics of validated write processing, see the Modify operation in section 3.1.1.5.3.

RP (RIGHT_DS_READ_PROPERTY, 0x00000010): The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or an attribute. If ObjectType does not contain a GUID, the ACE controls the right to read all attributes of the object.

WP (RIGHT_DS_WRITE_PROPERTY, 0x00000020): The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or an attribute. If ObjectType does not contain a GUID, the ACE controls the right to write all attributes of the object.

DT (RIGHT_DS_DELETE_TREE, 0x00000040): The right to perform a Delete-Tree operation on this object. See the Delete operation in section 3.1.1.5.5 for more details.

LO (RIGHT_DS_LIST_OBJECT, 0x00000080): The right to list a particular object. If the user is not granted this right, and the user is not granted the RIGHT_DS_LIST_CONTENTS right on the object's parent, the object is hidden from the user. Note that LIST_OBJECT rights are not enforced by Active Directory by default. In order to enable LIST_OBJECT enforcement, the fDoListObject heuristic of the dSHeuristics attribute (see section 6.1.1.2.4.1.2) MUST be TRUE.

CR (RIGHT_DS_CONTROL_ACCESS, 0x00000100): The right to perform an operation controlled by a control access right. The ObjectType member of an ACE can contain a GUID that identifies the control access right. If ObjectType does not contain a GUID, the ACE controls the right to perform all control access right controlled operations associated with the object. For a list of control access rights, see section 5.1.3.2.1.

DE (RIGHT_DELETE, 0x00010000): The right to delete the object.

RC (RIGHT_READ_CONTROL, 0x00020000): The right to read data from the security descriptor of the object, not including the data in the SACL.

WD (RIGHT_WRITE_DAC, 0x00040000): The right to modify the DACL in the object security descriptor.

WO (RIGHT_WRITE_OWNER, 0x00080000): The right to modify the owner of an object in the object's security descriptor. A user can only take ownership of an object, but cannot transfer ownership of an object to other users.

GA (RIGHT_GENERIC_ALL, 0x10000000): The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and perform the operations controlled by control access rights (CR) and validated writes (VW).

GX (RIGHT_GENERIC_EXECUTE, 0x20000000): The right to read permissions on, and list the contents of, a container object.

GW (RIGHT_GENERIC_WRITE, 0x40000000): The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.

GR (RIGHT_GENERIC_READ, 0x80000000): The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container.

X: Ignored. These bits are ignored in Active Directory DACLs.

The four generic rights are presented, along with the specific access rights which they represent. The mapping for access to objects in Active Directory is as follows:

GR = (RC | LC | RP | LO)

GW = (RC | WP | VW)

GX = (RC | LC)

GA = (DE | RC | WD | WO | CC | DC | DT | RP | WP | LC | LO | CR | VW)

Note that the preceding "GENERIC" access mask bits are never stored in Active Directory security descriptor values. They can be present in an SD value sent by a user in an add or modify request. When the SD value is stored in the database, the GENERIC access bits are mapped according to the specific access rights that they represent, using the mapping described above. See section 6.1.3 and [MS-DTYP] section 2.4.3 for more information.
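As an added example (not code from MS-ADTS), the following Python decodes an access mask with the values defined in this section, drops the ignored X bits, expands the GENERIC bits into the specific rights exactly as the mapping above says the DC does before storing a security descriptor, and applies the ObjectType rule from the right definitions: no GUID means the ACE covers every child class, attribute, validated write or control access right, while a GUID narrows it to that one. The Ace type, the function names and the two sample GUIDs are assumptions made for illustration; deny ACEs, inheritance flags, property-set membership and the ordering rules of a full access check are deliberately not modelled.

```python
"""Added example, not code from MS-ADTS: decode and normalise Active Directory
access masks using the values in section 5.1.3.2."""
from dataclasses import dataclass
from enum import IntFlag
from typing import List, Optional
import uuid


class DsRights(IntFlag):
    CC = 0x00000001  # RIGHT_DS_CREATE_CHILD
    DC = 0x00000002  # RIGHT_DS_DELETE_CHILD
    LC = 0x00000004  # RIGHT_DS_LIST_CONTENTS
    VW = 0x00000008  # RIGHT_DS_WRITE_PROPERTY_EXTENDED (validated write)
    RP = 0x00000010  # RIGHT_DS_READ_PROPERTY
    WP = 0x00000020  # RIGHT_DS_WRITE_PROPERTY
    DT = 0x00000040  # RIGHT_DS_DELETE_TREE
    LO = 0x00000080  # RIGHT_DS_LIST_OBJECT
    CR = 0x00000100  # RIGHT_DS_CONTROL_ACCESS
    DE = 0x00010000  # RIGHT_DELETE
    RC = 0x00020000  # RIGHT_READ_CONTROL
    WD = 0x00040000  # RIGHT_WRITE_DAC
    WO = 0x00080000  # RIGHT_WRITE_OWNER
    GA = 0x10000000  # RIGHT_GENERIC_ALL
    GX = 0x20000000  # RIGHT_GENERIC_EXECUTE
    GW = 0x40000000  # RIGHT_GENERIC_WRITE
    GR = 0x80000000  # RIGHT_GENERIC_READ


# Every bit the section defines; all other bits are the "X" bits AD ignores.
VALID_MASK = 0xF00F01FF
GENERIC_BITS = int(DsRights.GA | DsRights.GX | DsRights.GW | DsRights.GR)

# Generic-to-specific mapping from the section; the DC applies this on store.
GENERIC_MAP = {
    DsRights.GR: DsRights.RC | DsRights.LC | DsRights.RP | DsRights.LO,
    DsRights.GW: DsRights.RC | DsRights.WP | DsRights.VW,
    DsRights.GX: DsRights.RC | DsRights.LC,
    DsRights.GA: (DsRights.DE | DsRights.RC | DsRights.WD | DsRights.WO
                  | DsRights.CC | DsRights.DC | DsRights.DT | DsRights.RP
                  | DsRights.WP | DsRights.LC | DsRights.LO | DsRights.CR
                  | DsRights.VW),
}

# Rights whose scope an ObjectType GUID narrows (CC, DC, VW, RP, WP, CR).
OBJECT_SCOPED = int(DsRights.CC | DsRights.DC | DsRights.VW
                    | DsRights.RP | DsRights.WP | DsRights.CR)

# Constructed sample GUIDs standing in for two control access rights; they are
# placeholders for this example, not identifiers from the schema.
SAMPLE_RIGHT_A = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_RIGHT_B = uuid.UUID("00000000-0000-0000-0000-000000000002")


def map_generic(mask: int) -> int:
    """Return the mask as AD would store it: ignored bits dropped and each
    GENERIC bit replaced by the specific rights it stands for."""
    mask &= VALID_MASK
    out = mask & ~GENERIC_BITS
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            out |= int(specific)
    return out


def decode(mask: int) -> List[str]:
    """Two-letter names of the rights set in `mask`, most significant first."""
    mask &= VALID_MASK
    return [r.name for r in sorted(DsRights, key=lambda r: -r.value)
            if mask & r.value]


@dataclass(frozen=True)
class Ace:
    """Minimal allow-ACE model (assumed for this example): the access mask and
    the optional ObjectType GUID. None means no GUID is present."""
    mask: int
    object_type: Optional[uuid.UUID] = None


def ace_grants(ace: Ace, right: DsRights,
               target: Optional[uuid.UUID] = None) -> bool:
    """Does `ace` grant `right`? For the ObjectType-scoped rights, `target`
    names the child class / attribute / validated write / control access
    right being requested (None = "all of them"). A GUID in the ACE limits
    it to exactly that target; an ACE without a GUID covers all targets."""
    if not map_generic(ace.mask) & int(right):
        return False
    if int(right) & OBJECT_SCOPED and ace.object_type is not None:
        return target == ace.object_type
    return True


if __name__ == "__main__":
    # Constructed sample: GENERIC_WRITE plus some ignored bits set by a client.
    submitted = int(DsRights.GW) | 0x0FF00000
    print(decode(submitted), "->", decode(map_generic(submitted)))
```

Running the block shows a submitted GW mask with stray ignored bits becoming plain RC | WP | VW, which is what a reader of the stored nTSecurityDescriptor will actually see; tooling that greps stored DACLs for GENERIC_ALL therefore finds nothing and must look for the expanded specific bits instead.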