3.1.4.21.5 Directory Service Object Access Control
Each directory service object has an associated access control list (ACL) in the directory service. The ACL is generally assigned by the directory service, but can also be assigned by the user. These ACLs are generally mutable.
Unlike other object properties, the ACLs are not retrievable or settable by a property identifier in the protocol. Instead, they are retrieved or set through dedicated RPC methods.