The IADsAccessControlEntry interface is a dual interface that enables directory clients to access and manipulate individual access-control entries (ACEs) of the owning object. An ACE stipulates who can access the object and what type of access granted and specifies whether the access control settings can be propagated from the object to any of its children. An ACE exposes a set of properties through this interface to provide such services.
An object can have a number of ACEs, one for each client or a group of clients. ACEs are maintained in an access-control list (ACL) which implements the IADsAccessControlList interface. That is, a client must use an ACL to access an ACE. To access the ACL, retrieve the security descriptor of the object that implements the IADsSecurityDescriptor interface. The following procedures describe how to manage access controls over an ADSI object.
Some of the IADsAccessControlEntry property values, such as AccessMask and AceFlags, will be different for different object types. For example, an Active Directory object will use the ADS_RIGHT_GENERIC_READ member of the ADS_RIGHTS_ENUM enumeration for the IADsAccessControlEntry.AccessMask property, but the equivalent access right for a file object is FILE_GENERIC_READ. It is not safe to assume that all property values will be the same for Active Directory objects and non-Active Directory objects. For more information, see Security Descriptors on Files and Registry Keys.
To managing access controls over an ADSI object
- Retrieve the security descriptor for the object that implements the IADsSecurityDescriptor interface.
- Retrieve the ACL from the security descriptor.
- Work with the ACE, or ACEs, of the object in the ACL.
To set a new or modified ACE as persistent
- Add the ACE to the ACL.
- Assign the ACL to the security descriptor.
- Commit the security descriptor to the directory store.
The IADsAccessControlEntry interface inherits from the IDispatch interface.
The IADsAccessControlEntry interface has these methods.
|Minimum supported client||Windows Vista|
|Minimum supported server||Windows Server 2008|