Object-Specific ACEs

[This is preliminary documentation and subject to change.]

Windows NT version 5.0 supports object-specific ACEs for directory service (DS) objects. Object-specific ACEs contain the same trustee and access right information found in the older ACE types. They also contain two GUID structures, which hold globally unique identifiers (GUIDs) that identify types of objects. These GUIDs let an ACE control access to an individual property or property set on the object, and limit inheritance of the ACE to a specified type of child object, as the following table describes.

Windows NT version 5.0 supports three types of object-specific ACEs. System-alarm object ACEs are not currently supported.

Access-denied object ACE
    Windows NT 5.0 and later. Used in a DACL to deny a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_DENIED_OBJECT_ACE structure.

Access-allowed object ACE
    Windows NT 5.0 and later. Used in a DACL to allow a trustee access to a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the ACCESS_ALLOWED_OBJECT_ACE structure.

System-audit object ACE
    Windows NT 5.0 and later. Used in a SACL to log a trustee's attempts to access a property or property set on the object, or to limit ACE inheritance to a specified type of child object. Uses the SYSTEM_AUDIT_OBJECT_ACE structure.

Any ACL that contains an object-specific ACE must use the revision ACL_REVISION_DS.
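The following is an added example, not code from the original documentation: a small, portable C decoder for the on-disk layout of an object-specific ACE (ACE header, access mask, Flags word, the two optional GUIDs, and the trustee SID), together with a check for the rule above that any ACL holding an object ACE must carry ACL_REVISION_DS. The ACE type codes, flag bits and revision numbers are the values from the released Win32 SDK headers and are assumed to match this preliminary documentation; the GUIDs, access mask and SID in the sample are constructed and do not refer to any real schema object or account. Such a decoder is useful when auditing a security descriptor read from a DS object without the Windows API at hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the released Win32 SDK headers (assumed to match this doc). */
#define ACL_REVISION                       2
#define ACL_REVISION_DS                    4
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE     0x05
#define ACCESS_DENIED_OBJECT_ACE_TYPE      0x06
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE       0x07
#define SYSTEM_ALARM_OBJECT_ACE_TYPE       0x08  /* listed here only so the ACL walk recognises it */
#define ACE_OBJECT_TYPE_PRESENT            0x1
#define ACE_INHERITED_OBJECT_TYPE_PRESENT  0x2

typedef struct {
    uint8_t  ace_type, ace_flags;
    uint16_t ace_size;
    uint32_t mask, flags;
    uint8_t  object_type[16];           /* valid only if flags & ACE_OBJECT_TYPE_PRESENT */
    uint8_t  inherited_object_type[16]; /* valid only if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT */
    char     sid[64];                   /* trustee rendered as "S-1-..." */
} object_ace_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Render a binary SID (revision, count, 48-bit big-endian authority, little-endian sub-authorities).
   Returns the number of bytes the SID occupies, or 0 if it is malformed or truncated. */
static size_t sid_to_string(const uint8_t *p, size_t len, char *out, size_t outlen) {
    if (len < 8 || p[0] != 1 || p[1] > 15) return 0;
    size_t need = 8 + 4 * (size_t)p[1];
    if (len < need) return 0;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | p[2 + i];
    int w = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (uint8_t i = 0; i < p[1]; i++) {
        if (w < 0 || (size_t)w >= outlen) return 0;
        w += snprintf(out + w, outlen - (size_t)w, "-%u", (unsigned)rd32(p + 8 + 4 * i));
    }
    return (w < 0 || (size_t)w >= outlen) ? 0 : need;
}

/* Decode one object-specific ACE (types 5..7 from the table above).
   Returns 1 on success, 0 if the buffer is truncated, inconsistent, or not an object ACE. */
int parse_object_ace(const uint8_t *buf, size_t len, object_ace_t *out) {
    if (len < 12) return 0;                      /* header(4) + Mask(4) + Flags(4) */
    memset(out, 0, sizeof *out);
    out->ace_type = buf[0]; out->ace_flags = buf[1]; out->ace_size = rd16(buf + 2);
    if (out->ace_size < 12 || out->ace_size > len) return 0;
    if (out->ace_type < ACCESS_ALLOWED_OBJECT_ACE_TYPE || out->ace_type > SYSTEM_AUDIT_OBJECT_ACE_TYPE) return 0;
    out->mask = rd32(buf + 4); out->flags = rd32(buf + 8);
    size_t off = 12;                             /* GUIDs are present only when their flag bit is set */
    if (out->flags & ACE_OBJECT_TYPE_PRESENT) {
        if (off + 16 > out->ace_size) return 0;
        memcpy(out->object_type, buf + off, 16); off += 16;
    }
    if (out->flags & ACE_INHERITED_OBJECT_TYPE_PRESENT) {
        if (off + 16 > out->ace_size) return 0;
        memcpy(out->inherited_object_type, buf + off, 16); off += 16;
    }
    return sid_to_string(buf + off, out->ace_size - off, out->sid, sizeof out->sid) != 0;
}

/* Walk an ACL (header: AclRevision, Sbz1, AclSize, AceCount, Sbz2) and enforce the rule that
   an ACL containing any object ACE must use ACL_REVISION_DS. Returns 1 if consistent. */
int acl_revision_is_consistent(const uint8_t *acl, size_t len) {
    if (len < 8) return 0;
    uint8_t revision = acl[0];
    uint16_t acl_size = rd16(acl + 2), count = rd16(acl + 4);
    if (acl_size > len) return 0;
    int has_object_ace = 0;
    size_t off = 8;
    for (uint16_t i = 0; i < count; i++) {
        if (off + 4 > acl_size) return 0;
        uint16_t size = rd16(acl + off + 2);
        if (size < 4 || off + size > acl_size) return 0;
        if (acl[off] >= ACCESS_ALLOWED_OBJECT_ACE_TYPE && acl[off] <= SYSTEM_ALARM_OBJECT_ACE_TYPE) has_object_ace = 1;
        off += size;
    }
    return has_object_ace ? revision == ACL_REVISION_DS : 1;
}

/* Constructed sample: one ACCESS_ALLOWED_OBJECT_ACE with both GUIDs and trustee S-1-5-21-1-2-3-1000.
   The GUID bytes and the mask value 0x10 are made up for the example. Returns the ACE size (72). */
size_t build_sample_object_ace(uint8_t *out) {
    static const uint8_t sid[28] = {1, 5, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 0xE8,0x03,0,0};
    out[0] = ACCESS_ALLOWED_OBJECT_ACE_TYPE; out[1] = 0;
    put16(out + 2, 72); put32(out + 4, 0x10);
    put32(out + 8, ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT);
    for (int i = 0; i < 16; i++) { out[12 + i] = (uint8_t)(0xA0 + i); out[28 + i] = (uint8_t)(0xB0 + i); }
    memcpy(out + 44, sid, sizeof sid);
    return 72;
}

/* Wrap the sample ACE in an ACL header with the given revision. Returns the ACL size. */
size_t build_sample_acl(uint8_t *out, uint8_t revision) {
    size_t ace_len = build_sample_object_ace(out + 8);
    out[0] = revision; out[1] = 0;
    put16(out + 2, (uint16_t)(8 + ace_len)); put16(out + 4, 1); put16(out + 6, 0);
    return 8 + ace_len;
}

int main(void) {
    uint8_t buf[128]; object_ace_t a;
    size_t n = build_sample_object_ace(buf);
    if (parse_object_ace(buf, n, &a))
        printf("type=0x%02x mask=0x%08x flags=0x%x trustee=%s\n", a.ace_type, a.mask, a.flags, a.sid);
    size_t m = build_sample_acl(buf, ACL_REVISION);
    printf("ACL with revision %d holding an object ACE is %s\n", ACL_REVISION,
           acl_revision_is_consistent(buf, m) ? "consistent" : "inconsistent (needs ACL_REVISION_DS)");
    return 0;
}
```

The parser reads fields by offset rather than casting the buffer to a struct, so it does not depend on the compiler's packing and rejects an ACE whose AceSize is shorter than the GUIDs its Flags word claims are present; that truncation check is the case most worth keeping when the bytes come from an untrusted source.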