Controlling Access to an Object's Properties

[This is preliminary documentation and subject to change.]

The DACL of a directory service (DS) object can contain a hierarchy of ACEs, as follows:

  1. ACEs that protect the object itself
  2. Object-specific ACEs that protect a specified property set on the object
  3. Object-specific ACEs that protect a specified property on the object

Within this hierarchy, the rights granted or denied at a higher level also apply to the lower levels. For example, if an object-specific ACE on a property set grants a trustee the DS_READ_PROPERTY right, the trustee has implicit read access to all the properties of that property set. Similarly, an ACE on the object itself that grants DS_READ_PROPERTY access gives the trustee read access to all of the object's properties.

The following illustration shows the tree of a hypothetical DS object and its property sets and properties.

Suppose you want to allow the following access to the properties of this DS object:

To do this, set the ACEs in the object's DACL as shown in the following table.


Trustee   Object GUID     ACE Type                   Provider-Independent Access Rights
Group A   None            Access-allowed ACE         ACTRL_DS_READ_PROP | ACTRL_DS_WRITE_PROP
Everyone  Property Set 1  Access-allowed object ACE  ACTRL_DS_READ_PROP | ACTRL_DS_WRITE_PROP
Everyone  Property C      Access-allowed object ACE  ACTRL_DS_READ_PROP | ACTRL_DS_WRITE_PROP

The ACE for Group A does not have an object GUID, which means that it allows access to all the object's properties. The object-specific ACE for Property Set 1 allows everyone access to Properties A and B. The other object-specific ACE allows everyone access to Property C. Note that although this DACL does not have any access-denied ACEs, it implicitly denies Property D access to everyone except Group A.

When a user tries to access an object's property, the system checks the ACEs in order until the requested access is explicitly granted or explicitly denied, or until there are no more ACEs, in which case access is implicitly denied. The system evaluates:

The system ignores object-specific ACEs that apply to other property sets or properties.
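To make the evaluation rules above concrete, here is an added Python model of the check. It is not Windows code and not part of this documentation; it simulates the ordered walk over the DACL, the object / property set / property hierarchy, and implicit denial, using the hypothetical object from the table. The assumption that Property Set 1 contains Properties A and B (and that Properties C and D belong to no set) is taken from the text; the numeric flag values, the `Ace` class and the function names are constructed for the model. The model also goes one step beyond the page's DACL by handling an access-denied ACE, so the "explicitly denied" branch can be exercised.

```python
"""Simplified model of DS property access checking (added example, not Windows code)."""
from dataclasses import dataclass
from typing import Optional

# Provider-independent DS rights. The numeric values are constructed for this
# model; they are not the real ACTRL_DS_* constants.
ACTRL_DS_READ_PROP = 0x1
ACTRL_DS_WRITE_PROP = 0x2

# Hypothetical object layout from the page: Property Set 1 holds Properties A
# and B; Properties C and D are not members of any property set (assumption).
PROPERTY_SETS = {"Property Set 1": {"Property A", "Property B"}}


@dataclass
class Ace:
    trustee: str                      # user or group the ACE applies to
    allow: bool                       # True = access-allowed, False = access-denied
    rights: int                       # mask of ACTRL_DS_* rights
    object_guid: Optional[str] = None  # None = ACE protects the object itself


def ace_applies(ace: Ace, prop: str) -> bool:
    """An ACE with no object GUID covers every property of the object.
    An object-specific ACE covers the named property, or every property of the
    named property set. ACEs for other sets or properties are ignored."""
    if ace.object_guid is None:
        return True
    if ace.object_guid == prop:
        return True
    return prop in PROPERTY_SETS.get(ace.object_guid, set())


def check_access(dacl: list, principal_groups: set, prop: str, desired: int) -> bool:
    """Walk the DACL in order. Stop as soon as an applicable ACE explicitly
    denies any still-requested right, or as soon as allowed ACEs have covered
    every requested right. Reaching the end of the list is an implicit deny."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in principal_groups or not ace_applies(ace, prop):
            continue  # wrong trustee, or ACE scoped to another set/property
        if not ace.allow:
            if ace.rights & remaining:
                return False  # explicit deny
        else:
            remaining &= ~ace.rights
            if remaining == 0:
                return True   # explicit grant of everything requested
    return False              # no more ACEs: implicit deny


# The DACL from the page's table (constructed data, ordered as listed).
DACL = [
    Ace("Group A", True, ACTRL_DS_READ_PROP | ACTRL_DS_WRITE_PROP),
    Ace("Everyone", True, ACTRL_DS_READ_PROP | ACTRL_DS_WRITE_PROP, "Property Set 1"),
    Ace("Everyone", True, ACTRL_DS_READ_PROP | ACTRL_DS_WRITE_PROP, "Property C"),
]


def evaluate_page_example() -> dict:
    """Return the outcome for each property for a member of Everyone only and
    for a member of Group A, mirroring the page's discussion of Property D."""
    everyone = {"Everyone"}
    group_a = {"Everyone", "Group A"}
    props = ["Property A", "Property B", "Property C", "Property D"]
    return {
        "everyone_read": {p: check_access(DACL, everyone, p, ACTRL_DS_READ_PROP) for p in props},
        "group_a_write": {p: check_access(DACL, group_a, p, ACTRL_DS_WRITE_PROP) for p in props},
    }


if __name__ == "__main__":
    for who, results in evaluate_page_example().items():
        for prop, granted in results.items():
            print(f"{who:14s} {prop}: {'allowed' if granted else 'denied'}")
```

Run as a script, the model reports that a trustee who is only a member of Everyone reaches Properties A, B and C but is implicitly denied Property D, while a member of Group A reaches every property through the ACE that has no object GUID. Placing an access-denied ACE ahead of the allow ACEs (the canonical order) lets the model show the explicit-deny path as well.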