Active Directory Provider::Get DACL
Returns the discretionary access control list (DACL) for the specified object. Used by Microsoft Provisioning Framework (MPF).
The following table describes the XML schema elements and attributes. Unless otherwise indicated, the data type is string.
Elements and Attributes

<ace>
Example fragment:
    <ace> <inheritance>3</inheritance> </ace>

<inheritance>
Values (flags may be combined):
| Value | Description |
| --- | --- |
| 0x0 | Default. This ACE will not be inherited by other objects. |
| 0x1 | Non-container objects contained by the primary object inherit the ACE. |
| 0x2 | Other containers contained by the primary object inherit the ACE. |
| 0x3 | Both containers and non-container objects contained by the primary object inherit the ACE. |
| 0x4 | The SUB_OBJECTS_ONLY_INHERIT and SUB_CONTAINERS_ONLY_INHERIT flags are not propagated to an inherited ACE. |
| 0x8 | The ACE does not apply to the primary object to which the DACL is attached, but objects contained by the primary object inherit the ACE. |
| 0x10 | The permission or restriction is inherited from the parent object. |
<mode>
Values:
| Value | Description |
| --- | --- |
| 2 | Indicates an ACCESS_ALLOWED_ACE that allows the specified rights. |
| 3 | Indicates an ACCESS_DENIED_ACE that denies the specified rights. |
<objectType>
Values (SE_OBJECT_TYPE):
| Value | Name | Description |
| --- | --- | --- |
| 0 | SE_UNKNOWN_OBJECT_TYPE | Unknown object type. |
| 1 | SE_FILE_OBJECT | A file or directory. The name string that identifies a file or directory object can be one of the following. |
| 2 | SE_SERVICE | A Microsoft Win32 service. A service object can be a local service, such as Servicename; or a remote service, such as \\Machinename\Servicename. |
| 3 | SE_PRINTER | A printer. A printer object can be a local printer, such as Printername; or a remote printer, such as \\Machinename\Printername. |
| 4 | SE_REGISTRY_KEY | A registry key. A registry key object can be in the local registry, such as CLASSES_ROOT\Somepath; or in a remote registry, such as \\Machinename\CLASSES_ROOT\Somepath. The names of registry keys must use the following literal strings to identify the predefined registry keys: CLASSES_ROOT, CURRENT_USER, MACHINE, and USERS. |
| 5 | SE_LMSHARE | A network share. A share object can be local, such as sharename; or remote, such as \\machinename\sharename. |
| 6 | SE_KERNEL_OBJECT | A local kernel object. The GetSecurityInfo and SetSecurityInfo functions support all types of kernel objects. The GetNamedSecurityInfo and SetNamedSecurityInfo functions work only with the following kernel objects: semaphore, event, mutex, waitable timer, and file mapping. |
| 7 | SE_WINDOW_OBJECT | A window station or desktop object on the local machine. You cannot use GetNamedSecurityInfo and SetNamedSecurityInfo with these objects because the names of window stations or desktops are not unique. |
| 8 | SE_DS_OBJECT | Microsoft Windows 2000: A directory service (DS) object, or a property set or property of a directory service object. The name string for a DS object can be a UNC name such as \\tailspintoys.com\ou1\ou2\Someobject. The name string can also be in X.500 form, such as "CN=someobject,OU=ou2,OU=ou1,DC=domain,DC=microsoft,DC=com,O=internet". |
| 9 | SE_DS_OBJECT_ALL | Windows 2000: A directory service object and all of its property sets and properties. |
| 10 | SE_PROVIDER_DEFINED_OBJECT | Windows 2000: A provider-defined object. |
| 11 | SE_WMIGUID_OBJECT | Windows 2000: A Windows Management Instrumentation (WMI) object. |
<permission>
Standard and generic permissions (ACCESS_MASK):
| Value | Description |
| --- | --- |
| 0x00020000 | Read access to the owner, group, and DACL of the security descriptor. |
| 0x00040000 | Write access to the DACL. |
| 0x00080000 | Write access to owner. |
| 0x00100000 | Windows NT or Windows 2000: Synchronize access. |
| 0x01000000 | Access system security (ACCESS_SYSTEM_SECURITY). This flag is not a typical access type. It is used to indicate access to a system access control list (SACL). This type of access requires the calling process to hold the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited. |
Active Directory permissions (ADS_RIGHTS_ENUM):
| Value | Description |
| --- | --- |
| 0x1 | The right to create children of the object. The ObjectType member of an ACE can contain a globally unique identifier (GUID) that identifies the type of child object whose creation is being controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types. |
| 0x2 | The right to delete children of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is being controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types. |
| 0x4 | The right to list children of this object. |
| 0x8 | The right to modify the group membership of a group object. |
| 0x10 | The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object's properties. |
| 0x20 | The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object's properties. |
| 0x40 | The right to delete all children of this object, regardless of the permission on the children. |
| 0x80 | The right to list an object. If the user is not granted such a right, the object is hidden from the user. |
| 0x100 | The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object. |
| 0x10000 | The right to delete the object. |
| 0x20000 | The right to read information from the security descriptor of the object, not including the information in the SACL. |
| 0x40000 | The right to modify the DACL in the object's security descriptor. |
| 0x80000 | The right to assume ownership of the object. The user must be a trustee of the object. The user cannot transfer the ownership to other users. |
| 0x100000 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. |
| 0x1000000 | The right to get or set the SACL in the object's security descriptor. |
| 0x80000000 | The right to read from the security descriptor, examine the object as well as its children, and read all properties. |
| 0x40000000 | The right to write all the properties and write to the DACL. The user can add and remove the object to and from the directory. |
| 0x20000000 | The right to list children of this object. |
| 0x10000000 | The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right. |
Registry key permissions:
| Value | Description |
| --- | --- |
| 0x0001 | Permission to query subkey data. |
| 0x0002 | Permission to set subkey data. |
| 0x0004 | Permission to create subkeys. |
| 0x0008 | Permission to enumerate subkeys. |
| 0x0010 | Permission for change notification. |
| 0x0020 | Permission to create a symbolic link. |
File system permissions:
| Value | Description |
| --- | --- |
| 0x0001 | Right to read data from the file. For a directory, the right to list the contents of the directory. |
| 0x0002 | Right to write data to the file. For a directory, the right to create a file in the directory. |
| 0x0004 | Right to append data to the file. For a directory, the right to create a subdirectory. |
| 0x0008 | Right to read extended attributes. |
| 0x0010 | Right to write extended attributes. |
| 0x0020 | Right to execute a program. |
| 0x0040 | For a directory, the right to delete a subdirectory. |
| 0x0080 | Right to read file attributes. |
| 0x0100 | Right to write file attributes. |
<trusteeForm>
Values:
| Value | Description |
| --- | --- |
| 0 | trustee is the security identifier (SID) of the trustee. |
| 1 | trustee is the name of the trustee. |
| 3 | trustee is the SID of the trustee. Returns objectTypeName and/or inheritedObjectTypeName. |
| 4 | trustee is the name of the trustee. Returns objectTypeName and/or inheritedObjectTypeName. |
<trusteeType>
Values:
| Value | Description |
| --- | --- |
| 0 | Trustee type is unknown, but not necessarily invalid. |
| 1 | Indicates a user. |
| 2 | Indicates a group. |
| 3 | Indicates an Active Directory domain. |
| 4 | Indicates an alias. |
| 5 | Indicates a well-known group. |
| 6 | Indicates a deleted account. |
| 7 | Indicates an invalid trustee type. |
| 8 | Indicates a computer. |
Request schema (element cardinalities shown as min..max):
    <executeData> 1..1
        <name> 1..1 </name>
        <objectType> 0..1 </objectType>
    </executeData>

Response schema:
    <executeData> 1..1
        <dacl> 0..1
            <ace> 0..unbounded
                <permission> 1..1 </permission>
                <mode> 1..1 </mode>
                <trusteeForm> 1..1 </trusteeForm>
                <trustee> 1..1 </trustee>
                <trusteeType> 1..1 </trusteeType>
                <inheritance> 1..1 </inheritance>
                <objectTypeName> 0..1 </objectTypeName>
                <inheritedObjectTypeName> 0..1 </inheritedObjectTypeName>
            </ace>
        </dacl>
    </executeData>
Example XML Request
The following code fragment shows the format for sending data to this procedure. For more information on individual elements and attributes, see the Elements and Attributes table.
Example XML Response
The following code fragment shows the format for data this procedure returns. For more information on individual elements and attributes, see the Elements and Attributes table.
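As an added example (not code from this page, from MPF or from the Active Directory provider), the Python below builds a request shaped after the request schema, parses a response constructed to match the response schema, and decodes each ACE's permission and inheritance bits using the value tables above. It then surfaces the allow ACEs that grant write DACL, write owner, generic write or generic all on the object itself, which is the first thing to check when reviewing the DACL of a provisioned directory object. Assumptions: the numeric elements are exchanged as decimal or 0x-prefixed hex text; the EXAMPLE domain, trustee names and helper names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Bit meanings taken from the page's value tables (ADS_RIGHTS_ENUM and the
# <inheritance> flags); the short labels are this example's own wording.
ADS_RIGHTS = {
    0x1: "create child", 0x2: "delete child", 0x4: "list children",
    0x8: "modify group membership", 0x10: "read property",
    0x20: "write property", 0x40: "delete tree", 0x80: "list object",
    0x100: "extended right", 0x10000: "delete", 0x20000: "read control",
    0x40000: "write DACL", 0x80000: "write owner", 0x100000: "synchronize",
    0x1000000: "access SACL", 0x80000000: "generic read",
    0x40000000: "generic write", 0x20000000: "generic execute",
    0x10000000: "generic all",
}
INHERITANCE = {
    0x1: "non-container objects inherit", 0x2: "containers inherit",
    0x4: "no propagate", 0x8: "inherit only", 0x10: "inherited from parent",
}
MODE = {2: "allow", 3: "deny"}
# Rights that let the holder change who controls the object: write DACL,
# write owner, generic write (includes write DACL per the page) and generic all.
CONTROL_RIGHTS = 0x40000 | 0x80000 | 0x40000000 | 0x10000000


def build_request(name, object_type=8):
    """Request body per the page's schema: executeData/name and executeData/objectType."""
    root = ET.Element("executeData")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "objectType").text = str(object_type)
    return ET.tostring(root, encoding="unicode")


def decode_flags(value, table):
    """Labels for every set bit of value; bits not in the table are reported, not dropped."""
    labels = [label for bit, label in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        labels.append("unknown bits 0x%x" % (value & ~known))
    return labels


def decode_ace(ace):
    """Turn one <ace> element of a Get DACL response into a plain dict."""
    def text(tag, default=""):
        node = ace.find(tag)
        return node.text.strip() if node is not None and node.text else default
    # Assumption: numeric elements carry decimal or 0x-prefixed hex text.
    permission = int(text("permission", "0"), 0)
    inheritance = int(text("inheritance", "0"), 0)
    return {
        "trustee": text("trustee"),
        "trusteeForm": int(text("trusteeForm", "0"), 0),
        "trusteeType": int(text("trusteeType", "0"), 0),
        "mode": MODE.get(int(text("mode", "0"), 0), "unknown"),
        "permission": permission,
        "rights": decode_flags(permission, ADS_RIGHTS),
        "inheritance": decode_flags(inheritance, INHERITANCE),
        # Flag 0x8 (inherit only) means the ACE does not apply to this object.
        "appliesToObject": not (inheritance & 0x8),
        "objectTypeName": text("objectTypeName"),
        "inheritedObjectTypeName": text("inheritedObjectTypeName"),
    }


def parse_dacl_response(xml_text):
    root = ET.fromstring(xml_text)
    return [decode_ace(ace) for ace in root.iter("ace")]


def control_grants(aces):
    """Allow ACEs that grant a control right on the object itself (inherit-only ACEs excluded)."""
    return [a for a in aces
            if a["mode"] == "allow" and a["appliesToObject"]
            and a["permission"] & CONTROL_RIGHTS]


# Constructed sample response, shaped after the page's response schema.
SAMPLE_RESPONSE = """<executeData><dacl>
  <ace><permission>0x20094</permission><mode>2</mode><trusteeForm>1</trusteeForm>
       <trustee>EXAMPLE\\Domain Users</trustee><trusteeType>2</trusteeType>
       <inheritance>0</inheritance></ace>
  <ace><permission>0x10000000</permission><mode>2</mode><trusteeForm>1</trusteeForm>
       <trustee>EXAMPLE\\Helpdesk</trustee><trusteeType>2</trusteeType>
       <inheritance>0x3</inheritance></ace>
  <ace><permission>0xC0000</permission><mode>2</mode><trusteeForm>1</trusteeForm>
       <trustee>EXAMPLE\\Provisioning</trustee><trusteeType>2</trusteeType>
       <inheritance>0xA</inheritance></ace>
  <ace><permission>0x40000</permission><mode>3</mode><trusteeForm>1</trusteeForm>
       <trustee>EXAMPLE\\Contractors</trustee><trusteeType>2</trusteeType>
       <inheritance>0</inheritance></ace>
</dacl></executeData>"""

if __name__ == "__main__":
    print(build_request("CN=someobject,OU=ou1,DC=example,DC=com"))
    aces = parse_dacl_response(SAMPLE_RESPONSE)
    for ace in aces:
        print(ace["mode"], ace["trustee"], ace["rights"], ace["inheritance"])
    for ace in control_grants(aces):
        print("control right granted on the object to", ace["trustee"])
```

The third ACE carries write DACL and write owner but is inherit-only (0x8), so it is reported in the decoded listing yet not flagged for this object; the deny ACE is likewise listed but not flagged, since only allow ACEs grant anything.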
Applies to:
- Hosted Messaging and Collaboration version 4.5
- Hosted Messaging and Collaboration version 4.0
- Hosted Messaging and Collaboration version 3.5
- Hosted Messaging and Collaboration version 3.0
- Windows-based Hosting version 4.5
- Windows-based Hosting version 4.0
- Windows-based Hosting version 3.5
- Windows-based Hosting for Applications version 1.0