Active Directory Security Constants
This page lists security descriptor constants, including a brief description and the hexadecimal value of each constant. These constants are used when creating scripts that manage Active Directory security; because scripting languages do not have access to type libraries, you must define each constant before using it in a script. For example, if you need to use the constant ADS_RIGHT_DELETE in a script, this line of code should appear somewhere near the beginning of that script:
Const ADS_RIGHT_DELETE = &H10000
ADS_RIGHTS_ENUM (Access Mask)
Contains a set of flags that specifies access privileges for the object. Valid values for Active Directory objects are defined in the ADS_RIGHTS_ENUM enumeration.
| Constant | Description | Value |
| --- | --- | --- |
| ADS_RIGHT_DELETE | The right to delete the object. | &H10000 |
| ADS_RIGHT_READ_CONTROL | The right to read data from the security descriptor of the object, not including the data in the system access control list (SACL). | &H20000 |
| ADS_RIGHT_WRITE_DAC | The right to modify the discretionary access control list (DACL) in the object security descriptor. | &H40000 |
| ADS_RIGHT_WRITE_OWNER | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users. | &H80000 |
| ADS_RIGHT_SYNCHRONIZE | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. | &H100000 |
| ADS_RIGHT_ACCESS_SYSTEM_SECURITY | The right to get or set the SACL in the object security descriptor. | &H1000000 |
| ADS_RIGHT_GENERIC_READ | The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container. | &H80000000 |
| ADS_RIGHT_GENERIC_WRITE | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object. | &H40000000 |
| ADS_RIGHT_GENERIC_EXECUTE | The right to read permissions on, and list the contents of, a container object. | &H20000000 |
| ADS_RIGHT_GENERIC_ALL | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right. | &H10000000 |
| ADS_RIGHT_DS_CREATE_CHILD | The right to create child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types. | &H1 |
| ADS_RIGHT_DS_DELETE_CHILD | The right to delete child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types. | &H2 |
| ADS_RIGHT_ACTRL_DS_LIST | The right to list child objects of this object. For more information about this right, see Controlling Object Visibility. | &H4 |
| ADS_RIGHT_DS_SELF | The right to perform an operation controlled by a validated write access right. The ObjectType member of an ACE can contain a GUID that identifies the validated write. If ObjectType does not contain a GUID, the ACE controls the rights to perform all valid write operations associated with the object. | &H8 |
| ADS_RIGHT_DS_READ_PROP | The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object properties. | &H10 |
| ADS_RIGHT_DS_WRITE_PROP | The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object properties. | &H20 |
| ADS_RIGHT_DS_DELETE_TREE | The right to delete all child objects of this object, regardless of the permissions of the child objects. | &H40 |
| ADS_RIGHT_DS_LIST_OBJECT | The right to list a particular object. If the user is not granted such a right, and the user does not have ADS_RIGHT_ACTRL_DS_LIST set on the object parent, the object is hidden from the user. This right is ignored if the third character of the dSHeuristics property is '0' or not set. | &H80 |
| ADS_RIGHT_DS_CONTROL_ACCESS | The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object. | &H100 |
ADS_ACETYPE_ENUM (Ace Type)
Contains a value that indicates the type of ACE. Valid values for Active Directory objects are defined in the ADS_ACETYPE_ENUM enumeration.
| Constant | Description | Value |
| --- | --- | --- |
| ADS_ACETYPE_ACCESS_ALLOWED | The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and InheritedObjectType fields are NULL. | 0 |
| ADS_ACETYPE_ACCESS_DENIED | The ACE is of the standard ACCESS DENIED type, where the ObjectType and InheritedObjectType fields are NULL. | &H1 |
| ADS_ACETYPE_SYSTEM_AUDIT | The ACE is of the standard system-audit type, where the ObjectType and InheritedObjectType fields are NULL. | &H2 |
| ADS_ACETYPE_ACCESS_ALLOWED_OBJECT | The ACE grants access to an object or a subobject of the object, such as a property set or property. ObjectType or InheritedObjectType or both contain a GUID that identifies a property set, property, extended right, or type of child object. Windows NT 4.0: Not used. | &H5 |
| ADS_ACETYPE_ACCESS_DENIED_OBJECT | The ACE denies access to an object or a subobject of the object, such as a property set or property. ObjectType or InheritedObjectType or both contain a GUID that identifies a property set, property, extended right, or type of child object. Windows NT 4.0: Not used. | &H6 |
| ADS_ACETYPE_SYSTEM_AUDIT_OBJECT | The ACE audits access to an object or a subobject of the object, such as a property set or property. ObjectType or InheritedObjectType or both contain a GUID that identifies a property set, property, extended right, or type of child object. Windows NT 4.0: Not used. | &H7 |
| ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK | Same functionality as ADS_ACETYPE_ACCESS_ALLOWED, but used with applications that use Authz to verify ACEs. Windows NT 4.0: Not used. | &H9 |
| ADS_ACETYPE_ACCESS_DENIED_CALLBACK | Same functionality as ADS_ACETYPE_ACCESS_DENIED, but used with applications that use Authz to verify ACEs. Windows NT 4.0: Not used. | &HA |
| ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT | Same functionality as ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, but used with applications that use Authz to verify ACEs. Windows NT 4.0: Not used. | &HB |
| ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT | Same functionality as ADS_ACETYPE_ACCESS_DENIED_OBJECT, but used with applications that use Authz to check ACEs. Windows NT 4.0: Not used. | &HC |
| ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK | Same functionality as ADS_ACETYPE_SYSTEM_AUDIT, but used with applications that use Authz to check ACEs. Windows NT 4.0: Not used. | &HD |
| ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT | Same functionality as ADS_ACETYPE_SYSTEM_AUDIT_OBJECT, but used with applications that use Authz to verify ACEs. Windows NT 4.0: Not used. | &HF |
ADS_ACEFLAG_ENUM (Ace Flags)
Contains a set of flags that specifies whether other containers or objects can inherit the ACE. Valid values for Active Directory objects are defined in the ADS_ACEFLAG_ENUM enumeration.
| Constant | Description | Value |
| --- | --- | --- |
| ADS_ACEFLAG_INHERIT_ACE | Child objects will inherit this access-control entry (ACE). The inherited ACE is itself inheritable unless the ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE flag is set. | &H2 |
| ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE | The system will clear the ADS_ACEFLAG_INHERIT_ACE flag for the inherited ACEs of child objects. This prevents the ACE from being inherited by subsequent generations of objects. | &H4 |
| ADS_ACEFLAG_INHERIT_ONLY_ACE | Indicates an inherit-only ACE, which does not exercise access control on the object to which it is attached. If this flag is not set, the ACE is an effective ACE that exerts access control on the object to which it is attached. | &H8 |
| ADS_ACEFLAG_INHERITED_ACE | Indicates whether or not the ACE was inherited. The system sets this bit. | &H10 |
| ADS_ACEFLAG_VALID_INHERIT_FLAGS | Indicates whether the inherit flags are valid. The system sets this bit. | &H1F |
| ADS_ACEFLAG_SUCCESSFUL_ACCESS | Generates audit messages for successful access attempts; used with ACEs that audit the system in a system access-control list (SACL). | &H40 |
| ADS_ACEFLAG_FAILED_ACCESS | Generates audit messages for failed access attempts; used with ACEs that audit the system in a SACL. | &H80 |
ADS_FLAGTYPE_ENUM (Flags)
A flag that indicates whether the ACE has an object type or inherited object type. Valid flags are defined in the ADS_FLAGTYPE_ENUM enumeration.
| Constant | Description | Value |
| --- | --- | --- |
| ADS_FLAG_OBJECT_TYPE_PRESENT | The ObjectType field is present in the ACE. | &H1 |
| ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT | The InheritedObjectType field is present in the ACE. | &H2 |