Access Control Entries

All ACEs include the following access control information:

  • A SID that identifies a user or group

  • An access mask that specifies access rights

  • A set of bit flags that determine whether child objects can inherit the ACE

  • A flag that indicates the type of ACE

ACE Types

Windows 2000 supports six types of ACEs. Three are generic ACE types that can be present in ACLs attached to all securable objects. Table 12.7 lists generic ACE types. The three remaining ACE types are object-specific and can occur only in ACLs for Active Directory objects. Table 12.8 lists object-specific ACE types.

Table 12.7 Generic ACE Types

Type             Description
Access-denied    Used in a DACL to deny access.
Access-allowed   Used in a DACL to allow access.
System-audit     Used in a SACL to log attempts to access.

Table 12.8 Object-Specific ACE Types

Type                              Description
Access-denied, object-specific    Used in a DACL to deny access to a property or property set, or to limit inheritance to a specified type of child object.
Access-allowed, object-specific   Used in a DACL to allow access to a property or property set, or to limit inheritance to a specified type of child object.
System-audit, object-specific     Used in a SACL to log attempts to access a property or property set, or to limit inheritance to a specified type of child object.

Generic and object-specific ACEs are fundamentally alike. What sets them apart is the granularity of control they offer over inheritance and object access.

Generic ACEs offer limited control over the kinds of child objects that can inherit them. Essentially, they can distinguish only between containers and noncontainers. For example, the DACL on a Folder object in the NTFS file system can include a generic ACE that allows a group of users to list the folder's contents. This is an operation that can be performed only on container objects, so the ACE that allows the operation can be flagged as a CONTAINER_INHERIT_ACE. Only container objects in the folder (that is, only other Folder objects) inherit the ACE. Noncontainer objects (that is, File objects) do not.

Object-specific ACEs offer greater granularity of control over the types of child objects that can inherit them. For example, an OU object's ACL can have an object-specific ACE that is marked for inheritance only by User objects. Other types of objects, such as Computer objects, will not inherit the ACE. This capability is why object-specific ACEs are called object-specific. Their inheritance can be limited to specific types of child objects.

There are similar differences in how the two categories of ACE types control access to objects. Generic ACEs apply to an entire object. If a generic ACE gives a particular user read access, the user can read all information associated with the object—both data and properties. This is not a serious limitation for most object types. File objects, for example, have few properties, all used for describing characteristics of the object rather than for storing information. Most of the information in a File object is stored as object data, so there is little need for separate controls on a file's properties.

Object-specific ACEs can apply to any individual property of an object or to a set of properties. These ACE types are used only in ACLs for Active Directory objects, which, unlike other object types, store most of their information in properties. It is often desirable to place independent controls on each property of an Active Directory object, and object-specific ACEs make that possible. For example, when you define permissions for a User object, you can use one object-specific ACE to allow Principal Self (that is, the user) write access to the Phone-Home-Primary (homePhone) property, and you can use other object-specific ACEs to deny Principal Self access to the Logon-Hours (logonHours) property and other properties that set restrictions on the user account.

Structure of a Generic ACE

All three generic ACE types have the same data structure, which Figure 12.22 illustrates.


Figure 12.22 Structure of a Generic ACE

The individual parts of an ACE are as follows:

ACE Size    The number of bytes of memory allocated for the ACE.

ACE Type    Specifies whether the ACE allows, denies, or monitors access.

Inheritance/Audit Flags    A set of bit flags that control inheritance and auditing. For information about inheritance flags, see "Inheritance" later in this chapter. Table 12.9 describes audit flags.

Table 12.9 Audit Flags

Flag                          Meaning
FAILED_ACCESS_ACE_FLAG        Meaningful only in system-audit and system-audit object ACEs. The access mask specifies operations that should be logged when they fail.
SUCCESSFUL_ACCESS_ACE_FLAG    Meaningful only in system-audit and system-audit object ACEs. The access mask specifies operations that should be logged when they succeed.

Access Mask    A 32-bit value whose bits correspond to access rights for the object. Bits can be set either on or off, but the setting's meaning depends on the ACE type. For example, if the bit that corresponds to the right to read permissions is turned on, and the ACE type is Deny, then the ACE denies the right to read the object's permissions. If the same bit is set on but the ACE type is Allow, then the ACE grants the right to read the object's permissions.

SID    Identifies a user or group whose access is controlled or monitored by this ACE.

Structure of an Object-Specific ACE

Figure 12.23 illustrates the structure of an object-specific ACE.


Figure 12.23 Structure of an Object-Specific ACE

The fields for ACE Size, ACE Type, Inheritance/Audit Flags, Access Mask, and SID are identical to the corresponding fields in the data structure for a generic ACE. The key differences between a generic and an object-specific ACE are as follows:

Object Flags

Object flags indicate whether the Object Type and Inherited Object Type fields are present. Table 12.10 shows the three possible settings.

Table 12.10 Object Flags

Flag                                 Meaning
0 (no flags)                         Neither Object Type nor Inherited Object Type is present. In this case, the ACE applies to the entire object. It is, in effect, a generic ACE.
ACE_OBJECT_TYPE_PRESENT              ACE applies to a property, property set, or extended right, or it controls the ability to create a particular type of child object.
ACE_INHERITED_OBJECT_TYPE_PRESENT    ACE can be inherited only by a particular type of child object.

Object Type

Object Type contains a GUID that identifies one of the following:

  • A type of child object. The ACE controls who can create a particular type of child object within a container. The SID portion of the ACE identifies a user or group who can create this type of child object. The ACE's access mask contains the object-specific access right ADS_RIGHT_DS_CREATE_CHILD.

  • A property or property set. The ACE controls the ability to read or write a particular property or property set. The SID portion of the ACE identifies a user or group who can read or write the property or property set. The ACE's access mask contains either ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP.

  • An extended right. The ACE controls the right to perform the operation associated with the extended right. The SID portion of the ACE identifies a user or group who has the extended right. The ACE's access mask contains ADS_RIGHT_DS_CONTROL_ACCESS.

Inherited Object Type

Inherited Object Type contains a GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the ACE's Inheritance Flags and by any protection against inheritance placed on the child object in its Security Descriptor Control Flags.
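As an added example that is not part of the original chapter, the following Python parser decodes the two binary layouts described under "Structure of a Generic ACE" and "Structure of an Object-Specific ACE": the ACE header (type, flags, size), the access mask, the Object Flags, the optional Object Type and Inherited Object Type GUIDs, and the SID, and it rejects an ACE whose decoded fields overrun its ACE Size. The constant values are the winnt.h/iads.h constants named in the text; the SID and the two GUIDs in the sample are constructed placeholders, not real schema identifiers.

```python
import struct
import uuid

# Type, flag and right values are the winnt.h / iads.h constants named in the text.
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07}  # allowed, denied, audit (object-specific)
CONTAINER_INHERIT_ACE = 0x02
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
ADS_RIGHT_DS_WRITE_PROP = 0x20


def parse_sid(buf, off):
    # Binary SID: revision, sub-authority count, 48-bit big-endian authority, sub-authorities.
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), off + 8 + 4 * count


def parse_ace(buf, off=0):
    # Header: AceType (1 byte), AceFlags (1 byte), AceSize (2 bytes); then the 32-bit access mask.
    ace_type, flags, size = struct.unpack_from("<BBH", buf, off)
    (mask,) = struct.unpack_from("<I", buf, off + 4)
    ace = {"type": ace_type, "flags": flags, "size": size, "mask": mask}
    pos = off + 8
    if ace_type in OBJECT_ACE_TYPES:
        # Object-specific ACEs add Object Flags and up to two GUIDs before the SID.
        (obj_flags,) = struct.unpack_from("<I", buf, pos)
        ace["object_flags"], pos = obj_flags, pos + 4
        if obj_flags & ACE_OBJECT_TYPE_PRESENT:
            ace["object_type"] = str(uuid.UUID(bytes_le=bytes(buf[pos:pos + 16])))
            pos += 16
        if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
            ace["inherited_object_type"] = str(uuid.UUID(bytes_le=bytes(buf[pos:pos + 16])))
            pos += 16
    ace["sid"], pos = parse_sid(buf, pos)
    if pos - off > size:
        raise ValueError("ACE fields overrun AceSize")  # malformed ACE; do not trust it
    return ace


# Constructed sample: allow one principal to write one property, inheritable only by one class.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1000)
PROPERTY_GUID = "11111111-2222-3333-4444-555555555555"    # placeholder property schemaIDGUID
CHILD_CLASS_GUID = "66666666-7777-8888-9999-aaaaaaaaaaaa"  # placeholder child-object class GUID
_body = (struct.pack("<II", ADS_RIGHT_DS_WRITE_PROP,
                     ACE_OBJECT_TYPE_PRESENT | ACE_INHERITED_OBJECT_TYPE_PRESENT)
         + uuid.UUID(PROPERTY_GUID).bytes_le + uuid.UUID(CHILD_CLASS_GUID).bytes_le + SAMPLE_SID)
SAMPLE_ACE = struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, CONTAINER_INHERIT_ACE,
                         4 + len(_body)) + _body
```

Calling parse_ace(SAMPLE_ACE) returns a dictionary whose object_type and inherited_object_type fields carry the two GUIDs and whose sid field reads S-1-5-21-1-2-3-1000.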