
ADS_RIGHTS_ENUM

The ADS_RIGHTS_ENUM enumeration specifies access rights assigned to an Active Directory object. The IADsAccessControlEntry::AccessMask property contains a combination of these values for an Active Directory object.

Syntax

enum ADS_RIGHTS_ENUM
{
    ADS_RIGHT_DELETE                   = 65536,         //0x10000
    ADS_RIGHT_READ_CONTROL             = 131072,        //0x20000
    ADS_RIGHT_WRITE_DAC                = 262144,        //0x40000
    ADS_RIGHT_WRITE_OWNER              = 524288,        //0x80000
    ADS_RIGHT_SYNCHRONIZE              = 1048576,       //0x100000
    ADS_RIGHT_ACCESS_SYSTEM_SECURITY   = 16777216,      //0x1000000
    ADS_RIGHT_GENERIC_READ             = 2147483648,    //0x80000000
    ADS_RIGHT_GENERIC_WRITE            = 1073741824,    //0x40000000
    ADS_RIGHT_GENERIC_EXECUTE          = 536870912,     //0x20000000
    ADS_RIGHT_GENERIC_ALL              = 268435456,     //0x10000000
    ADS_RIGHT_DS_CREATE_CHILD          = 1,             //0x1
    ADS_RIGHT_DS_DELETE_CHILD          = 2,             //0x2
    ADS_RIGHT_ACTRL_DS_LIST            = 4,             //0x4
    ADS_RIGHT_DS_SELF                  = 8,             //0x8
    ADS_RIGHT_DS_READ_PROP             = 16,            //0x10
    ADS_RIGHT_DS_WRITE_PROP            = 32,            //0x20
    ADS_RIGHT_DS_DELETE_TREE           = 64,            //0x40
    ADS_RIGHT_DS_LIST_OBJECT           = 128,           //0x80
    ADS_RIGHT_DS_CONTROL_ACCESS        = 256,           //0x100
    ADS_RIGHT_DS_RESTORE_TO            = 2048           //0x800
};

Constants

  • ADS_RIGHT_DELETE: The right to delete the object.

  • ADS_RIGHT_READ_CONTROL: The right to read data from the security descriptor of the object, not including the data in the SACL.

  • ADS_RIGHT_WRITE_DAC: The right to modify the discretionary access-control list (DACL) in the object security descriptor.

  • ADS_RIGHT_WRITE_OWNER: The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users.

  • ADS_RIGHT_SYNCHRONIZE: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.

  • ADS_RIGHT_ACCESS_SYSTEM_SECURITY: The right to get or set the SACL in the object security descriptor.

  • ADS_RIGHT_GENERIC_READ: The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container.

  • ADS_RIGHT_GENERIC_WRITE: The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.

  • ADS_RIGHT_GENERIC_EXECUTE: The right to read permissions on, and list the contents of, a container object.

  • ADS_RIGHT_GENERIC_ALL: The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, remove the object from the directory, and read or write with an extended right.

  • ADS_RIGHT_DS_CREATE_CHILD: The right to create child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies the type of child object whose creation is controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types.

  • ADS_RIGHT_DS_DELETE_CHILD: The right to delete child objects of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.

  • ADS_RIGHT_ACTRL_DS_LIST: The right to list child objects of this object.

  • ADS_RIGHT_DS_SELF: The right to perform an operation controlled by a validated write access right. The ObjectType member of an ACE can contain a GUID that identifies the validated write. If ObjectType does not contain a GUID, the ACE controls the rights to perform all valid write operations associated with the object.

  • ADS_RIGHT_DS_READ_PROP: The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object properties.

  • ADS_RIGHT_DS_WRITE_PROP: The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object properties.

  • ADS_RIGHT_DS_DELETE_TREE: The right to delete all child objects of this object, regardless of the permissions of the child objects.

  • ADS_RIGHT_DS_LIST_OBJECT: The right to list a particular object. If the user is not granted such a right, and the user does not have ADS_RIGHT_ACTRL_DS_LIST set on the object parent, the object is hidden from the user. This right is ignored if the third character of the dSHeuristics property is 0 or not set.

  • ADS_RIGHT_DS_CONTROL_ACCESS: The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object.

  • ADS_RIGHT_DS_RESTORE_TO: The right to restore deleted objects. The ObjectType member of an ACE can contain a GUID that identifies the type of objects whose restoring is controlled. If ObjectType does not contain a GUID, the ACE controls restoring all object types.

Remarks

To assign access rights to an object, set the AccessMask field of an access-control entry (ACE) to a combination of the constants defined in this enumeration. In addition to the AccessMask field, an ACE can have other fields, including AceType, AceFlags, ObjectType, InheritedObjectType, Flags and Trustee. The IADsAccessControlEntry interface provides property methods to obtain and modify these fields.

The ObjectType field specifies a GUID that identifies the property set, property, extended right, or type of child object to which the ACE applies. The InheritedObjectType field specifies a GUID that identifies the type of child object that can inherit the ACE. The Trustee field identifies the security principal to whom the ACE allows or denies the specified access rights.

For more information about AceType, AceFlags, and Flags, see ADS_ACETYPE_ENUM and ADS_ACEFLAG_ENUM.
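The following is an added example, not code from this page or from the product it documents: it decodes an AccessMask into the constants listed above and reports which rights apply to every property, extended right or child type because the ACE has no ObjectType GUID. The function names, sample trustees and the GUID are hypothetical, and it assumes the mask may arrive as a signed 32-bit integer.

```python
# Values copied from the ADS_RIGHTS_ENUM listing on this page.
ADS_RIGHTS = {
    "ADS_RIGHT_DELETE": 0x10000, "ADS_RIGHT_READ_CONTROL": 0x20000,
    "ADS_RIGHT_WRITE_DAC": 0x40000, "ADS_RIGHT_WRITE_OWNER": 0x80000,
    "ADS_RIGHT_SYNCHRONIZE": 0x100000,
    "ADS_RIGHT_ACCESS_SYSTEM_SECURITY": 0x1000000,
    "ADS_RIGHT_GENERIC_READ": 0x80000000, "ADS_RIGHT_GENERIC_WRITE": 0x40000000,
    "ADS_RIGHT_GENERIC_EXECUTE": 0x20000000, "ADS_RIGHT_GENERIC_ALL": 0x10000000,
    "ADS_RIGHT_DS_CREATE_CHILD": 0x1, "ADS_RIGHT_DS_DELETE_CHILD": 0x2,
    "ADS_RIGHT_ACTRL_DS_LIST": 0x4, "ADS_RIGHT_DS_SELF": 0x8,
    "ADS_RIGHT_DS_READ_PROP": 0x10, "ADS_RIGHT_DS_WRITE_PROP": 0x20,
    "ADS_RIGHT_DS_DELETE_TREE": 0x40, "ADS_RIGHT_DS_LIST_OBJECT": 0x80,
    "ADS_RIGHT_DS_CONTROL_ACCESS": 0x100, "ADS_RIGHT_DS_RESTORE_TO": 0x800,
}
# Rights whose scope the page says is narrowed by an ObjectType GUID.
OBJECT_TYPE_SCOPED = {
    "ADS_RIGHT_DS_CREATE_CHILD", "ADS_RIGHT_DS_DELETE_CHILD", "ADS_RIGHT_DS_SELF",
    "ADS_RIGHT_DS_READ_PROP", "ADS_RIGHT_DS_WRITE_PROP",
    "ADS_RIGHT_DS_CONTROL_ACCESS", "ADS_RIGHT_DS_RESTORE_TO",
}

def decode_access_mask(mask):
    """Return (sorted flag names, leftover bits not in the enumeration)."""
    mask &= 0xFFFFFFFF  # assumption: mask may arrive as a signed 32-bit value
    names = sorted(n for n, bit in ADS_RIGHTS.items() if mask & bit)
    known = 0
    for bit in ADS_RIGHTS.values():
        known |= bit
    return names, mask & ~known

def unscoped_rights(mask, object_type=None):
    """Rights in mask that cover every property, extended right or child type
    because the ACE carries no ObjectType GUID."""
    if object_type:
        return []
    names, _ = decode_access_mask(mask)
    return [n for n in names if n in OBJECT_TYPE_SCOPED]

# Constructed sample ACEs (trustees and the GUID are placeholders).
SAMPLE_ACES = [
    {"trustee": "EXAMPLE\\helpdesk", "mask": 0x20, "object_type": None},
    {"trustee": "EXAMPLE\\hr-sync", "mask": 0x30,
     "object_type": "{00000000-0000-0000-0000-000000000001}"},
    {"trustee": "EXAMPLE\\legacy-svc", "mask": -2147483648, "object_type": None},
]

if __name__ == "__main__":
    for ace in SAMPLE_ACES:
        names, extra = decode_access_mask(ace["mask"])
        broad = unscoped_rights(ace["mask"], ace["object_type"])
        print(ace["trustee"], names, hex(extra), "unscoped:", broad)
```

A non-zero second value from decode_access_mask means the mask carries bits this enumeration does not name, which is worth surfacing in an ACL review rather than silently dropping.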

Requirements

Minimum required version: 2009.1
