Active Directory Provider::Update ACL

Updates the security descriptor for an Active Directory directory service object. The security descriptor consists of the discretionary access control list (DACL) that sets permissions and the system access control list (SACL) that sets auditing. Used by Microsoft Provisioning Framework (MPF).

Update ACL is a wrapper for the Win32 API functions GetNamedSecurityInfo, SetEntriesInAcl and SetNamedSecurityInfo.

Each ace element specifies access control or audit control information for a specified trustee. A trustee can be a user, group, or other security identifier (SID) value, such as a logon identifier or logon type (for instance, a Win32 service or batch job). You can use a name, LDAP path, or a SID to identify a trustee.

You can use Update ACL to modify the list of ACEs in a DACL or a SACL. A DACL controls access to an object, and a SACL controls the system's auditing of attempts to access an object. Note that Update ACL does not prevent you from mixing access control and audit control information in the same ACL; however, the resulting ACL will contain meaningless entries.

In the new DACL or SACL, Update ACL places new access-denied ACEs at the beginning of the list and new access-allowed ACEs before existing access-allowed ACEs.

To remove an ACE, use "<mode>REVOKE_ACCESS</mode>" and make sure the trustee, permission, and inheritance elements match the ACE you want to remove. If a matching ACE is not found, no error occurs. When a new ACE with a generic permission is added to an ACL, the permission is converted to specific permissions, so removing it later requires knowing what those specific permissions are. This is explained in Microsoft Knowledge Base article Q254665. An attempt to revoke an ACE inherited from the parent is ignored.
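The placement, generic-to-specific and revoke rules above are easy to get wrong when auditing a DACL, so here is an added model of them (example code written for this page, not MPF or Win32 code). It assumes the real Active Directory mapping of GENERIC_ALL to 0x000F01FF, a constructed SID string as the trustee, and the revoke matching behaviour exactly as this page describes it; the final function is a simplified DACL walk that shows why a deny ACE placed first wins.

```c
/* Added model of Update ACL / SetEntriesInAcl semantics: ACE placement, generic
 * right mapping, REVOKE_ACCESS matching, and a simplified access check. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define GENERIC_ALL    0x10000000u
#define DS_GENERIC_ALL 0x000F01FFu /* specific rights GENERIC_ALL becomes on an AD object */

typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *trustee; unsigned mask; bool inherited; } Ace;
typedef struct { Ace e[16]; size_t n; } Acl;

/* Generic rights are stored as their specific equivalents (only GENERIC_ALL is modelled). */
static unsigned map_generic(unsigned mask) {
    return (mask & GENERIC_ALL) ? (mask & ~GENERIC_ALL) | DS_GENERIC_ALL : mask;
}

/* Placement rule: new deny ACEs go to the front, new allow ACEs go before existing allows. */
static void add_ace(Acl *a, Ace ace) {
    size_t pos = 0;
    if (a->n == 16) return;              /* model capacity only */
    ace.mask = map_generic(ace.mask);
    if (ace.type == ACE_ALLOW)
        while (pos < a->n && a->e[pos].type == ACE_DENY) pos++;
    memmove(&a->e[pos + 1], &a->e[pos], (a->n - pos) * sizeof(Ace));
    a->e[pos] = ace; a->n++;
}

/* REVOKE_ACCESS as documented here: remove explicit ACEs whose trustee and mask match
 * exactly; inherited ACEs are ignored and a missing match is not an error. */
static size_t revoke_ace(Acl *a, const char *trustee, unsigned mask) {
    size_t removed = 0;
    for (size_t i = 0; i < a->n; ) {
        Ace *c = &a->e[i];
        if (!c->inherited && c->mask == mask && strcmp(c->trustee, trustee) == 0) {
            memmove(c, c + 1, (a->n - i - 1) * sizeof(Ace));
            a->n--; removed++;
        } else i++;
    }
    return removed;
}

/* Simplified DACL walk: a deny ACE covering a still-requested bit refuses access;
 * allow ACEs accumulate granted bits until every requested bit is covered. */
static bool access_check(const Acl *a, const char *trustee, unsigned wanted) {
    unsigned granted = 0;
    for (size_t i = 0; i < a->n && granted != wanted; i++) {
        const Ace *c = &a->e[i];
        if (strcmp(c->trustee, trustee) != 0) continue;
        if (c->type == ACE_DENY && (c->mask & wanted & ~granted)) return false;
        if (c->type == ACE_ALLOW) granted |= c->mask & wanted;
    }
    return granted == wanted;
}
```

Because the generic mask is rewritten on insertion, a revoke request carrying GENERIC_ALL matches nothing, while one carrying the mapped specific mask removes the ACE.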
