Active Directory Provider::Get SACL


Returns the system access control list (SACL) for the specified object. Used by Microsoft® Provisioning Framework (MPF).

XML Input Schema

The following code fragment shows the format for sending data to this procedure. For more information on individual elements and attributes, see the Elements and Attributes table.

<executeData>1..1
  <name>1..1</name>
  <objectType>1..1</objectType>
</executeData>

XML Output Schema

The following code fragment shows the format for data this procedure returns. For more information on individual elements and attributes, see the Elements and Attributes table.

<executeData>1..1
  <sacl>0..1
    <ace>0..unbounded
      <permission>1..unbounded</permission>
      <mode>1..1</mode>
      <trusteeForm>1..1</trusteeForm>
      <trustee>1..1</trustee>
      <trusteeType>0..1</trusteeType>
      <inheritance>0..unbounded</inheritance>
      <objectTypeName>0..1</objectTypeName>
      <inheritedObjectTypeName>0..1</inheritedObjectTypeName>
    </ace>
  </sacl>
</executeData>

Elements and Attributes

The following table describes the XML schema elements and attributes. Unless otherwise indicated, the data type is string.

Element Description, relationships, and attributes
ace Description:
Access control elements (ACEs) for the SACL.

Parent:
sacl

Children:
inheritance (minOccurs="1" maxOccurs="1", output only)
inheritedObjectTypeName (minOccurs="0" maxOccurs="1", output only)
mode (minOccurs="1" maxOccurs="1", output only)
objectTypeName (minOccurs="0" maxOccurs="1", output only)
permission (minOccurs="1" maxOccurs="1", output only)
trustee (minOccurs="1" maxOccurs="1", output only)
trusteeForm (minOccurs="1" maxOccurs="1", output only)
trusteeType (minOccurs="1" maxOccurs="1", output only)

executeData Description:
Encapsulates the procedure's input and output data.

Children:
name (minOccurs="1" maxOccurs="1", input only)
objectType (minOccurs="1" maxOccurs="1", input only)
sacl (minOccurs="0" maxOccurs="1", output only)

inheritance Description:
Set of bit flags that determines whether other containers or objects can inherit the ACE from the primary object to which the SACL is attached. The value of this member corresponds to the inheritance portion (low-order byte) of the AceFlags member of the ACE_HEADER structure. This parameter can be zero to indicate that the ACE is not inheritable; or it can be a combination of the values in the AceFlags table. For example:
<ace>
  <inheritance>3</inheritance>
</ace>

AceFlags:

0x0 Default. This ACE will not be inherited by other objects.
0x1 Non-container objects contained by the primary object inherit the ACE.
0x2 Other containers contained by the primary object inherit the ACE.
0x3 Both containers and non-container objects contained by the primary object inherit the ACE.
0x4 The SUB_OBJECTS_ONLY_INHERIT and SUB_CONTAINERS_ONLY_INHERIT flags are not propagated to an inherited ACE.
0x8 The ACE does not apply to the primary object to which the ACL is attached, but objects contained by the primary object inherit the ACE.
0x10 The permission or restriction is inherited from the parent object.

Parent:
ace

inheritedObjectTypeName Description:
Type of objects that can inherit the ACE.

Parent:
ace

mode Description:
Indicates whether the ACL generates audit messages (success/failure) for attempts to use the specified access rights. Specifies a value from the following ACCESS_MODE enumeration.
5 Indicates a SYSTEM_AUDIT_ACE that generates audit messages for successful attempts to use the specified access rights.
6 Indicates a SYSTEM_AUDIT_ACE that generates audit messages for failed attempts to use the specified access rights.

Parent:
ace

name Description:
Name of the object to update the ACL for. For Microsoft® Active Directory® objects, this would be the lightweight directory access protocol (LDAP) path.

Parent:
executeData

objectType Description:
One of the object types listed in the following SE_OBJECT_TYPE table. For Active Directory objects, this should be SE_DS_OBJECT.
0 SE_UNKNOWN_OBJECT_TYPE Unknown object type.
1 SE_FILE_OBJECT
A file or directory. The name string that identifies a file or directory object can be one of the following.
  • A relative path such as Abc.dat or ..\Abc.dat
  • An absolute path such as \Abc.dat, C:\Dir1\Abc.dat, or G:\Remotedir\Abc.dat
  • A UNC name such as \\Machinename\Sharename\Abc.dat.
  • A local file system root such as \\.\C:. Security set on a file system root does not persist when the system is restarted.
2 SE_SERVICE A Microsoft® Win32® service. A service object can be a local service, such as servicename; or a remote service, such as \\Machinename\Servicename.
3 SE_PRINTER A printer. A printer object can be a local printer, such as Printername; or a remote printer, such as \\Machinename\Printername.
4 SE_REGISTRY_KEY
A registry key. A registry key object can be in the local registry, such as CLASSES_ROOT\somepath; or in a remote registry, such as \\Machinename\CLASSES_ROOT\Somepath.

The names of registry keys must use the following literal strings to identify the predefined registry keys: CLASSES_ROOT, CURRENT_USER, MACHINE, and USERS.

5 SE_LMSHARE A network share. A share object can be local, such as sharename; or remote, such as \\Machinename\Sharename.
6 SE_KERNEL_OBJECT
A local kernel object. The GetSecurityInfo and SetSecurityInfo functions support all types of kernel objects. The GetNamedSecurityInfo and SetNamedSecurityInfo functions work only with the following kernel objects: semaphore, event, mutex, waitable timer, and file mapping.
7 SE_WINDOW_OBJECT A window station or desktop object on the local machine. You cannot use GetNamedSecurityInfo and SetNamedSecurityInfo with these objects because the names of window stations or desktops are not unique.
8 SE_DS_OBJECT
Microsoft® Windows® 2000: A directory service (DS) object, or a property set or property of a directory service object.

The name string for a DS object can be a UNC name such as \\tailspintoys.com\ou1\ou2\someobject.

The name string can also be in X.500 form, such as "CN=someobject,OU=ou2,OU=ou1,DC=domain,DC=microsoft,DC=com,O=internet".

9 SE_DS_OBJECT_ALL Windows 2000: A directory service object and all of its property sets and properties.
10 SE_PROVIDER_DEFINED_OBJECT Windows 2000: A provider-defined object.
11 SE_WMIGUID_OBJECT Windows 2000: A WMI object.

Parent:
executeData

objectTypeName Description:
String that identifies the type of object, property set, or property protected by the ACE. If this ACE is inherited, it identifies the type of object, property set, or property protected by the inherited ACE. The format varies depending on the value for trusteeForm.

Parent:
ace

permission Description:
Value containing standard, specific, and generic rights. These rights are used in ACEs and are the primary means of specifying the requested or granted access to an object. The permission value can be any combination of bits from the following tables. Each objectType node has different specific rights that may not be listed in the following tables.

Standard and generic permissions (ACCESS_MASK):

0x00010000L Delete access
0x00020000L Read access to the owner, group, and discretionary access control list (DACL) of the security descriptor
0x00040000L Write access to the SACL
0x00080000L Write access to owner
0x00100000L Microsoft® Windows NT® or Windows 2000: Synchronize access
0x01000000L Access system security (ACCESS_SYSTEM_SECURITY). This flag is not a typical access type. It is used to indicate access to a system ACL. This type of access requires the calling process to have the SE_SECURITY_NAME (Manage auditing and security log) privilege. If this flag is set in the access mask of an audit access ACE (successful or unsuccessful access), the SACL access will be audited.
0x02000000L Maximum allowed
0x10000000L Generic all
0x20000000L Generic execute
0x40000000L Generic write
0x80000000L Generic read

Active Directory permissions (ADS_RIGHTS_ENUM):

0x1 The right to create children of the object. The ObjectType member of an ACE can contain a globally unique identifier (GUID) that identifies the type of child object whose creation is being controlled. If ObjectType does not contain a GUID, the ACE controls the creation of all child object types.
0x2 The right to delete children of the object. The ObjectType member of an ACE can contain a GUID that identifies a type of child object whose deletion is being controlled. If ObjectType does not contain a GUID, the ACE controls the deletion of all child object types.
0x4 The right to list children of this object.
0x8 The right to modify the group membership of a group object.
0x10 The right to read properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to read all of the object's properties.
0x20 The right to write properties of the object. The ObjectType member of an ACE can contain a GUID that identifies a property set or property. If ObjectType does not contain a GUID, the ACE controls the right to write all of the object's properties.
0x40 The right to delete all children of this object, regardless of the permission on the children.
0x80 The right to list an object. If the user is not granted such a right, the object is hidden from the user.
0x100 The right to perform an operation controlled by an extended access right. The ObjectType member of an ACE can contain a GUID that identifies the extended right. If ObjectType does not contain a GUID, the ACE controls the right to perform all extended right operations associated with the object.
0x10000 The right to delete the object.
0x20000 The right to read information from the security descriptor of the object, not including the information in the SACL.
0x40000 The right to modify the SACL in the object's security descriptor.
0x80000 The right to assume ownership of the object. The user must be a trustee of the object. The user cannot transfer the ownership to other users.
0x100000 The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
0x1000000 The right to get or set the SACL in the object's security descriptor.
0x80000000 The right to read from the security descriptor, examine the object as well as its children, and read all properties.
0x40000000 The right to write all the properties and write to the SACL. The user can add and remove the object to and from the directory.
0x20000000 The right to list children of this object.
0x10000000 The right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.

Registry permissions:

0x0001 Permission to query subkey data.
0x0002 Permission to set subkey data.
0x0004 Permission to create subkeys.
0x0008 Permission to enumerate subkeys.
0x0010 Permission for change notification.
0x0020 Permission to create a symbolic link.

File system permissions:

0x0001 Right to read data from the file. For a directory, the right to list the contents of the directory.
0x0002 Right to write data to the file. For a directory, the right to create a file in the directory.
0x0004 Right to append data to the file. For a directory, the right to create a subdirectory.
0x0008 Right to read extended attributes.
0x0010 Right to write extended attributes.
0x0020 Right to execute a program.
0x0040 For a directory, the right to delete a subdirectory.
0x0080 Right to read file attributes.
0x0100 Right to write file attributes.

Parent:
ace

sacl Description:
SACL for the specified object. The returned list contains both inherited and non-inherited ACEs. Returned values are decimals rather than enumeration strings.

Parent:
executeData

Child:
ace (minOccurs="0" maxOccurs="*")

trustee Description:
Identifies the user, group, or program (such as a Win32 service) to which the ACE applies. The format varies depending on the value for the trusteeForm node.

Parent:
ace

trusteeForm Description:
Indicates the type of value in the trustee node. Specifies a value from the following TRUSTEE_FORM enumeration.
0 trustee is the security identifier (SID) of the trustee.
1 trustee is the name of the trustee.
3 trustee is the SID of the trustee. Returns objectTypeName and/or inheritedObjectTypeName.
4 trustee is the name of the trustee. Returns objectTypeName and/or inheritedObjectTypeName.

Parent:
ace

trusteeType Description:
Indicates whether the trustee is a user account, a group account, or the account type is unknown. Specifies a value from the following TRUSTEE_TYPE enumeration type.
0 Trustee type is unknown, but not necessarily invalid.
1 Indicates a user.
2 Indicates a group.
3 Indicates an Active Directory domain.
4 Indicates an alias.
5 Indicates a well-known group.
6 Indicates a deleted account.
7 Indicates an invalid trustee type.
8 Indicates a computer.

Parent:
ace
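The procedure returns every value as a decimal, so a caller has to map the numbers back to the tables above before the SACL is readable. The following Python is an added example and is not part of the MPF documentation or Microsoft's code: it builds the <executeData> request, parses a constructed Get SACL response, ORs the repeatable permission and inheritance elements together, and decodes mode, inheritance, trusteeType and permission using the bit values listed on this page. It goes beyond the SE_DS_OBJECT case by selecting the object-specific rights table (Active Directory, registry, or file system) from objectType. The symbolic names for the bits (WRITE_PROP, QUERY_VALUE, and so on) are the example's own labels; the response XML, the trustee names and the LDAP path are constructed sample data, and the audit-gap check at the end applies the example's own choice of "sensitive" rights (write DACL, write owner, generic all).

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# AceFlags table: inheritance portion (low-order byte) of ACE_HEADER.AceFlags.
INHERITANCE_FLAGS = {
    0x1: "OBJECT_INHERIT", 0x2: "CONTAINER_INHERIT",
    0x4: "NO_PROPAGATE_INHERIT", 0x8: "INHERIT_ONLY", 0x10: "INHERITED",
}
# ACCESS_MODE values the procedure returns for SACL entries.
AUDIT_MODE = {5: "SET_AUDIT_SUCCESS", 6: "SET_AUDIT_FAILURE"}
# TRUSTEE_TYPE enumeration.
TRUSTEE_TYPE = {0: "unknown", 1: "user", 2: "group", 3: "domain", 4: "alias",
                5: "well-known group", 6: "deleted", 7: "invalid", 8: "computer"}
# Standard and generic rights (ACCESS_MASK), shared by every object type.
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Object-specific rights (low-order 16 bits), keyed by objectType name.
# Names are this example's own labels for the numeric bits on the page.
SPECIFIC_RIGHTS = {
    "SE_DS_OBJECT": {0x1: "CREATE_CHILD", 0x2: "DELETE_CHILD", 0x4: "LIST_CHILDREN",
                     0x8: "SELF_WRITE", 0x10: "READ_PROP", 0x20: "WRITE_PROP",
                     0x40: "DELETE_TREE", 0x80: "LIST_OBJECT", 0x100: "CONTROL_ACCESS"},
    "SE_REGISTRY_KEY": {0x1: "QUERY_VALUE", 0x2: "SET_VALUE", 0x4: "CREATE_SUB_KEY",
                        0x8: "ENUMERATE_SUB_KEYS", 0x10: "NOTIFY", 0x20: "CREATE_LINK"},
    "SE_FILE_OBJECT": {0x1: "READ_DATA/LIST_DIRECTORY", 0x2: "WRITE_DATA/ADD_FILE",
                       0x4: "APPEND_DATA/ADD_SUBDIRECTORY", 0x8: "READ_EA", 0x10: "WRITE_EA",
                       0x20: "EXECUTE", 0x40: "DELETE_CHILD", 0x80: "READ_ATTRIBUTES",
                       0x100: "WRITE_ATTRIBUTES"},
}
# Rights this example treats as sensitive for the audit-coverage check below.
SENSITIVE_RIGHTS = 0x00040000 | 0x00080000 | 0x10000000  # WRITE_DAC | WRITE_OWNER | GENERIC_ALL

# Constructed sample response (not captured from a real MPF deployment).
SAMPLE_RESPONSE = """<executeData>
  <sacl>
    <ace>
      <permission>269221920</permission>
      <mode>5</mode><trusteeForm>1</trusteeForm>
      <trustee>Everyone</trustee><trusteeType>5</trusteeType>
      <inheritance>3</inheritance>
    </ace>
    <ace>
      <permission>268435456</permission>
      <mode>6</mode><trusteeForm>0</trusteeForm>
      <trustee>S-1-1-0</trustee><trusteeType>5</trusteeType>
      <inheritance>3</inheritance><inheritance>16</inheritance>
    </ace>
  </sacl>
</executeData>"""


def build_request(name, object_type="SE_DS_OBJECT"):
    """Return the <executeData> input document for the Get SACL procedure."""
    return ("<executeData><name>%s</name><objectType>%s</objectType></executeData>"
            % (escape(name), escape(object_type)))


def decode_flags(value, table):
    """Name every bit of `table` set in `value`; report unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("0x%X" % leftover)
    return names


def decode_permission(mask, object_type):
    """Split an ACCESS_MASK into object-specific rights and standard/generic rights."""
    specific = SPECIFIC_RIGHTS.get(object_type, {})
    return (decode_flags(mask & 0xFFFF, specific)
            + decode_flags(mask & 0xFFFF0000, STANDARD_RIGHTS))


def parse_sacl(xml_text, object_type="SE_DS_OBJECT"):
    """Turn the <sacl> of a Get SACL response into a list of readable audit entries."""
    root = ET.fromstring(xml_text)
    entries = []
    for ace in root.iter("ace"):
        mask = 0  # <permission> is 1..unbounded: combine all occurrences
        for p in ace.findall("permission"):
            mask |= int(p.text)
        inherit = 0  # <inheritance> is 0..unbounded: combine all occurrences
        for i in ace.findall("inheritance"):
            inherit |= int(i.text)
        mode = int(ace.findtext("mode"))
        entries.append({
            "trustee": ace.findtext("trustee"),
            "trustee_type": TRUSTEE_TYPE.get(int(ace.findtext("trusteeType", "0")), "?"),
            "audit": AUDIT_MODE.get(mode, "UNKNOWN_MODE_%d" % mode),
            "mask": mask,
            "rights": decode_permission(mask, object_type),
            "inheritance": decode_flags(inherit, INHERITANCE_FLAGS) or ["NO_INHERITANCE"],
            "inherited": bool(inherit & 0x10),  # ACE came from a parent object
        })
    return entries


def audit_gaps(entries, sensitive_mask=SENSITIVE_RIGHTS):
    """Return the audit modes whose ACEs do not cover every sensitive right."""
    covered = {"SET_AUDIT_SUCCESS": 0, "SET_AUDIT_FAILURE": 0}
    for e in entries:
        if e["audit"] in covered:
            covered[e["audit"]] |= e["mask"]
    return sorted(m for m, bits in covered.items() if bits & sensitive_mask != sensitive_mask)


if __name__ == "__main__":
    print(build_request("LDAP://OU=Sales,DC=example,DC=com"))
    entries = parse_sacl(SAMPLE_RESPONSE)
    for e in entries:
        print(e)
    print("audit gaps for sensitive rights:", audit_gaps(entries))
```

In the sample, the success-audit ACE covers write DACL, write owner and generic all, while the only failure-audit ACE is an inherited one for generic all, so the check reports a gap in failure auditing; on real output the same routine shows at a glance which object types and trustees have auditing configured and which do not.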

Remarks

This action requires special privileges usually possessed only by the owner or Active Directory domain administrator.

See Also

Active Directory Provider, Get DACL, Preferred DC Active Directory Provider


© 1999-2002 Microsoft Corporation. All rights reserved.