The SccmAceString simple type, in Configuration Manager:

<xs:simpleType name="SccmAceString">
	<xs:restriction
		base="string"
	>
				<xs:pattern
			value= "\((A|D|OA|OD);[^;]*;((GA|GR|GW|GX|RC|SD|WD|WO|RP|WP|CC|DC|LC|SW|LO|DT|CR|KA|KR|KW|KX|FR|FW|FX|FA)+|(0x[0-9A-Fa-f]{1,8}));[^;]*;[^;]*;[^;]*\)"
				/>
	</xs:restriction>
</xs:simpleType>

Child Elements

Element Description

Standard ACE SDDL String Format:

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid

Ace_type

This will only allow for ALLOW and DENY type access control entries (ACEs).

Ace_flags

Not used.

Any values specified here are ignored when doing the IsFullySpecified comparisons. So, IsFullySpecified is still not an exact match.

Rights

The values used here are the entire set of possible string ACE rights or a hexadecimal representation.

Registry

"KR" - key read

"KA" - full control

File/folder

"FR" - file read

"FW" - file write

"FR" - file read

"FX" - file execute

"FA" - all access

Object_guid

Not used.

Any values specified here are ignored when doing the IsFullySpecified comparisons. So, IsFullySpecified is still not an exact match.

Inherit_object_guid

Not used.

Any values specified here are ignored when doing the IsFullySpecified comparisons. So, IsFullySpecified is still not an exact match.

Account_sid

This will either be one of the well-known security identifier (SID) strings or a non-resolved name. Non-resolved names must be wrapped in curly braces {}. Resolution will take place on the target computer where the evaluation occurs.

See Also


Send comments about this topic to Microsoft.