Updates the security descriptor for an Active Directory directory service object. The security descriptor consists of the discretionary access control list (DACL) that sets permissions and the system access control list (SACL) that sets auditing. Used by Microsoft Provisioning Framework (MPF).
Update ACL is a wrapper for the Win32 API functions GetNamedSecurityInfo, SetEntriesInAcl and SetNamedSecurityInfo.
Each ace element specifies access control or audit control information for a specified trustee. A trustee can be a user, group, or other security identifier (SID) value, such as a logon identifier or logon type (for instance, a Win32 service or batch job). You can use a name, LDAP path, or a SID to identify a trustee.
You can use Update ACL to modify the list of ACEs in a DACL or a SACL. A DACL controls access to an object, and a SACL controls the system's auditing of attempts to access an object. Note that Update ACL does not prevent you from mixing access control and audit control information in the same ACL; however, the resulting ACL will contain meaningless entries.
In the new DACL or SACL, Update ACL places new access-denied ACEs at the beginning of the list and new access-allowed ACEs before existing access-allowed ACEs.
To remove an ACE, use "<mode>REVOKE_ACCESS</mode>" and make sure the trustee, permission and inheritance elements match the ACE you want to remove. If a matching ACE is not found, no error occurs. When a new ACE with a generic permission is added to an ACL, the permission is converted to specific permissions, so removing it later requires knowing what those specific permissions are. This is explained in Microsoft Knowledge Base article Q254665. An attempt to revoke an ACE inherited from the parent is ignored.
The following table describes the XML schema elements and attributes. Unless otherwise indicated, the data type is string.
During rollback, Update ACL restores the original DACL or SACL.
Numbers passed in are assumed to be decimal. A number can be prefixed with "0x" or "&H" to be interpreted as hex.
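To make the placement and revocation rules above concrete, here is an added Python model (not MPF code and not the Win32 SetEntriesInAcl API) of how Update ACL orders new ACEs, matches a REVOKE_ACCESS request, ignores inherited ACEs, and parses the "0x"/"&H" numeric forms. The generic-to-specific right mapping, the right names and the trustee names are constructed for illustration and do not reproduce the real Active Directory mapping.

```python
from dataclasses import dataclass

# Constructed, illustrative mapping of a generic right to specific rights.
# The real Active Directory generic mapping is different (see KB Q254665).
GENERIC_MAP = {"GENERIC_READ": frozenset({"READ_CONTROL", "READ_PROP", "LIST_CHILDREN"})}

@dataclass(frozen=True)
class Ace:
    kind: str           # "allow", "deny" or "audit"
    trustee: str        # name, LDAP path or SID string
    rights: frozenset   # specific rights (generic rights already expanded)
    inheritance: str    # e.g. "NO_INHERITANCE" or "CONTAINER_INHERIT"
    inherited: bool = False  # True when the ACE came from the parent object

def expand(rights):
    """Convert generic rights to specific rights, as happens when an ACE is added."""
    out = set()
    for r in rights:
        out |= GENERIC_MAP.get(r, {r})
    return frozenset(out)

def apply_entries(acl, entries):
    """Model of the Update ACL merge rules (assumption, not the real API).
    New deny ACEs go to the front; new allow ACEs go before the first existing
    allow ACE; REVOKE_ACCESS removes only an exact (trustee, rights, inheritance)
    match, silently ignores misses, and never touches inherited ACEs.
    The input list is left untouched so a caller can keep it for rollback."""
    result = list(acl)
    for mode, trustee, rights, inh in entries:
        if mode == "REVOKE_ACCESS":
            wanted = frozenset(rights)  # not expanded: caller must name specific rights
            result = [a for a in result if a.inherited or
                      not (a.trustee == trustee and a.rights == wanted and a.inheritance == inh)]
        elif mode == "DENY_ACCESS":
            result.insert(0, Ace("deny", trustee, expand(rights), inh))
        elif mode == "GRANT_ACCESS":
            pos = next((i for i, a in enumerate(result) if a.kind == "allow"), len(result))
            result.insert(pos, Ace("allow", trustee, expand(rights), inh))
        else:
            raise ValueError(f"unsupported mode {mode}")
    return result

def parse_number(text):
    """Decimal by default; a '0x' or '&H' prefix selects hexadecimal."""
    t = text.strip()
    if t[:2].lower() in ("0x", "&h"):
        return int(t[2:], 16)
    return int(t)
```

Running a GRANT_ACCESS with GENERIC_READ and then a REVOKE_ACCESS naming GENERIC_READ leaves the ACE in place, which is the pitfall the text describes; revoking with the expanded specific rights removes it.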
Example XML Request
The following code fragment shows the format for sending data to this procedure. For more information on individual elements and attributes, see the Elements and Attributes table.
Example XML Response
Update ACL does not return data.
Active Directory Provider for: