This editor is used to show, edit or create access control entries (ACEs) in Microsoft security descriptor attributes. It appears only from the attribute editor for Microsoft security descriptor (NTSecurityDescriptor) attributes: if you use the Edit or New buttons there, this editor is shown:
Please note that clicking OK here only updates the ACE line in the editor for Microsoft security descriptor (NTSecurityDescriptor) attributes. No data is written to the directory at this point; that happens only when you close the security descriptor editor with OK.
This determines whether a permission is granted or denied.
Please remember that in the world of Active Directory object permissions, a deny entry always wins over a colliding grant entry. If you want to change the entry's type, just click on the type label and choose Grant or Deny from the pulldown list.
If you are editing an entry from the System Access Control List (SACL), then you don't see the Grant/Deny choice here; instead there are settings for activating auditing for Success, Failure or Both:
These values are read-only: the access mask reflects the value determined by the permission flags chosen on the right side of the dialog. For convenience, the current permission flag value is shown both as a decimal and as a hexadecimal value.
These buttons configure the permissions exactly as they are set in the Microsoft standard dialog for setting object security:
In fact, these settings are just combinations of the internal permission flags:
One oddity is that the standard combination FULL doesn't contain the GENERIC_ALL permission flag. This is because the GENERIC_xxx flags are designed for file system security descriptors and are very seldom used in Active Directory object security settings.
The security principal object that holds the permission on the object in question.
Technically, the SID (Security Identifier) of the security principal is what the access control entry stores. Some of these are well-known SIDs representing generic users/groups like SYSTEM, ANONYMOUS or AUTHENTICATED USERS. Well-known SID entries are marked in brackets like this: [Authenticated Users].
The Trustee text box can be used to enter a distinguished name directly, or you can use the Browse button and choose an object from an object select browser.
The text box for the trustee's name also offers a quick search for objects when you enter names or parts of names. When the Check Names button is active, you just have to enter a string and LEX automatically searches for directory objects matching this string. If more than one object matches the search string, an additional dialog lets you choose the object from a list:
The search for these objects uses the same criteria as the simple search function of the Directory Search dialog. If you chose the object from the list, or if you entered the full distinguished name of an object directly, LEX recognizes that the string in the text box is a real DN; it is underlined to show that LEX has matched this information internally. If the Check Names button is inactive, you can always try to resolve the string you entered into an object's DN by pressing F5.
If you want to see the distinguished name in the text box in a shorter, more readable form, you can activate the Show friendly object names button. This is the same feature that is also used in the object list of the LEX main window.
When the distinguished names are displayed as short relative names, you can move your mouse over the object's name: a popup text line will show you the complete distinguished name:
Object permissions can be inherited by child objects and subtrees in an Active Directory environment. This setting determines how the access control entry in question propagates to child objects. There are different types of propagation:
Please note that propagation can be blocked somewhere in the subtree of an object. This inheritance block can also be set in this tab: just deactivate the Inherit permissions from parent objects option. If you do that, you can choose whether to keep all the inherited entries as explicit entries, or to remove all the inherited entries from the ACL.
These are all the permission flags that can be used to build up the access mask. Most of the flags in this list are AD-specific; the last few GENERIC_xxx flags are designed for file system security descriptors and are very seldom used in Active Directory object security settings.
Please note that for each permission flag, a two-character abbreviation is shown, which is exactly the abbreviation used in the corresponding DSACLS.EXE calls.
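As an added example (not LEX code) covering both the access-mask value and the permission flag list above: compose a mask from the ADS_RIGHTS_ENUM flags, decode a mask back into flag names, and emit the DSACLS two-letter abbreviations. The standard-dialog combination values used here (FULL = 0x000F01FF, READ = 0x00020094) are the .NET ActiveDirectoryRights enum values; the table of flag constants and abbreviations is embedded inline.

```python
# Added example, not LEX code: compose and decode an AD access mask the way the
# ACE editor's flag list and its decimal/hex display do. Flag values are the
# ADS_RIGHTS_ENUM constants; codes are DSACLS.EXE abbreviations (None = no code).
ADS_RIGHTS = [
    ("ADS_RIGHT_DS_CREATE_CHILD",        0x00000001, "CC"),
    ("ADS_RIGHT_DS_DELETE_CHILD",        0x00000002, "DC"),
    ("ADS_RIGHT_ACTRL_DS_LIST",          0x00000004, "LC"),
    ("ADS_RIGHT_DS_SELF",                0x00000008, "WS"),
    ("ADS_RIGHT_DS_READ_PROP",           0x00000010, "RP"),
    ("ADS_RIGHT_DS_WRITE_PROP",          0x00000020, "WP"),
    ("ADS_RIGHT_DS_DELETE_TREE",         0x00000040, "DT"),
    ("ADS_RIGHT_DS_LIST_OBJECT",         0x00000080, "LO"),
    ("ADS_RIGHT_DS_CONTROL_ACCESS",      0x00000100, "CA"),
    ("ADS_RIGHT_DELETE",                 0x00010000, "SD"),
    ("ADS_RIGHT_READ_CONTROL",           0x00020000, "RC"),
    ("ADS_RIGHT_WRITE_DAC",              0x00040000, "WD"),
    ("ADS_RIGHT_WRITE_OWNER",            0x00080000, "WO"),
    ("ADS_RIGHT_SYNCHRONIZE",            0x00100000, None),
    ("ADS_RIGHT_ACCESS_SYSTEM_SECURITY", 0x01000000, None),
    ("ADS_RIGHT_GENERIC_ALL",            0x10000000, "GA"),
    ("ADS_RIGHT_GENERIC_EXECUTE",        0x20000000, "GE"),
    ("ADS_RIGHT_GENERIC_WRITE",          0x40000000, "GW"),
    ("ADS_RIGHT_GENERIC_READ",           0x80000000, "GR"),
]
BY_NAME = {name: value for name, value, _ in ADS_RIGHTS}

# Standard-dialog combinations as the .NET ActiveDirectoryRights enum defines
# them. FULL is every DS right plus the standard rights, not the GENERIC_ALL bit.
FULL_CONTROL = 0x000F01FF
STD_READ = 0x00020094  # LC | RP | LO | RC

def mask_from_flags(*names):
    """Build an access mask from flag names, as ticking the check boxes does."""
    return sum(BY_NAME[name] for name in set(names))

def decode_mask(mask):
    """Flag names set in mask; any bit outside the table is reported as UNKNOWN."""
    names, rest = [], mask
    for name, value, _ in ADS_RIGHTS:
        if mask & value:
            names.append(name)
            rest &= ~value
    if rest:
        names.append("UNKNOWN(0x%08X)" % rest)
    return names

def dsacls_codes(mask):
    """Concatenated DSACLS abbreviations for mask, e.g. 'LCRPLORC' for STD_READ."""
    return "".join(code for _, value, code in ADS_RIGHTS if mask & value and code)
```

Decoding FULL_CONTROL yields the thirteen DS and standard rights and no GENERIC_ALL, which is the oddity described above; a mask with bits outside the table is flagged as UNKNOWN instead of being silently dropped.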