2.4.4.11 SYSTEM_AUDIT_OBJECT_ACE

The SYSTEM_AUDIT_OBJECT_ACE structure defines an ACE for a SACL. The ACE can audit access to an object or subobjects, such as property sets or properties. The ACE contains a set of user rights, a GUID that identifies the type of object or subobject, and a SID that identifies the trustee for whom the system will audit access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Header

Mask

Flags

ObjectType (16 bytes)

...

...

InheritedObjectType (16 bytes)

...

...

Sid (variable)

...

ApplicationData (variable)

...

Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child objects.

Mask (4 bytes): An ACCESS_MASK structure that specifies the user rights that cause audit messages to be generated.

Value

Meaning

ADS_RIGHT_DS_CONTROL_ACCESS

0X00000100

The ObjectType GUID identifies an extended access right.

ADS_RIGHT_DS_CREATE_CHILD

0X00000001

The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object.

ADS_RIGHT_DS_READ_PROP

0x00000010

The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set.

ADS_RIGHT_DS_WRITE_PROP

0x00000020

The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set.

ADS_RIGHT_DS_SELF

0x00000008

The ObjectType GUID identifies a validated write.

Flags (4 bytes): A 32-bit unsigned integer that specifies a set of bit flags that indicate whether the ObjectType and InheritedObjectType fields contain valid data. This parameter can be one or more of the following values.

Value

Meaning

0x00000000

Neither ObjectType nor InheritedObjectType is valid.

ACE_OBJECT_TYPE_PRESENT

0x00000001

ObjectType is present.

ACE_INHERITED_OBJECT_TYPE_PRESENT

0x00000002

InheritedObjectType is present. If this value is not specified, all types of child objects can inherit the ACE.

ObjectType (16 bytes): A GUID that identifies a property set, a property, an extended right, or a type of child object. The purpose of this GUID depends on the user rights specified in the Mask field. This field is present only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags field. Otherwise, the ObjectType field is ignored.

InheritedObjectType (16 bytes): A GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. This field is present only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, the InheritedObjectType field is ignored.

Sid (variable): The SID of a trustee. The length of the SID MUST be a multiple of 4.

ApplicationData (variable): Optional application data. The size of the application data is determined by the AceSize field of the ACE_HEADER.