2.4.4.11 SYSTEM_AUDIT_OBJECT_ACE
The SYSTEM_AUDIT_OBJECT_ACE structure defines an ACE for a SACL. The ACE can audit access to an object or subobjects, such as property sets or properties. The ACE contains a set of user rights, a GUID that identifies the type of object or subobject, and a SID that identifies the trustee for whom the system will audit access. The ACE also contains a GUID and a set of flags that control inheritance of the ACE by child objects.

| Bits 0-31 |
|---|
| Header |
| Mask |
| Flags |
| ObjectType (16 bytes) |
| ... |
| ... |
| InheritedObjectType (16 bytes) |
| ... |
| ... |
| Sid (variable) |
| ... |
| ApplicationData (variable) |
| ... |

Header (4 bytes): An ACE_HEADER structure that specifies the size and type of ACE. It contains flags that control inheritance of the ACE by child objects.
Mask (4 bytes): An ACCESS_MASK structure that specifies the user rights that cause audit messages to be generated.

| Value | Meaning |
|---|---|
| ADS_RIGHT_DS_CONTROL_ACCESS 0x00000100 | The ObjectType GUID identifies an extended access right. |
| ADS_RIGHT_DS_CREATE_CHILD 0x00000001 | The ObjectType GUID identifies a type of child object. The ACE controls the trustee's right to create this type of child object. |
| ADS_RIGHT_DS_READ_PROP 0x00000010 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to read the property or property set. |
| ADS_RIGHT_DS_WRITE_PROP 0x00000020 | The ObjectType GUID identifies a property set or property of the object. The ACE controls the trustee's right to write the property or property set. |
| ADS_RIGHT_DS_SELF 0x00000008 | The ObjectType GUID identifies a validated write. |

Flags (4 bytes): A 32-bit unsigned integer that specifies a set of bit flags that indicate whether the ObjectType and InheritedObjectType fields contain valid data. This parameter can be one or more of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | Neither ObjectType nor InheritedObjectType is valid. |
| ACE_OBJECT_TYPE_PRESENT 0x00000001 | ObjectType is present. |
| ACE_INHERITED_OBJECT_TYPE_PRESENT 0x00000002 | InheritedObjectType is present. If this value is not specified, all types of child objects can inherit the ACE. |

ObjectType (16 bytes): A GUID that identifies a property set, a property, an extended right, or a type of child object. The purpose of this GUID depends on the user rights specified in the Mask field. This field is present only if the ACE_OBJECT_TYPE_PRESENT bit is set in the Flags field. Otherwise, the ObjectType field is ignored.
InheritedObjectType (16 bytes): A GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the inheritance flags in the ACE_HEADER, as well as by any protection against inheritance placed on the child objects. This field is present only if the ACE_INHERITED_OBJECT_TYPE_PRESENT bit is set in the Flags member. Otherwise, the InheritedObjectType field is ignored.
Sid (variable): The SID of a trustee. The length of the SID MUST be a multiple of 4.
ApplicationData (variable): Optional application data. The size of the application data is determined by the AceSize field of the ACE_HEADER.
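
Because ObjectType and InheritedObjectType occupy space only when their Flags bits are set, the offsets of Sid and ApplicationData vary from ACE to ACE and must be bounded by AceSize. The parser below is an added example, not part of the specification text. It assumes the ACE_HEADER layout (AceType, AceFlags, AceSize), the AceType value 0x07 and the SID layout defined in the ACE_HEADER and SID sections of the same specification, none of which appear on this page; the function name and the sample bytes are constructed for illustration.

```python
import struct
import uuid

SYSTEM_AUDIT_OBJECT_ACE_TYPE = 0x07      # AceType from ACE_HEADER (assumed, not on this page)
ACE_OBJECT_TYPE_PRESENT = 0x00000001
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
MASK_NAMES = {0x001: "ADS_RIGHT_DS_CREATE_CHILD", 0x008: "ADS_RIGHT_DS_SELF",
              0x010: "ADS_RIGHT_DS_READ_PROP", 0x020: "ADS_RIGHT_DS_WRITE_PROP",
              0x100: "ADS_RIGHT_DS_CONTROL_ACCESS"}

def parse_system_audit_object_ace(buf):
    """Parse one SYSTEM_AUDIT_OBJECT_ACE at the start of buf; ValueError if malformed."""
    if len(buf) < 12:
        raise ValueError("shorter than Header + Mask + Flags")
    ace_type, ace_flags, ace_size, mask, flags = struct.unpack_from("<BBHII", buf, 0)
    if ace_type != SYSTEM_AUDIT_OBJECT_ACE_TYPE:
        raise ValueError("not a SYSTEM_AUDIT_OBJECT_ACE")
    if ace_size < 12 or ace_size > len(buf):
        raise ValueError("AceSize outside the buffer")
    ace, off, guids = buf[:ace_size], 12, {}
    for bit, name in ((ACE_OBJECT_TYPE_PRESENT, "object_type"),
                      (ACE_INHERITED_OBJECT_TYPE_PRESENT, "inherited_object_type")):
        guids[name] = None
        if flags & bit:                  # a GUID takes up space only when its bit is set
            if off + 16 > ace_size:
                raise ValueError(name + " runs past AceSize")
            guids[name] = str(uuid.UUID(bytes_le=bytes(ace[off:off + 16])))
            off += 16
    if off + 8 > ace_size:
        raise ValueError("SID header runs past AceSize")
    revision, sub_count = ace[off], ace[off + 1]
    sid_len = 8 + 4 * sub_count          # fixed 8 bytes plus 4 per subauthority
    if off + sid_len > ace_size:
        raise ValueError("SID runs past AceSize")
    authority = int.from_bytes(ace[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, ace, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return {"ace_flags": ace_flags, "mask": mask,
            "rights": [n for b, n in sorted(MASK_NAMES.items()) if mask & b],
            "sid": sid, "application_data": bytes(ace[off + sid_len:]), **guids}

# Constructed sample: audit writes (Mask 0x20) to one made-up property GUID by S-1-1-0,
# followed by four bytes of made-up ApplicationData.
_body = (struct.pack("<II", 0x20, ACE_OBJECT_TYPE_PRESENT)
         + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
         + bytes.fromhex("010100000000000100000000") + b"\x01\x02\x03\x04")
SAMPLE_ACE = struct.pack("<BBH", SYSTEM_AUDIT_OBJECT_ACE_TYPE, 0x40, 4 + len(_body)) + _body

if __name__ == "__main__":
    print(parse_system_audit_object_ace(SAMPLE_ACE))
```

Whatever follows the SID up to AceSize is returned as ApplicationData, so a consumer that expects none can flag ACEs where that field is non-empty.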