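/// <summary>
/// Builds a new security descriptor from the supplied allow/deny ACEs, owner and group,
/// and stores it in <paramref name="sdProperty"/> on <paramref name="obj"/>.
/// </summary>
/// <remarks>
/// The descriptor is rebuilt from scratch: it carries only a DACL (no SACL is supplied), so
/// audit ACEs and any other ACE kind are rejected rather than silently dropped.
/// An empty <paramref name="aces"/> array produces a present-but-empty DACL, which grants no
/// access to anyone; that is not the same as an absent DACL. How the consumer of
/// <paramref name="sdProperty"/> interprets the stored descriptor is not visible here.
/// Nothing is written to <paramref name="obj"/> unless every ACE was accepted.
/// </remarks>
/// <param name="obj">Directory object that receives the security descriptor.</param>
/// <param name="aces">Access-allowed / access-denied ACEs (plain or object ACEs) to place in the DACL.</param>
/// <param name="sdProperty">Property definition the resulting descriptor is written to.</param>
/// <param name="owner">Owner SID passed to the descriptor as given (not validated here).</param>
/// <param name="group">Primary group SID passed to the descriptor as given (not validated here).</param>
/// <exception cref="System.ArgumentNullException"><paramref name="obj"/> or <paramref name="aces"/> is null.</exception>
/// <exception cref="System.ArgumentException"><paramref name="aces"/> contains a null entry.</exception>
/// <exception cref="AceTypeHasUnsupportedValueException">An ACE is neither an allow nor a deny ACE.</exception>
/// <exception cref="AceIsUnsupportedTypeException">An ACE is neither a <c>CommonAce</c> nor an <c>ObjectAce</c>.</exception>
public static void SetAclOnAlternateProperty(ADObject obj, GenericAce[] aces, PropertyDefinition sdProperty, SecurityIdentifier owner, SecurityIdentifier group)
{
    // Fail fast with a descriptive argument error instead of a NullReferenceException
    // raised part-way through building the descriptor.
    if (obj == null)
    {
        throw new System.ArgumentNullException("obj");
    }

    if (aces == null)
    {
        throw new System.ArgumentNullException("aces");
    }

    // NOTE(review): the ACL is created with isContainer=false; AddAccess is expected to reject
    // ACEs that carry inheritance or propagation flags in that mode. Confirm callers only pass
    // non-inheritable ACEs.
    DiscretionaryAcl discretionaryAcl = new DiscretionaryAcl(false, true, aces.Length);

    foreach (GenericAce genericAce in aces)
    {
        if (genericAce == null)
        {
            throw new System.ArgumentException("The ACE array must not contain null entries.", "aces");
        }

        // Only allow/deny ACEs are representable in the DACL; anything else
        // (audit, callback, custom) is refused outright.
        AccessControlType accessType;
        switch (genericAce.AceType)
        {
            case AceType.AccessAllowed:
            case AceType.AccessAllowedObject:
                accessType = AccessControlType.Allow;
                break;
            case AceType.AccessDenied:
            case AceType.AccessDeniedObject:
                accessType = AccessControlType.Deny;
                break;
            default:
                throw new AceTypeHasUnsupportedValueException(genericAce.AceType.ToString());
        }

        // A single 'as' per candidate type replaces the earlier 'is' followed by 'as'.
        CommonAce commonAce = genericAce as CommonAce;
        ObjectAce objectAce = genericAce as ObjectAce;

        // AddAccess may merge entries and keeps the ACL canonical, so the stored DACL
        // does not necessarily mirror the order of the input array.
        if (commonAce != null)
        {
            discretionaryAcl.AddAccess(accessType, commonAce.SecurityIdentifier, commonAce.AccessMask, commonAce.InheritanceFlags, commonAce.PropagationFlags);
        }
        else if (objectAce != null)
        {
            discretionaryAcl.AddAccess(accessType, objectAce.SecurityIdentifier, objectAce.AccessMask, objectAce.InheritanceFlags, objectAce.PropagationFlags, objectAce.ObjectAceFlags, objectAce.ObjectAceType, objectAce.InheritedObjectAceType);
        }
        else
        {
            throw new AceIsUnsupportedTypeException(genericAce.GetType().ToString());
        }
    }

    // DACL only: the system ACL argument is null.
    CommonSecurityDescriptor commonSecurityDescriptor = new CommonSecurityDescriptor(false, true, ControlFlags.DiscretionaryAclPresent, owner, group, null, discretionaryAcl);

    // Round-trip through the binary form to obtain the RawSecurityDescriptor that is stored.
    byte[] binaryForm = new byte[commonSecurityDescriptor.BinaryLength];
    commonSecurityDescriptor.GetBinaryForm(binaryForm, 0);
    RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(binaryForm, 0);

    obj.SetProperties(new PropertyDefinition[] { sdProperty }, new object[] { rawSecurityDescriptor });
}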