IADsSecurityDescriptor Interface

The IADsSecurityDescriptor interface provides access to properties on an ADSI security descriptor object.

Methods

The IADsSecurityDescriptor interface inherits the methods of the IDispatch interface.

In addition, IADsSecurityDescriptor defines the following methods.

Method                  Description
get_Revision            Gets the revision number assigned to the security descriptor.
put_Revision            Sets the revision number assigned to the security descriptor.
get_Control             Gets the Security_Descriptor_Control flag.
put_Control             Sets the Security_Descriptor_Control flag.
get_Owner               Gets the owner of the object associated with the security descriptor.
put_Owner               Sets the owner of the object associated with the security descriptor.
get_OwnerDefaulted      Gets the flag that indicates if the owner data is derived by a default mechanism.
put_OwnerDefaulted      Sets the flag that indicates if the owner data is derived by a default mechanism.
get_Group               Gets the group that owns the object associated with the security descriptor.
put_Group               Sets the group that owns the object associated with the security descriptor.
get_GroupDefaulted      Gets the flag that indicates if the group data is derived by a default mechanism.
put_GroupDefaulted      Sets the flag that indicates if the group data is derived by a default mechanism.
get_DiscretionaryAcl    Gets the discretionary ACL associated with the security descriptor.
put_DiscretionaryAcl    Sets the discretionary ACL associated with the security descriptor.
get_DaclDefaulted       Gets the flag that indicates if the DACL is derived from a default mechanism.
put_DaclDefaulted       Sets the flag that indicates if the DACL is derived from a default mechanism.
get_SystemAcl           Gets the system ACL associated with the security descriptor.
put_SystemAcl           Sets the system ACL associated with the security descriptor.
get_SaclDefaulted       Gets the flag that indicates if the SACL is derived from a default mechanism.
put_SaclDefaulted       Sets the flag that indicates if the SACL is derived from a default mechanism.
CopySecurityDescriptor  Copies the security descriptor.

Properties

The IADsSecurityDescriptor interface defines the following properties. The preceding table includes access methods for these properties.

Property          Access type  Description
Control           Read/write   Gets and sets the Security_Descriptor_Control flag.
DaclDefaulted     Read/write   Gets and sets the flag that indicates if the DACL is derived from a default mechanism.
DiscretionaryAcl  Read/write   Gets and sets the discretionary ACL associated with the security descriptor.
Group             Read/write   Gets and sets the group that owns the object associated with the security descriptor.
GroupDefaulted    Read/write   Gets and sets the flag that indicates if the group data is derived by a default mechanism.
Owner             Read/write   Gets and sets the owner of the object associated with the security descriptor.
OwnerDefaulted    Read/write   Gets and sets the flag that indicates if the owner data is derived by a default mechanism.
Revision          Read/write   Gets and sets the revision number assigned to the security descriptor.
SaclDefaulted     Read/write   Gets and sets the flag that indicates if the SACL is derived from a default mechanism.
SystemAcl         Read/write   Gets and sets the system ACL associated with the security descriptor.

Remarks

Use this interface to examine and change the access controls to an Active Directory directory service object. You can also use it to create copies of a security descriptor. To get this interface, use the IADs.Get method to obtain the ntSecurityDescriptor attribute of the object. For more information about how to create a new security descriptor and set it on an object, see Creating a Security Descriptor for a New Directory Object and Null DACLs and Empty DACLs.

Often, it is not possible to modify all portions of the security descriptor. For example, if the current user has full control of an object, but is not an administrator and does not own the object, the user can modify the DACL, but cannot modify the owner. This will cause an error when the ntSecurityDescriptor is updated. To avoid this problem, the IADsObjectOptions interface can be used to specify the specific portions of the security descriptor that should be modified.

Examples

The following code example shows how to use the IADsObjectOptions interface to only modify specific portions of the security descriptor.

Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_OWNER = 1
Const ADS_SECURITY_INFO_GROUP = 2
Const ADS_SECURITY_INFO_DACL = 4

Dim obj as IADs
Dim sd as IADsSecurityDescriptor
Dim oOptions as IADsObjectOptions

' Bind to the object.
Set obj = GetObject("LDAP://.....")

' Get the IADsSecurityDescriptor.
Set sd = obj.Get("ntSecurityDescriptor")

' Modify the DACL as required.

' Get the IADsObjectOptions for the object - not the IADsSecurityDescriptor.
Set oOptions = obj

' Set options so that only the DACL will be updated.
oOptions.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL

' Update the security descriptor.
obj.Put "ntSecurityDescriptor", sd
obj.SetInfo

The following Visual Basic code example shows how to display data from a security descriptor.

' Get the security descriptor.
Dim x As IADs
Dim sd As IADsSecurityDescriptor

On Error GoTo Cleanup
 
Set x = GetObject("LDAP://DC=Fabrikam,DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Debug.Print sd.Control
Debug.Print sd.Group
Debug.Print sd.Owner
Debug.Print sd.Revision
 
Cleanup:
    If (Err.Number<>0) Then
        MsgBox("An error has occurred. " & Err.Number)
    End If
    Set x = Nothing
    Set sd = Nothing

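The following C++ code example shows how to display data from a security descriptor of a directory object.

#include <stdio.h>
#include <atlbase.h>    // CComBSTR
#include <activeds.h>   // IADs, IADsSecurityDescriptor

HRESULT DisplaySD(IADs *pObj)
{
    IADsSecurityDescriptor *pSD = NULL;
    BSTR bstr = NULL;
    long lVal = 0;
    HRESULT hr = S_OK;
    VARIANT var;

    VariantInit(&var);

    if(pObj==NULL)
    {
        return E_FAIL;
    }

    // Read the ntSecurityDescriptor attribute; it is returned as an IDispatch.
    hr = pObj->Get(CComBSTR("ntSecurityDescriptor"), &var);
    if(FAILED(hr)){goto Cleanup;}

    hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor,(void**)&pSD);
    if(FAILED(hr)){goto Cleanup;}

    // Check each getter before printing so a failed call never prints or
    // frees a stale value. lVal is a long, so print it with %ld.
    hr = pSD->get_Control(&lVal);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Control = %ld\n",lVal);

    hr = pSD->get_Owner(&bstr);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Owner   = %S\n",bstr);
    SysFreeString(bstr);
    bstr = NULL;

    hr = pSD->get_Group(&bstr);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Group   = %S\n",bstr);
    SysFreeString(bstr);
    bstr = NULL;

    hr = pSD->get_Revision(&lVal);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Revision= %ld\n",lVal);

Cleanup:
    VariantClear(&var);
    if(pSD) pSD->Release();
    return hr;
}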
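
The examples above print Control as a raw integer. The following added example (not part of the original page) decodes such a value into the SECURITY_DESCRIPTOR_CONTROL flag names from winnt.h and notes states worth reviewing. DecodeControl, ReviewControl and the sample value are hypothetical, and the constants are repeated so the code builds without the Windows SDK.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// SECURITY_DESCRIPTOR_CONTROL bits with the values winnt.h gives them,
// repeated here so the example builds without the Windows SDK.
struct ControlBit { long mask; const char *name; };
static const ControlBit kControlBits[] = {
    {0x0001, "SE_OWNER_DEFAULTED"},       {0x0002, "SE_GROUP_DEFAULTED"},
    {0x0004, "SE_DACL_PRESENT"},          {0x0008, "SE_DACL_DEFAULTED"},
    {0x0010, "SE_SACL_PRESENT"},          {0x0020, "SE_SACL_DEFAULTED"},
    {0x0100, "SE_DACL_AUTO_INHERIT_REQ"}, {0x0200, "SE_SACL_AUTO_INHERIT_REQ"},
    {0x0400, "SE_DACL_AUTO_INHERITED"},   {0x0800, "SE_SACL_AUTO_INHERITED"},
    {0x1000, "SE_DACL_PROTECTED"},        {0x2000, "SE_SACL_PROTECTED"},
    {0x4000, "SE_RM_CONTROL_VALID"},      {0x8000, "SE_SELF_RELATIVE"},
};

// Hypothetical helper: names of the flags set in a value from get_Control.
std::vector<std::string> DecodeControl(long control) {
    std::vector<std::string> names;
    for (const ControlBit &b : kControlBits)
        if (control & b.mask) names.push_back(b.name);
    return names;
}

// Hypothetical helper: notes on states a reviewer should look at.
std::vector<std::string> ReviewControl(long control) {
    std::vector<std::string> notes;
    long named = 0;
    for (const ControlBit &b : kControlBits) named |= b.mask;
    if (!(control & 0x0004))
        notes.push_back("SE_DACL_PRESENT clear: null DACL, access is unrestricted");
    if (control & 0x1000)
        notes.push_back("SE_DACL_PROTECTED set: parent ACEs are not inherited");
    if (control & ~named)
        notes.push_back("bits set that are not in the table above");
    return notes;
}

int main() {
    long control = 0x9404;  // constructed sample value, not from a real object
    for (const std::string &n : DecodeControl(control)) printf("%s\n", n.c_str());
    for (const std::string &n : ReviewControl(control)) printf("! %s\n", n.c_str());
    return 0;
}
```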

Requirements

Minimum supported client    Windows 2000 Professional
Minimum supported server    Windows 2000 Server
Header                      Iads.h
DLL                         Activeds.dll
IID                         IID_IADsSecurityDescriptor is defined as B8C787CA-9BDD-11D0-852C-00C04FD8D503

See Also

Creating a Security Descriptor for a New Directory Object
Null DACLs and Empty DACLs
IADsAccessControlEntry
IADsAccessControlList

Build date: 11/12/2009