
IADsSecurityDescriptor interface

The IADsSecurityDescriptor interface provides access to properties on an ADSI security descriptor object.

Members

The IADsSecurityDescriptor interface inherits from the IDispatch interface. IADsSecurityDescriptor also has these types of members:

Methods

The IADsSecurityDescriptor interface has these methods.

Method                    Description
CopySecurityDescriptor    Copies the security descriptor.

Properties

The IADsSecurityDescriptor interface has these properties.

Property          Access type  Description
Control           Read/write   Gets and sets the Security_Descriptor_Control flag.
DaclDefaulted     Read/write   Gets and sets the flag that indicates if the DACL is derived from a default mechanism.
DiscretionaryAcl  Read/write   Gets and sets the discretionary ACL associated with the security descriptor.
Group             Read/write   Gets and sets the group that owns the object associated with the security descriptor.
GroupDefaulted    Read/write   Gets and sets the flag that indicates if the group data is derived by a default mechanism.
Owner             Read/write   Gets and sets the owner of the object associated with the security descriptor.
OwnerDefaulted    Read/write   Gets and sets the flag that indicates if the owner data is derived by a default mechanism.
Revision          Read/write   Gets and sets the revision number assigned to the security descriptor.
SaclDefaulted     Read/write   Gets and sets the flag that indicates if the SACL is derived from a default mechanism.
SystemAcl         Read/write   Gets and sets the system ACL associated with the security descriptor.

Remarks

Use this interface to examine and change the access controls to an Active Directory directory service object. You can also use it to create copies of a security descriptor. To get this interface, use the IADs.Get method to obtain the ntSecurityDescriptor attribute of the object. For more information about how to create a new security descriptor and set it on an object, see Creating a Security Descriptor for a New Directory Object and Null DACLs and Empty DACLs.

Often, it is not possible to modify all portions of the security descriptor. For example, if the current user has full control of an object, but is not an administrator and does not own the object, the user can modify the DACL, but cannot modify the owner. This will cause an error when the ntSecurityDescriptor is updated. To avoid this problem, the IADsObjectOptions interface can be used to specify the specific portions of the security descriptor that should be modified.

Examples

The following code example shows how to use the IADsObjectOptions interface to only modify specific portions of the security descriptor.


Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_OWNER = 1
Const ADS_SECURITY_INFO_GROUP = 2
Const ADS_SECURITY_INFO_DACL = 4

Dim obj as IADs
Dim sd as IADsSecurityDescriptor
Dim oOptions as IADsObjectOptions

' Bind to the object.
Set obj = GetObject("LDAP://.....")

' Get the IADsSecurityDescriptor.
Set sd = obj.Get("ntSecurityDescriptor")

' Modify the DACL as required.

' Get the IADsObjectOptions for the object - not the IADsSecurityDescriptor.
Set oOptions = obj

' Set options so that only the DACL will be updated.
oOptions.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL

' Update the security descriptor.
obj.Put "ntSecurityDescriptor", sd
obj.SetInfo

The following code example shows how to display data from a security descriptor.


' Get the security descriptor.
Dim x As IADs
Dim sd As IADsSecurityDescriptor

On Error GoTo Cleanup
 
Set x = GetObject("LDAP://DC=Fabrikam,DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Debug.Print sd.Control
Debug.Print sd.Group
Debug.Print sd.Owner
Debug.Print sd.Revision
 
Cleanup:
    If (Err.Number<>0) Then
        MsgBox("An error has occurred. " & Err.Number)
    End If
    Set x = Nothing
    Set sd = Nothing
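
As an added example (not one of Microsoft's samples), the following Visual Basic routine examines the DACL of an object: it reports the owner, distinguishes a null DACL from an empty one, and lists the allow ACEs that let a trustee rewrite the DACL or take ownership. The routine name ReviewDacl and its adsPath parameter are hypothetical; the constant values are those of the ADSI enumerations named in the comments.

```vb
' Added example. Values from ADS_RIGHTS_ENUM, ADS_ACETYPE_ENUM,
' ADS_ACEFLAG_ENUM and ADS_SD_CONTROL_ENUM.
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_SD_CONTROL_SE_DACL_PROTECTED = &H1000

' adsPath is a hypothetical parameter, e.g. "LDAP://DC=Fabrikam,DC=com".
Sub ReviewDacl(ByVal adsPath As String)
    Dim obj As IADs
    Dim sd As IADsSecurityDescriptor
    Dim dacl As IADsAccessControlList
    Dim ace As IADsAccessControlEntry
    Dim sensitive As Long
    Dim origin As String

    ' Rights that allow a trustee to change the DACL or the owner.
    sensitive = ADS_RIGHT_WRITE_DAC Or ADS_RIGHT_WRITE_OWNER

    Set obj = GetObject(adsPath)
    Set sd = obj.Get("ntSecurityDescriptor")
    Debug.Print "Owner: " & sd.Owner

    If (sd.Control And ADS_SD_CONTROL_SE_DACL_PROTECTED) <> 0 Then
        Debug.Print "DACL is protected: parent ACEs are not inherited."
    End If

    Set dacl = sd.DiscretionaryAcl
    If dacl Is Nothing Then
        Debug.Print "Null DACL: access is not restricted at all."
        Exit Sub
    End If
    If dacl.AceCount = 0 Then
        Debug.Print "Empty DACL: no trustee is granted access."
        Exit Sub
    End If

    For Each ace In dacl
        If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
            ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) And _
           (ace.AccessMask And sensitive) <> 0 Then
            origin = IIf((ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0, _
                         "inherited", "explicit")
            Debug.Print ace.Trustee & "  mask=&H" & Hex(ace.AccessMask) & "  " & origin
        End If
    Next ace
End Sub
```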


The following code example shows how to display data from a security descriptor of a directory object.


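HRESULT DisplaySD(IADs *pObj)
{
    IADsSecurityDescriptor *pSD = NULL;
    BSTR bstr = NULL;
    long lVal = 0;
    HRESULT hr = S_OK;
    VARIANT var;

    VariantInit(&var);

    if(pObj==NULL)
    {
        return E_FAIL;
    }

    // Read the ntSecurityDescriptor attribute; it is returned as an IDispatch pointer.
    hr = pObj->Get(CComBSTR("ntSecurityDescriptor"), &var);
    if(FAILED(hr)){goto Cleanup;}

    // Do not dereference the VARIANT unless it really holds a dispatch pointer.
    if(V_VT(&var) != VT_DISPATCH || V_DISPATCH(&var) == NULL)
    {
        hr = E_FAIL;
        goto Cleanup;
    }

    hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor,(void**)&pSD);
    if(FAILED(hr)){goto Cleanup;}

    // Check every getter before printing its output value.
    hr = pSD->get_Control(&lVal);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Control = %ld\n",lVal);

    hr = pSD->get_Owner(&bstr);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Owner   = %S\n",bstr ? bstr : L"");
    SysFreeString(bstr);
    bstr = NULL;    // Avoid a double free if a later call fails.

    hr = pSD->get_Group(&bstr);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Group   = %S\n",bstr ? bstr : L"");
    SysFreeString(bstr);
    bstr = NULL;

    hr = pSD->get_Revision(&lVal);
    if(FAILED(hr)){goto Cleanup;}
    printf("SD Revision= %ld\n",lVal);

Cleanup:
    SysFreeString(bstr);    // SysFreeString accepts NULL.
    VariantClear(&var);
    if(pSD) pSD->Release();
    return hr;
}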


Requirements

Minimum supported client  Windows Vista [desktop apps only]
Minimum supported server  Windows Server 2003 [desktop apps only]
Header                    Iads.h
DLL                       Activeds.dll
IID                       IID_IADsSecurityDescriptor is defined as B8C787CA-9BDD-11D0-852C-00C04FD8D503

See also

Creating a Security Descriptor for a New Directory Object
Null DACLs and Empty DACLs
IADsAccessControlEntry
IADsAccessControlList

 

 
