Reading the defaultSecurityDescriptor for an Object Class

Using ADSI, you can read the defaultSecurityDescriptor attribute of an object class through the IADs interface. To do so, perform the following steps.

  1. Get an IADs interface pointer to the classSchema object for the object class.
  2. Use the IADs.Get method to get the default security descriptor of the object. The name of the property that contains the security descriptor is "defaultSecurityDescriptor". The property will be returned as a VARIANT containing a BSTR with the default security descriptor in SDDL string format.
  3. Use the ConvertStringSecurityDescriptorToSecurityDescriptor function to convert the SDDL string form to a security descriptor.
  4. Use the GetSecurityDescriptorDacl, GetSecurityDescriptorSacl, GetSecurityDescriptorOwner, and GetSecurityDescriptorControl Security APIs to read the parts of the security descriptor.

For a code example that demonstrates how to do this, see Example Code for Reading defaultSecurityDescriptor.
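
As an added illustration (not part of the original page and not the example code it refers to), the Python code below parses an SDDL string of the kind step 2 returns and exposes the owner, group, DACL and SACL that steps 3 and 4 read through the Security APIs. The sample string, the GUID in it and all function names are constructed for this example; only standard six-field ACEs with two-letter rights codes are handled.

```python
import re

# Subset of the SDDL ACE-type and trustee aliases, enough for the sample below.
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT_ALLOW",
             "OD": "OBJECT_DENY", "AU": "AUDIT", "OU": "OBJECT_AUDIT"}
TRUSTEES = {"DA": "Domain Admins", "SY": "Local System", "WD": "Everyone",
            "AU": "Authenticated Users", "PS": "Principal Self"}
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

# Constructed sample, not the real default descriptor of any schema class.
SAMPLE_SDDL = ("O:DAG:DAD:(A;;RPWPCCDCLCSWRCWDWO;;;DA)(A;;RPLCLORC;;;AU)"
               "(OA;;CR;00000000-0000-0000-0000-000000000001;;PS)"
               "S:(AU;SA;WPWDWO;;;WD)")


def parse_acl(text):
    """Split a D: or S: component into ACL flags and a list of ACE dicts."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", text):
        fields = body.split(";")
        if len(fields) != 6:  # conditional/resource ACEs are out of scope here
            raise ValueError(f"unsupported ACE: ({body})")
        ace = dict(zip(ACE_FIELDS, fields))
        ace["type"] = ACE_TYPES.get(ace["type"], ace["type"])
        ace["trustee"] = TRUSTEES.get(ace["trustee"], ace["trustee"])
        aces.append(ace)
    return {"flags": text.split("(", 1)[0], "aces": aces}


def parse_sddl(sddl):
    """Return the owner, group, DACL and SACL parts; absent parts are None."""
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    # In six-field ACE strings a colon only follows a component tag.
    parts = re.split(r"([OGDS]):", sddl.strip())
    for tag, value in zip(parts[1::2], parts[2::2]):
        if tag == "O":
            sd["owner"] = TRUSTEES.get(value, value)
        elif tag == "G":
            sd["group"] = TRUSTEES.get(value, value)
        else:
            sd["dacl" if tag == "D" else "sacl"] = parse_acl(value)
    return sd


def trustees_granted(sd, right):
    """Trustees that an allow ACE in the DACL grants a two-letter right."""
    dacl = sd["dacl"] or {"aces": []}
    return [a["trustee"] for a in dacl["aces"]
            if a["type"].endswith("ALLOW") and right in re.findall("..", a["rights"])]
```

Calling `trustees_granted(parse_sddl(SAMPLE_SDDL), "WD")` lists which trustees new objects of the class would allow to modify the DACL, which is the kind of default-permission review this attribute supports.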