IADsSecurityDescriptor interface

The IADsSecurityDescriptor interface provides access to properties on an ADSI security descriptor object.

Methods

The IADsSecurityDescriptor interface has these methods.

Method Description
IADsSecurityDescriptor::CopySecurityDescriptor The IADsSecurityDescriptor::CopySecurityDescriptor method copies an ADSI security descriptor object that holds security data about an object.

Remarks

Use this interface to examine and change the access controls to an Active Directory directory service object. You can also use it to create copies of a security descriptor. To get this interface, use the IADs.Get method to obtain the ntSecurityDescriptor attribute of the object. For more information about how to create a new security descriptor and set it on an object, see Creating a Security Descriptor for a New Directory Object and Null DACLs and Empty DACLs.

Often, it is not possible to modify all portions of the security descriptor. For example, if the current user has full control of an object, but is not an administrator and does not own the object, the user can modify the DACL, but cannot modify the owner. This will cause an error when the ntSecurityDescriptor is updated. To avoid this problem, the IADsObjectOptions interface can be used to specify the specific portions of the security descriptor that should be modified.

Examples

The following code example shows how to use the IADsObjectOptions interface to only modify specific portions of the security descriptor.

VB
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_OWNER = 1
Const ADS_SECURITY_INFO_GROUP = 2
Const ADS_SECURITY_INFO_DACL = 4

Dim obj As IADs
Dim sd As IADsSecurityDescriptor
Dim oOptions As IADsObjectOptions

' Bind to the object.
Set obj = GetObject("LDAP://.....")

' Get the IADsSecurityDescriptor.
Set sd = obj.Get("ntSecurityDescriptor")

' Modify the DACL as required.

' Get the IADsObjectOptions for the object - not the IADsSecurityDescriptor.
Set oOptions = obj

' Set options so that only the DACL will be updated.
' The mask must be one of the ADS_SECURITY_INFO_* constants declared above.
oOptions.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL

' Update the security descriptor.
obj.Put "ntSecurityDescriptor", sd
obj.SetInfo

The following code example shows how to display data from a security descriptor.
VB
' Get the security descriptor.
Dim x As IADs
Dim sd As IADsSecurityDescriptor

On Error GoTo Cleanup

Set x = GetObject("LDAP://DC=Fabrikam,DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Debug.Print sd.Control
Debug.Print sd.Group
Debug.Print sd.Owner
Debug.Print sd.Revision

Cleanup:
    If (Err.Number <> 0) Then
        MsgBox ("An error has occurred. " & Err.Number)
    End If
    Set x = Nothing
    Set sd = Nothing

The following code example shows how to display data from a security descriptor of a directory object.
C++
HRESULT DisplaySD(IADs *pObj)
{
    IADsSecurityDescriptor *pSD = NULL;
    BSTR bstr = NULL;
    long lVal = 0;    
    HRESULT hr = S_OK;
    VARIANT var;
    
    VariantInit(&var);
    if(pObj==NULL)
    {
        return E_FAIL;
    }

    hr = pObj->Get(CComBSTR("ntSecurityDescriptor"), &var);
    if(FAILED(hr)){goto Cleanup;}

    hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor,(void**)&pSD);
    if(FAILED(hr)){goto Cleanup;}

    hr = pSD->get_Control(&lVal);
    printf("SD Control = %d\n",lVal);

    hr = pSD->get_Owner(&bstr);
    printf("SD Owner = %S\n",bstr);
    SysFreeString(bstr);

    hr = pSD->get_Group(&bstr);
    printf("SD Group = %S\n",bstr);
    SysFreeString(bstr);

    hr = pSD->get_Revision(&lVal);
    printf("SD Revision= %d\n",lVal);

Cleanup:
    VariantClear(&var);
    if(pSD)
        pSD->Release();
    return hr;
}
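
The Remarks distinguish between who can modify the DACL and who can modify the owner. The following added example (not part of the original page and not Microsoft's code) audits that from the defender's side by walking the DACL through IADsAccessControlList and IADsAccessControlEntry and listing the trustees that are allowed to rewrite the DACL or take ownership. The procedure name AuditSdWriters and the ADsPath passed to it are assumptions made for illustration.

```vb
' Added example: report allow ACEs that grant WRITE_DAC or WRITE_OWNER.
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000

' AuditSdWriters is a hypothetical helper name, not an ADSI function.
Sub AuditSdWriters(ByVal adsPath As String)
    Dim obj As IADs
    Dim sd As IADsSecurityDescriptor
    Dim dacl As IADsAccessControlList
    Dim ace As IADsAccessControlEntry
    Dim hits As Long

    On Error GoTo Cleanup

    Set obj = GetObject(adsPath)
    Set sd = obj.Get("ntSecurityDescriptor")
    Debug.Print "Owner: " & sd.Owner

    Set dacl = sd.DiscretionaryAcl
    If dacl Is Nothing Then
        ' Defensive check: nothing to enumerate, so flag for manual review.
        Debug.Print "No DACL object was returned; review this object by hand."
        GoTo Cleanup
    End If

    For Each ace In dacl
        ' Only allow-type ACEs grant rights; deny ACEs are skipped.
        If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
           ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
            If (ace.AccessMask And ADS_RIGHT_WRITE_DAC) <> 0 Then
                Debug.Print "WRITE_DAC   -> " & ace.Trustee
                hits = hits + 1
            End If
            If (ace.AccessMask And ADS_RIGHT_WRITE_OWNER) <> 0 Then
                Debug.Print "WRITE_OWNER -> " & ace.Trustee
                hits = hits + 1
            End If
        End If
    Next ace
    Debug.Print hits & " grant(s) of WRITE_DAC/WRITE_OWNER found."

Cleanup:
    If Err.Number <> 0 Then Debug.Print "Error " & Err.Number
    Set ace = Nothing
    Set dacl = Nothing
    Set sd = Nothing
    Set obj = Nothing
End Sub
```

Call it with the ADsPath of the object to review, for example the LDAP://DC=Fabrikam,DC=com path used in the example above.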

Requirements

   
Windows version Windows Vista Windows Server 2008
Target Platform Windows
Header iads.h

See Also

Creating a Security Descriptor for a New Directory Object

IADsAccessControlEntry

IADsAccessControlList

IDispatch

Null DACLs and Empty DACLs