This release (version 2.0) of ADSI cannot manipulate Windows NT version 4.0 Access Control Lists (ACLs), which contain security information about the permissions users have for objects. This release also cannot get the Windows NT security identifier (SID), the binary representation of a user's account name, and thus ADSI cannot set the bits necessary to create users' rights.
This means that developers cannot create a functional Mailbox object with ADSI alone, because a Mailbox object requires the Windows NT account SID in the Assoc-NT-Account attribute as well as the correct security rights on the Mailbox object in the NT-Security-Descriptor attribute. The capability to manipulate ACLs is expected in a future release of ADSI.