Platform SDK: Exchange Server

Manipulating ACLs

You can use either the IExchangeModifyTable interface or the ACL COM component and Collaboration Data Objects (CDO) to add, delete, and edit members of a folder's access control list (ACL).

The IExchangeModifyTable Interface

An ACL is a MAPI table, which means it can be accessed through the IExchangeModifyTable interface. To obtain IExchangeModifyTable, call the IMAPIProp::OpenProperty method on any property of type PT_OBJECT. This interface contains the following methods:

IExchangeModifyTable::GetLastError

IExchangeModifyTable::GetTable

IExchangeModifyTable::ModifyTable

The ACL COM Component

The ACL COM component, provided in the Platform SDK as a sample, can also be used to manage the access control list (ACL) for a folder. It provides a more object-oriented view of the ACL, with each individual access control entry (ACE) represented by an ACE object. To use the ACL component, you must use the Collaboration Data Objects (CDO) 1.21 COM component to access a particular folder. In many cases, such as in ASP applications, this is desirable since you would most likely be working with scripting languages which can only access objects exposing the IDispatch interface.

A folder ACL can be represented by a bound instance of the ACLObject COM class. You bind the specific folder by setting the IACLObject::CDOItem property to a CDO Folder object reference. Once you have bound the folder, the ACLObject object retrieves the ACL table for the folder and internally creates a collection of ACE objects. Each ACE object contains a particular access control entry. You can then modify the ACL by manipulating the ACEs collection. Each ACE object essentially holds an ID (entry ID) and a set of access-allowed rights.

The following example demonstrates using CDO 1.21 and the ACL component to access the ACL for a person's Inbox folder and enumerate its entries.

Set CDOSession = CreateObject("MAPI.Session")
CDOSession.Logon

Set MyInbox = CDOSession.Inbox
Set InboxAcl = CreateObject("MSExchange.ACLObject")
' Bind the ACLObject to the folder; this reads the folder's ACL table
Set InboxAcl.CDOItem = MyInbox
' Walk the collection of ACE objects built from the ACL table
For Each AceObject In InboxAcl.Aces
  WScript.Echo AceObject.Name  ' ...
Next
Set InboxAcl = Nothing
CDOSession.Logoff
Set CDOSession = Nothing
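The following script is an added example, not code from the Platform SDK sample. It builds on the enumeration above to audit a folder's ACL: every ACE is printed with its rights decoded, and the well-known Default and Anonymous entries are flagged when they hold anything beyond read and visible rights. It assumes each ACE object exposes a Rights property carrying the MAPI PR_MEMBER_RIGHTS bitmask (the page only shows Name); that property is an assumption.

```vbscript
' Added example (not from the SDK): audit the Inbox ACL for over-broad grants.
' Assumption: each ACE object exposes a Rights property holding the MAPI
' PR_MEMBER_RIGHTS bitmask; this page documents only the Name property.
Option Explicit

' MAPI PR_MEMBER_RIGHTS bits
Const frightsReadAny         = &H1
Const frightsCreate          = &H2
Const frightsEditOwned       = &H8
Const frightsDeleteOwned     = &H10
Const frightsEditAny         = &H20
Const frightsDeleteAny       = &H40
Const frightsCreateSubfolder = &H80
Const frightsOwner           = &H100
Const frightsContact         = &H200
Const frightsVisible         = &H400

' Rights considered acceptable for the Default and Anonymous entries
Const SAFE_MASK = &H401   ' frightsReadAny Or frightsVisible

' Turn a rights bitmask into a readable list of right names
Function DescribeRights(r)
  Dim s : s = ""
  If (r And frightsReadAny) <> 0 Then s = s & "ReadAny "
  If (r And frightsCreate) <> 0 Then s = s & "Create "
  If (r And frightsEditOwned) <> 0 Then s = s & "EditOwned "
  If (r And frightsDeleteOwned) <> 0 Then s = s & "DeleteOwned "
  If (r And frightsEditAny) <> 0 Then s = s & "EditAny "
  If (r And frightsDeleteAny) <> 0 Then s = s & "DeleteAny "
  If (r And frightsCreateSubfolder) <> 0 Then s = s & "CreateSubfolder "
  If (r And frightsOwner) <> 0 Then s = s & "Owner "
  If (r And frightsContact) <> 0 Then s = s & "Contact "
  If (r And frightsVisible) <> 0 Then s = s & "Visible "
  DescribeRights = Trim(s)
End Function

Dim CDOSession, MyInbox, InboxAcl, AceObject, excess
Set CDOSession = CreateObject("MAPI.Session")
CDOSession.Logon
Set MyInbox = CDOSession.Inbox
Set InboxAcl = CreateObject("MSExchange.ACLObject")
Set InboxAcl.CDOItem = MyInbox

For Each AceObject In InboxAcl.Aces
  WScript.Echo AceObject.Name & vbTab & DescribeRights(AceObject.Rights)
  If AceObject.Name = "Default" Or AceObject.Name = "Anonymous" Then
    excess = AceObject.Rights And (Not SAFE_MASK)   ' bits outside SAFE_MASK
    If excess <> 0 Then
      WScript.Echo "  WARNING: " & AceObject.Name & " also holds: " & DescribeRights(excess)
    End If
  End If
Next

Set InboxAcl = Nothing
CDOSession.Logoff
Set CDOSession = Nothing
```

Run it under cscript.exe against a mailbox; a warning line means the folder is readable or writable by a broader population than the listed named users, which is the condition an ACL review is looking for.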

For general information on ACLs, see About Access Control Lists.