The ADS_SECURITY_INFO_ENUM enumeration specifies the available options for examining security information of an object.
/* Bit-mask flags selecting which parts of an object's security information
   are examined. Combine with bit-wise OR; the value is passed through
   IADsObjectOptions::SetOption/GetOption with ADS_OPTION_SECURITY_MASK. */
typedef enum {
ADS_SECURITY_INFO_OWNER = 0x1,  /* owner of the object */
ADS_SECURITY_INFO_GROUP = 0x2,  /* group of the object */
ADS_SECURITY_INFO_DACL = 0x4,   /* discretionary access-control list */
ADS_SECURITY_INFO_SACL = 0x8    /* system access-control list; not part of the default mask */
} ADS_SECURITY_INFO_ENUM;
The options defined in this enumeration are bit-masks. More than one option can be set using appropriate bit-wise operations.
To read the security information for an object, use the methods of the IADsObjectOptions interface, supplying the security information options listed in this enumeration. For example, assuming obj is an object implementing the IADsObjectOptions interface, the following example allows the owner, group, and DACL of an object to be read.
' Owner, group and DACL: the flags are bit-masks, so they are combined with Or.
obj.SetOption ADS_OPTION_SECURITY_MASK, _
    ADS_SECURITY_INFO_OWNER Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL
This combination (owner, group, and DACL) is the default setting when an object is created. To allow users to read the system access-control list (SACL), you must explicitly set the SACL option by calling the IADsObjectOptions::SetOption method, as shown in the following:
' Reading the SACL requires the SACL flag in addition to the three default
' flags; it cannot be requested on its own.
obj.SetOption ADS_OPTION_SECURITY_MASK, _
    ADS_SECURITY_INFO_OWNER Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL Or ADS_SECURITY_INFO_SACL
You cannot use the following syntax, even if you are only interested in the SACL:
' Not supported: ADS_SECURITY_INFO_SACL cannot be set by itself; it must be
' combined with the OWNER, GROUP and DACL flags.
obj.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_SACL
Once the SACL option is set, you can proceed to read the SACL of the object.
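Dim sd As IADsSecurityDescriptor
Dim sacl As IADsAccessControlList
' Refresh the property cache, then fetch the single-valued security
' descriptor with Get (as the other examples on this page do). GetEx returns
' a Variant array, which cannot be assigned to an IADsSecurityDescriptor.
obj.GetInfo
Set sd = obj.Get("ntSecurityDescriptor")
Set sacl = sd.SystemAcl
Debug.Print sacl.AceCount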
To find out whether the SACL can be read, use the IADsObjectOptions::GetOption method to verify that the option has been set.
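' Both variables are declared explicitly as Variant ("Var" is not a VB type,
' and in a combined Dim only the last name receives the As clause).
Dim opt As Variant
Dim canReadSACL As Variant
' The SACL is readable only when the mask holds all four flags.
canReadSACL = ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL
opt = obj.GetOption(ADS_OPTION_SECURITY_MASK)
If opt = canReadSACL Then
    ' read SACL
End If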
Presently, such options are available for Active Directory only.
The following Visual Basic code snippet displays the number of access control entries in a system access-control list (SACL).
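' Displays the number of ACEs in the SACL of a directory object, widening the
' security mask first if the SACL is not yet included.
Dim x As IADs
Dim dso As IADsOpenDSObject
Dim adsPath As String
Dim sd As IADsSecurityDescriptor
Dim sacl As IADsAccessControlList
Dim objOps As IADsObjectOptions
Dim opt As Variant
Dim canReadSacl As Variant

' Bind with secure authentication (named constant instead of the literal 1).
' The user name and empty password are placeholders for the example; real
' code obtains credentials at run time rather than embedding them in source.
Set dso = GetObject("LDAP:")
adsPath = "LDAP://ArcSrv1/dc=Sales,dc=Microsoft,dc=com"
Set x = dso.OpenDSObject(adsPath, "Administrator", "", ADS_SECURE_AUTHENTICATION)
Set objOps = x

' The SACL is readable only when the mask holds all four flags; the SACL flag
' cannot be requested on its own.
canReadSacl = ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL

' Change the option only when the current mask differs from the full one.
opt = objOps.GetOption(ADS_OPTION_SECURITY_MASK)
If opt <> canReadSacl Then
    objOps.SetOption ADS_OPTION_SECURITY_MASK, canReadSacl
End If

Set sd = x.Get("ntSecurityDescriptor")
Set sacl = sd.SystemAcl
Debug.Print "sacl(aceCount)= " & sacl.AceCount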
The following C++ code snippet displays the number of access control entries in a system access-control list (SACL). For brevity, error checking is omitted.
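// Prints the number of ACEs in the SACL of a directory object.
//
// Demonstrates IADsObjectOptions::GetOption/SetOption with
// ADS_OPTION_SECURITY_MASK: the SACL can only be read once the mask has been
// widened to OWNER | GROUP | DACL | SACL (the default mask omits SACL).
// Every HRESULT is checked; on failure the remaining steps are skipped and
// all interfaces acquired so far are released, so no COM reference leaks.
void TestObjectOptions()
{
    // ADsOpenObject takes LPCWSTR; the path and credentials here are
    // placeholders for the example. Real code obtains credentials at run time
    // rather than embedding them in source.
    LPCWSTR adsPath = L"LDAP://arcSrv1/dc=Sales,dc=Microsoft,dc=com";
    LPCWSTR usrName = L"Administrator";
    LPCWSTR usrPass = L"";

    // ADS_SECURITY_INFO_* values are bit-masks; build the cumulative masks.
    const long canReadOwner = ADS_SECURITY_INFO_OWNER;
    const long canReadGroup = canReadOwner | ADS_SECURITY_INFO_GROUP;
    const long canReadDACL  = canReadGroup | ADS_SECURITY_INFO_DACL;
    const long canReadSACL  = canReadDACL  | ADS_SECURITY_INFO_SACL;

    // Initialized to NULL so the cleanup at the end can release only what
    // was actually acquired.
    IADs *pObj = NULL;
    IADsObjectOptions *pObjOps = NULL;
    IADsSecurityDescriptor *pSd = NULL;
    IDispatch *pDisp = NULL;
    IADsAccessControlList *pSacl = NULL;
    VARIANT var;
    VariantInit(&var);

    HRESULT hr = ADsOpenObject(adsPath,
                               usrName,
                               usrPass,
                               ADS_SECURE_AUTHENTICATION,
                               IID_IADs, (void**)&pObj);

    if (SUCCEEDED(hr))
        hr = pObj->QueryInterface(IID_IADsObjectOptions, (void**)&pObjOps);

    if (SUCCEEDED(hr))
        hr = pObjOps->GetOption(ADS_OPTION_SECURITY_MASK, &var);

    if (SUCCEEDED(hr)) {
        // Widen the mask only when it does not already equal the full mask.
        long opt = (V_VT(&var) == VT_I4) ? V_I4(&var) : 0;
        VariantClear(&var);
        if (opt != canReadSACL) {
            V_VT(&var) = VT_I4;
            V_I4(&var) = canReadSACL;
            hr = pObjOps->SetOption(ADS_OPTION_SECURITY_MASK, var);
            VariantClear(&var);   // leave var empty before it is reused below
        }
    }

    // On success var owns an IDispatch; VariantClear at the end releases it.
    if (SUCCEEDED(hr))
        hr = pObj->Get(L"ntSecurityDescriptor", &var);

    if (SUCCEEDED(hr)) {
        if (V_VT(&var) == VT_DISPATCH && V_DISPATCH(&var) != NULL)
            hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor,
                                                  (void**)&pSd);
        else
            hr = E_UNEXPECTED;   // attribute did not come back as an object
    }

    if (SUCCEEDED(hr))
        hr = pSd->get_SystemAcl(&pDisp);

    if (SUCCEEDED(hr))
        hr = pDisp->QueryInterface(IID_IADsAccessControlList, (void**)&pSacl);

    if (SUCCEEDED(hr)) {
        long aceCount = 0;
        hr = pSacl->get_AceCount(&aceCount);
        if (SUCCEEDED(hr))
            printf("Number of ACE's in the SACL is %ld\n", aceCount);   // %ld: aceCount is long
    }

    if (FAILED(hr))
        printf("TestObjectOptions failed, hr = 0x%08lx\n", (unsigned long)hr);

    // Release in reverse order of acquisition; NULL pointers are skipped.
    if (pSacl) pSacl->Release();
    if (pDisp) pDisp->Release();
    if (pSd) pSd->Release();
    VariantClear(&var);
    if (pObjOps) pObjOps->Release();
    if (pObj) pObj->Release();
}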
Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 with DSClient).
Windows 95/98: Requires Windows 95 or later (with DSClient).
Header: Declared in Iads.h.
ADSI Enumerations, IADsObjectOptions, IADsObjectOptions::GetOption, IADsObjectOptions::SetOption