Platform SDK: Active Directory, ADSI, and Directory Services

Limitations of ADSI

A security descriptor can contain two access control lists: a discretionary access-control list (DACL) and a system access-control list (SACL). We are not concerned with the SACL, which is used for auditing. The DACL on a directory object defines which Windows NT® accounts have permissions on that object. The DACL is a list of access-control entries (ACEs). Each ACE pairs a security identifier (SID), which names the account or group, with an access mask that specifies the access rights.

The security descriptor is the data you see displayed on the Permissions tab of an Exchange directory object. The access-control list (ACL) is stored in binary format in the NT-Security-Descriptor attribute of a directory object. ADSI is capable of setting the value of this attribute once it has been created. However, it cannot create the attribute. You must use either the Win32 API or the Exchange SDK AcctCrt COM component.

When creating an Exchange mailbox, you must associate the mailbox with a Windows NT account. The association is stored in the Assoc-NT-Account attribute of the mailbox as the account's SID, which is the binary representation of the Windows NT account. Again, ADSI is capable of setting the value of this attribute once it has been created, but it cannot create the attribute from a domain\username pair such as "NORTHAMERICA\jsmith".
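The two binary values the preceding paragraphs describe, the SID stored in Assoc-NT-Account and the self-relative security descriptor with its DACL stored in NT-Security-Descriptor, have fixed Win32 layouts. The following Python is an added illustration, not SDK code: it packs and parses those layouts so that a value written through ADSI can be checked before and after. The SIDs and access masks are constructed sample values; resolving a domain\username pair to a SID still requires the Win32 lookup the page refers to and is not done here.

```python
import struct
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01  # Win32 ACE_HEADER type codes
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000

def sid_to_bytes(sid):
    """Pack 'S-1-<auth>-<sub>...' into the binary SID layout: revision,
    sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, off):
    """Decode the binary SID at buf[off:]; return (sid_string, byte_length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count

def build_descriptor(aces):
    """Build a self-relative security descriptor carrying only a DACL.
    aces: list of (ace_type, access_mask, sid_string) using constructed sample values."""
    body = b""
    for ace_type, mask, sid in aces:
        sid_bytes = sid_to_bytes(sid)
        # ACE_HEADER (type, flags, size) + ACCESS_MASK + SID
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_bytes), mask) + sid_bytes
    # ACL header: AclRevision=2 (ACL_REVISION), Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, OffsetOwner,
    # OffsetGroup, OffsetSacl, OffsetDacl (the DACL follows the 20-byte header)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl

def parse_dacl(sd):
    """Walk the DACL of a self-relative descriptor; return [(type, mask, sid), ...]."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []  # no DACL present or NULL DACL: nothing to enumerate
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, result = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid, _ = sid_from_bytes(sd, pos + 8)
        result.append((ace_type, mask, sid))
        pos += ace_size  # advance by AceSize, not by the bytes we happened to parse
    return result
```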

To properly obtain the SID of a mailbox or the security descriptor for a mailbox or any other object, you have a few choices.

See the Creating an Exchange Mailbox example in this topic for a demonstration of how to use the IADsSecurity interfaces to create an Exchange mailbox.