Platform SDK: Active Directory, ADSI, and Directory Services

Creating a Security Descriptor Object

The following Visual Basic example shows how to create a security descriptor object for an ADSI object.

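' Assume you have the credentials to create objects.
' MyObject must already be bound to the target directory object
'    (for example, with GetObject) before the Put call below.
Dim MyObject As IADs
Dim MySecDes As IADsSecurityDescriptor
Dim SecDes As New SecurityDescriptor
Dim Dacl As New AccessControlList
Dim Ace As New AccessControlEntry

' Create an Access Control Entry (ACE) for Group objects at Microsoft
'    on an LDAP namespace.
Ace.AccessMask = 0    ' No access rights are named in the mask.
Ace.AceType = 1       ' ADS_ACETYPE_ACCESS_DENIED (0 is ADS_ACETYPE_ACCESS_ALLOWED).
Ace.AceFlags = 1      ' Inheritance control flags for this ACE.
Ace.Trustee = "cn=Groups,o=Microsoft"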
 
' Add the newly created ACE object as the only ACE
'    in a new access-control list (ACL).
Dacl.AceCount = 1
Dacl.AclRevision = 4  ' ACL_REVISION_DS
Dacl.AddAce Ace
 
' Use this ACL as the discretionary ACL (DACL) for
'    this Security Descriptor object and use
'    this DACL instead of the default. 
SecDes.Revision = 1
SecDes.OwnerDefaulted = True
SecDes.GroupDefaulted = True
SecDes.DaclDefaulted = False
SecDes.SaclDefaulted = True
SecDes.DiscretionaryAcl = Dacl
' Attach this security descriptor
'    to the ADSI object.
MyObject.Put "ntSecurityDescriptor", SecDes
' Commit the changes to the underlying directory service.
MyObject.SetInfo
' Read the properties back in to the property cache.
MyObject.GetInfo
' Retrieve the SecurityDescriptor object.
Set MySecDes = MyObject.Get("ntSecurityDescriptor")
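
The read-back at the end of the example is the natural place to check what the directory actually stored. The following function is an added example, not part of the original Platform SDK sample: it walks the DACL of a bound object, prints each ACE, and reports when the DACL contains no allow ACE, which is the state a DACL holding only a single access-denied ACE is in. The name CountAllowAces is hypothetical; the code assumes a project reference to the Active DS Type Library, as the sample above does.

```vb
' Added example: review the DACL stored on a directory object.
' CountAllowAces is a hypothetical helper name, not an ADSI API.
Public Function CountAllowAces(ByVal Obj As IADs) As Long
    Dim Sd As IADsSecurityDescriptor
    Dim Acl As IADsAccessControlList
    Dim Entry As IADsAccessControlEntry
    Dim Item As Variant
    Dim Kind As String
    Dim Allowed As Long

    ' Refresh the property cache so the descriptor reflects the directory.
    Obj.GetInfo
    Set Sd = Obj.Get("ntSecurityDescriptor")
    Debug.Print "Owner: " & Sd.Owner & "  Control: &H" & Hex$(Sd.Control)

    Set Acl = Sd.DiscretionaryAcl
    ' Guard in case no DACL object is returned.
    If Acl Is Nothing Then
        Debug.Print "No DACL object returned"
        CountAllowAces = -1
        Exit Function
    End If

    ' Classify each ACE by type and print trustee, mask and flags.
    For Each Item In Acl
        Set Entry = Item
        Select Case Entry.AceType
            Case ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                Kind = "ALLOW"
                Allowed = Allowed + 1
            Case ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT
                Kind = "DENY"
            Case Else
                Kind = "TYPE " & Entry.AceType
        End Select
        Debug.Print Kind & "  " & Entry.Trustee & _
            "  mask=&H" & Hex$(Entry.AccessMask) & _
            "  flags=&H" & Hex$(Entry.AceFlags)
    Next

    ' A DACL with no allow ACE grants no trustee access through the DACL.
    If Allowed = 0 Then
        Debug.Print "Warning: the DACL contains no allow ACE"
    End If
    CountAllowAces = Allowed
End Function
```

Call it as CountAllowAces(MyObject) after MyObject.SetInfo; a return value of 0 means the stored DACL has no allow ACE.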