Platform SDK: Active Directory, ADSI, and Directory Services

Choosing an Interface

When you bind to an object, you can specify the ADSI COM interface whose pointer will be returned. An ADSI object can have a number of interfaces, depending on the class of object. However, every ADSI COM object has an IADs interface.

For Automation clients, use the IADs* interfaces. These interfaces are dual-interfaced, provide a greater level of abstraction, and provide data using VARIANTs and VARIANT arrays.

For C/C++ clients, you can use the IDirectorySearch interface for search operations and the IDirectoryObject interface to manipulate objects. These interfaces are not dual-interfaced. However, they do allow you to control exactly which attributes to retrieve (rather than returning the whole set) and allow access to the raw data stored in a property.

For example, security descriptors are stored as an octet string in an ntSecurityDescriptor property. When you use the Get method on an IADs interface to retrieve the ntSecurityDescriptor property, you get an IDispatch pointer to an IADsSecurityDescriptor object that wraps the security descriptor. At that point, you can use the QueryInterface method to query for the IADsSecurityDescriptor interface and use its methods to manipulate the security descriptor. When you use the GetObjectAttributes method of an IDirectoryObject interface, you instead get a pointer to an array of bytes (LPBYTE). You can cast that pointer to PSECURITY_DESCRIPTOR and use the Win32 security APIs to manipulate the security descriptor.
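
To show what that raw octet string contains, the following added example (not part of the SDK documentation) parses a self-relative security descriptor in portable C++ and bounds-checks it before extracting the owner SID. The names owner_sid_from_raw_sd and sample_sd are hypothetical and the sample bytes are constructed; on Windows, the Win32 security APIs do this work after the cast.

```cpp
// Added example: portable parse of a self-relative security descriptor.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
constexpr uint16_t kSeSelfRelative = 0x8000;  // SE_SELF_RELATIVE control bit
constexpr size_t kHeaderSize = 20;            // Revision, Sbz1, Control, 4 offsets

// Read a little-endian 32-bit value; the caller has already checked bounds.
static uint32_t le32(const Bytes& b, size_t off) {
    return uint32_t(b[off]) | uint32_t(b[off + 1]) << 8 |
           uint32_t(b[off + 2]) << 16 | uint32_t(b[off + 3]) << 24;
}

// Hypothetical helper: owner SID as a string, or "" if the buffer is malformed.
std::string owner_sid_from_raw_sd(const Bytes& sd) {
    if (sd.size() < kHeaderSize || sd[0] != 1) return "";       // revision 1
    uint16_t control = uint16_t(sd[2] | (sd[3] << 8));
    if (!(control & kSeSelfRelative)) return "";                // offsets only valid here
    size_t p = le32(sd, 4);                                     // OffsetOwner
    if (p < kHeaderSize || p > sd.size() || sd.size() - p < 8) return "";
    uint8_t count = sd[p + 1];                                  // SubAuthorityCount
    if (sd[p] != 1 || count > 15) return "";
    if (sd.size() - p - 8 < size_t(count) * 4) return "";       // truncated SID
    uint64_t authority = 0;                                     // 6 bytes, big-endian
    for (int i = 0; i < 6; ++i) authority = (authority << 8) | sd[p + 2 + i];
    std::string sid = "S-1-" + std::to_string(authority);
    for (size_t i = 0; i < count; ++i)
        sid += "-" + std::to_string(le32(sd, p + 8 + 4 * i));
    return sid;
}

// Constructed sample: header plus owner SID S-1-5-32-544, no group or ACLs.
Bytes sample_sd() {
    return {0x01, 0x00, 0x00, 0x80,  0x14, 0x00, 0x00, 0x00,   // rev, sbz1, control, owner=20
            0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,   // group, SACL offsets
            0x00, 0x00, 0x00, 0x00,                            // DACL offset
            0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,    // SID rev, count, authority 5
            0x20, 0x00, 0x00, 0x00,  0x20, 0x02, 0x00, 0x00};  // 32, 544
}

int main() {
    std::cout << owner_sid_from_raw_sd(sample_sd()) << "\n";
    return 0;
}
```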