Platform SDK: Active Directory, ADSI, and Directory Services

Example Code for Setting Permissions on a Group of Properties

The following code fragment contains a function that creates an ACE assigning read/write access to the Personal Information property group of user objects (which includes the telephoneNumber property) to the specified trustee:

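//Create an ACE that assigns change (Read/Write) property rights
//to properties of the Personal Information property group in user objects.
//For this function, the ACE is inherited only;
//therefore, it is not an effective right on the current object.
//
//Parameters:
//  szTrustee - Trustee the ACE applies to, in the form accepted by
//              IADsAccessControlEntry::put_Trustee.
//  bAllowed  - TRUE creates an access-allowed ACE, FALSE an access-denied ACE.
//  ppDispACE - Receives the IDispatch pointer of the new ACE (to pass to
//              AddAce). Set to NULL on failure. The caller must Release it.
//Returns: S_OK on success, otherwise the first failing HRESULT.
//
//Every property assignment is checked, so a failure (for example, a trustee
//that cannot be set) never yields a partially initialized ACE. The
//IADsAccessControlEntry reference obtained from CoCreateInstance is always
//released; the IDispatch reference returned to the caller is a separate
//reference obtained through QueryInterface.
//
//NOTE(review): AddAce appends to the DACL, so a deny ACE created with
//bAllowed == FALSE only takes precedence if the caller keeps the DACL in
//canonical order (explicit deny ACEs before allow ACEs) -- confirm in caller.
HRESULT CreateAceChangePersonalInfoPropGroupOfUsers(
                           LPOLESTR szTrustee,
                           BOOL bAllowed,
                           IDispatch **ppDispACE
                           )
{
    if (ppDispACE == NULL)
        return E_POINTER;
    //Make the out-parameter well defined on every failure path.
    *ppDispACE = NULL;

    IADsAccessControlEntry *pACE = NULL;
    //Create the COM object for the new ACE.
    HRESULT hr = CoCreateInstance(
                            CLSID_AccessControlEntry,
                            NULL,
                            CLSCTX_INPROC_SERVER,
                            IID_IADsAccessControlEntry,
                            (void **)&pACE
                          );
    if (FAILED(hr))
        return hr;

    //Set the properties of the new ACE. Each step runs only if the
    //previous one succeeded; the first failing HRESULT is returned.
    //Set the access mask containing the rights to assign.
    //This function assigns ADS_RIGHT_DS_READ_PROP|ADS_RIGHT_DS_WRITE_PROP to control change.
    hr = pACE->put_AccessMask(ADS_RIGHT_DS_READ_PROP|ADS_RIGHT_DS_WRITE_PROP);

    //Set the trustee.
    if (SUCCEEDED(hr))
        hr = pACE->put_Trustee( szTrustee );

    //AceType must be ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or ADS_ACETYPE_ACCESS_DENIED_OBJECT
    //because this ACE carries ObjectType and InheritedObjectType GUIDs.
    if (SUCCEEDED(hr))
        hr = pACE->put_AceType( bAllowed ? ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                                         : ADS_ACETYPE_ACCESS_DENIED_OBJECT );

    //Set Flags to ADS_FLAG_OBJECT_TYPE_PRESENT|ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
    //so that the right applies only to the specified property group of the
    //specified object class (both GUIDs below are then meaningful).
    if (SUCCEEDED(hr))
        hr = pACE->put_Flags(ADS_FLAG_OBJECT_TYPE_PRESENT|ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT);

    //Set ObjectType to the rightsGUID of the personalInformation controlAccessRight object.
    if (SUCCEEDED(hr))
        hr = pACE->put_ObjectType( L"{77B5B886-944A-11d1-AEBD-0000F80367C1}" );

    //For this function, set AceFlags so that ACE is inherited by child objects
    //but not effective on the current object.
    //Set AceFlags to ADS_ACEFLAG_INHERIT_ACE and ADS_ACEFLAG_INHERIT_ONLY_ACE.
    if (SUCCEEDED(hr))
        hr = pACE->put_AceFlags(ADS_ACEFLAG_INHERIT_ACE|ADS_ACEFLAG_INHERIT_ONLY_ACE);

    //Set InheritedObjectType to schemaIDGUID of the user class.
    if (SUCCEEDED(hr))
        hr = pACE->put_InheritedObjectType( L"{bf967aba-0de6-11d0-a285-00aa003049e2}" );

    //Need to QI for the IDispatch pointer to pass to the AddAce method.
    //On failure QueryInterface leaves *ppDispACE as NULL.
    if (SUCCEEDED(hr))
        hr = pACE->QueryInterface(IID_IDispatch,(void**)ppDispACE);

    //Drop the reference from CoCreateInstance; on success the caller now
    //owns its own reference through *ppDispACE.
    pACE->Release();
    return hr;
}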