Platform SDK: Active Directory, ADSI, and Directory Services

Example Code for Setting Rights to Specific Types of Objects

The following code fragment contains a function that creates an ACE whose rights are inherited by child objects of the specified type but are not effective on the current object:

//Create an ACE that is inherited by child objects of the specified type
//but does not apply to the current object.
//This ACE is also propagated to all descendants of the current object.
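//Parameters:
//  szTrustee             - Trustee the ACE applies to.
//  lAccessRights         - Access mask containing the rights to assign.
//  lAccessType           - ACE type, passed unchanged to put_AceType.
//                          NOTE(review): when a GUID is supplied this is presumably
//                          expected to be one of the object ACE types - confirm at the caller.
//  szObjectGUID          - Optional. GUID string for the ObjectType property; NULL to omit.
//  szInheritedObjectGUID - Optional. GUID string for the InheritedObjectType property
//                          (the type of child object that inherits the ACE); NULL to omit.
//  ppDispACE             - Receives the IDispatch pointer of the new ACE. The caller owns
//                          the reference and must Release it. Set to NULL on failure.
//Returns:
//  S_OK on success, E_POINTER if ppDispACE is NULL, otherwise the HRESULT of the
//  first call that failed.
//Remarks:
//  Every property setter is checked. An ACE whose AceFlags, ObjectType,
//  InheritedObjectType or Flags could not be set would grant or deny broader access
//  than the caller asked for, so no ACE is returned unless all of them succeeded.
HRESULT CreateAceNoEffectiveInheritObject(LPOLESTR szTrustee,
                           long lAccessRights,
                           long lAccessType,
                           LPOLESTR szObjectGUID,
                           LPOLESTR szInheritedObjectGUID,
                           IDispatch **ppDispACE)
{
    HRESULT hr = E_FAIL;
    IADsAccessControlEntry *pACE = NULL;
    long lFlags = 0L;

    //Reject a NULL out parameter and make sure the caller never sees a stale pointer.
    if (!ppDispACE)
    {
        return E_POINTER;
    }
    *ppDispACE = NULL;

    //Create the COM object for the new ACE.
    hr = CoCreateInstance(
                            CLSID_AccessControlEntry,
                            NULL,
                            CLSCTX_INPROC_SERVER,
                            IID_IADsAccessControlEntry,
                            (void **)&pACE
                          );
    if (FAILED(hr))
    {
        return hr;
    }

    //Set the properties of the new ACE. Each step runs only if the previous one
    //succeeded, so hr always holds the first failure.

    //Set the access mask containing the rights to assign.
    hr = pACE->put_AccessMask(lAccessRights);

    //Set the trustee.
    if (SUCCEEDED(hr))
    {
        hr = pACE->put_Trustee(szTrustee);
    }

    //Set AceType.
    if (SUCCEEDED(hr))
    {
        hr = pACE->put_AceType(lAccessType);
    }

    //For this function, set AceFlags so that the ACE is inherited by child objects
    //but is not effective on the current object.
    if (SUCCEEDED(hr))
    {
        hr = pACE->put_AceFlags(ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE);
    }

    //If an szObjectGUID is specified, add ADS_FLAG_OBJECT_TYPE_PRESENT to the lFlags mask
    //and set the ObjectType.
    if (SUCCEEDED(hr) && szObjectGUID)
    {
        lFlags |= ADS_FLAG_OBJECT_TYPE_PRESENT;
        hr = pACE->put_ObjectType(szObjectGUID);
    }

    //If an szInheritedObjectGUID is specified, add ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
    //to the lFlags mask and set the InheritedObjectType.
    if (SUCCEEDED(hr) && szInheritedObjectGUID)
    {
        lFlags |= ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;
        hr = pACE->put_InheritedObjectType(szInheritedObjectGUID);
    }

    //Set Flags if ObjectType or InheritedObjectType were set.
    if (SUCCEEDED(hr) && lFlags)
    {
        hr = pACE->put_Flags(lFlags);
    }

    //Need to QI for the IDispatch pointer to pass to the AddAce method.
    //Only a fully configured ACE is handed back to the caller.
    if (SUCCEEDED(hr))
    {
        hr = pACE->QueryInterface(IID_IDispatch, (void **)ppDispACE);
    }

    //Release the reference obtained from CoCreateInstance; on success the caller
    //holds its own reference through *ppDispACE.
    pACE->Release();

    return hr;
}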