Platform SDK: Active Directory, ADSI, and Directory Services

Example Code for Creating a controlAccessRight Object in the Extended Rights Container

[Visual Basic]

The following Visual Basic code fragment creates a controlAccessRight object in the Extended-Rights container.

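'Creates a controlAccessRight object named MyExRight in the Extended-Rights
'container of the configuration naming context.
'GetObject binds without explicit credentials, so the object is created in the
'security context of the user running this code.
'ADS_PROPERTY_UPDATE comes from the Active DS Type Library, which the project
'must reference.
Dim ExContainer As IADsContainer
Dim rootdse As IADs
Dim ExRight As IADs
'Declared explicitly so that the fragment also compiles under Option Explicit.
Dim configpath As String
 
'Read the DN of the configuration naming context from rootDSE rather than
'hard-coding a domain name.
Set rootdse = GetObject("LDAP://rootDSE")
configpath = rootdse.Get("configurationNamingContext")
Set ExContainer = GetObject("LDAP://cn=extended-rights," & configpath)
 
'Create the object, specifying the object class and the cn.
'Nothing is written to the directory until SetInfo is called below.
Set ExRight = ExContainer.Create("controlAccessRight", "cn=MyExRight")
 
'Set the classes the right applies to.
'Specify the schemaIDGUID of the user and computer classes.
'List only the classes that really need this right: the right can then be
'granted in ACEs on objects of every class listed here.
ExRight.PutEx ADS_PROPERTY_UPDATE, "appliesTo", _
         Array("bf967aba-0de6-11d0-a285-00aa003049e2", _
               "bf967a86-0de6-11d0-a285-00aa003049e2")
 
'Set the display name used in Security property pages and other UI
ExRight.PutEx ADS_PROPERTY_UPDATE, "displayName", Array("My-Extended-Right")
 
'Set rightsGUID to a GUID generated by uuidgen.exe.
'The value below is only a sample: generate a new GUID for every right you
'define, because ACEs identify the right by this GUID.
ExRight.PutEx ADS_PROPERTY_UPDATE, "rightsGUID", _
               Array("64ad33ac-ea09-4ded-b798-a0585c50fd5a")
 
'Commit the new object and its attributes to the directory.
ExRight.SetInfo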
[C++]

The following C++ code fragment is a function that creates a controlAccessRight object in the Extended-Rights container. When you call this function, use the following format to specify the GUID string for the pszRightsGUID parameter:

L"b7b13123-b82e-11d0-afee-0000f80367c1"

Each element of the ADSVALUE array passed for the appliesTo property holds a GUID string in the same format, with its dwType member set to ADSTYPE_CASE_IGNORE_STRING.

#define _WIN32_WINNT 0x0500
 
#include <windows.h>
#include <stdio.h>
#include <activeds.h>
 
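// Returns a new AllocADsMem buffer holding pszHead followed by pszTail, or
// NULL if the result is too large or the allocation fails.
// The caller releases the buffer with FreeADsMem.
static LPWSTR ConcatToNewString(LPCWSTR pszHead, LPCWSTR pszTail)
{
    const size_t cchHead = wcslen(pszHead);
    const size_t cchTail = wcslen(pszTail);
    const size_t cchMax  = MAXDWORD / sizeof(WCHAR);
    LPWSTR pszResult = NULL;

    // Reject lengths whose byte count would not fit the DWORD that
    // AllocADsMem takes.
    if (cchTail >= cchMax || cchHead >= cchMax - cchTail)
        return NULL;

    pszResult = static_cast<LPWSTR>(
        AllocADsMem(static_cast<DWORD>((cchHead + cchTail + 1) * sizeof(WCHAR))));
    if (pszResult) {
        // The buffer was sized from these same strings, so the copies
        // cannot run past its end.
        wcscpy(pszResult, pszHead);
        wcscat(pszResult, pszTail);
    }
    return pszResult;
}

// ****************************************************************
//  CreateExtendedRight
//
//  Creates a controlAccessRight object in the Extended-Rights
//  container of the configuration naming context, setting cn,
//  objectClass, appliesTo, displayName and rightsGUID in a single
//  CreateDSObject call.
//
//  Parameters:
//    pszCommonName  - cn of the new object; also used to build the
//                     relative distinguished name "cn=<name>".
//    pszDisplayName - displayName of the new object.
//    pszRightsGUID  - rightsGUID as a string, for example
//                     L"b7b13123-b82e-11d0-afee-0000f80367c1".
//    pAdsvAppliesTo - ADSVALUE array of GUID strings for appliesTo,
//                     each with dwType ADSTYPE_CASE_IGNORE_STRING.
//    cAppliesTo     - number of elements in pAdsvAppliesTo.
//
//  Returns S_OK on success; E_INVALIDARG for a NULL string, a
//  negative count or a NULL array with a positive count;
//  E_OUTOFMEMORY if a buffer cannot be allocated; otherwise the
//  failing HRESULT from ADSI.
//
//  Security notes:
//    - Both binds pass NULL credentials, so the object is created
//      in the security context of the calling thread.
//    - pszCommonName is placed into the RDN as-is. Characters that
//      are special in a distinguished name (a comma, for example)
//      are not escaped here; validate or escape the value before
//      passing text that does not come from a trusted source.
//    - Path buffers are sized from the actual string lengths, so a
//      long naming context or common name cannot overflow them.
// ****************************************************************
HRESULT CreateExtendedRight(
             LPWSTR pszCommonName,     // cn property
             LPWSTR pszDisplayName,    // displayName property
             LPWSTR pszRightsGUID,     // rightsGUID property
             ADSVALUE *pAdsvAppliesTo, // array of GUIDs for appliesTo property
             int cAppliesTo )          // number of GUIDs in array
{
    // Every local is declared before the first "goto cleanup" so that no
    // jump crosses an initialization.
    const int cAttributes = 5;   // Count of attributes that must be set to create an extended right.

    HRESULT hr = E_FAIL;
    VARIANT var;
    BSTR bstrConfigAttr = NULL;
    LPWSTR szADsPath = NULL;
    LPWSTR pszRightRelPath = NULL;
    IADs *pRootDSE = NULL;
    IDirectoryObject *pExRights = NULL;
    IDispatch *pNewObject = NULL;
    ADS_ATTR_INFO attributeEntries[cAttributes];  // array of attributes
    ADSVALUE adsvCN,
             adsvObjectClass,
             adsvDisplayName,
             adsvRightsGUID;

    // Initialize the VARIANT so that VariantClear in the cleanup path is
    // valid even when the Get call never runs or fails.
    VariantInit(&var);

    if (!pszCommonName || !pszDisplayName || !pszRightsGUID ||
        cAppliesTo < 0 || (cAppliesTo > 0 && !pAdsvAppliesTo))
    {
        return E_INVALIDARG;
    }

    hr = ADsOpenObject(L"LDAP://rootDSE",
                       NULL,
                       NULL,
                       ADS_SECURE_AUTHENTICATION, //Use Secure Authentication
                       IID_IADs,
                       (void**)&pRootDSE);
    if (FAILED(hr)) {
        wprintf(L"Bind to rootDSE failed: 0x%x\n", hr);
        goto cleanup;
    }

    // IADs::Get takes a BSTR, so allocate a real one instead of passing a
    // wide string literal.
    bstrConfigAttr = SysAllocString(L"configurationNamingContext");
    if (!bstrConfigAttr) {
        hr = E_OUTOFMEMORY;
        goto cleanup;
    }

    // Get the DN to the config container.
    hr = pRootDSE->Get(bstrConfigAttr, &var);
    if (SUCCEEDED(hr) && (var.vt != VT_BSTR || var.bstrVal == NULL))
    {
        // The value is used as a string below; refuse anything else.
        hr = E_FAIL;
    }
    if (SUCCEEDED(hr))
    {
        // Build ADsPath string to Extended-Rights container
        szADsPath = ConcatToNewString(L"LDAP://cn=Extended-Rights,", var.bstrVal);
        if (!szADsPath) {
            hr = E_OUTOFMEMORY;
            goto cleanup;
        }

        // Get an IDirectory Object pointer to the Extended Rights Container.
        hr = ADsOpenObject(szADsPath,
                   NULL,
                   NULL,
                   ADS_SECURE_AUTHENTICATION, //Use Secure Authentication
                   IID_IDirectoryObject,
                   (void**)&pExRights);
    }
    if (FAILED (hr) ) {
        wprintf(L"Bind to Extended Rights Container failed: 0x%x\n", hr);
        goto cleanup;
    }

    // The attribute names and the class name below are input-only string
    // literals; const_cast is needed because the ADSI structures declare
    // these members as LPWSTR.

    // Set first attribute: CN
    attributeEntries[0].pszAttrName = const_cast<LPWSTR>(L"CN");           // Attribute name: CN
    attributeEntries[0].dwControlCode = ADS_ATTR_APPEND;                   // Add the attribute.
    attributeEntries[0].dwADsType = ADSTYPE_CASE_IGNORE_STRING;            // Attribute syntax is string.
    // Fill in the ADSVALUE structure for the CN property
    adsvCN.CaseIgnoreString = pszCommonName;
    adsvCN.dwType = ADSTYPE_CASE_IGNORE_STRING;
    attributeEntries[0].pADsValues = &adsvCN;
    attributeEntries[0].dwNumValues = 1;

    // Set second attribute: objectClass
    attributeEntries[1].pszAttrName = const_cast<LPWSTR>(L"objectClass");  // Attribute name: objectClass
    attributeEntries[1].dwControlCode = ADS_ATTR_APPEND;                   // Add the attribute.
    attributeEntries[1].dwADsType = ADSTYPE_CASE_IGNORE_STRING;            // Attribute syntax is string.
    // Fill in the ADSVALUE structure for the objectClass property
    adsvObjectClass.CaseIgnoreString = const_cast<LPWSTR>(L"controlAccessRight"); // objectClass is controlAccessRight
    adsvObjectClass.dwType = ADSTYPE_CASE_IGNORE_STRING;
    attributeEntries[1].pADsValues = &adsvObjectClass;
    attributeEntries[1].dwNumValues = 1;

    // Set third attribute: appliesTo
    // Each value for this property is a schemaIDGUID of a class to which the right can be applied.
    attributeEntries[2].pszAttrName = const_cast<LPWSTR>(L"appliesTo");    // Attribute name: appliesTo
    attributeEntries[2].dwControlCode = ADS_ATTR_APPEND;                   // Add the attribute.
    attributeEntries[2].dwADsType = ADSTYPE_CASE_IGNORE_STRING;            // Attribute syntax is string.
    // The ADSVALUE array for this property is passed in as a parameter to this function.
    attributeEntries[2].pADsValues = pAdsvAppliesTo;
    attributeEntries[2].dwNumValues = static_cast<DWORD>(cAppliesTo);      // checked non-negative above

    // Set fourth attribute: displayName
    attributeEntries[3].pszAttrName = const_cast<LPWSTR>(L"displayName");  // Attribute name: displayName
    attributeEntries[3].dwControlCode = ADS_ATTR_APPEND;                   // Add the attribute.
    attributeEntries[3].dwADsType = ADSTYPE_CASE_IGNORE_STRING;            // Attribute syntax is string.
    // Fill in the ADSVALUE structure for the displayName property.
    adsvDisplayName.CaseIgnoreString = pszDisplayName;
    adsvDisplayName.dwType = ADSTYPE_CASE_IGNORE_STRING;
    attributeEntries[3].pADsValues = &adsvDisplayName;
    attributeEntries[3].dwNumValues = 1;

    // Set fifth attribute: rightsGUID
    attributeEntries[4].pszAttrName = const_cast<LPWSTR>(L"rightsGUID");   // Attribute name: rightsGUID
    attributeEntries[4].dwControlCode = ADS_ATTR_APPEND;                   // Add the attribute.
    attributeEntries[4].dwADsType = ADSTYPE_CASE_IGNORE_STRING;            // Attribute syntax is string.
    // Fill in the ADSVALUE structure for the rightsGUID property.
    adsvRightsGUID.dwType = ADSTYPE_CASE_IGNORE_STRING;
    adsvRightsGUID.CaseIgnoreString = pszRightsGUID;
    attributeEntries[4].pADsValues = &adsvRightsGUID;
    attributeEntries[4].dwNumValues = 1;

    // Set up the relative distinguished name for the new object.
    // NOTE(review): pszCommonName is not escaped for DN special characters.
    pszRightRelPath = ConcatToNewString(L"cn=", pszCommonName);
    if (!pszRightRelPath) {
        hr = E_OUTOFMEMORY;
        goto cleanup;
    }

    // Create the controlAccessRight
    hr = pExRights->CreateDSObject(
                         pszRightRelPath,   // Relative path of new object
                         attributeEntries,  // Attributes to be set
                         cAttributes,       // Number of attributes being set
                         &pNewObject        // receives IDispatch pointer to the new object
                         );

cleanup:

    // Every exit after the argument check comes through here, so interfaces,
    // buffers and the VARIANT are released on failure as well as on success.
    if (pRootDSE)
        pRootDSE->Release();
    if (pExRights)
        pExRights->Release();
    if (pNewObject)
        pNewObject->Release();

    if (szADsPath)
        FreeADsMem(szADsPath);
    if (pszRightRelPath)
        FreeADsMem(pszRightRelPath);
    SysFreeString(bstrConfigAttr);   // accepts NULL

    VariantClear(&var);
    return hr;
}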