Platform SDK: Active Directory, ADSI, and Directory Services |
The following Visual Basic code fragment creates a controlAccessRight object in the Extended-Rights container.
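' Creates a controlAccessRight object named "MyExRight" in the Extended-Rights
' container of the configuration naming context and commits it with SetInfo.
'
' Review notes:
'  - The bind uses the caller's current credentials; the caller needs
'    permission to create child objects in the Extended-Rights container.
'  - rightsGUID identifies this right. Generate your own value; do not reuse
'    the sample GUID below, or two unrelated rights will share one identifier.
'  - NOTE(review): validAccesses is not set here; confirm against the
'    controlAccessRight schema documentation whether your use of the right
'    needs it.
Dim ExContainer As IADsContainer
Dim rootdse As IADs
Dim ExRight As IADs
' Declared explicitly so the fragment also compiles under Option Explicit.
Dim configpath As String

' rootDSE publishes the distinguished name of the configuration container.
Set rootdse = GetObject("LDAP://rootDSE")
configpath = rootdse.Get("configurationNamingContext")
Set ExContainer = GetObject("LDAP://cn=extended-rights," & configpath)

'Create the object, specifying the object class and the cn.
Set ExRight = ExContainer.Create("controlAccessRight", "cn=MyExRight")

'Set the classes the right applies to.
'Specify the schemaIDGUID of the user and computer classes.
ExRight.PutEx ADS_PROPERTY_UPDATE, "appliesTo", _
    Array("bf967aba-0de6-11d0-a285-00aa003049e2", _
          "bf967a86-0de6-11d0-a285-00aa003049e2")

'Set the display name used in Security property pages and other UI.
ExRight.PutEx ADS_PROPERTY_UPDATE, "displayName", Array("My-Extended-Right")

'Set rightsGUID to a GUID generated by uuidgen.exe.
'The value below is a sample; replace it with a freshly generated GUID.
ExRight.PutEx ADS_PROPERTY_UPDATE, "rightsGUID", _
    Array("64ad33ac-ea09-4ded-b798-a0585c50fd5a")

' Nothing is written to the directory until SetInfo is called.
ExRight.SetInfo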
The following C++ code fragment is a function that creates a controlAccessRight object in the Extended-Rights container. When you call this function, use the following format to specify the GUID string for the pszRightsGUID parameter:
L"b7b13123-b82e-11d0-afee-0000f80367c1"
Each element of the ADSVALUE array passed for the appliesTo property holds a GUID string in the same format and has its dwType member set to ADSTYPE_CASE_IGNORE_STRING.
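#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <stdio.h>
#include <activeds.h>

// ****************************************************************
// CreateExtendedRight
//
// Creates a controlAccessRight object in the Extended-Rights
// container of the configuration naming context.
//
// Parameters:
//   pszCommonName   - value of the cn property; also used to build the
//                     relative distinguished name "cn=<name>". It is
//                     appended without escaping, so characters that are
//                     special in a distinguished name must already be
//                     escaped by the caller.
//   pszDisplayName  - value of the displayName property.
//   pszRightsGUID   - value of the rightsGUID property, as a GUID string.
//   pAdsvAppliesTo  - array of ADSVALUEs (GUID strings) for appliesTo.
//   cAppliesTo      - number of elements in pAdsvAppliesTo.
//
// Returns:
//   E_INVALIDARG if a string argument is NULL, cAppliesTo is negative,
//   or pAdsvAppliesTo is NULL while cAppliesTo is greater than zero;
//   otherwise the HRESULT of the failing ADSI call, or of
//   CreateDSObject on success.
//
// Both binds pass NULL credentials, so they run in the security context
// of the calling thread; that account needs permission to create child
// objects in the Extended-Rights container.
//
// NOTE(review): validAccesses is not set here; confirm against the
// controlAccessRight schema documentation whether your use of the right
// needs it.
// ****************************************************************
HRESULT CreateExtendedRight(
    LPWSTR pszCommonName,       // cn property
    LPWSTR pszDisplayName,      // displayName property
    LPWSTR pszRightsGUID,       // rightsGUID property
    ADSVALUE *pAdsvAppliesTo,   // array of GUIDs for appliesTo property
    int cAppliesTo )            // number of GUIDs in array
{
    static const WCHAR szContainerPrefix[] = L"LDAP://cn=Extended-Rights,";
    static const WCHAR szRdnPrefix[] = L"cn=";
    const int cAttributes = 5;  // Count of attributes set when creating the extended right.

    // ADS_ATTR_INFO and ADSVALUE take non-const string pointers, so the
    // fixed names live in writable local arrays instead of string literals.
    WCHAR szAttrCN[] = L"CN";
    WCHAR szAttrObjectClass[] = L"objectClass";
    WCHAR szAttrAppliesTo[] = L"appliesTo";
    WCHAR szAttrDisplayName[] = L"displayName";
    WCHAR szAttrRightsGUID[] = L"rightsGUID";
    WCHAR szClassName[] = L"controlAccessRight";

    HRESULT hr = E_FAIL;
    VARIANT var;
    BSTR bstrConfigAttr = NULL;
    LPOLESTR szADsPath = NULL;
    LPOLESTR pszRightRelPath = NULL;
    IADs *pRootDSE = NULL;
    IDirectoryObject *pExRights = NULL;
    IDispatch *pNewObject = NULL;
    ADS_ATTR_INFO attributeEntries[cAttributes];
    ADSVALUE adsvCN, adsvObjectClass, adsvDisplayName, adsvRightsGUID;
    size_t cchADsPath = 0;
    size_t cchRelPath = 0;

    // Initialize before any exit path so VariantClear in cleanup is always valid.
    VariantInit(&var);

    // Reject arguments that would otherwise be dereferenced or, for a
    // negative count, converted to a huge DWORD value count.
    if (pszCommonName == NULL || pszDisplayName == NULL || pszRightsGUID == NULL ||
        cAppliesTo < 0 || (cAppliesTo > 0 && pAdsvAppliesTo == NULL))
    {
        return E_INVALIDARG;
    }

    ZeroMemory(attributeEntries, sizeof(attributeEntries));
    ZeroMemory(&adsvCN, sizeof(adsvCN));
    ZeroMemory(&adsvObjectClass, sizeof(adsvObjectClass));
    ZeroMemory(&adsvDisplayName, sizeof(adsvDisplayName));
    ZeroMemory(&adsvRightsGUID, sizeof(adsvRightsGUID));

    hr = ADsOpenObject(L"LDAP://rootDSE",
                       NULL,
                       NULL,
                       ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
                       IID_IADs,
                       reinterpret_cast<void**>(&pRootDSE));
    if (FAILED(hr))
    {
        wprintf(L"Bind to rootDSE failed: 0x%x\n", hr);
        goto cleanup;
    }

    // Get the DN to the config container. IADs::Get expects a real BSTR.
    bstrConfigAttr = SysAllocString(L"configurationNamingContext");
    if (bstrConfigAttr == NULL)
    {
        hr = E_OUTOFMEMORY;
    }
    else
    {
        hr = pRootDSE->Get(bstrConfigAttr, &var);
    }

    // Only use the returned value if it really is a non-empty string.
    if (SUCCEEDED(hr) && (var.vt != VT_BSTR || var.bstrVal == NULL))
    {
        hr = E_UNEXPECTED;
    }

    if (SUCCEEDED(hr))
    {
        // Build ADsPath string to Extended-Rights container. The buffer is
        // sized from the actual DN length rather than assumed to fit MAX_PATH.
        cchADsPath = wcslen(szContainerPrefix) + wcslen(var.bstrVal) + 1;
        szADsPath = new OLECHAR[cchADsPath];
        wcscpy(szADsPath, szContainerPrefix);
        wcscat(szADsPath, var.bstrVal);

        // Get an IDirectoryObject pointer to the Extended Rights Container.
        hr = ADsOpenObject(szADsPath,
                           NULL,
                           NULL,
                           ADS_SECURE_AUTHENTICATION, // Use Secure Authentication
                           IID_IDirectoryObject,
                           reinterpret_cast<void**>(&pExRights));
    }
    if (FAILED(hr))
    {
        wprintf(L"Bind to Extended Rights Container failed: 0x%x\n", hr);
        goto cleanup;
    }

    // Set first attribute: CN
    adsvCN.dwType = ADSTYPE_CASE_IGNORE_STRING;
    adsvCN.CaseIgnoreString = pszCommonName;
    attributeEntries[0].pszAttrName = szAttrCN;
    attributeEntries[0].dwControlCode = ADS_ATTR_APPEND;        // Add the attribute.
    attributeEntries[0].dwADsType = ADSTYPE_CASE_IGNORE_STRING; // Attribute syntax is string.
    attributeEntries[0].pADsValues = &adsvCN;
    attributeEntries[0].dwNumValues = 1;

    // Set second attribute: objectClass (always controlAccessRight)
    adsvObjectClass.dwType = ADSTYPE_CASE_IGNORE_STRING;
    adsvObjectClass.CaseIgnoreString = szClassName;
    attributeEntries[1].pszAttrName = szAttrObjectClass;
    attributeEntries[1].dwControlCode = ADS_ATTR_APPEND;
    attributeEntries[1].dwADsType = ADSTYPE_CASE_IGNORE_STRING;
    attributeEntries[1].pADsValues = &adsvObjectClass;
    attributeEntries[1].dwNumValues = 1;

    // Set third attribute: appliesTo
    // Each value for this property is a schemaIDGUID of a class to which
    // the right can be applied. The ADSVALUE array is supplied by the caller.
    attributeEntries[2].pszAttrName = szAttrAppliesTo;
    attributeEntries[2].dwControlCode = ADS_ATTR_APPEND;
    attributeEntries[2].dwADsType = ADSTYPE_CASE_IGNORE_STRING;
    attributeEntries[2].pADsValues = pAdsvAppliesTo;
    attributeEntries[2].dwNumValues = static_cast<DWORD>(cAppliesTo);

    // Set fourth attribute: displayName
    adsvDisplayName.dwType = ADSTYPE_CASE_IGNORE_STRING;
    adsvDisplayName.CaseIgnoreString = pszDisplayName;
    attributeEntries[3].pszAttrName = szAttrDisplayName;
    attributeEntries[3].dwControlCode = ADS_ATTR_APPEND;
    attributeEntries[3].dwADsType = ADSTYPE_CASE_IGNORE_STRING;
    attributeEntries[3].pADsValues = &adsvDisplayName;
    attributeEntries[3].dwNumValues = 1;

    // Set fifth attribute: rightsGUID
    adsvRightsGUID.dwType = ADSTYPE_CASE_IGNORE_STRING;
    adsvRightsGUID.CaseIgnoreString = pszRightsGUID;
    attributeEntries[4].pszAttrName = szAttrRightsGUID;
    attributeEntries[4].dwControlCode = ADS_ATTR_APPEND;
    attributeEntries[4].dwADsType = ADSTYPE_CASE_IGNORE_STRING;
    attributeEntries[4].pADsValues = &adsvRightsGUID;
    attributeEntries[4].dwNumValues = 1;

    // Set up the relative distinguished name for the new object, again in a
    // buffer sized from the caller-supplied name.
    cchRelPath = wcslen(szRdnPrefix) + wcslen(pszCommonName) + 1;
    pszRightRelPath = new WCHAR[cchRelPath];
    wcscpy(pszRightRelPath, szRdnPrefix);
    wcscat(pszRightRelPath, pszCommonName);

    // Create the controlAccessRight
    hr = pExRights->CreateDSObject(
             pszRightRelPath,   // Relative path of new object
             attributeEntries,  // Attributes to be set
             cAttributes,       // Number of attributes being set
             &pNewObject        // receives IDispatch pointer to the new object
             );

cleanup:
    // Every exit after argument validation passes through here, so the
    // interfaces, the BSTR, the VARIANT and both path buffers are released.
    if (pRootDSE)
        pRootDSE->Release();
    if (pExRights)
        pExRights->Release();
    if (pNewObject)
        pNewObject->Release();
    SysFreeString(bstrConfigAttr);  // accepts NULL
    VariantClear(&var);
    delete[] szADsPath;
    delete[] pszRightRelPath;
    return hr;
}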