Platform SDK: Active Directory, ADSI, and Directory Services
The following code fragment contains a function that creates an ACE that assigns creation rights for user objects to the specified trustee:
//Create an ACE that assigns the right to create User objects //beneath the current object. //For this function, the ACE is inherited by all subobjects //and is an effective right on the current object. HRESULT CreateAceCreateUsers( LPOLESTR szTrustee, BOOL bAllowed, IDispatch **ppDispACE ) { HRESULT hr = E_FAIL; IADsAccessControlEntry *pACE = NULL; //Create the COM object for the new ACE. hr = CoCreateInstance( CLSID_AccessControlEntry, NULL, CLSCTX_INPROC_SERVER, IID_IADsAccessControlEntry, (void **)&pACE ); if (SUCCEEDED(hr)) { //Set the properties of the new ACE. //Set the access mask containing the rights to assign. //This function assigns rights to create objects. hr = pACE->put_AccessMask(ADS_RIGHT_DS_CREATE_CHILD); //Set the trustee. hr = pACE->put_Trustee( szTrustee ); //AceType must be ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or ADS_ACETYPE_ACCESS_DENIED_OBJECT. if (bAllowed) hr = pACE->put_AceType( ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ); else hr = pACE->put_AceType( ADS_ACETYPE_ACCESS_DENIED_OBJECT ); //Set Flags to ADS_FLAG_OBJECT_TYPE_PRESENT //so that the right applies to the creation of a specific object class //within the current object and all its subobjects. hr = pACE->put_Flags(ADS_FLAG_OBJECT_TYPE_PRESENT); //Set ObjectType to the schemaIDGUID of the user class so that the right //controls creation of user objects. hr = pACE->put_ObjectType( L"{bf967aba-0de6-11d0-a285-00aa003049e2}" ); //For this function, set AceFlags so that ACE is inherited by child objects hr = pACE->put_AceFlags(ADS_ACEFLAG_INHERIT_ACE); //Set InheritedObjectType to NULL so that it is inherited by all subobjects. hr = pACE->put_InheritedObjectType(NULL); //Need to QI for the IDispatch pointer to pass to the AddAce method. hr = pACE->QueryInterface(IID_IDispatch,(void**)ppDispACE); } return hr; }