| Platform SDK: Active Directory, ADSI, and Directory Services |
The following code fragment contains a function that creates an ACE that assigns creation rights for user objects to the specified trustee:
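//Create an ACE that assigns the right to create User objects
//beneath the current object.
//For this function, the ACE is inherited by all subobjects
//and is an effective right on the current object.
//
//Parameters:
//  szTrustee - trustee the ACE applies to; must be a non-empty string.
//  bAllowed  - TRUE builds an access-allowed object ACE,
//              FALSE builds an access-denied object ACE.
//  ppDispACE - receives the IDispatch pointer of the new ACE. The caller
//              owns the reference and must Release it. Set to NULL on failure.
//Returns:
//  E_POINTER if ppDispACE is NULL, E_INVALIDARG if szTrustee is NULL or
//  empty, otherwise the HRESULT of the first call that failed, or the
//  result of the final QueryInterface.
HRESULT CreateAceCreateUsers(
    LPOLESTR szTrustee,
    BOOL bAllowed,
    IDispatch **ppDispACE
    )
{
    HRESULT hr = E_FAIL;
    IADsAccessControlEntry *pACE = NULL;

    //Validate the arguments before touching COM, and make sure the caller
    //never sees a stale pointer on a failure path.
    if (!ppDispACE)
        return E_POINTER;
    *ppDispACE = NULL;
    if (!szTrustee || !*szTrustee)
        return E_INVALIDARG;

    //Create the COM object for the new ACE.
    hr = CoCreateInstance(
             CLSID_AccessControlEntry,
             NULL,
             CLSCTX_INPROC_SERVER,
             IID_IADsAccessControlEntry,
             (void **)&pACE
             );
    if (FAILED(hr))
        return hr;

    //Set the properties of the new ACE. Every step is checked and the chain
    //stops at the first failure: an ACE whose Flags or ObjectType could not
    //be set would not be limited to the user class, so a half-built ACE must
    //never be handed back to the caller.

    //Set the access mask containing the rights to assign.
    //This function assigns rights to create objects.
    hr = pACE->put_AccessMask(ADS_RIGHT_DS_CREATE_CHILD);

    //Set the trustee.
    //NOTE(review): put_Trustee and put_ObjectType take BSTR parameters, while
    //plain wide strings are passed here as in the original sample - confirm
    //this is acceptable for the target provider or allocate real BSTRs.
    if (SUCCEEDED(hr))
        hr = pACE->put_Trustee(szTrustee);

    //AceType must be ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or ADS_ACETYPE_ACCESS_DENIED_OBJECT.
    if (SUCCEEDED(hr))
    {
        hr = pACE->put_AceType(bAllowed ? ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                                        : ADS_ACETYPE_ACCESS_DENIED_OBJECT);
    }

    //Set Flags to ADS_FLAG_OBJECT_TYPE_PRESENT
    //so that the right applies to the creation of a specific object class
    //within the current object and all its subobjects.
    if (SUCCEEDED(hr))
        hr = pACE->put_Flags(ADS_FLAG_OBJECT_TYPE_PRESENT);

    //Set ObjectType to the schemaIDGUID of the user class so that the right
    //controls creation of user objects.
    if (SUCCEEDED(hr))
        hr = pACE->put_ObjectType(L"{bf967aba-0de6-11d0-a285-00aa003049e2}");

    //For this function, set AceFlags so that ACE is inherited by child objects.
    if (SUCCEEDED(hr))
        hr = pACE->put_AceFlags(ADS_ACEFLAG_INHERIT_ACE);

    //Set InheritedObjectType to NULL so that it is inherited by all subobjects.
    if (SUCCEEDED(hr))
        hr = pACE->put_InheritedObjectType(NULL);

    //Need to QI for the IDispatch pointer to pass to the AddAce method.
    if (SUCCEEDED(hr))
        hr = pACE->QueryInterface(IID_IDispatch, (void **)ppDispACE);

    //Drop the local reference. On success the IDispatch pointer returned
    //through ppDispACE keeps the object alive; on failure this frees it.
    pACE->Release();

    return hr;
}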