Platform SDK: Active Directory, ADSI, and Directory Services

Creating a Security Descriptor

Using ADSI, you can create a security descriptor and set it as a new object's nTSecurityDescriptor property or use it to replace an existing object's nTSecurityDescriptor property.

Use the following steps for creating a security descriptor for an object (see the code fragment that follows for an example):

  1. Use CoCreateInstance to create the ADSI COM object for the new security descriptor and get an IADsSecurityDescriptor interface pointer to that object. Note that the class ID is CLSID_SecurityDescriptor.
  2. Use the IADsSecurityDescriptor::put_Owner method to set the owner of the object. The owner is a trustee: a user, group, or other security principal. Your application should take the value from the appropriate property of the user or group object of the trustee you want to set as the owner.
  3. Use the IADsSecurityDescriptor::put_Control method to control whether DACLs and SACLs are inherited by the object from its parent container.
  4. Use CoCreateInstance to create the ADSI COM object for the DACL for the new security descriptor and get an IADsAccessControlList interface pointer to that object. Note that the class ID is CLSID_AccessControlList.
  5. For each ACE to add to the DACL, use CoCreateInstance to create the ADSI COM object for the new ACE and get an IADsAccessControlEntry interface pointer to that object. Note that the class ID is CLSID_AccessControlEntry.
  6. For each ACE to add to the DACL, set the properties of the ACE using the property methods of the ACE's IADsAccessControlEntry object. For more information on the properties to set on an ACE, see Setting Access Rights on an Object.
  7. For each ACE to add to the DACL, use the QueryInterface method on the IADsAccessControlEntry object to get an IDispatch pointer. The AddAce method requires an IDispatch interface pointer to the ACE.
  8. For each ACE to add to the DACL, use IADsAccessControlList::AddAce to add the new ACE to the DACL. Note that the order of the ACEs within the ACL can affect the evaluation of access to the object. The correct access to the object may require you to create a new ACL, add the ACEs from the existing ACL in the correct order to the new ACL, and then replace the existing ACL in the security descriptor with the new ACL. For more information, see Order of ACEs in a DACL in the Platform SDK.
  9. Follow steps 4-8 to create the SACL for the new security descriptor.
  10. Use the IADsSecurityDescriptor::put_DiscretionaryAcl method to set the DACL.
  11. Use the IADsSecurityDescriptor::put_SystemAcl method to set the SACL.
  12. Get an IADs interface pointer to the object.
  13. Use the IADs::Put method to write the security descriptor to the object's nTSecurityDescriptor property in the property cache.
  14. Use the IADs::SetInfo method to update the property on the object in the directory.
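The fourteen steps above carried out end to end, as an added example that is not code from this SDK page: it drives the same ADSI COM objects (SecurityDescriptor, AccessControlList, AccessControlEntry) from PowerShell through the IDispatch interfaces that step 7 refers to, builds a DACL in canonical order (explicit deny before explicit allow) and a SACL that audits failed property writes, then writes nTSecurityDescriptor with IADs::Put and commits with IADs::SetInfo. The LDAP path and the EXAMPLE\... trustees are placeholders, and reaching the IADs object through the [ADSI] entry's NativeObject property is an assumption of this example.

```powershell
# Added example, not code from the SDK page. Placeholders: the LDAP path and the
# EXAMPLE\... trustees. Writing the SACL needs SeSecurityPrivilege on the DC.
$TargetPath = 'LDAP://CN=AppConfig,OU=Apps,DC=example,DC=com'
# ADSI enumeration values from Iads.h (scripts see no named constants).
$ACETYPE_ALLOWED   = 0        # ADS_ACETYPE_ACCESS_ALLOWED
$ACETYPE_DENIED    = 1        # ADS_ACETYPE_ACCESS_DENIED
$ACETYPE_AUDIT     = 2        # ADS_ACETYPE_SYSTEM_AUDIT
$ACEFLAG_INHERIT   = 0x2      # ADS_ACEFLAG_INHERIT_ACE
$ACEFLAG_FAILED    = 0x80     # ADS_ACEFLAG_FAILED_ACCESS
$RIGHT_READ        = 0x20014  # READ_CONTROL | DS_READ_PROP | ACTRL_DS_LIST
$RIGHT_WRITE_PROP  = 0x20     # ADS_RIGHT_DS_WRITE_PROP
$RIGHT_WRITE_DAC   = 0x40000  # ADS_RIGHT_WRITE_DAC
$SD_DACL_PRESENT   = 0x4      # ADS_SD_CONTROL_SE_DACL_PRESENT
$SD_SACL_PRESENT   = 0x10     # ADS_SD_CONTROL_SE_SACL_PRESENT
$SD_DACL_PROTECTED = 0x1000   # ADS_SD_CONTROL_SE_DACL_PROTECTED

function New-AdsAce([int]$Type, [int]$Flags, [int]$Mask, [string]$Trustee) {
    # Steps 5-6: create an AccessControlEntry object and set its properties.
    $ace = New-Object -ComObject 'AccessControlEntry'
    $ace.AceType    = $Type
    $ace.AceFlags   = $Flags
    $ace.AccessMask = $Mask
    $ace.Trustee    = $Trustee
    return $ace
}

# Steps 1-3: descriptor, owner, control flags (SE_DACL_PROTECTED blocks DACL inheritance).
$sd = New-Object -ComObject 'SecurityDescriptor'
$sd.Owner   = 'EXAMPLE\AppAdmins'
$sd.Control = $SD_DACL_PRESENT -bor $SD_SACL_PRESENT -bor $SD_DACL_PROTECTED

# Steps 4-8: the DACL. AddAce appends in call order and ADSI does not reorder,
# so explicit deny ACEs are added before explicit allow ACEs (canonical order).
$dacl = New-Object -ComObject 'AccessControlList'
$dacl.AclRevision = 4   # ADS_ACL_REVISION_DS
$dacl.AddAce((New-AdsAce $ACETYPE_DENIED  $ACEFLAG_INHERIT $RIGHT_WRITE_DAC 'EXAMPLE\AppOperators'))
$dacl.AddAce((New-AdsAce $ACETYPE_ALLOWED $ACEFLAG_INHERIT $RIGHT_READ      'EXAMPLE\AppOperators'))

# Step 9: the SACL, here auditing failed attempts to write any property.
$sacl = New-Object -ComObject 'AccessControlList'
$sacl.AclRevision = 4
$sacl.AddAce((New-AdsAce $ACETYPE_AUDIT ($ACEFLAG_INHERIT -bor $ACEFLAG_FAILED) $RIGHT_WRITE_PROP 'Everyone'))

# Steps 10-14: attach both ACLs, write nTSecurityDescriptor to the cache, commit.
$sd.DiscretionaryAcl = $dacl
$sd.SystemAcl        = $sacl
$entry  = [ADSI]$TargetPath
$native = $entry.psbase.NativeObject        # the object's IADs interface (assumption)
$native.Put('nTSecurityDescriptor', $sd)    # step 13: property cache only
$native.SetInfo()                           # step 14: flush to the directory
```

Nothing reaches the directory until SetInfo runs, so a failure before that line leaves the object's existing descriptor untouched.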