Checking an Extended Right in an Object's ACL
To check an extended right on an object's ACL, call the AccessCheckByTypeResultList function. This function takes a pointer to the object's SECURITY_DESCRIPTOR structure in binary (absolute or self-relative) form, not an IADsSecurityDescriptor interface on an ADSI security descriptor COM object, so an application that reads the descriptor through ADSI must convert it before performing the check.
If you are using ADSI, use the following steps for checking access for an extended right on an object (see the following code fragment for an example):
- Get an IDirectoryObject interface pointer to the object.
- Use the IDirectoryObject::Get method to read the object's security descriptor. The property that holds it is named nTSecurityDescriptor. It is returned as a VARIANT whose vt member is VT_DISPATCH, that is, an IDispatch pointer. Call QueryInterface on that IDispatch pointer for IADsSecurityDescriptor; the methods of that interface give access to the security descriptor's ACL.
- Use the IADsSecurityDescriptor::get_DiscretionaryAcl method to get the DACL. The method also returns an IDispatch pointer; call QueryInterface on it for IADsAccessControlList, whose methods enumerate the individual ACEs in the ACL. An extended right appears in the DACL as an object ACE (ACE type ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or ADS_ACETYPE_ACCESS_DENIED_OBJECT) whose ObjectType is the right's rightsGuid and whose AccessMask includes ADS_RIGHT_DS_CONTROL_ACCESS. Note that a non-object ACE that grants ADS_RIGHT_DS_CONTROL_ACCESS with no ObjectType grants every extended right on the object.
- Get the token of the client whose access you want to check. The AccessCheck family of functions requires an impersonation token, not a primary token: obtain one with OpenThreadToken while impersonating the client, or duplicate a primary token with DuplicateToken at SecurityImpersonation level. Passing a primary token fails with ERROR_NO_IMPERSONATION_TOKEN.
- Use the AccessCheckByTypeResultList function to check the specified extended right for that client. Convert the ADSI descriptor to a binary SECURITY_DESCRIPTOR first (for example with IADsSecurityUtility::ConvertSecurityDescriptor from ADS_SD_FORMAT_IID to ADS_SD_FORMAT_RAW). Request ADS_RIGHT_DS_CONTROL_ACCESS as the desired access, pass an OBJECT_TYPE_LIST whose single entry is the right's GUID, and supply the directory service GENERIC_MAPPING (DS_GENERIC_READ, DS_GENERIC_WRITE, DS_GENERIC_EXECUTE, DS_GENERIC_ALL). The function's BOOL return value only reports whether the call itself succeeded; the per-entry result is in AccessStatusList, where 0 (ERROR_SUCCESS) means the right was granted and ERROR_ACCESS_DENIED means it was not.
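The following script is an added example that walks through the five steps above from PowerShell; it is not the code fragment the original page refers to and not Microsoft's sample. It binds with the ADSI `[ADSI]` accelerator, reads nTSecurityDescriptor and enumerates the DACL through IADsSecurityDescriptor/IADsAccessControlList, then calls AccessCheckByTypeResultList through a small C# P/Invoke shim (the `AdAccessCheck` class, `Test-AdExtendedRight` function, and the parameter names are this example's own). Instead of IADsSecurityUtility it obtains the binary descriptor from the .NET DirectoryEntry.ObjectSecurity wrapper, which returns the same self-relative SECURITY_DESCRIPTOR. The distinguished name in the usage line is hypothetical; the right GUID shown is User-Force-Change-Password from CN=Extended-Rights in the Configuration partition, and any other rightsGuid from that container can be substituted. It must run on a domain-joined Windows machine that can reach a domain controller.

```powershell
# Added example, not from the original page: does a client hold an extended right on an AD object?
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class AdAccessCheck
{
    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_TYPE_LIST { public ushort Level; public ushort Sbz; public IntPtr ObjectType; }

    [StructLayout(LayoutKind.Sequential)]
    public struct GENERIC_MAPPING { public uint GenericRead; public uint GenericWrite; public uint GenericExecute; public uint GenericAll; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AccessCheckByTypeResultList(
        byte[] pSecurityDescriptor, IntPtr PrincipalSelfSid, IntPtr ClientToken, uint DesiredAccess,
        OBJECT_TYPE_LIST[] ObjectTypeList, uint ObjectTypeListLength, ref GENERIC_MAPPING GenericMapping,
        IntPtr PrivilegeSet, ref uint PrivilegeSetLength,
        [In, Out] uint[] GrantedAccessList, [In, Out] uint[] AccessStatusList);

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr token, int impersonationLevel, out IntPtr duplicate);

    public const uint ADS_RIGHT_DS_CONTROL_ACCESS = 0x100;   // the access bit that carries extended rights

    // AccessCheck* functions reject primary tokens, so duplicate the caller's process token
    // into an impersonation token (SecurityImpersonation = 2). Caller must CloseHandle it.
    public static IntPtr GetCurrentUserImpersonationToken()
    {
        IntPtr primary, imp;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0008 /*TOKEN_QUERY*/ | 0x0002 /*TOKEN_DUPLICATE*/, out primary))
            throw new Win32Exception();
        try { if (!DuplicateToken(primary, 2, out imp)) throw new Win32Exception(); }
        finally { CloseHandle(primary); }
        return imp;
    }

    // selfRelativeSd: the object's nTSecurityDescriptor in self-relative binary form.
    // rightGuid: rightsGuid of the extended right. Returns true if the client is granted it.
    public static bool HasExtendedRight(byte[] selfRelativeSd, IntPtr clientToken, Guid rightGuid)
    {
        // DS_GENERIC_READ / WRITE / EXECUTE / ALL from the directory service security model.
        var mapping = new GENERIC_MAPPING { GenericRead = 0x00020094, GenericWrite = 0x00020028,
                                            GenericExecute = 0x00020004, GenericAll = 0x000F01FF };
        IntPtr guidMem = Marshal.AllocHGlobal(16);   // native GUID the OBJECT_TYPE_LIST entry points at
        IntPtr privSet = Marshal.AllocHGlobal(64);   // PRIVILEGE_SET scratch buffer
        try
        {
            Marshal.Copy(rightGuid.ToByteArray(), 0, guidMem, 16);
            // One-entry object type list, level 0 = the extended right itself: only object ACEs
            // whose ObjectType is this GUID, plus ACEs with no ObjectType, take part in the check.
            var list = new[] { new OBJECT_TYPE_LIST { Level = 0, Sbz = 0, ObjectType = guidMem } };
            uint privLen = 64; var granted = new uint[1]; var status = new uint[1];
            if (!AccessCheckByTypeResultList(selfRelativeSd, IntPtr.Zero, clientToken, ADS_RIGHT_DS_CONTROL_ACCESS,
                    list, 1, ref mapping, privSet, ref privLen, granted, status))
                throw new Win32Exception();                 // the call itself failed (bad token, bad SD, ...)
            // AccessStatusList holds a per-entry Win32 error code; 0 means the entry was granted.
            return status[0] == 0 && (granted[0] & ADS_RIGHT_DS_CONTROL_ACCESS) != 0;
        }
        finally { Marshal.FreeHGlobal(guidMem); Marshal.FreeHGlobal(privSet); }
    }
}
'@

function Test-AdExtendedRight {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][guid]$RightGuid,
        [IntPtr]$ClientToken = [IntPtr]::Zero      # impersonation token of the client; default = current user
    )
    # Steps 1-3: bind to the object, read nTSecurityDescriptor, walk the DACL through ADSI.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd    = $entry.psbase.InvokeGet('nTSecurityDescriptor')       # IADsSecurityDescriptor
    $aces  = @(foreach ($ace in $sd.DiscretionaryAcl) {             # IADsAccessControlList
        # Object ACEs (AceType 5 = allowed, 6 = denied) carry the right's GUID in ObjectType.
        if ($ace.ObjectType -and ([guid]$ace.ObjectType) -eq $RightGuid) {
            [pscustomobject]@{ Trustee = $ace.Trustee; AceType = $ace.AceType; AccessMask = ('0x{0:X}' -f $ace.AccessMask) }
        }
    })
    # Steps 4-5: obtain the client's token and run the access check against the binary descriptor.
    $ownToken = $ClientToken -eq [IntPtr]::Zero
    if ($ownToken) { $ClientToken = [AdAccessCheck]::GetCurrentUserImpersonationToken() }
    try {
        $sdBytes = $entry.psbase.ObjectSecurity.GetSecurityDescriptorBinaryForm()   # self-relative SD
        $granted = [AdAccessCheck]::HasExtendedRight($sdBytes, $ClientToken, $RightGuid)
    } finally { if ($ownToken) { [void][AdAccessCheck]::CloseHandle($ClientToken) } }
    [pscustomobject]@{ Object = $DistinguishedName; Right = $RightGuid; Granted = $granted; MatchingAces = $aces }
}

# Usage (hypothetical DN; GUID is User-Force-Change-Password):
# Test-AdExtendedRight -DistinguishedName 'CN=Alice,OU=Users,DC=example,DC=com' `
#                      -RightGuid '00299570-246d-11d0-a768-00aa006e0529'
```

`MatchingAces` lists only the ACEs that name the right explicitly, which is useful for explaining a result, but it is not the access decision: `Granted` comes from AccessCheckByTypeResultList, which also honours deny ACEs, inherited ACEs, and non-object ACEs that grant ADS_RIGHT_DS_CONTROL_ACCESS to everything. To check a client other than the current user, pass an impersonation token obtained for that client (for example a LogonUser token duplicated at SecurityImpersonation level) in `-ClientToken`; the function does not close tokens it did not create.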