Platform SDK: Active Directory, ADSI, and Directory Services
Every directory object has an nTSecurityDescriptor property that contains the object's security descriptor. There are two main ways to read and manipulate a directory object's security descriptor.
The recommended technique, and the one used by most of the samples in this guide, is to use the IADs interfaces because they simplify handling security descriptors, ACLs, and ACEs. For Visual Basic programmers, the IADs interfaces are the only easy way to work with security descriptors.
The IDirectoryObject technique is useful primarily when you need a PSECURITY_DESCRIPTOR pointer. For example, the sample code in Checking an Extended Right in an Object's ACL uses this method to retrieve a security descriptor to pass to the AccessCheckByTypeResultList function.
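The raw value behind nTSecurityDescriptor is a self-relative security descriptor, and that binary layout is what the IADs interfaces hide. The following Python example is added here and is not part of the original SDK page; it decodes the owner and DACL from such a buffer, including an object ACE that carries an extended-right GUID. The function names and the sample descriptor (SIDs, masks) are constructed for illustration; the GUID is the Reset Password (User-Force-Change-Password) extended right.

```python
import struct
import uuid
ACE_TYPES = {0: "ALLOW", 1: "DENY", 5: "ALLOW_OBJECT", 6: "DENY_OBJECT"}

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-1-... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_sd(sd):
    """Return (owner SID, ACE dicts), or (owner SID, None) for a NULL DACL."""
    _, _, control, off_owner, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    owner = parse_sid(sd, off_owner) if off_owner else None
    if not (control & 0x0004) or off_dacl == 0:  # SE_DACL_PRESENT not set
        return owner, None
    ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    pos, aces = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, size = struct.unpack_from("<BBH", sd, pos)
        if size < 4 or pos + size > len(sd):
            raise ValueError("ACE at offset %d runs past the buffer" % pos)
        ace = {"type": ACE_TYPES.get(ace_type, ace_type)}
        if ace_type in ACE_TYPES:  # other ACE types are listed, not decoded
            ace["mask"] = struct.unpack_from("<I", sd, pos + 4)[0]
            body = pos + 8
            if ace_type in (5, 6):  # object ACE: flags, then optional GUIDs
                flags = struct.unpack_from("<I", sd, body)[0]
                body += 4
                for bit, key in ((1, "object_type"), (2, "inherited_object_type")):
                    if flags & bit:
                        ace[key] = str(uuid.UUID(bytes_le=bytes(sd[body:body + 16])))
                        body += 16
            ace["trustee"] = parse_sid(sd, body)
        aces.append(ace)
        pos += size
    return owner, aces

def sid(*subs):  # constructed sample data: binary form of S-1-5-<subs>
    return struct.pack("<BB6s%dI" % len(subs), 1, len(subs), bytes([0, 0, 0, 0, 0, 5]), *subs)

def sample_sd():
    """Constructed descriptor: owner S-1-5-32-544, one plain ACE, one object ACE."""
    reset_pw = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529").bytes_le
    bodies = ((0, struct.pack("<I", 0x20094) + sid(11)),
              (5, struct.pack("<II", 0x100, 1) + reset_pw + sid(21, 1, 2, 3, 1105)))
    aces = b"".join(struct.pack("<BBH", t, 0, 4 + len(b)) + b for t, b in bodies)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 2, 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 20 + len(dacl), 0, 0, 20) + dacl + sid(32, 544)
```

Calling `parse_sd(sample_sd())` returns the owner string and a list with one dictionary per ACE, in DACL order.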