APIs for Working with Security Descriptors

Every directory object has an nTSecurityDescriptor property that contains the object's security descriptor. There are two main ways to read and manipulate a directory object's security descriptor.

• You can use the IADs::Get method to retrieve the security descriptor as an ADSI COM object with an IADsSecurityDescriptor interface. You can then use the IADsSecurityDescriptor, IADsAccessControlList, and IADsAccessControlEntry interfaces to work with the security descriptor and its components (ACLs, ACEs, and so on). For sample code that retrieves an IADsSecurityDescriptor interface pointer for a specified object's security descriptor, see Using IADs to Get a Security Descriptor.
• You can use the IDirectoryObject::GetObjectAttributes method to retrieve an object's security descriptor as a pointer to a self-relative Win32 security descriptor (PSECURITY_DESCRIPTOR). Then you can use this pointer with the Win32 access-control functions such as AccessCheck and BuildSecurityDescriptor that have a PSECURITY_DESCRIPTOR parameter. For sample code that uses IDirectoryObject to retrieve a security descriptor, see Using IDirectoryObject to Get a Security Descriptor.

The recommended technique, and the one used by most of the samples in this guide, is to use the IADs interfaces because they simplify handling security descriptors, ACLs, and ACEs. For Visual Basic programmers, the IADs interfaces are the only easy way to work with security descriptors.

The IDirectoryObject technique is useful primarily when you need a PSECURITY_DESCRIPTOR pointer. For example, the sample code in the Checking an Extended Right in an Object's ACL uses this method to retrieve a security descriptor to pass to the AccessCheckByTypeResultList function.