Reading an Extended Right Set in an Object's ACL
Using ADSI, you read an extended right ACE just as you would any other ACE in an ACL. (Note that you can also use the Win32 security APIs to read ACLs on directory objects.) However, extended rights use the properties on the ACE in a manner that is specific to granting and denying extended rights:
To read ACEs for an extended right on an object in C/C++
If you are using ADSI, use the following steps for reading ACEs for an extended right on an object (see the following code fragment for an example):
- Get an IADs interface pointer to the object.
- Use the IADs::Get method to get the security descriptor of the object. The name of the property containing the security descriptor is nTSecurityDescriptor. The property is returned as a VARIANT containing an IDispatch pointer (the vt member is VT_DISPATCH). Call QueryInterface on that IDispatch pointer to get an IADsSecurityDescriptor interface, and use the methods on that interface to access the security descriptor's ACL.
- Use the IADsSecurityDescriptor::get_DiscretionaryAcl method to get the ACL. The method returns an IDispatch pointer. Call QueryInterface on that IDispatch pointer to get an IADsAccessControlList interface, and use the methods on that interface to access the individual ACEs in the ACL.
- Use the IADsAccessControlList::get__NewEnum method to enumerate the ACEs. The method returns an IUnknown pointer. Call QueryInterface on that IUnknown pointer to get an IEnumVARIANT interface.
- Use the IEnumVARIANT::Next method to enumerate the ACEs in the ACL. Each ACE is returned as a VARIANT containing an IDispatch pointer (the vt member is VT_DISPATCH). Call QueryInterface on that IDispatch pointer to get an IADsAccessControlEntry interface to read the ACE.
- Call the IADsAccessControlEntry::get_AccessMask method to get the AccessMask.
- Check the AccessMask value for the ADS_RIGHT_DS_CONTROL_ACCESS flag. If it has this flag, the ACE contains an extended right.
- Call the IADsAccessControlEntry::get_Flags method to get the Flags value, which indicates whether the ACE carries an object type.
- Check the Flags value for the ADS_FLAG_OBJECT_TYPE_PRESENT flag.
- If the ADS_FLAG_OBJECT_TYPE_PRESENT flag is set, call the IADsAccessControlEntry::get_ObjectType method to get a string containing the rightsGUID of the extended right that the ACE applies to.
- Call the IADsAccessControlEntry::get_AceType method to get the type of ACE. The type will be ADS_ACETYPE_ACCESS_ALLOWED_OBJECT to grant the trustee the extended right or ADS_ACETYPE_ACCESS_DENIED_OBJECT to deny the extended right.
- Call the IADsAccessControlEntry::get_Trustee method to get the security principal (user, group, computer, and so on) to whom the ACE applies.
- When you are done with the ObjectType and Trustee strings, use SysFreeString to free the memory for those strings.
- When you are done with the interfaces, call Release on each one to release all the interface references.
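As an added illustration (not the code fragment this page refers to, and not Microsoft's code), the following portable C++ models the values the IADsAccessControlEntry getters above return and applies the AccessMask, AceType, Flags and ObjectType checks to a constructed DACL. The Ace struct, the trustee names and the GUID are constructed placeholders; the constant values are those defined in Iads.h.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Values of the ADSI constants named in the steps above, as defined in Iads.h.
constexpr uint32_t ADS_RIGHT_DS_CONTROL_ACCESS       = 0x100; // AccessMask bit
constexpr uint32_t ADS_FLAG_OBJECT_TYPE_PRESENT      = 0x1;   // Flags bit
constexpr uint32_t ADS_ACETYPE_ACCESS_ALLOWED        = 0x0;
constexpr uint32_t ADS_ACETYPE_ACCESS_DENIED         = 0x1;
constexpr uint32_t ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5;
constexpr uint32_t ADS_ACETYPE_ACCESS_DENIED_OBJECT  = 0x6;

// Constructed stand-in for what the IADsAccessControlEntry getters return.
struct Ace {
    std::string trustee;
    uint32_t    accessMask, flags, aceType;
    std::string objectType;  // rightsGUID; meaningful only when the flag is set
};
struct ExtendedRight {
    std::string trustee;
    std::string rightsGuid;  // "*" when the ACE is not scoped to one extended right
    bool        denied;
};

// The AccessMask, AceType, Flags and ObjectType checks from the list, applied to
// an already enumerated DACL.
std::vector<ExtendedRight> findExtendedRights(const std::vector<Ace>& dacl) {
    std::vector<ExtendedRight> found;
    for (const Ace& ace : dacl) {
        if (!(ace.accessMask & ADS_RIGHT_DS_CONTROL_ACCESS)) continue; // no extended right
        bool denied  = ace.aceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT ||
                       ace.aceType == ADS_ACETYPE_ACCESS_DENIED;
        bool allowed = ace.aceType == ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ||
                       ace.aceType == ADS_ACETYPE_ACCESS_ALLOWED;
        if (!denied && !allowed) continue;  // neither a grant nor a deny (e.g. audit ACE)
        // Only with the flag set does ObjectType name one rightsGUID; without it the
        // control-access bit is not limited to a single extended right.
        bool scoped = (ace.flags & ADS_FLAG_OBJECT_TYPE_PRESENT) != 0;
        found.push_back({ace.trustee, scoped ? ace.objectType : "*", denied});
    }
    return found;
}

// Constructed sample DACL; the GUID and trustee names are placeholders, not real values.
const std::string kRightGuid = "{11111111-2222-3333-4444-555555555555}";
std::vector<Ace> sampleDacl() {
    return {{"EXAMPLE\\svc-backup",  ADS_RIGHT_DS_CONTROL_ACCESS, ADS_FLAG_OBJECT_TYPE_PRESENT, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, kRightGuid},
            {"EXAMPLE\\contractors", ADS_RIGHT_DS_CONTROL_ACCESS, ADS_FLAG_OBJECT_TYPE_PRESENT, ADS_ACETYPE_ACCESS_DENIED_OBJECT,  kRightGuid},
            {"EXAMPLE\\helpdesk",    0x20 /* ADS_RIGHT_DS_WRITE_PROP */, ADS_FLAG_OBJECT_TYPE_PRESENT, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, kRightGuid},
            {"EXAMPLE\\legacy-app",  ADS_RIGHT_DS_CONTROL_ACCESS, 0, ADS_ACETYPE_ACCESS_ALLOWED, ""}};
}
```

The write-property ACE is skipped, the deny object ACE is reported as a deny, and the last entry shows why the Flags check matters: without ADS_FLAG_OBJECT_TYPE_PRESENT there is no single rightsGUID to read.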