Platform SDK: Active Directory, ADSI, and Directory Services

IADsAccessControlEntry Property Methods

The property methods of the IADsAccessControlEntry interface get or set the properties described in the following table. For more information, see Interface Property Methods.

Properties in Vtable Order

Property Description
AccessMask

[Visual Basic]
Access: Read/Write
Data Type: LONG

[C++]
HRESULT get_AccessMask
([out] LONG *plnAccessMask);


HRESULT put_AccessMask
([in] LONG lnAccessMask);

A flag specifying access permissions. Valid values are defined in ADS_RIGHTS_ENUM.
AceType

[Visual Basic]
Access: Read/Write
Data Type: LONG

[C++]
HRESULT get_AceType
([out] LONG *plAceType);


HRESULT put_AceType
([in] LONG lnAceType);

A flag indicating ACE types. Valid values are defined in ADS_ACETYPE_ENUM.
AceFlags

[Visual Basic]
Access: Read/Write
Data Type: LONG

[C++]
HRESULT get_AceFlags
([out] LONG *plnAceFlags);


HRESULT put_AceFlags
([in] LONG lnAceFlags);

A flag specifying whether other containers or objects can inherit the ACE from the owner of the ACL. Valid values are defined in ADS_ACEFLAG_ENUM.
Flags

[Visual Basic]
Access: Read/Write
Data Type: LONG

[C++]
HRESULT get_Flags
([out] LONG *lnflags);


HRESULT put_Flags
([in] LONG lnflags);

A flag indicating whether the ACE has an object type or inherited object type. Valid flags are defined in ADS_FLAGTYPE_ENUM.
ObjectType

[Visual Basic]
Access: Read/Write
Data Type: BSTR

[C++]
HRESULT get_ObjectType
([out] BSTR *bstrObjectType);


HRESULT put_ObjectType
([in] BSTR bstrObjectType);

Identifies the type of property or object the ACE applies to. Its value is the GUID, in string format, of a property or an object class. The GUID refers to a property when the ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP access masks are used, and to an object class when the ADS_RIGHT_DS_CREATE_CHILD and ADS_RIGHT_DS_DELETE_CHILD access masks are used.
InheritedObjectType

[Visual Basic]
Access: Read/Write
Data Type: BSTR

[C++]
HRESULT get_InheritedObjectType
([out] BSTR *bstrInheritedObjectType);


HRESULT put_InheritedObjectType
([in] BSTR bstrInheritedObjectType);

Identifies the type of child object that can inherit the ACE. Its value is the GUID of an object class, in string format. When the GUID is set, the ACE is inherited only by child objects of that type.
Trustee

[Visual Basic]
Access: Read/Write
Data Type: BSTR

[C++]
HRESULT get_Trustee
([out] BSTR *pbstrSecurityId);


HRESULT put_Trustee
([in] BSTR bstrSecurityId);

The trustee to whom the access permissions set in this ACE apply, given as a user path (for example, a domain\account name).

Example Code [Visual Basic]

The following Visual Basic® code snippet illustrates how to add entries to a discretionary ACL using the IADsAccessControlEntry property methods:

' ----- Visual Basic example: adding ACEs to a DACL -----
' Requires a project reference to the Active DS Type Library, which
' supplies the IADs* interfaces and the ADS_* constants used below.
Dim x As IADs
Dim sd As IADsSecurityDescriptor
Dim ace As IADsAccessControlEntry
Dim Dacl As IADsAccessControlList
Dim Ace1 As New AccessControlEntry
Dim Ace2 As New AccessControlEntry

' Bind to the container and fetch its security descriptor
Set x = GetObject("LDAP://OU=Sales,DC=Fabrikam,DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Set Dacl = sd.DiscretionaryAcl

' Show the trustees of the existing ACEs
For Each ace In Dacl
    Debug.Print ace.Trustee
Next

' Set up the first ACE: full permission, allowed, inheritable by children
Ace1.AccessMask = -1                      ' all bits set = full permission
Ace1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
Ace1.AceFlags = ADS_ACEFLAG_INHERIT_ACE
Ace1.Trustee = "ACTIVED\Administrator"

' Set up the second ACE: full permission, denied, inheritable by children
Ace2.AccessMask = -1                      ' all bits set = full permission
Ace2.AceType = ADS_ACETYPE_ACCESS_DENIED
Ace2.AceFlags = ADS_ACEFLAG_INHERIT_ACE
Ace2.Trustee = "ACTIVED\Andyhar"

' Add the ACEs to the discretionary ACL. AddAce appends, and access checks
' evaluate ACEs in order, so the deny ACE is added first. A DACL that already
' holds allow ACEs may still need reordering so that every deny precedes
' every allow (canonical order).
Dacl.AddAce Ace2
Dacl.AddAce Ace1

' Write the modified descriptor back to the directory
sd.DiscretionaryAcl = Dacl
x.Put "ntSecurityDescriptor", Array(sd)
x.SetInfo
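The ObjectType rules described above and the ACE ordering in the Visual Basic sample can be exercised without a directory. The following Python code is an added example, not part of the SDK documentation: it models the IADsAccessControlEntry properties as plain values, decodes AccessMask against the ADS_RIGHTS_ENUM bit values, reports what the ObjectType GUID refers to, and sorts ACEs into canonical order; any GUID strings used with it are constructed placeholders.

```python
from dataclasses import dataclass

RIGHTS = {  # ADS_RIGHTS_ENUM bit values (iads.h)
    "ADS_RIGHT_DS_CREATE_CHILD": 0x1, "ADS_RIGHT_DS_DELETE_CHILD": 0x2,
    "ADS_RIGHT_ACTRL_DS_LIST": 0x4, "ADS_RIGHT_DS_SELF": 0x8,
    "ADS_RIGHT_DS_READ_PROP": 0x10, "ADS_RIGHT_DS_WRITE_PROP": 0x20,
    "ADS_RIGHT_DS_DELETE_TREE": 0x40, "ADS_RIGHT_DS_LIST_OBJECT": 0x80,
    "ADS_RIGHT_DS_CONTROL_ACCESS": 0x100, "ADS_RIGHT_DELETE": 0x10000,
    "ADS_RIGHT_READ_CONTROL": 0x20000, "ADS_RIGHT_WRITE_DAC": 0x40000,
    "ADS_RIGHT_WRITE_OWNER": 0x80000, "ADS_RIGHT_SYNCHRONIZE": 0x100000,
    "ADS_RIGHT_ACCESS_SYSTEM_SECURITY": 0x1000000, "ADS_RIGHT_GENERIC_ALL": 0x10000000,
    "ADS_RIGHT_GENERIC_EXECUTE": 0x20000000, "ADS_RIGHT_GENERIC_WRITE": 0x40000000,
    "ADS_RIGHT_GENERIC_READ": 0x80000000,
}
DENY_TYPES = (1, 6)                 # ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT
ADS_ACEFLAG_INHERITED_ACE = 0x10    # ADS_ACEFLAG_ENUM: ACE was inherited from a parent
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1  # ADS_FLAGTYPE_ENUM: ObjectType GUID is meaningful
PROP_BITS = RIGHTS["ADS_RIGHT_DS_READ_PROP"] | RIGHTS["ADS_RIGHT_DS_WRITE_PROP"]
CHILD_BITS = RIGHTS["ADS_RIGHT_DS_CREATE_CHILD"] | RIGHTS["ADS_RIGHT_DS_DELETE_CHILD"]

@dataclass
class Ace:                          # the IADsAccessControlEntry properties as plain values
    trustee: str
    access_mask: int                # a VB LONG is signed, so -1 means every bit set
    ace_type: int
    ace_flags: int = 0
    flags: int = 0
    object_type: str = ""           # GUID in string format, "{xxxxxxxx-xxxx-...}" (placeholder)

def decode_rights(access_mask: int) -> list[str]:
    """Names of the ADS_RIGHTS_ENUM bits set in AccessMask (mask normalised to 32 bits)."""
    mask = access_mask & 0xFFFFFFFF
    return [name for name, bit in RIGHTS.items() if mask & bit]

def object_type_meaning(ace: Ace) -> str:
    """What the ObjectType GUID refers to, following the ObjectType description above."""
    if not (ace.flags & ADS_FLAG_OBJECT_TYPE_PRESENT) or not ace.object_type:
        return "ALL"                # no GUID: the ACE covers every property / child class
    mask = ace.access_mask & 0xFFFFFFFF
    if mask & PROP_BITS and not mask & CHILD_BITS:
        return f"property {ace.object_type}"
    if mask & CHILD_BITS and not mask & PROP_BITS:
        return f"object class {ace.object_type}"
    return f"object, property or extended right {ace.object_type}"

def canonical_order(aces: list[Ace]) -> list[Ace]:
    """Explicit ACEs before inherited ones, deny before allow within each group. AddAce
    appends, so the deny added after the allow in the VB sample wins only once reordered."""
    return sorted(aces, key=lambda a: (bool(a.ace_flags & ADS_ACEFLAG_INHERITED_ACE),
                                       a.ace_type not in DENY_TYPES))
```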

Example Code [C++]

The following C++ code snippet displays the type and rights of a single access-control entry; pACE is an IADsAccessControlEntry pointer obtained from the ACL:

#include <afx.h>       // MFC: CStringW, ASSERT
#include <iads.h>      // IADsAccessControlEntry, ADS_RIGHTS_ENUM
#include <stdio.h>

void DisplayAceObjectType( LONG aceMask, const CStringW &sObjectType );

// Displays the type and the rights of one access-control entry.
// pACE must be a valid, non-NULL IADsAccessControlEntry pointer.
void DisplayAce( IADsAccessControlEntry *pACE )
{
    LONG aceMask;
    LONG aceType;
    BSTR bstr = NULL;
    CStringW sObjectType;

    ASSERT( pACE );

    ///////////////////////////////////////////////////
    // Get Access Mask, Ace Type, and Object Type
    ///////////////////////////////////////////////////
    if ( FAILED(pACE->get_AccessMask(&aceMask)) )
    {
        return;
    }
    if ( FAILED(pACE->get_AceType(&aceType)) )
    {
        return;
    }
    if ( FAILED(pACE->get_ObjectType(&bstr)) )
    {
        return;
    }

    sObjectType = bstr;        // a NULL BSTR yields an empty string
    SysFreeString( bstr );

    //////////////////////////////////////
    // Display the type
    //////////////////////////////////////
    printf("AceType: %ld\n", aceType );

    // Standard ACE Rights
    if ( aceMask & ADS_RIGHT_DELETE )
    {
        printf("Right to Delete\n");
    }
    if ( aceMask & ADS_RIGHT_READ_CONTROL )
    {
        printf("Right to Read Control\n");
    }
    if ( aceMask & ADS_RIGHT_WRITE_DAC )
    {
        printf("Right to Write DACL\n");
    }
    if ( aceMask & ADS_RIGHT_WRITE_OWNER )
    {
        printf("Right to Take Ownership\n");
    }

    // Directory ACE Rights; for object-specific rights the ObjectType GUID
    // narrows the right to one class, property or extended right.
    if ( aceMask & ADS_RIGHT_DS_CREATE_CHILD )
    {
        printf("Create Child: ");
        DisplayAceObjectType( aceMask, sObjectType );
    }
    if ( aceMask & ADS_RIGHT_DS_DELETE_CHILD )
    {
        printf("Delete Child: ");
        DisplayAceObjectType( aceMask, sObjectType );
    }
    if ( aceMask & ADS_RIGHT_ACTRL_DS_LIST )
    {
        printf("List Contents\n");
    }
    if ( aceMask & ADS_RIGHT_DS_SELF )
    {
        printf("Self (validated write)\n");
    }
    if ( aceMask & ADS_RIGHT_DS_LIST_OBJECT )
    {
        printf("List Object\n");
    }
    if ( aceMask & ADS_RIGHT_DS_DELETE_TREE )
    {
        printf("Delete Tree\n");
    }
    if ( aceMask & ADS_RIGHT_DS_READ_PROP )
    {
        printf("Read Property: ");
        DisplayAceObjectType( aceMask, sObjectType );
    }
    if ( aceMask & ADS_RIGHT_DS_WRITE_PROP )
    {
        printf("Write Property: ");
        DisplayAceObjectType( aceMask, sObjectType );
    }
}

// Prints the ObjectType GUID an object-specific right is scoped to, or
// "ALL" when the ACE carries no ObjectType and so covers every class/property.
void DisplayAceObjectType( LONG aceMask, const CStringW &sObjectType )
{
    if ( sObjectType.IsEmpty() )
    {
        printf("ALL\n");
    }
    else
    {
        // This should be a GUID (object's, attribute's or extended right's GUID)
        printf( "%ls\n", (LPCWSTR)sObjectType );
    }
}

See Also

IADsAccessControlList, IADsSecurityDescriptor