Platform SDK: Active Directory, ADSI, and Directory Services

IADsAccessControlList::RemoveAce

The IADsAccessControlList::RemoveAce method removes an access-control entry (ACE) from the access-control list (ACL).

HRESULT RemoveAce(
  IDispatch * pAccessControlEntry 
);

Parameters

pAccessControlEntry
[in] ACEs to be removed from the ACL.

Return Values

This method returns the standard return values, as well as the following:

S_OK
The ACEs were successfully removed.
E_FAIL
The operation has failed.

For other return values, see ADSI Error Codes.

Example Code [Visual Basic]

The following Visual Basic® code snippet shows how to remove entries from a discretionary access-control list.

Dim x As IADs
Dim sd As IADsSecurityDescriptor
Dim Dacl As IADsAccessControlList
Dim ace As IADsAccessControlEntry
 
Set x = GetObject("LDAP://OU=Sales, DC=activeD,DC=nttest,DC=microsoft,DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Set Dacl = sd.DiscretionaryAcl
 
' ---- Remove the ACEs that belong to jsmith ----
For Each ace In Dacl
  If (ace.Trustee = "FABRIKAM\jsmith") Then
      ' No parentheses: pass the ACE object itself, not its default property.
      Dacl.RemoveAce ace
  End If
Next

sd.DiscretionaryAcl = Dacl
x.Put "ntSecurityDescriptor", Array(sd)
x.SetInfo
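
The following is an added example, not part of the original SDK page or its sample code. It extends the snippet above: each matching ACE is logged before removal, inherited ACEs are left alone (Active Directory reapplies them from the parent container), and the descriptor is written back only if something changed. The function name RemoveExplicitAces and the Debug.Print logging are assumptions made for illustration.

```vb
' Added example. ADS_ACEFLAG_INHERITED_ACE comes from ADS_ACEFLAG_ENUM.
Const ADS_ACEFLAG_INHERITED_ACE = &H10

' Removes the explicit (non-inherited) ACEs held by one trustee and
' returns how many were removed. RemoveExplicitAces is a hypothetical name.
Function RemoveExplicitAces(ByVal path As String, ByVal trustee As String) As Long
    Dim obj As IADs
    Dim sd As IADsSecurityDescriptor
    Dim dacl As IADsAccessControlList
    Dim ace As IADsAccessControlEntry
    Dim item As Variant
    Dim selected As New Collection

    Set obj = GetObject(path)
    Set sd = obj.Get("ntSecurityDescriptor")
    Set dacl = sd.DiscretionaryAcl

    ' Pass 1: select the ACEs, so the list is not changed while it is enumerated.
    For Each item In dacl
        Set ace = item
        ' Account names are not case-sensitive, so compare without regard to case.
        If StrComp(ace.Trustee, trustee, vbTextCompare) = 0 Then
            If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = 0 Then
                selected.Add ace
            Else
                Debug.Print "Skipped inherited ACE for " & ace.Trustee
            End If
        End If
    Next

    ' Pass 2: record what is about to be removed, then remove it.
    For Each item In selected
        Set ace = item
        Debug.Print "Removing ACE: trustee=" & ace.Trustee & _
                    " type=" & ace.AceType & " mask=&H" & Hex(ace.AccessMask)
        dacl.RemoveAce ace
    Next

    ' Write the descriptor back only when the DACL actually changed.
    If selected.Count > 0 Then
        sd.DiscretionaryAcl = dacl
        obj.Put "ntSecurityDescriptor", Array(sd)
        obj.SetInfo
    End If

    RemoveExplicitAces = selected.Count
End Function
```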

Example Code [C++]

The following C++ code snippet removes the ACEs with the specified Trustee ("aDomain\PowerUser").

#include <stdio.h>
#include <wchar.h>
#include <activeds.h>

HRESULT removeAcesFrom(IADsAccessControlList *pAcl)
{
    IEnumVARIANT *pEnum = NULL;
    LPUNKNOWN     pUnk = NULL;
    ULONG  lFetch = 0;
    BSTR    bstr = NULL;
    IADsAccessControlEntry *pACE = NULL;
    IDispatch *pDisp = NULL;
 
    HRESULT hr = pAcl->get__NewEnum( &pUnk );
    if ( FAILED(hr) )
    {
        // pAcl belongs to the caller, so it is not released here.
        return hr;
    }
 
    hr = pUnk->QueryInterface( IID_IEnumVARIANT, (void**) &pEnum );
    pUnk->Release();   // the enumerator holds its own reference
    if ( FAILED(hr) )
    {
        return hr;
    }
 
    VARIANT var;
    VariantInit(&var);
    hr = pEnum->Next( 1, &var, &lFetch );

    while( hr == S_OK )
    {
       if ( lFetch == 1 )
       {
           if ( VT_DISPATCH != V_VT(&var) )
           {
               // Unexpected element type: clean up and report failure.
               VariantClear(&var);
               pEnum->Release();
               return E_FAIL;
           }
           ///////////////////////////
           // Get the individual ACE
           ///////////////////////////
           hr = V_DISPATCH(&var)->QueryInterface( IID_IADsAccessControlEntry,
                                                  (void**)&pACE ); 
           if ( SUCCEEDED(hr) )
           {
               hr = pACE->get_Trustee(&bstr);
               if ( SUCCEEDED(hr) && bstr != NULL )
               {
                   printf("ACE trustee: %S:\n", bstr);
                   // Compare before freeing the string; the backslash must be escaped.
                   BOOL match = (wcscmp(bstr, L"aDomain\\PowerUser") == 0);
                   SysFreeString(bstr);
                   bstr = NULL;
                   if ( match )
                   {
                       hr = pACE->QueryInterface(IID_IDispatch, (void**)&pDisp);
                       if ( SUCCEEDED(hr) )
                       {
                           hr = pAcl->RemoveAce(pDisp);
                           pDisp->Release();
                       }
                       if ( FAILED(hr) )
                       {
                           // Release everything acquired so far before returning.
                           pACE->Release();
                           VariantClear(&var);
                           pEnum->Release();
                           return hr;
                       }
                   }
               }
               pACE->Release();
           }
           VariantClear(&var);
       }
       hr = pEnum->Next( 1, &var, &lFetch );
    }
    pEnum->Release();
    return S_OK;
}

Requirements

  Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 with DSClient).
  Windows 95/98: Requires Windows 95 or later (with DSClient).
  Header: Declared in Iads.h.

See Also

IADsAccessControlEntry, IADsSecurityDescriptor