Platform SDK: Active Directory, ADSI, and Directory Services

IADsSecurityDescriptor

The IADsSecurityDescriptor interface provides access to the properties of an ADSI security descriptor object. You use this interface to examine and change the access control on a directory service object, and to make copies of a security descriptor. You obtain the security descriptor object of a directory object by reading its ntSecurityDescriptor property; the DACL and SACL it exposes are IADsAccessControlList objects whose entries are IADsAccessControlEntry objects.

The IADsSecurityDescriptor interface is a dual interface and exposes the following properties and methods.

Methods in Vtable Order

IUnknown methods Description
QueryInterface Returns pointers to supported interfaces.
AddRef Increments reference count.
Release Decrements reference count.

IDispatch methods Description
GetTypeInfoCount Gets the number of type descriptions.
GetTypeInfo Gets a description of the object's programmable interface.
GetIDsOfNames Maps name of method or property to DISPID.
Invoke Calls one of the object's methods, or gets/sets one of its properties.

IADsSecurityDescriptor property methods Description
get/put_Revision Gets/puts the revision number assigned to the security descriptor.
get/put_Control Gets/puts the SECURITY_DESCRIPTOR_CONTROL flags (for example SE_DACL_PRESENT, SE_DACL_PROTECTED, SE_SACL_PRESENT) of the security descriptor.
get/put_Owner Gets/puts the owner of the object associated with the security descriptor.
get/put_OwnerDefaulted Gets/puts the flag that indicates if the owner information is derived by a default mechanism.
get/put_Group Gets/puts the group that owns the object associated with the security descriptor.
get/put_GroupDefaulted Gets/puts the flag that indicates if the group information is derived by a default mechanism.
get/put_DiscretionaryAcl Gets/puts the discretionary ACL (DACL) associated with the security descriptor.
get/put_DaclDefaulted Gets/puts the flag that indicates if the DACL is derived from a default mechanism.
get/put_SystemAcl Gets/puts the system ACL (SACL) associated with the security descriptor.
get/put_SaclDefaulted Gets/puts the flag that indicates if the SACL is derived from a default mechanism.
CopySecurityDescriptor Copies the security descriptor.

Example Code [Visual Basic]

The following Visual Basic® code snippet shows how to retrieve the security descriptor of a directory object and read its properties.

'--- Visual Basic Example: Getting the security descriptor
Dim x As IADs
Dim sd As IADsSecurityDescriptor
Dim acl As IADsAccessControlList
Dim sacl As IADsAccessControlList
 
' Bind to the domain object and read its ntSecurityDescriptor property,
' which returns an ADSI security descriptor object.
Set x = GetObject("LDAP://DC=Fabrikam,DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Debug.Print sd.Control
Debug.Print sd.Group
Debug.Print sd.Owner
Debug.Print sd.Revision
 
' The DACL and SACL properties return IADsAccessControlList objects.
Set acl = sd.DiscretionaryAcl
Set sacl = sd.SystemAcl

Example Code [C++]

The following C++ code snippet works with the security descriptor of a directory object.

#include <windows.h>
#include <activeds.h>
#include <stdio.h>

#pragma comment(lib, "activeds.lib")
#pragma comment(lib, "adsiid.lib")

IADs *getIADsObject(LPWSTR,LPWSTR,LPWSTR);
IADsSecurityDescriptor *getSD(IADs *);

HRESULT workWithSD()
{
   LPWSTR adsPath = L"LDAP://CN=JSmith,CN=Users,dc=Fabrikam,dc=com";
   // NULL binds with the calling thread's security context. To bind with
   // explicit credentials, pass a user name and password obtained at run
   // time; never hard-code an account name and password in source.
   LPWSTR user = NULL;
   LPWSTR passwd = NULL;

   HRESULT hr;

   IADs *pAds = getIADsObject(adsPath,user,passwd);
   if(!pAds) return E_FAIL;

   IADsSecurityDescriptor *pSD=getSD(pAds);
   if(!pSD) {
       pAds->Release();
       return E_FAIL;
   }

   BSTR bstr = NULL;
   long lVal = 0;
   hr = pSD->get_Control(&lVal);
   if(SUCCEEDED(hr)) printf("SD Control = 0x%lx\n",lVal);

   hr = pSD->get_Owner(&bstr);
   if(SUCCEEDED(hr)) {
       printf("SD Owner   = %ls\n",bstr);
       SysFreeString(bstr);
   }

   hr = pSD->get_Group(&bstr);
   if(SUCCEEDED(hr)) {
       printf("SD Group   = %ls\n",bstr);
       SysFreeString(bstr);
   }

   hr = pSD->get_Revision(&lVal);
   if(SUCCEEDED(hr)) printf("SD Revision= %ld\n",lVal);

   // The ACL properties are returned as IDispatch; query for
   // IADsAccessControlList to enumerate or edit the ACEs.
   IDispatch *pDisp = NULL;
   IADsAccessControlList *dacl = NULL;
   hr = pSD->get_DiscretionaryAcl(&pDisp);
   if(SUCCEEDED(hr) && pDisp) {
       hr = pDisp->QueryInterface(IID_IADsAccessControlList,
                                  (void**)&dacl);
       pDisp->Release();   // Release returns a ULONG, not an HRESULT
   }

// Work with access control list, code omitted.

   if(dacl) dacl->Release();
   pSD->Release();
   pAds->Release();
   return S_OK;
}

/////////////////////////////////////////////////////////
// functions to bind to an object and get its SD and ACL.
/////////////////////////////////////////////////////////
IADs *getIADsObject(LPWSTR adsPath,LPWSTR usr,LPWSTR passwd)
{
    if(!adsPath) return NULL;
    HRESULT hr;
    IADs *pObj = NULL;
    if(!usr) {
         // Bind with the caller's current security context.
         hr = ADsGetObject(adsPath,IID_IADs,(void**)&pObj);
    }
    else {
        // Bind with explicit credentials. ADS_SECURE_AUTHENTICATION (the
        // literal 1 in the original snippet) requests Kerberos/NTLM
        // authentication; without it ADsOpenObject performs an LDAP simple
        // bind, which sends the password in clear text unless
        // ADS_USE_ENCRYPTION or ADS_USE_SSL is also set.
        hr = ADsOpenObject(adsPath,
                          usr,
                          passwd,
                          ADS_SECURE_AUTHENTICATION,
                          IID_IADs,
                          (void**)&pObj);
    }
    if(FAILED(hr)) {
        printf("bind to %ls failed: hr = 0x%08lx\n",adsPath,hr);
        return NULL;   // no interface pointer is returned on failure
    }
    return pObj;
}
///////////////////////////////////////
// IADsSecurityDescriptor *getSD(IADs*)
///////////////////////////////////////
IADsSecurityDescriptor *getSD(IADs *pObj)
{
    if(!pObj) return NULL;
    VARIANT var;
    VariantInit(&var);
    HRESULT hr;

    // ntSecurityDescriptor is returned as VT_DISPATCH holding the ADSI
    // security descriptor object.
    hr = pObj->Get(L"ntSecurityDescriptor",&var);
    if(FAILED(hr) || V_VT(&var) != VT_DISPATCH || !V_DISPATCH(&var)) {
        VariantClear(&var);
        return NULL;
    }

    IADsSecurityDescriptor *psd = NULL;
    hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor,
                                          (void**)&psd);
    VariantClear(&var);   // releases the IDispatch held by the VARIANT;
                          // QueryInterface added its own reference to psd
    if(FAILED(hr)) return NULL;
    return psd;
}

int main()
{
    // ADSI is COM based: initialize COM on this thread before binding.
    HRESULT hr = CoInitialize(NULL);
    if(FAILED(hr)) return 1;
    hr = workWithSD();
    CoUninitialize();
    return SUCCEEDED(hr) ? 0 : 1;
}
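The value that get_Control returns (printed as "SD Control" by the C++ snippet above) is a bit mask of SECURITY_DESCRIPTOR_CONTROL flags, and several of those bits are exactly what a reviewer of an Active Directory object's permissions needs to check first. The following portable C++ is an added example, not code from the SDK page: it decodes the control value into flag names and raises the warnings a practitioner would want (no DACL, inheritance from the parent container blocked by SE_DACL_PROTECTED, no SACL so nothing is audited, defaulted owner). The flag values are the winnt.h definitions, guarded so the block compiles with or without <windows.h>; the two control values in main are constructed, not read from a directory.

```cpp
// Added example, not from the SDK page: decode the SECURITY_DESCRIPTOR_CONTROL
// value returned by IADsSecurityDescriptor::get_Control and report the states
// a reviewer of an AD object's security descriptor should notice.
#include <cstdio>
#include <string>
#include <vector>

// SECURITY_DESCRIPTOR_CONTROL bits as defined in winnt.h; guarded so this
// compiles both with and without <windows.h>.
#ifndef SE_DACL_PRESENT
#define SE_OWNER_DEFAULTED        0x0001
#define SE_GROUP_DEFAULTED        0x0002
#define SE_DACL_PRESENT           0x0004
#define SE_DACL_DEFAULTED         0x0008
#define SE_SACL_PRESENT           0x0010
#define SE_SACL_DEFAULTED         0x0020
#define SE_DACL_AUTO_INHERIT_REQ  0x0100
#define SE_SACL_AUTO_INHERIT_REQ  0x0200
#define SE_DACL_AUTO_INHERITED    0x0400
#define SE_SACL_AUTO_INHERITED    0x0800
#define SE_DACL_PROTECTED         0x1000
#define SE_SACL_PROTECTED         0x2000
#define SE_RM_CONTROL_VALID       0x4000
#define SE_SELF_RELATIVE          0x8000
#endif

struct ControlBit { long bit; const char *name; };

static const ControlBit kControlBits[] = {
    { SE_OWNER_DEFAULTED,       "SE_OWNER_DEFAULTED" },
    { SE_GROUP_DEFAULTED,       "SE_GROUP_DEFAULTED" },
    { SE_DACL_PRESENT,          "SE_DACL_PRESENT" },
    { SE_DACL_DEFAULTED,        "SE_DACL_DEFAULTED" },
    { SE_SACL_PRESENT,          "SE_SACL_PRESENT" },
    { SE_SACL_DEFAULTED,        "SE_SACL_DEFAULTED" },
    { SE_DACL_AUTO_INHERIT_REQ, "SE_DACL_AUTO_INHERIT_REQ" },
    { SE_SACL_AUTO_INHERIT_REQ, "SE_SACL_AUTO_INHERIT_REQ" },
    { SE_DACL_AUTO_INHERITED,   "SE_DACL_AUTO_INHERITED" },
    { SE_SACL_AUTO_INHERITED,   "SE_SACL_AUTO_INHERITED" },
    { SE_DACL_PROTECTED,        "SE_DACL_PROTECTED" },
    { SE_SACL_PROTECTED,        "SE_SACL_PROTECTED" },
    { SE_RM_CONTROL_VALID,      "SE_RM_CONTROL_VALID" },
    { SE_SELF_RELATIVE,         "SE_SELF_RELATIVE" },
};

// Names of every control bit set in the value get_Control returned.
std::vector<std::string> ControlFlagNames(long control) {
    std::vector<std::string> names;
    for (const ControlBit &b : kControlBits)
        if (control & b.bit) names.push_back(b.name);
    return names;
}

// Observations a security reviewer should raise from the control bits alone.
std::vector<std::string> ControlWarnings(long control) {
    std::vector<std::string> w;
    if (!(control & SE_DACL_PRESENT))
        w.push_back("no DACL: a NULL DACL grants everyone full access");
    if (control & SE_DACL_PROTECTED)
        w.push_back("DACL protected: inheritable ACEs from the parent container are blocked");
    if (!(control & SE_SACL_PRESENT))
        w.push_back("no SACL: access to this object is not audited");
    if (control & SE_OWNER_DEFAULTED)
        w.push_back("owner was defaulted rather than set explicitly");
    return w;
}

int main() {
    // Constructed sample value (not read from a directory): DACL and SACL
    // present and auto-inherited, self-relative layout.
    long control = SE_DACL_PRESENT | SE_SACL_PRESENT |
                   SE_DACL_AUTO_INHERITED | SE_SACL_AUTO_INHERITED |
                   SE_SELF_RELATIVE;
    std::printf("SD Control = 0x%lx\n", control);
    for (const std::string &n : ControlFlagNames(control))
        std::printf("  %s\n", n.c_str());

    // A second constructed value: inheritance blocked and no SACL.
    long blocked = SE_DACL_PRESENT | SE_DACL_PROTECTED | SE_SELF_RELATIVE;
    for (const std::string &w : ControlWarnings(blocked))
        std::printf("warning: %s\n", w.c_str());
    return 0;
}
```

In real code, pass the long obtained from pSD->get_Control to ControlWarnings; a protected DACL on a user or OU object is the usual reason that a permission change made at the container level does not reach it, and it is worth confirming against the object's IADsAccessControlList before assuming inheritance is in effect.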

Requirements

  Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 with DSClient).
  Windows 95/98: Requires Windows 95 or later (with DSClient).
  Header: Declared in Iads.h.

See Also

IADsAccessControlEntry, IADsAccessControlList