Platform SDK: Active Directory, ADSI, and Directory Services
The IADsSecurityDescriptor interface provides access to properties on an ADSI security descriptor object. Use this interface to examine and change the access controls on a directory service object. You can also use it to make copies of a security descriptor. To obtain an object's security descriptor object, read its ntSecurityDescriptor property.
The IADsSecurityDescriptor interface is a dual interface and exposes the following properties and methods.
IUnknown methods | Description |
---|---|
QueryInterface | Returns pointers to supported interfaces. |
AddRef | Increments reference count. |
Release | Decrements reference count. |

IDispatch methods | Description |
---|---|
GetTypeInfoCount | Gets the number of type descriptions. |
GetTypeInfo | Gets a description of object's programmable interface. |
GetIDsOfNames | Maps name of method or property to DISPID. |
Invoke | Calls one of the object's methods, or gets/sets one of its properties. |

IADsSecurityDescriptor property methods | Description |
---|---|
get/put_Revision | Gets/puts the revision number assigned to the security descriptor. |
get/put_Control | Gets/puts the SECURITY_DESCRIPTOR_CONTROL flag. |
get/put_Owner | Gets/puts the owner of the object associated with the security descriptor. |
get/put_OwnerDefaulted | Gets/puts the flag that indicates if the owner information is derived by a default mechanism. |
get/put_Group | Gets/puts the group that owns the object associated with the security descriptor. |
get/put_GroupDefaulted | Gets/puts the flag that indicates if the group information is derived by a default mechanism. |
get/put_DiscretionaryAcl | Gets/puts the discretionary ACL associated with the security descriptor. |
get/put_DaclDefaulted | Gets/puts the flag that indicates if the DACL is derived from a default mechanism. |
get/put_SystemAcl | Gets/puts the system ACL (SACL) associated with the security descriptor. |
get/put_SaclDefaulted | Gets/puts the flag that indicates if the SACL is derived from a default mechanism. |
CopySecurityDescriptor | Copies the security descriptor. |
The following Visual Basic® code snippet shows how to manipulate a security descriptor.
```vb
'--- Visual Basic Example: Getting the security descriptor
Dim x As IADs
Dim sd As IADsSecurityDescriptor
Dim acl As IADsAccessControlList
Dim sacl As IADsAccessControlList

Set x = GetObject("LDAP://DC=Fabrikam,DC=com")
Set sd = x.Get("ntSecurityDescriptor")

Debug.Print sd.Control
Debug.Print sd.Group
Debug.Print sd.Owner
Debug.Print sd.Revision

Set acl = sd.DiscretionaryAcl
Set sacl = sd.SystemAcl
```
The following C++ code snippet works with the security descriptor of a directory object.
```cpp
#include <windows.h>
#include <activeds.h>   // includes Iads.h and the ADSI helper functions
#include <stdio.h>
// Link with Activeds.lib and Adsiid.lib. COM must already be initialized
// (for example with CoInitialize) before workWithSD is called.

IADs *getIADsObject(LPCWSTR, LPCWSTR, LPCWSTR);
IADsSecurityDescriptor *getSD(IADs *);

HRESULT workWithSD()
{
    LPCWSTR adsPath = L"LDAP://CN=JSmith,CN=Users,dc=Fabrikam,dc=com";
    LPCWSTR user = L"Administrator";
    LPCWSTR passwd = L"";   // sample value; do not hard-code credentials
    HRESULT hr;

    IADs *pAds = getIADsObject(adsPath, user, passwd);
    if (!pAds)
        return E_FAIL;

    IADsSecurityDescriptor *pSD = getSD(pAds);
    if (!pSD)
    {
        pAds->Release();
        return E_FAIL;
    }

    BSTR bstr = NULL;
    long lVal = 0;

    hr = pSD->get_Control(&lVal);
    if (SUCCEEDED(hr))
        printf("SD Control = %ld\n", lVal);

    hr = pSD->get_Owner(&bstr);
    if (SUCCEEDED(hr))
    {
        printf("SD Owner = %S\n", bstr);
        SysFreeString(bstr);
    }

    hr = pSD->get_Group(&bstr);
    if (SUCCEEDED(hr))
    {
        printf("SD Group = %S\n", bstr);
        SysFreeString(bstr);
    }

    hr = pSD->get_Revision(&lVal);
    if (SUCCEEDED(hr))
        printf("SD Revision= %ld\n", lVal);

    IDispatch *pDisp = NULL;
    IADsAccessControlList *dacl = NULL;
    hr = pSD->get_DiscretionaryAcl(&pDisp);
    if (SUCCEEDED(hr) && pDisp)
    {
        hr = pDisp->QueryInterface(IID_IADsAccessControlList, (void**)&dacl);
        pDisp->Release();
    }

    // Work with access control list, code omitted.

    if (dacl)
        dacl->Release();
    pSD->Release();
    pAds->Release();
    return hr;
}

/////////////////////////////////////////////////////////
// functions to bind to an object and get its SD and ACL.
/////////////////////////////////////////////////////////
IADs *getIADsObject(LPCWSTR adsPath, LPCWSTR usr, LPCWSTR passwd)
{
    if (!adsPath)
        return NULL;

    HRESULT hr;
    IADs *pObj = NULL;
    if (!usr)
    {
        // Bind with the credentials of the calling thread.
        hr = ADsGetObject(adsPath, IID_IADs, (void**)&pObj);
    }
    else
    {
        // Bind with explicit credentials using secure authentication.
        hr = ADsOpenObject(adsPath, usr, passwd, ADS_SECURE_AUTHENTICATION,
                           IID_IADs, (void**)&pObj);
        if (FAILED(hr))
            printf("adsopenobject: hr = %lx\n", (unsigned long)hr);
    }
    if (FAILED(hr))
    {
        if (pObj)
            pObj->Release();
        return NULL;
    }
    return pObj;
}

///////////////////////////////////////
// IADsSecurityDescriptor *getSD(IADs*)
///////////////////////////////////////
IADsSecurityDescriptor *getSD(IADs *pObj)
{
    VARIANT var;
    VariantInit(&var);
    IADsSecurityDescriptor *psd = NULL;

    BSTR attr = SysAllocString(L"ntSecurityDescriptor");
    HRESULT hr = pObj->Get(attr, &var);
    SysFreeString(attr);

    if (SUCCEEDED(hr) && V_VT(&var) == VT_DISPATCH && V_DISPATCH(&var))
        hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor, (void**)&psd);

    VariantClear(&var);   // releases the IDispatch reference held by the VARIANT
    return psd;           // NULL if the property or the interface is unavailable
}
```
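Both snippets above print the Control property as a bare number. The following added example (not part of the original SDK page) decodes that number into its SECURITY_DESCRIPTOR_CONTROL bits and lists the points a reviewer would check. The function names, finding text, and sample values are constructed for illustration, and the code needs no directory connection.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// SECURITY_DESCRIPTOR_CONTROL bits, values as defined in winnt.h.
struct ControlBit { unsigned long mask; const char *name; };
static const ControlBit kBits[] = {
    {0x0001, "SE_OWNER_DEFAULTED"},       {0x0002, "SE_GROUP_DEFAULTED"},
    {0x0004, "SE_DACL_PRESENT"},          {0x0008, "SE_DACL_DEFAULTED"},
    {0x0010, "SE_SACL_PRESENT"},          {0x0020, "SE_SACL_DEFAULTED"},
    {0x0100, "SE_DACL_AUTO_INHERIT_REQ"}, {0x0200, "SE_SACL_AUTO_INHERIT_REQ"},
    {0x0400, "SE_DACL_AUTO_INHERITED"},   {0x0800, "SE_SACL_AUTO_INHERITED"},
    {0x1000, "SE_DACL_PROTECTED"},        {0x2000, "SE_SACL_PROTECTED"},
    {0x4000, "SE_RM_CONTROL_VALID"},      {0x8000, "SE_SELF_RELATIVE"},
};

// Names of the bits set in a value returned by get_Control / sd.Control.
std::vector<std::string> controlFlagNames(long control) {
    std::vector<std::string> names;
    unsigned long rest = static_cast<unsigned long>(control);
    for (const ControlBit &b : kBits)
        if (rest & b.mask) { names.push_back(b.name); rest &= ~b.mask; }
    if (rest) names.push_back("OTHER_BITS");  // bits not listed in kBits
    return names;
}

// Review points for one descriptor; the wording is this example's own.
std::vector<std::string> reviewControl(long control) {
    std::vector<std::string> f;
    if (!(control & 0x0004)) f.push_back("no DACL present: nothing restricts access");
    if (control & 0x1000)    f.push_back("DACL protected: parent ACEs are not inherited");
    if (control & 0x0008)    f.push_back("DACL came from a default mechanism");
    if (!(control & 0x0010)) f.push_back("no SACL returned: absent or not retrieved");
    return f;
}

int main() {
    const long samples[] = {0x8C14, 0x9C04, 0x8000};  // constructed sample values
    for (long c : samples) {
        std::printf("Control = %ld (0x%04lX)\n", c, static_cast<unsigned long>(c));
        for (const std::string &n : controlFlagNames(c)) std::printf("  flag: %s\n", n.c_str());
        for (const std::string &s : reviewControl(c))    std::printf("  review: %s\n", s.c_str());
    }
    return 0;
}
```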
Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 with DSClient).
Windows 95/98: Requires Windows 95 or later (with DSClient).
Header: Declared in Iads.h.