Directory Services

Creating a Security Descriptor for a New Directory Object

You can use ADSI to create a security descriptor and set it as a new object's nTSecurityDescriptor property or use it to replace an existing object's nTSecurityDescriptor property.

To create a security descriptor for an object:

  1. Use CoCreateInstance to create the ADSI COM object for the new security descriptor and get an IADsSecurityDescriptor interface pointer to that object. Be aware that the class ID is CLSID_SecurityDescriptor.
  2. Use the IADsSecurityDescriptor::put_Owner method to set the owner of the object. The trustee is a user, group, or other security principal. An application should use the value from the appropriate property from the user or group object of the trustee to which to apply the ACE.
  3. Use the IADsSecurityDescriptor::put_Control method to control whether DACLs and SACLs are inherited by the object from its parent container.
  4. Use CoCreateInstance to create the ADSI COM object for the DACL for the new security descriptor and get an IADsAccessControlList interface pointer to that object. Be aware that the class ID is CLSID_AccessControlList.
  5. For each ACE to add to the DACL, use CoCreateInstance to create the ADSI COM object for the new ACE and get an IADsAccessControlEntry interface pointer to that object. Be aware that the class ID is CLSID_AccessControlEntry.
  6. For each ACE to add to the DACL, set the properties of the ACE using the property methods of the ACE's IADsAccessControlEntry object. For more information about the properties to set on an ACE, see Setting Access Rights on an Object.
  7. For each ACE to add to the DACL, use the QueryInterface method on the IADsAccessControlEntry object to get an IDispatch pointer. The IADsAccessControlList::AddAce method requires an IDispatch interface pointer to the ACE.
  8. For each ACE to add to the DACL, use IADsAccessControlList::AddAce to add the new ACE to the DACL. Be aware that the order of the ACEs within the ACL can affect the evaluation of access to the object. The correct access to the object may require you to create a new ACL, add the ACEs from the existing ACL in the correct order to the new ACL, and then replace the existing ACL in the security descriptor with the new ACL. For more information, see Order of ACEs in a DACL.
  9. Follow Steps 4-8 to create the SACL for the new security descriptor.
  10. Use the IADsSecurityDescriptor::put_DiscretionaryAcl method to set the DACL. For more information about DACLs, see Null DACLs and Empty DACLs.
  11. Use the IADsSecurityDescriptor::put_SystemAcl method to set the SACL.
  12. Convert the IADsSecurityDescriptor object to a VARIANT by using the QueryInterface method of the IADsSecurityDescriptor object to obtain an IDispatch interface. Then set the vt member of the VARIANT to VT_DISPATCH and set the pdispVal member of the VARIANT equal to the IDispatch pointer.
  13. Obtain an IADs interface pointer to the object.
  14. Use the IADs::Put method with "nTSecurityDescriptor" and the VARIANT created above to write the new security descriptor to the property cache.
  15. Use the IADs::SetInfo method to update the property on the object in the directory.