Directory Services

ADS_SECURITY_INFO_ENUM

The ADS_SECURITY_INFO_ENUM enumeration specifies the available options for examining security data of an object.

typedef enum 
{
  ADS_SECURITY_INFO_OWNER = 0x1, 
  ADS_SECURITY_INFO_GROUP = 0x2, 
  ADS_SECURITY_INFO_DACL = 0x4, 
  ADS_SECURITY_INFO_SACL = 0x8
} ADS_SECURITY_INFO_ENUM;

Values

ADS_SECURITY_INFO_OWNER
Reads or sets the owner data.
ADS_SECURITY_INFO_GROUP
Reads or sets the group data.
ADS_SECURITY_INFO_DACL
Reads or sets the discretionary access-control list (DACL) data.
ADS_SECURITY_INFO_SACL
Reads or sets the system access-control list (SACL) data.

Remarks

The options defined in this enumeration are bit masks. More than one option can be requested by combining the values with a bitwise OR.

To read the security data for an object, use the IADsObjectOptions interface, supplying the security data options listed in this enumeration. For example, assuming obj is an object implementing the IADsObjectOptions interface, the following call enables reading the owner, group, and DACL data of the object.

obj.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL

This is the default setting when an object is created. To enable users to read the SACL, explicitly set the SACL option by calling the IADsObjectOptions::SetOption method, as shown in the following code:

obj.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL

You cannot use the following syntax, even if you are interested only in the SACL:

obj.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_SACL

When the SACL option is set, you can proceed to read the SACL of the object.

Dim sd As IADsSecurityDescriptor
Dim sacl As IADsAccessControlList

' Refresh the property cache, then fetch the security descriptor with Get
' (GetEx returns an array and cannot be assigned to the descriptor object).
obj.GetInfo
Set sd = obj.Get("ntSecurityDescriptor")
Set sacl = sd.SystemAcl
Debug.Print sacl.AceCount

To verify that you can read the SACL, use the IADsObjectOptions::GetOption method to ensure the option is set.

Dim opt As Variant
Dim canReadSACL As Variant
canReadSACL = ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL
opt = obj.GetOption(ADS_OPTION_SECURITY_MASK)
If opt = canReadSACL Then
    ' The SACL bit is part of the current mask, so the SACL can be read.
End If

Presently, such options are available for Active Directory only.
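The Remarks above describe a small but easy-to-get-wrong procedure: the mask an object starts with omits the SACL, a SACL-only mask is refused, and the only way to confirm that the SACL (the ACL that holds the object's auditing rules) is readable is to query the option back. The following stand-alone C++ is an added example, not code from the documentation or from ADSI, that models that procedure so it can be compiled and run without a directory server. The enumeration values are the ones declared on this page but are redefined locally under the hypothetical names SI_OWNER, SI_GROUP, SI_DACL and SI_SACL (do not include Iads.h alongside it); FakeObjectOptions, EnsureSaclReadable, IsValidSecurityMask and DescribeMask are hypothetical stand-ins for IADsObjectOptions and the caller's own helpers. Unlike the equality test in the Remarks, the SACL check here tests the single bit, so it also accepts a mask that carries extra bits.

```cpp
#include <cstdio>
#include <string>

// Values copied from the ADS_SECURITY_INFO_ENUM declaration on this page,
// defined locally so the example builds without Iads.h.
enum SecurityInfoFlag {
    SI_OWNER = 0x1,   // ADS_SECURITY_INFO_OWNER
    SI_GROUP = 0x2,   // ADS_SECURITY_INFO_GROUP
    SI_DACL  = 0x4,   // ADS_SECURITY_INFO_DACL
    SI_SACL  = 0x8    // ADS_SECURITY_INFO_SACL
};

// Mask an object starts with: owner, group and DACL, but not the SACL.
const long kDefaultSecurityMask = SI_OWNER | SI_GROUP | SI_DACL;
// Mask that additionally exposes the SACL.
const long kFullSecurityMask = kDefaultSecurityMask | SI_SACL;

// True when the SACL bit is present in a mask returned by GetOption.
bool MaskRequestsSacl(long mask) { return (mask & SI_SACL) != 0; }

// Validates a mask before handing it to SetOption: no bits outside the
// enumeration, not empty, and the SACL bit only together with owner, group
// and DACL (the Remarks state that a SACL-only mask cannot be used).
bool IsValidSecurityMask(long mask) {
    if (mask == 0) return false;
    if (mask & ~kFullSecurityMask) return false;
    if ((mask & SI_SACL) && (mask & kDefaultSecurityMask) != kDefaultSecurityMask) return false;
    return true;
}

// Builds the mask to request, depending on whether SACL access is wanted.
long BuildSecurityMask(bool wantSacl) {
    return wantSacl ? kFullSecurityMask : kDefaultSecurityMask;
}

// Decodes a mask into the names from the Values list, e.g. for audit logs.
std::string DescribeMask(long mask) {
    static const struct { long bit; const char* name; } parts[] = {
        {SI_OWNER, "OWNER"}, {SI_GROUP, "GROUP"}, {SI_DACL, "DACL"}, {SI_SACL, "SACL"}};
    std::string out;
    for (size_t i = 0; i < sizeof(parts) / sizeof(parts[0]); ++i) {
        if (mask & parts[i].bit) {
            if (!out.empty()) out += '|';
            out += parts[i].name;
        }
    }
    return out.empty() ? std::string("NONE") : out;
}

// Hypothetical stand-in for IADsObjectOptions: reports and accepts the
// security mask the way GetOption/SetOption are described to.
class FakeObjectOptions {
public:
    FakeObjectOptions() : mask_(kDefaultSecurityMask), setCalls_(0) {}
    long GetOption() const { return mask_; }
    // Refuses an invalid mask (including SACL alone) and keeps the old one.
    bool SetOption(long mask) {
        if (!IsValidSecurityMask(mask)) return false;
        mask_ = mask;
        ++setCalls_;
        return true;
    }
    int SetCalls() const { return setCalls_; }
private:
    long mask_;
    int setCalls_;
};

// The procedure from the Remarks: read the current option and, only when
// the SACL bit is missing, set the full mask. Returns true once the SACL
// is readable; a second call is a no-op.
bool EnsureSaclReadable(FakeObjectOptions& obj) {
    if (MaskRequestsSacl(obj.GetOption())) return true;
    if (!obj.SetOption(BuildSecurityMask(true))) return false;
    return MaskRequestsSacl(obj.GetOption());
}

int main() {
    FakeObjectOptions obj;
    std::printf("mask before: %s\n", DescribeMask(obj.GetOption()).c_str());
    EnsureSaclReadable(obj);
    std::printf("mask after:  %s\n", DescribeMask(obj.GetOption()).c_str());
    std::printf("SACL-only mask accepted: %s\n", obj.SetOption(SI_SACL) ? "yes" : "no");
    return 0;
}
```

Against a real IADsObjectOptions object the same flow is the GetOption/SetOption pair shown in the C++ example further down; the validation helper is worth keeping in front of the real SetOption call so that a caller asking for the SACL alone fails in your code with a clear message rather than with an opaque COM error.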

Example Code [Visual Basic]

The following Visual Basic code displays the number of access control entries in a SACL.

Dim x As IADs
Dim dso As IADsOpenDSObject
Dim adsPath As String
Dim sd As IADsSecurityDescriptor
Dim sacl As IADsAccessControlList
Dim objOps As IADsObjectOptions
Dim opt As Variant
Dim canReadSacl, canReadDacl, canReadOwner, canReadGroup As Variant

' Bind to the object with secure authentication (1 = ADS_SECURE_AUTHENTICATION)
' and obtain its IADsObjectOptions interface.
Set dso = GetObject("LDAP:")
adsPath = "LDAP://ArcSrv1/dc=Sales,dc=Fabrikam,dc=com"
Set x = dso.OpenDSObject(adsPath, vbNullString, vbNullString, 1)
Set objOps = x

' Each mask builds on the previous one; the SACL can only be requested
' together with the owner, group and DACL bits.
canReadOwner = ADS_SECURITY_INFO_OWNER

canReadGroup = ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP

canReadDacl = ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL

canReadSacl = ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP _
    Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL

' Only set the option when the SACL bit is not already in the mask.
opt = objOps.GetOption(ADS_OPTION_SECURITY_MASK)
If opt <> canReadSacl Then
    objOps.SetOption ADS_OPTION_SECURITY_MASK, canReadSacl
End If
Set sd = x.Get("ntSecurityDescriptor")
Set sacl = sd.SystemAcl
Debug.Print "sacl(aceCount)= " & sacl.AceCount

Example Code [C++]

The following C++ code displays the number of access-control entries in a system access-control list (SACL). For brevity, error checking is omitted; the caller is assumed to have initialized COM.

#include <windows.h>
#include <activeds.h>   // ADSI interfaces, ADS_SECURITY_INFO_ENUM, ADsOpenObject
#include <comdef.h>     // _bstr_t
#include <atlbase.h>    // CComBSTR
#include <stdio.h>

void TestObjectOptions()
{
   IADsObjectOptions *pObjOps = NULL;
   IADs *pObj = NULL;
   IADsSecurityDescriptor *pSd = NULL;
   IADsAccessControlList *pSacl = NULL;
   IDispatch *pDisp = NULL;

   // Each mask builds on the previous one; the SACL can only be requested
   // together with the owner, group and DACL bits.
   long canReadOwner = ADS_SECURITY_INFO_OWNER;
   long canReadGroup = canReadOwner | ADS_SECURITY_INFO_GROUP;
   long canReadDACL  = canReadGroup | ADS_SECURITY_INFO_DACL;
   long canReadSACL  = canReadDACL  | ADS_SECURITY_INFO_SACL;
   HRESULT hr = S_OK;

   // Keep the _bstr_t alive for the call. Assigning a temporary _bstr_t to a
   // raw BSTR, as the original did, leaves a dangling pointer.
   _bstr_t adsPath("LDAP://arcSrv1/dc=Sales,dc=Fabrikam,dc=com");

   hr = ADsOpenObject(adsPath, NULL, NULL,
                      ADS_SECURE_AUTHENTICATION,
                      IID_IADs, (void**)&pObj);
   hr = pObj->QueryInterface(IID_IADsObjectOptions, (void**)&pObjOps);

   // Read the current security mask; by default it does not include the SACL.
   long opt;
   VARIANT var;
   VariantInit(&var);
   hr = pObjOps->GetOption(ADS_OPTION_SECURITY_MASK, &var);
   opt = V_I4(&var);
   VariantClear(&var);
   if (opt != canReadSACL) {
      V_VT(&var) = VT_I4;
      V_I4(&var) = canReadSACL;
      hr = pObjOps->SetOption(ADS_OPTION_SECURITY_MASK, var);
   }

   // Fetch the security descriptor and walk to its SACL.
   hr = pObj->Get(CComBSTR("ntSecurityDescriptor"), &var);
   hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor,
                                         (void**)&pSd);
   hr = pSd->get_SystemAcl(&pDisp);
   hr = pDisp->QueryInterface(IID_IADsAccessControlList,
                              (void**)&pSacl);
   hr = pSacl->get_AceCount(&opt);
   printf("Number of ACEs in the SACL is %ld\n", opt);

   pSacl->Release();
   pDisp->Release();
   pSd->Release();
   VariantClear(&var);
   pObjOps->Release();
   pObj->Release();
}

Requirements

Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Redistributable: Requires Active Directory Client Extension on Windows NT 4.0 SP6a and Windows 95/98/Me.
Header: Declared in Iads.h.

See Also

ADSI Enumerations, IADsObjectOptions, IADsObjectOptions::GetOption, IADsObjectOptions::SetOption