Directory Services

Retrieving, Setting, or Modifying Security Descriptors on File Systems, File Shares, and Registry Keys

Active Directory Service Interfaces (ADSI) can be used to manage and secure file systems within an organization, including setting or modifying ACLs on files or file shares created by users. Security interfaces such as IADsSecurityDescriptor, IADsAccessControlList, and IADsAccessControlEntry are used to set ACLs on Active Directory, Exchange, file, file share, or registry key objects. Before using these interfaces, the security descriptor may need to be modified if it uses a different format from the interface, or if you do not have access rights to the SACL of the security descriptor because you are not a member of the security administrator group.

To get, set, or modify the security descriptor, use the IADsSecurityUtility interface. This interface enables you to retrieve a security descriptor from various resources in its original format, such as the ADSI format IADsSecurityDescriptor, a raw security descriptor, or as a hexadecimal string as used in Exchange 5.5. When retrieved, you can convert it to another format, for example, from a raw security descriptor to IADsSecurityDescriptor. You can then write the new format back to the resource.

You can set a security mask on IADsSecurityUtility that enables you to retrieve only part of the security descriptor, without requesting the parts that you do not have access to. For example, you can retrieve one or more of the owner, group, or DACL parts of the security descriptor without retrieving the SACL.
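The following PowerShell script is an added example, not code from the original page: it uses the ADsSecurityUtility COM object to read only the owner, group and DACL of a file (the SACL is excluded through SecurityMask, so no SeSecurityPrivilege is needed) and reports allow ACEs that give broad principals write-capable access. The path passed to Get-BroadWriteAces and the list of "broad" trustees are assumptions chosen for the example.

```powershell
# Added example, not from the original page: audit a file's DACL through
# IADsSecurityUtility without requesting the SACL.
# Assumption: $Path is a local NTFS file readable by the current account.

$ADS_PATH_FILE     = 1   # ADS_PATHTYPE_ENUM: path names a file
$ADS_SD_FORMAT_IID = 1   # ADS_SD_FORMAT_ENUM: return an IADsSecurityDescriptor
# ADS_SECURITY_INFO_ENUM flags (owner=1, group=2, DACL=4, SACL=8)
$ADS_SECURITY_INFO_OWNER = 1
$ADS_SECURITY_INFO_GROUP = 2
$ADS_SECURITY_INFO_DACL  = 4
$ADS_ACETYPE_ACCESS_ALLOWED = 0

# File access-mask bits that let a trustee change content, permissions or owner:
# FILE_WRITE_DATA, FILE_APPEND_DATA, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL
$WriteBits = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
# Assumed list of principals considered "broad" for this audit
$BroadTrustees = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Get-BroadWriteAces {
    param([Parameter(Mandatory)][string]$Path)

    $util = New-Object -ComObject ADsSecurityUtility
    # Ask only for owner, group and DACL; the SACL is never requested,
    # so the call succeeds for callers without SeSecurityPrivilege.
    $util.SecurityMask = $ADS_SECURITY_INFO_OWNER -bor $ADS_SECURITY_INFO_GROUP -bor $ADS_SECURITY_INFO_DACL

    # Retrieve directly in IADsSecurityDescriptor form; no conversion step needed
    $sd = $util.GetSecurityDescriptor($Path, $ADS_PATH_FILE, $ADS_SD_FORMAT_IID)
    Write-Host ("Owner: {0}  Group: {1}" -f $sd.Owner, $sd.Group)

    $findings = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        $isAllow  = ($ace.AceType -eq $ADS_ACETYPE_ACCESS_ALLOWED)
        $canWrite = (($ace.AccessMask -band $WriteBits) -ne 0)
        $isBroad  = ($BroadTrustees -contains $ace.Trustee)
        if ($isAllow -and $canWrite -and $isBroad) {
            $findings += [pscustomobject]@{
                Path       = $Path
                Trustee    = $ace.Trustee
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
    return $findings
}

# Usage (path is an assumption): list any broad write-capable ACEs on a config file
Get-BroadWriteAces -Path 'C:\inetpub\wwwroot\web.config' | Format-Table -AutoSize
```

An empty result means no allow ACE on the file grants one of the listed principals a write-capable right; the SACL was never read, so auditing settings are unaffected by this check.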