Directory Services

Security Descriptor Property Type

In ADSI, this property type is called ADSTYPE_NT_SECURITY_DESCRIPTOR. To read or write this property value, install COM Interop.

Note In the Active Directory Schema, the syntax name used for security descriptors is called String(NT-Sec_Desc) and is represented in the Syntax row of attribute tables with the Syntax ID: 2.5.5.15.

The following code example shows how to read a security descriptor on an object.

[Visual Basic .NET]
Import ActiveDS
Import System.Collections
...
Dim ent As New DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com")
Dim sd As SecurityDescriptor = CType(ent.Properties("ntSecurityDescriptor").Value, SecurityDescriptor)
Dim acl As AccessControlList = CType(sd.DiscretionaryAcl, AccessControlList) 
Dim ace As AccessControlEntry
For Each ace In  CType(acl, IEnumerable)
	Console.WriteLine("Trustee: {0}", ace.Trustee)
	Console.WriteLine("AccessMask: {0}", ace.AccessMask)
	Console.WriteLine("Access Type: {0}", ace.AceType)
Next ace

[C#]
using ActiveDs;
using System.Collections;
...
DirectoryEntry ent = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com");
SecurityDescriptor sd = (SecurityDescriptor) ent.Properties["ntSecurityDescriptor"].Value; 
AccessControlList acl= (AccessControlList) sd.DiscretionaryAcl;

foreach(AccessControlEntry ace in (IEnumerable) acl)
{
	Console.WriteLine("Trustee: {0}", ace.Trustee);
	Console.WriteLine("AccessMask: {0}", ace.AccessMask);
	Console.WriteLine("Access Type: {0}", ace.AceType);
}

The following code example shows you how to write a security descriptor to an object.

[Visual Basic .NET]
Import ActiveDS
...
Dim usr As New DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com")
Dim newAce = New AccessControlEntryClass()
Dim usrSD As SecurityDescriptor = CType(usr.Properties("ntSecurityDescriptor").Value, SecurityDescriptor)
Dim usrAcl As AccessControlList = CType(usrSD.DiscretionaryAcl, AccessControlList)
newAce.Trustee = "AliceW"
newAce.AccessMask = - 1
newAce.AceType = 0
usrAcl.AddAce(newAce)
usrSD.DiscretionaryAcl = usrAcl
usr.Properties("ntSecurityDescriptor").Value = usrSD
usr.CommitChanges()

[C#]
using ActiveDS;
...
DirectoryEntry usr = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com");
AccessControlEntry newAce = new AccessControlEntryClass();
SecurityDescriptor usrSD = (SecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value; AccessControlList usrAcl= (AccessControlList) usrSD.DiscretionaryAcl;
newAce.Trustee = "AliceW";
newAce.AccessMask = -1;
newAce.AceType = 0;
usrAcl.AddAce(newAce);
usrSD.DiscretionaryAcl = usrAcl;
usr.Properties["ntSecurityDescriptor"].Value = usrSD;
usr.CommitChanges();