Directory Services

Example Code for Checking for a Control Access Right in an ACE

The following code example is a function that verifies a specified control access right in an ACE in the ACL of the specified object.

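/***************************************************************************

	ReadExtendedRight()

	DESCRIPTION: ReadExtendedRight checks the DACL of the specified object
	for an object-specific ACE that carries the specified control access
	right. If such an ACE exists, it displays (using wprintf) the object
	type, ACE type and trustee of each matching ACE and sets *pfExists
	to TRUE.

	FLOW: Get the security descriptor of the object, get the DACL,
	enumerate the ACEs, skip everything that is not a control access
	right ACE for pszRightsGUID, and display the trustee and ACE type of
	each match.

	The pszRightsGUID UNICODE string should contain the rightsGUID
	property value of the control access right, in the same format that
	the COM Library function StringFromGUID2 produces.

	For example:
	LPCWSTR pszRightsGUID = L"{8186e976-4d8a-11d2-95dd-0000f875b660}";

	The pfExists parameter specifies a BOOL that will receive TRUE if an
	ACE with the specified right exists; otherwise, FALSE.

	RETURNS: S_OK when the DACL was enumerated (consult *pfExists for the
	result), E_INVALIDARG for a NULL argument, E_FAIL when the
	nTSecurityDescriptor attribute does not hold a security descriptor
	object, or the failure HRESULT of the ADSI call that failed.

	LIMITATIONS (important when using the result to reason about access):
	- *pfExists is TRUE for an access-denied ACE as well as an
	  access-allowed ACE; this is not an effective-access check.
	- An ACE that carries ADS_RIGHT_DS_CONTROL_ACCESS without an object
	  type grants every control access right, including this one, but is
	  not reported because only ACEs with ADS_FLAG_OBJECT_TYPE_PRESENT are
	  compared against pszRightsGUID.
	- Inherit-only ACEs are reported like any other even though they do
	  not apply to the object itself.

***************************************************************************/

// Inspects a single ACE and reports whether it is an object-specific
// control access right ACE for pszRightsGUID. On a match, prints the
// object type, ACE type and trustee (wprintf) and sets *pfMatch to TRUE.
//
// Returns S_OK whether or not the ACE matched; returns the failure HRESULT
// of the first IADsAccessControlEntry property read that failed, in which
// case *pfMatch is FALSE.
static HRESULT CheckAceForRight(IADsAccessControlEntry *pACE,
								LPCWSTR pszRightsGUID,
								BOOL *pfMatch)
{
	*pfMatch = FALSE;

	long lAccessMask = 0;
	HRESULT hr = pACE->get_AccessMask(&lAccessMask);
	if (FAILED(hr))
	{
		// The original read lAccessMask even when the call failed; an
		// uninitialized mask must not decide anything here.
		return hr;
	}
	// Only ACEs with the control access bit can carry an extended right.
	if (!(lAccessMask & ADS_RIGHT_DS_CONTROL_ACCESS))
	{
		return S_OK;
	}

	long lTypeFlag = 0;
	hr = pACE->get_Flags(&lTypeFlag);
	if (FAILED(hr))
	{
		return hr;
	}
	// Without an object type there is nothing to compare against
	// pszRightsGUID (see the LIMITATIONS note on ReadExtendedRight).
	if (!(lTypeFlag & ADS_FLAG_OBJECT_TYPE_PRESENT))
	{
		return S_OK;
	}

	CComBSTR sbstrObjectType;
	hr = pACE->get_ObjectType(&sbstrObjectType);
	if (FAILED(hr))
	{
		return hr;
	}
	// A NULL BSTR would crash _wcsicmp; treat it as "no object type".
	if (!sbstrObjectType.m_str || _wcsicmp(sbstrObjectType.m_str, pszRightsGUID) != 0)
	{
		return S_OK;
	}

	*pfMatch = TRUE;

	// %ls is the unambiguous wide-string conversion (in wprintf, %S means
	// a narrow string), and the raw BSTR, not the CComBSTR object, is what
	// must go through the variadic call.
	wprintf(L"\nObjectType: %ls\n", sbstrObjectType.m_str);

	long lAceType = 0;
	if (SUCCEEDED(pACE->get_AceType(&lAceType)))
	{
		if (lAceType == ADS_ACETYPE_ACCESS_ALLOWED_OBJECT)
		{
			wprintf(L"ACE Type: ADS_ACETYPE_ACCESS_ALLOWED_OBJECT\n");
		}
		else if (lAceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT)
		{
			wprintf(L"ACE Type: ADS_ACETYPE_ACCESS_DENIED_OBJECT\n");
		}
	}

	// Get the trustee (who the right applies to) and print it.
	CComBSTR sbstrTrustee;
	if (SUCCEEDED(pACE->get_Trustee(&sbstrTrustee)) && sbstrTrustee.m_str)
	{
		wprintf(L"Trustee: %ls\n", sbstrTrustee.m_str);
	}

	return S_OK;
}

HRESULT ReadExtendedRight(IADs *pObject,
						LPCWSTR pszRightsGUID,
						BOOL *pfExists)
{
	// IsBadWritePtr is unreliable (it can mask memory corruption and races
	// with other threads); a NULL check is the only validation that is
	// safe to perform here.
	if (!pObject || !pszRightsGUID || !pfExists)
	{
		return E_INVALIDARG;
	}

	*pfExists = FALSE;

	// Get the nTSecurityDescriptor; it arrives as an IDispatch that
	// implements IADsSecurityDescriptor.
	CComVariant svar;
	HRESULT hr = pObject->Get(CComBSTR("nTSecurityDescriptor"), &svar);
	if (FAILED(hr))
	{
		return hr;
	}
	// The original silently returned S_OK here, which let "could not read
	// the descriptor" look like "no such ACE" to the caller.
	if (VT_DISPATCH != svar.vt || !svar.pdispVal)
	{
		return E_FAIL;
	}

	// QI for IADsSecurityDescriptor ptr.
	CComPtr<IADsSecurityDescriptor> spSD;
	hr = svar.pdispVal->QueryInterface(IID_IADsSecurityDescriptor, reinterpret_cast<void**>(&spSD));
	if (FAILED(hr))
	{
		return hr;
	}

	// Get the DACL.
	CComPtr<IDispatch> spDisp;
	hr = spSD->get_DiscretionaryAcl(&spDisp);
	if (FAILED(hr))
	{
		return hr;
	}

	// QI for IADsAccessControlList interface.
	CComPtr<IADsAccessControlList> spACL;
	hr = spDisp->QueryInterface(IID_IADsAccessControlList, reinterpret_cast<void**>(&spACL));
	if (FAILED(hr))
	{
		return hr;
	}

	// Enumerate the ACEs in the ACL.
	CComPtr<IUnknown> spUnk;
	hr = spACL->get__NewEnum(&spUnk);
	if (FAILED(hr))
	{
		return hr;
	}

	CComPtr<IEnumVARIANT> spEnum;
	hr = spUnk->QueryInterface(IID_IEnumVARIANT, reinterpret_cast<void**>(&spEnum));
	if (FAILED(hr))
	{
		return hr;
	}

	BOOL fExists = FALSE;

	// Loop to read all ACEs on the object.
	for (;;)
	{
		// A fresh variant per iteration: IEnumVARIANT::Next does not
		// release whatever the VARIANT already holds, so reusing one
		// across iterations leaked an IDispatch reference per ACE.
		CComVariant svarACE;
		ULONG lFetch = 0;

		hr = spEnum->Next(1, &svarACE, &lFetch);
		if (S_OK != hr)
		{
			// S_FALSE: enumeration exhausted; FAILED: enumeration error.
			break;
		}

		// Verify that 1 item is returned and the item is an IDispatch pointer.
		if (lFetch != 1 || VT_DISPATCH != svarACE.vt || !svarACE.pdispVal)
		{
			continue;
		}

		// QI for IADsAccessControlEntry to use to read the ACE; an item
		// that is not an ACE is skipped, as in the original.
		CComPtr<IADsAccessControlEntry> spACE;
		if (FAILED(svarACE.pdispVal->QueryInterface(IID_IADsAccessControlEntry, reinterpret_cast<void**>(&spACE))))
		{
			continue;
		}

		BOOL fMatch = FALSE;
		if (SUCCEEDED(CheckAceForRight(spACE, pszRightsGUID, &fMatch)) && fMatch)
		{
			fExists = TRUE;
		}
	}

	// S_FALSE from Next only means the enumeration is exhausted; report
	// plain success so callers comparing against S_OK are not misled.
	if (S_FALSE == hr)
	{
		hr = S_OK;
	}

	*pfExists = fExists;

	return hr;
}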