Directory Services

Example Code for Setting Permissions on a Group of Properties

The following code example contains a function that creates an ACE that assigns read and write access to the attributes of the Personal Information property set of user objects to the specified trustee.

[C++]
/***************************************************************************

	CreateAceChangePersonalInfoPropGroupOfUsers()

	Create an ACE that assigns change (Read/Write) property rights to the 
	attributes of the Personal Information property set for user objects. 
	For this function, the ACE is inherited only; therefore, it is not an 
	effective right on the current object.

***************************************************************************/

HRESULT CreateAceChangePersonalInfoPropGroupOfUsers(LPWSTR pwszTrustee, 
													BOOL fAllowed, 
													IDispatch **ppDispACE)
{
	if(!pwszTrustee || !ppDispACE)
	{
		return E_INVALIDARG;
}

	HRESULT hr;
	CComPtr<IADsAccessControlEntry> spACE;

	// Create the COM object for the new ACE.
	hr = spACE.CoCreateInstance(CLSID_AccessControlEntry);
	if(FAILED(hr))
	{
		return hr;
}

	// Set the properties of the new ACE.

	/*
	Set the access mask containing the rights to assign. This function assigns 
	ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP to control change.
	*/
	hr = spACE->put_AccessMask(ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP);
	if(FAILED(hr))
	{
		return hr;
}

	// Set the trustee.
	hr = spACE->put_Trustee(CComBSTR(pwszTrustee));
	if(FAILED(hr))
	{
		return hr;
}

	// AceType must be ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or ADS_ACETYPE_ACCESS_DENIED_OBJECT.
	if(fAllowed)
	{
		hr = spACE->put_AceType(ADS_ACETYPE_ACCESS_ALLOWED_OBJECT);
}
	else
	{
		hr = spACE->put_AceType(ADS_ACETYPE_ACCESS_DENIED_OBJECT);
}
	if(FAILED(hr))
	{
		return hr;
}

	/*
	Set Flags to ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT 
	so that the right applies only to a specific property of the specified 
	object class.
	*/
	hr = spACE->put_Flags(ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT);
	if(FAILED(hr))
	{
		return hr;
}

	// Set ObjectType to the rightsGUID of the Personal Information controlAccessRight object. 
	hr = spACE->put_ObjectType(CComBSTR("{77B5B886-944A-11d1-AEBD-0000F80367C1}"));
	if(FAILED(hr))
	{
		return hr;
}

	/*
	For this function, set AceFlags so that ACE is inherited by child objects 
	but not effective on the current object. Set AceFlags to ADS_ACEFLAG_INHERIT_ACE 
	and ADS_ACEFLAG_INHERIT_ONLY_ACE.
	*/
	hr = spACE->put_AceFlags(ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE);
	if(FAILED(hr))
	{
		return hr;
}

	// Set InheritedObjectType to schemaIDGUID of the user class.
	hr = spACE->put_InheritedObjectType(CComBSTR("{BF967ABA-0DE6-11D0-A285-00AA003049E2}"));
	if(FAILED(hr))
	{
		return hr;
}

	// Need to QI for the IDispatch pointer to pass to the AddAce method.
	hr = spACE->QueryInterface(IID_IDispatch, (void**)ppDispACE);
	if(FAILED(hr))
	{
		return hr;
}

	return hr;
}