Directory Services

IADsAccessControlEntry Property Methods

The property methods of the IADsAccessControlEntry interface get or set the properties described in the following table. For more information, see Interface Property Methods.

Properties

Property Description
AccessMask

[Visual Basic]
Access: Read/Write
DataType: LONG

[C++]
HRESULT get_AccessMask
([out] LONG* plnAccessMask);
HRESULT put_AccessMask
([in] LONG lnAccessMask);

A flag that specifies access privileges. Valid values are defined in ADS_RIGHTS_ENUM.
AceType

[Visual Basic]
Access: Read/Write
DataType: LONG

[C++]
HRESULT get_AceType
([out] LONG* plAceType);
HRESULT put_AceType
([in] LONG lnAceType);

A flag that indicates ACE types. Valid values are defined in ADS_ACETYPE_ENUM.
AceFlags

[Visual Basic]
Access: Read/Write
DataType: LONG

[C++]
HRESULT get_AceFlags
([out] LONG* plnAceFlags);
HRESULT put_AceFlags
([in] LONG lnAceFlags);

A flag that specifies if other containers or objects can inherit the ACE from the owner of the ACL. Valid values are defined in ADS_ACEFLAG_ENUM.
Flags

[Visual Basic]
Access: Read/Write
DataType: LONG

[C++]
HRESULT get_Flags
([out] LONG* lnflags);
HRESULT put_Flags
([in] LONG lnflags);

A flag that indicates if the ACE has an object type or inherited object type. Valid flags are defined in ADS_FLAGTYPE_ENUM.
ObjectType

[Visual Basic]
Access: Read/Write
DataType: BSTR

[C++]
HRESULT get_ObjectType
([out] BSTR* bstrObjectType);
HRESULT put_ObjectType
([in] BSTR bstrObjectType);

Indicates the type of an ADSI object. Its value is a GUID, in string format, that identifies a property or an object. The GUID refers to a property when the ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP access masks are used. The GUID refers to an object when the ADS_RIGHT_DS_CREATE_CHILD and ADS_RIGHT_DS_DELETE_CHILD access masks are used.
InheritedObjectType

[Visual Basic]
Access: Read/Write
DataType: BSTR

[C++]
HRESULT get_InheritedObjectType
([out] BSTR* bstrInheritedObjectType);
HRESULT put_InheritedObjectType
([in] BSTR bstrInheritedObjectType);

Indicates the type of a child object of an ADSI object. Its value is a GUID, in string format, that identifies an object. When such a GUID is set, the ACE applies only to the object referred to by the GUID.
Trustee

[Visual Basic]
Access: Read/Write
DataType: BSTR

[C++]
HRESULT get_Trustee
([out] BSTR* pbstrSecurityId);
HRESULT put_Trustee
([in] BSTR bstrSecurityId);

The trustee of the ACE, given as a user path: the account to which the access privileges set in the ACE of the object apply.

Example Code [Visual Basic]

The following code example shows how to add entries to a discretionary ACL using the IADsAccessControlEntry property methods.

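' Adds one access-allowed and one access-denied ACE to the discretionary
' ACL of an organizational unit, then writes the security descriptor back.
Dim x As IADs
Dim sd As IADsSecurityDescriptor
Dim ace As IADsAccessControlEntry
Dim Dacl As IADsAccessControlList
Dim Ace1 As New AccessControlEntry
Dim Ace2 As New AccessControlEntry

' Any failure (bind, read, or write) jumps to Cleanup, which reports it.
On Error GoTo Cleanup
 
Set x = GetObject("LDAP://OU=Sales, DC=Fabrikam,DC=com")
Set sd = x.Get("ntSecurityDescriptor")
Set Dacl = sd.DiscretionaryAcl
 
' Show the existing ACEs.
For Each ace In Dacl
  Debug.Print ace.Trustee
Next
 
 
' Set up the first ACE.
' An AccessMask of -1 sets every bit of the mask, i.e. all rights. That is
' used here for brevity only; real code should combine just the
' ADS_RIGHTS_ENUM values the trustee actually needs.
Ace1.AccessMask = -1 'Full Permission (Allowed)
Ace1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
' ADS_ACEFLAG_INHERIT_ACE makes the entry inheritable by child objects, so
' the grant reaches further than the OU itself.
Ace1.AceFlags = ADS_ACEFLAG_INHERIT_ACE
Ace1.Trustee = "ACTIVED\Administrator"
 
' Set up the 2nd ACE.
Ace2.AccessMask = -1 'Full Permission (Denied)
Ace2.AceType = ADS_ACETYPE_ACCESS_DENIED
Ace2.AceFlags = ADS_ACEFLAG_INHERIT_ACE
Ace2.Trustee = "ACTIVED\Andyhar"
 
' Add the ACEs to the Discretionary ACL.
' NOTE(review): nothing on this page states where AddAce places a new entry
' relative to the existing ones. Access-denied ACEs only take precedence when
' they precede access-allowed ACEs, so confirm the resulting order before
' relying on the deny entry.
Dacl.AddAce Ace1
Dacl.AddAce Ace2
 
' Nothing is changed in the directory until SetInfo commits the property cache.
sd.DiscretionaryAcl = Dacl
x.Put "ntSecurityDescriptor", Array(sd)
x.SetInfo

Cleanup:
	' Reached on success as well as on error; Err.Number is 0 on success.
	If (Err.Number<>0) Then
		MsgBox("An error has occurred. " & Err.Number)
	End If

	' Release every object reference declared above. The original listing also
	' cleared "obj" and "cls", which are never declared in this example.
	Set x = Nothing
	Set sd = Nothing
	Set ace = Nothing
	Set Dacl = Nothing
	Set Ace1 = Nothing
	Set Ace2 = Nothing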

Example Code [C++]

The following code example displays access-control entries.

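// Binds to an organizational unit, reads its ntSecurityDescriptor attribute,
// and passes the security descriptor to DisplayAccessInfo, which enumerates
// the discretionary ACL itself. This is a function-body fragment: it ends by
// returning the last HRESULT.
IADs *pADs = NULL;
IADsSecurityDescriptor *pSD = NULL;
VARIANT var;
HRESULT hr = S_OK;
 
VariantInit(&var);

// NULL user name and password: bind with the caller's current credentials.
hr = ADsOpenObject(L"LDAP://OU=Sales, DC=Fabrikam,DC=com",NULL,NULL,
				 ADS_SECURE_AUTHENTICATION, IID_IADs,(void**)&pADs);
if(FAILED(hr)) {goto Cleanup;}

hr = pADs->Get(CComBSTR("ntSecurityDescriptor"),&var);
if(FAILED(hr)) {goto Cleanup;}

// Check the variant type before treating the value as an IDispatch pointer.
if(VT_DISPATCH != V_VT(&var) || NULL == V_DISPATCH(&var))
{
	hr = E_FAIL;
	goto Cleanup;
}

// The IDispatch pointer inside var is owned by the variant. It is used here
// without a separate Release(); VariantClear() in Cleanup drops that
// reference exactly once. Releasing it by hand as well would over-release
// the object.
hr = V_DISPATCH(&var)->QueryInterface(IID_IADsSecurityDescriptor,(void**)&pSD);
if(FAILED(hr)) {goto Cleanup;}

// No separate get_DiscretionaryAcl call is needed here: DisplayAccessInfo
// retrieves the ACL from pSD on its own.
hr = DisplayAccessInfo(pSD);

Cleanup:
	// Runs on every path so the variant and both interfaces are always freed.
	VariantClear(&var);
	if(pSD) pSD->Release();
	if(pADs) pADs->Release();
	return hr;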



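// Prints the trustee of every ACE in the discretionary ACL of a security
// descriptor.
//
// pSD: security descriptor to read; E_POINTER is returned if it is NULL.
//
// Returns a failure HRESULT if the ACL or its enumerator cannot be obtained,
// or if an enumerated element is not an IDispatch. Otherwise returns the
// result of the final IEnumVARIANT::Next call, which is a success code.
HRESULT DisplayAccessInfo(IADsSecurityDescriptor *pSD)
{
	IDispatch *pDisp = NULL;
	IADsAccessControlList *pACL = NULL;
	IADsAccessControlEntry *pACE = NULL;
	IEnumVARIANT *pEnum = NULL;
	IUnknown *pUnk = NULL;
	HRESULT hr = S_OK;
	ULONG nFetch = 0;
	BSTR bstrValue = NULL;
	VARIANT var;

	VariantInit(&var);

	if(NULL == pSD)
	{
		hr = E_POINTER;
		goto Cleanup;
	}

	// pDisp holds the ACL's IDispatch for the rest of the function and is
	// released in Cleanup; it is not reused for the enumerated elements.
	hr = pSD->get_DiscretionaryAcl(&pDisp);
	if(FAILED(hr)){goto Cleanup;}
	hr = pDisp->QueryInterface(IID_IADsAccessControlList,(void**)&pACL);
	if(FAILED(hr)){goto Cleanup;}

	hr = pACL->get__NewEnum(&pUnk);
	if(FAILED(hr)){goto Cleanup;}

	hr = pUnk->QueryInterface(IID_IEnumVARIANT,(void**)&pEnum);
	if(FAILED(hr)){goto Cleanup;}

	hr = pEnum->Next(1,&var,&nFetch);

	while(hr == S_OK && nFetch == 1)
	{
		if(VT_DISPATCH != V_VT(&var) || NULL == V_DISPATCH(&var))
		{
			// Unexpected element type: report it instead of returning S_OK.
			hr = E_FAIL;
			goto Cleanup;
		}

		// The IDispatch inside var belongs to the variant; VariantClear()
		// below releases it, so it must not be released separately.
		hr = V_DISPATCH(&var)->QueryInterface(IID_IADsAccessControlEntry,(void**)&pACE);

		if(SUCCEEDED(hr))
		{
			hr = pACE->get_Trustee(&bstrValue);
			if(SUCCEEDED(hr))
			{
				// The trustee name is data read from the directory. It is
				// passed as an argument to a constant format string, never as
				// the format string itself, and a NULL BSTR prints as empty.
				wprintf(L"Trustee: %ls\n", bstrValue ? bstrValue : L"");
			}

			// Reset after freeing so Cleanup cannot free the string twice.
			SysFreeString(bstrValue);
			bstrValue = NULL;

			pACE->Release();
			pACE = NULL;
		}

		VariantClear(&var);
		hr = pEnum->Next(1,&var,&nFetch);
	}

Cleanup:
	// Safe on every path: var is either empty or holds an unreleased element.
	VariantClear(&var);
	if(bstrValue) SysFreeString(bstrValue);
	if(pACE) pACE->Release();
	if(pEnum) pEnum->Release();
	if(pUnk) pUnk->Release();
	if(pACL) pACL->Release();
	if(pDisp) pDisp->Release();
	return hr;
}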

Requirements

Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Redistributable: Requires Active Directory Client Extension on Windows NT 4.0 SP6a and Windows 95/98/Me.
Header: Declared in Iads.h.

See Also

IADsAccessControlList, IADsSecurityDescriptor