Directory Services

IADsAccessControlList::RemoveAce

The IADsAccessControlList::RemoveAce method removes an access-control entry (ACE) from the access-control list (ACL).

HRESULT RemoveAce( 
  IDispatch* pAccessControlEntry
);

Parameters

pAccessControlEntry
[in] Pointer to the IDispatch interface of the ACE to be removed from the ACL.

Return Values

This method returns the standard return values.

For more information, and other return values, see ADSI Error Codes.

Return Code Description
S_OK The ACE was successfully removed.
E_FAIL The operation failed.

Example Code [Visual Basic]

The following Visual Basic code example shows how to remove entries from a discretionary access-control list.

' Strips every ACE held by FABRIKAM\jeff from the DACL of the Sales OU and
' commits the edited security descriptor back to the directory.
'
' The match is on the trustee name only: allow and deny entries alike are
' removed. Dropping a deny ACE can widen the trustee's effective access, so
' review which entries match before running this against a production object.
Dim salesOu As IADs
Dim secDesc As IADsSecurityDescriptor
Dim dacl As IADsAccessControlList
Dim targetTrustee As String

On Error GoTo Cleanup

' Lower-case the target once; the comparison below is case-insensitive.
targetTrustee = LCase("FABRIKAM\jeff")

Set salesOu = GetObject("LDAP://OU=Sales,DC=mydomain,DC=fabrikam,DC=com")
Set secDesc = salesOu.Get("ntSecurityDescriptor")
Set dacl = secDesc.DiscretionaryAcl

' Drop each entry whose trustee matches the target account.
For Each ace In dacl
  If LCase(ace.trustee) = targetTrustee Then dacl.RemoveAce ace
Next

' Nothing reaches the directory until the DACL is reattached to the
' descriptor, the descriptor is written to the property cache, and SetInfo
' is called. An error anywhere above jumps to Cleanup and skips the commit.
secDesc.DiscretionaryAcl = dacl
salesOu.Put "ntSecurityDescriptor", Array(secDesc)
salesOu.SetInfo

Cleanup:
	' Reached on both the success path and the error path.
	If Err.Number <> 0 Then
		MsgBox "An error has occurred. " & Err.Number
	End If
	Set salesOu = Nothing
	Set secDesc = Nothing
	Set dacl = Nothing

Example Code [C++]

The following C++ code example removes the ACEs with the specified trustee.

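/**
 * Removes every ACE whose trustee string equals szTrustee from the given ACL.
 *
 * The ACL object is modified in memory only. To make the change effective the
 * caller still has to assign the ACL back to its security descriptor and
 * commit the owning object, as the Visual Basic example on this page does
 * with Put and SetInfo.
 *
 * The match is on the trustee alone, so allow and deny ACEs are both removed;
 * removing a deny ACE can widen the trustee's effective access.
 *
 * NOTE(review): the comparison is case-sensitive (wcscmp), whereas the Visual
 * Basic example lower-cases both sides. A trustee stored with different
 * casing will not match and its ACEs stay in the ACL - confirm which
 * behaviour is intended.
 *
 * @param pAcl       ACL to edit. Must not be NULL.
 * @param szTrustee  Trustee name to match. Must not be NULL.
 * @return E_INVALIDARG for a NULL argument; the failing HRESULT if
 *         enumeration or RemoveAce fails; E_FAIL if the enumerator yields
 *         something other than a non-NULL IDispatch. Otherwise the last value
 *         returned by IEnumVARIANT::Next, which is S_FALSE once the
 *         enumeration is exhausted - test the result with SUCCEEDED/FAILED
 *         rather than comparing against S_OK.
 */
HRESULT removeAcesFrom(IADsAccessControlList *pAcl, BSTR szTrustee)
{
	IEnumVARIANT *pEnum = NULL;
	LPUNKNOWN pUnk = NULL;
	ULONG  lFetch = 0;
	BSTR bstr = NULL;
	IADsAccessControlEntry *pACE = NULL;
	IDispatch *pDisp = NULL;     // borrowed from var, never released here
	IDispatch *pAceDisp = NULL;  // owned reference handed to RemoveAce
	HRESULT hr = S_OK;
	VARIANT var;
	VariantInit(&var);

	// Reject NULL inputs before dereferencing pAcl or passing szTrustee to wcscmp.
	if (pAcl == NULL || szTrustee == NULL)
	{
		return E_INVALIDARG;
	}

	hr = pAcl->get__NewEnum(&pUnk);
	if (FAILED(hr))
	{
		goto Cleanup;
	}

	hr = pUnk->QueryInterface(IID_IEnumVARIANT, (void**)&pEnum);
	if (FAILED(hr))
	{
		goto Cleanup;
	}

	// NOTE(review): ACEs are removed while the enumerator is still live.
	// Confirm the enumerator tolerates this; if not, collect the matches
	// first and remove them after the loop.
	hr = pEnum->Next(1, &var, &lFetch);

	while (hr == S_OK)
	{
		if (lFetch == 1)
		{
			if (VT_DISPATCH != V_VT(&var) || V_DISPATCH(&var) == NULL)
			{
				// Report the unexpected element instead of returning S_OK
				// with the ACL only partially processed.
				hr = E_FAIL;
				goto Cleanup;
			}

			// The VARIANT keeps ownership of this pointer; VariantClear releases it.
			pDisp = V_DISPATCH(&var);

			// Get the individual ACE.
			hr = pDisp->QueryInterface(IID_IADsAccessControlEntry,
									   (void**)&pACE);
			if (SUCCEEDED(hr))
			{
				hr = pACE->get_Trustee(&bstr);
				if (SUCCEEDED(hr) && bstr != NULL)
				{
					printf("ACE trustee: %S:\n", bstr);

					// Compare while the string is still alive; it is freed
					// only after the last use below.
					if (wcscmp(bstr, szTrustee) == 0)
					{
						hr = pACE->QueryInterface(IID_IDispatch, (void**)&pAceDisp);
						if (SUCCEEDED(hr))
						{
							hr = pAcl->RemoveAce(pAceDisp);
							pAceDisp->Release();
							pAceDisp = NULL;
						}
						if (FAILED(hr))
						{
							// pACE and bstr are still set and are released in Cleanup.
							goto Cleanup;
						}
					}
				}

				// Free and reset so Cleanup cannot free or release them a second time.
				SysFreeString(bstr);
				bstr = NULL;
				pACE->Release();
				pACE = NULL;
			}
			VariantClear(&var);
		}
		hr = pEnum->Next(1, &var, &lFetch);
	}

Cleanup:
	VariantClear(&var);
	if (pACE)
	{
		pACE->Release();
	}
	if (pEnum)
	{
		pEnum->Release();
	}
	if (pUnk)
	{
		pUnk->Release();
	}
	if (bstr)
	{
		SysFreeString(bstr);
	}
	return hr;
}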

Requirements

Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Redistributable: Requires Active Directory Client Extension on Windows NT 4.0 SP6a and Windows 95/98/Me.
Header: Declared in Iads.h.

See Also

IADsAccessControlEntry, IADsSecurityDescriptor