A Simple ADSI Example







All seven ACE properties are set through property methods with the same names as those on the ADSI interface IADsAccessControlEntry. An ACE built this way is then added to an ACL through IADsAccessControlList, and the modified ACL is placed back into the security descriptor through IADsSecurityDescriptor.

Let's go through an example now so you can see how it all fits together. The figure shows a section of VBScript code that creates an ACE granting ANewGroup full control over the myOU organizational unit and all of its children.

A simple ADSI example

    Option Explicit

    '**************************************************************************
    'Declare constants
    '**************************************************************************
    Const FULL_CONTROL = -1                 'Every access-mask bit set (&HFFFFFFFF)
    Const ADS_ACETYPE_ACCESS_ALLOWED = 0    'ADS_ACETYPE_ENUM: a permissions-allowed ACE
    Const ADS_ACEFLAG_INHERIT_ACE = 2       'ADS_ACEFLAG_ENUM: child objects inherit this ACE

    '**************************************************************************
    'Declare variables
    '**************************************************************************
    Dim objObject    'Any object
    Dim objSecDesc   'SecurityDescriptor
    Dim objDACL      'AccessControlList
    Dim objNewACE    'AccessControlEntry

    '**************************************************************************
    'Create the new ACE and populate it
    '**************************************************************************
    Set objNewACE = CreateObject("AccessControlEntry")
    objNewACE.Trustee = "AMER\ANewGroup"    'Must resolve to a SID or the write fails
    objNewACE.AccessMask = FULL_CONTROL
    objNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objNewACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE

    '**************************************************************************
    'Bind to the object whose DACL is being changed
    '**************************************************************************
    Set objObject = GetObject("LDAP://ou=myOU,dc=amer,dc=mycorp,dc=com")

    '**************************************************************************
    'Use IADs::Get to retrieve the SD for the object
    '**************************************************************************
    Set objSecDesc = objObject.Get("ntSecurityDescriptor")

    '**************************************************************************
    'Use IADsSecurityDescriptor::DiscretionaryAcl to retrieve the existing DACL
    '**************************************************************************
    Set objDACL = objSecDesc.DiscretionaryAcl

    '**************************************************************************
    'Use IADsAccessControlList::AddAce to add the ACE to the existing DACL
    '**************************************************************************
    objDACL.AddAce objNewACE

    '**************************************************************************
    'Use IADsSecurityDescriptor::DiscretionaryAcl to put back the modified DACL
    '**************************************************************************
    objSecDesc.DiscretionaryAcl = objDACL

    '**************************************************************************
    'Use IADs::Put to replace the SD for the object
    '**************************************************************************
    objObject.Put "ntSecurityDescriptor", Array(objSecDesc)

    '**************************************************************************
    'Write out the property cache using IADs::SetInfo (nothing reaches the
    'directory until this call)
    '**************************************************************************
    objObject.SetInfo

A common error seen by script writers producing their own ACL manipulation scripts is the dreaded "The security ID structure is invalid" error, returned as -2147023559 (0x80070539, which wraps Win32 error 1337, ERROR_INVALID_SID). The number one cause is a trustee that cannot be resolved to a SID: a misspelled group or domain prefix, a group that does not exist yet, or a script run from a context that cannot resolve names in that domain.


Discussion

First we create the new ACE. This requires a CreateObject call to create a new, empty instance of an ACE object. We then set the four fields we need. The Trustee is the user or group that is being granted the permission on the myOU object; it must be a name ADSI can resolve to a SID. The AccessMask value of -1 has every bit set, which grants full control. To say whether those permissions are allowed or denied, we put a 0 in the AceType field, which marks this as a permissions-allowed ACE (ADS_ACETYPE_ACCESS_ALLOWED). Finally, the AceFlags field is set to 2 (ADS_ACEFLAG_INHERIT_ACE, the CONTAINER_INHERIT_ACE bit) so that child objects inherit the ACE; with neither the inherit-only nor the no-propagate bit set, the ACE applies to myOU itself and propagates to every descendant, not just the immediate children. The result is an ACE that allows ANewGroup full access to the myOU organizational unit and all its children. Because full control includes the rights to change the DACL and take ownership, a group holding it can extend its own access, so grant it deliberately.

We then bind to the object, retrieve its security descriptor, and from that its DACL, so that the new ACE can be added to the DACL. Once that is done, we reverse the steps: put the modified DACL back into the security descriptor, put the security descriptor back on the object, and finally write out the property cache with SetInfo. Nothing changes in Active Directory until that last call.
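The same change written in PowerShell, as an added example rather than code from the page: it uses the .NET System.DirectoryServices wrappers (ActiveDirectorySecurity and ActiveDirectoryAccessRule) instead of the raw IADs* COM interfaces, resolves the trustee to a SID before touching the DACL so that an unresolvable name fails with a clear message instead of -2147023559, and reads the DACL back afterwards to confirm the ACE was written. The domain AMER, the group ANewGroup and the OU path are the placeholders from the figure; the account running it is assumed to have permission to modify the OU's security descriptor.

```powershell
# Added example (not from the original page): the change made by the VBScript
# figure, done through System.DirectoryServices with the trustee resolved to a
# SID first. Assumes the figure's placeholders (domain AMER, group ANewGroup,
# OU path below) and an account allowed to modify the OU's security descriptor.

$ouPath  = "LDAP://ou=myOU,dc=amer,dc=mycorp,dc=com"
$trustee = "AMER\ANewGroup"

# Step 1: resolve the trustee to a SID up front. An unresolvable name fails
# here with IdentityNotMappedException instead of surfacing later as
# "The security ID structure is invalid" (-2147023559).
try {
    $sid = ([System.Security.Principal.NTAccount] $trustee).Translate(
               [System.Security.Principal.SecurityIdentifier])
} catch [System.Security.Principal.IdentityNotMappedException] {
    throw "Trustee '$trustee' does not resolve to a SID; check the name and domain prefix."
}

# Step 2: bind to the OU and fetch its security descriptor
# (the equivalent of IADs::Get("ntSecurityDescriptor") in the figure).
$ou = [ADSI] $ouPath
$sd = $ou.psbase.ObjectSecurity

# Step 3: build the ACE. GenericAll is full control, Allow makes it an
# ACCESS_ALLOWED_ACE, and inheritance All (this object and all descendants)
# corresponds to AceFlags = 2 (ADS_ACEFLAG_INHERIT_ACE) in the figure.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Step 4: add the ACE to the DACL and write the descriptor back
# (the Put + SetInfo pair in the figure).
$sd.AddAccessRule($rule)
$ou.psbase.CommitChanges()

# Step 5: re-read the object and confirm an explicit Allow ACE for that SID
# is now present in the DACL.
$ou.psbase.RefreshCache()
$applied = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false,
               [System.Security.Principal.SecurityIdentifier]) |
           Where-Object { $_.IdentityReference -eq $sid -and
                          $_.AccessControlType -eq 'Allow' }
if (-not $applied) { throw "ACE for $trustee not found on $ouPath after write" }
$applied | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

The read-back in the last step is the check worth keeping in any ACL script: CommitChanges succeeding only proves the write was accepted, while GetAccessRules on a refreshed object proves the ACE is what you intended, for the SID you intended, with the inheritance you intended.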


