APIs for Working with Security Descriptors

Each object in Active Directory Domain Services has an nTSecurityDescriptor attribute that contains the object security descriptor. There are two primary ways to read and manipulate a directory object security descriptor:

• Use the IADs::Get method to retrieve the security descriptor as an ADSI COM object with an IADsSecurityDescriptor interface. The IADsSecurityDescriptor, IADsAccessControlList, and IADsAccessControlEntry interfaces can be used to handle the security descriptor and its components (ACLs, ACEs, and so on). For more information and a code example, see Using IADs to Get a Security Descriptor.
• Use the IDirectoryObject::GetObjectAttributes method to retrieve an object security descriptor as a pointer to a SECURITY_DESCRIPTOR structure. Use this pointer with a Win32 access-control function, such as AccessCheck or BuildSecurityDescriptor. For more information and a code example, see Using IDirectoryObject to Get a Security Descriptor.

The recommended technique, and the one used by most of the code examples in this guide, is to use the IADs* interfaces because they simplify handling security descriptors, ACLs, and ACEs. For Visual Basic programmers, the IADs* interfaces are the most efficient way to handle security descriptors.

The IDirectoryObject technique is useful when a SECURITY_DESCRIPTOR structure is required. For example, the code example in Checking a Control Access Right in an Object's ACL uses this method to retrieve a security descriptor to pass to the AccessCheckByTypeResultList function.

For more information, see:

• Using IADs to Get a Security Descriptor
• Using IDirectoryObject to Get a Security Descriptor
• Security Descriptor Components
• Retrieving an Object's DACL
• Retrieving an Object's SACL
• Reading an Object's Security Descriptor
• Example Code for Creating a Security Descriptor
• Example Code for Enumerating the ACL of an Object in Active Directory Domain Services