Edit

Share via

ADS_SECURITY_INFO_ENUM enumeration (iads.h)

  • Article

The ADS_SECURITY_INFO_ENUM enumeration specifies the available options for examining security data of an object.

Syntax

typedef enum __MIDL___MIDL_itf_ads_0001_0077_0002 {
  ADS_SECURITY_INFO_OWNER = 0x1,
  ADS_SECURITY_INFO_GROUP = 0x2,
  ADS_SECURITY_INFO_DACL = 0x4,
  ADS_SECURITY_INFO_SACL = 0x8
} ADS_SECURITY_INFO_ENUM;

Constants

 
ADS_SECURITY_INFO_OWNER
Value: 0x1
Reads or sets the owner data.
ADS_SECURITY_INFO_GROUP
Value: 0x2
Reads or sets the group data.
ADS_SECURITY_INFO_DACL
Value: 0x4
Reads or sets the discretionary access-control list data.
ADS_SECURITY_INFO_SACL
Value: 0x8
Reads or sets the system access-control list data.

Remarks

The options defined in this enumeration are bit-masks. More than one option can be set using appropriate bitwise operations.

To read the security data for an object, use the IADsObjectOptions interface, supplying the security data options listed in this enumeration.

The following list lists common flag combinations and their use.

Flag combination Description
ADS_SECURITY_INFO_OWNER, ADS_SECURITY_INFO_GROUP, and ADS_SECURITY_INFO_DACL Enable users to read the security data of the owner, group, or DACL of an object. This is the default setting when an object is created.
ADS_SECURITY_INFO_OWNER, ADS_SECURITY_INFO_GROUP, ADS_SECURITY_INFO_DACL, and ADS_SECURITY_INFO_SACL Enable users to read the SACL. The ADS_SECURITY_INFO_SACL flag cannot be used by itself.
 

Presently, such options are available for Active Directory only.

Because Visual Basic Scripting Edition (VBScript) cannot read data from a type library, an application must use the appropriate numeric constants, instead of the symbolic constants, to set the appropriate flags. To use the symbolic constants as a good programming practice, write explicit declarations of such constants, as done here.

Examples

The following code example displays the number of access control entries in a SACL.

Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8

Const ADS_OPTION_SECURITY_MASK = 3

Dim x As IADs
Dim dso As IADsOpenDSObject
Dim adsPath As String
Dim sd As IADsSecurityDescriptor
Dim sacl As IADsAccessControlList
Dim objOps As IADsObjectOptions
Dim opt As Variant
Dim canReadSacl As Variant
 
Set dso = GetObject("LDAP:")
adsPath = "LDAP://ArcSrv1/dc=Sales,dc=Fabrikam,dc=com"
Set x = dso.OpenDSObject(adsPath, vbNullString, vbNullString, 1)
Set objOps = x
 
canReadSacl = ADS_SECURITY_INFO_OWNER _
                Or ADS_SECURITY_INFO_GROUP _
                Or ADS_SECURITY_INFO_DACL _
                Or ADS_SECURITY_INFO_SACL
 
opt = objOps.GetOption(ADS_OPTION_SECURITY_MASK)
If opt <> canReadSacl Then
    objOps.SetOption ADS_OPTION_SECURITY_MASK, canReadSacl
End If
Set sd = x.Get("ntSecurityDescriptor")
Set sacl = sd.SystemAcl
Debug.Print "sacl(aceCount)= " & sacl.AceCount

The following code example displays the number of access-control entries in a system ACL. For brevity, error checking is omitted.

void TestObjectOptions()
{
    long lCanReadSACL = ADS_SECURITY_INFO_OWNER | 
        ADS_SECURITY_INFO_GROUP | 
        ADS_SECURITY_INFO_DACL | 
        ADS_SECURITY_INFO_SACL;

    HRESULT hr = S_OK;
    CComPtr<IADs> spObj;
    hr = ADsOpenObject(L"LDAP://arcSrv1/dc=Sales,dc=Fabrikam,dc=com", 
        NULL, 
        NULL,
        ADS_SECURE_AUTHENTICATION,
        IID_IADs,
        (void**)&spObj);
    if(S_OK != hr)
    {
        return;
    }

    CComPtr<IADsObjectOptions> spObjOps;
    hr = spObj->QueryInterface(IID_IADsObjectOptions, (void**)&spObjOps);
    if(S_OK != hr)
    {
        return;
    }

    CComVariant svar;
    hr = spObjOps->GetOption(ADS_OPTION_SECURITY_MASK, &svar);
    if(S_OK != hr)
    {
        return;
    }

    if(V_I4(&svar) != lCanReadSACL)
    {
        svar = lCanReadSACL;
        hr = spObjOps->SetOption(ADS_OPTION_SECURITY_MASK, svar);
    }

    hr = spObj->Get(CComBSTR("ntSecurityDescriptor"), &svar);
    if(S_OK != hr)
    {
        return;
    }

    CComPtr<IADsSecurityDescriptor> spSd;
    hr = V_DISPATCH(&svar)->QueryInterface(IID_IADsSecurityDescriptor, 
                                            (void**)&spSd);
    if(S_OK != hr)
    {
        return;
    }

    CComPtr<IDispatch> spDisp;
    hr = spSd->get_SystemAcl(&spDisp);
    if(S_OK != hr)
    {
        return;
    }

    CComPtr<IADsAccessControlList> spSacl;
    hr = spDisp->QueryInterface(IID_IADsAccessControlList, 
                                (void**)&spSacl);
    if(S_OK != hr)
    {
        return;
    }

    LONG lOptions;
    hr = spSacl->get_AceCount(&lOptions);
    if(S_OK != hr)
    {
        return;
    }

    _tprintf(TEXT("Number of ACE's in the SACL is %d\n"), lOptions);
}

Requirements

Requirement Value
Minimum supported client Windows Vista
Minimum supported server Windows Server 2008
Header iads.h

See also

ADSI Enumerations

IADsObjectOptions

IADsObjectOptions::GetOption

IADsObjectOptions::SetOption