Reordering a DACL
Topic Last Modified: 2006-06-11
The following example reorders a discretionary access control list (DACL).
Example
Visual Basic
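'//////////////////////////////////////////////////////////////////////
'
' Function: ReorderACL(objDACL)
'
' Purpose: Builds a new DACL holding the ACEs of objDACL in canonical order:
'            1. Explicit access-denied ACEs
'            2. Explicit access-denied object ACEs
'            3. Explicit access-allowed ACEs
'            4. Explicit access-allowed object ACEs
'            5. Inherited ACEs, in the order they appear in objDACL
'          Access checks evaluate ACEs in list order and stop at the first
'          match, so a mis-ordered DACL can grant or deny access that its
'          author did not intend.
'
' Input: objDACL- Discretionary Access Control List (Object)
'
' Output: Object- Reordered DACL (a new AccessControlList; objDACL itself
'         is not modified)
'
' Errors: Raises vbObjectError + 513 if an explicit ACE has a type other
'         than the four listed above, so that an ACE is never dropped
'         silently from the returned DACL.
'
' Note: In order for this example to function correctly, it may be necessary to include
' references to the following libraries: Active DS Type Library, Microsoft CDO for
' Exchange Management Library, Microsoft Cluster Service Automation Classes,
' Microsoft CDO for Windows 2000 Library.
'//////////////////////////////////////////////////////////////////////
Function ReorderACL(objDacl)

    ' Dim Objects.
    Dim ExpDenyDacl As AccessControlList
    Dim ExpDenyObjectDacl As AccessControlList
    Dim ExpAllowDacl As AccessControlList
    Dim ExpAllowObjectDacl As AccessControlList
    Dim InheritedDacl As AccessControlList
    Dim newDACL As AccessControlList

    ' Dim Other Variables.
    Dim ace As AccessControlEntry

    ' Set Constants.
    Const ADS_ACETYPE_ACCESS_DENIED = &H1
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACEFLAG_INHERITED_ACE = &H10
    Const ERR_UNSUPPORTED_ACE_TYPE = vbObjectError + 513

    ' Create the ACL Objects: the result plus one bucket per ACE group.
    Set newDACL = CreateObject("AccessControlList")
    Set ExpDenyDacl = CreateObject("AccessControlList")
    Set ExpDenyObjectDacl = CreateObject("AccessControlList")
    Set ExpAllowDacl = CreateObject("AccessControlList")
    Set ExpAllowObjectDacl = CreateObject("AccessControlList")
    Set InheritedDacl = CreateObject("AccessControlList")

    ' Sort every ACE of the input DACL into its bucket.
    For Each ace In objDacl
        If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then
            ' Inherited ACEs must follow all explicit ACEs and keep their
            ' relative order, so they are not split by type.
            InheritedDacl.AddAce ace
        Else
            Select Case ace.AceType
                Case ADS_ACETYPE_ACCESS_DENIED
                    ExpDenyDacl.AddAce ace
                Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
                    ExpDenyObjectDacl.AddAce ace
                Case ADS_ACETYPE_ACCESS_ALLOWED
                    ExpAllowDacl.AddAce ace
                Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                    ExpAllowObjectDacl.AddAce ace
                Case Else
                    ' Fail instead of discarding the ACE: a DACL written back
                    ' with an entry missing changes who has access.
                    Err.Raise ERR_UNSUPPORTED_ACE_TYPE, "ReorderACL", _
                        "Unsupported ACE type " & ace.AceType & _
                        "; the DACL was not reordered."
            End Select
        End If
    Next

    ' Combine the ACEs in the Proper Order.

    ' Explicit Deny.
    For Each ace In ExpDenyDacl
        newDACL.AddAce ace
    Next

    ' Explicit Deny Object.
    For Each ace In ExpDenyObjectDacl
        newDACL.AddAce ace
    Next

    ' Explicit Allow.
    For Each ace In ExpAllowDacl
        newDACL.AddAce ace
    Next

    ' Explicit Allow Object.
    For Each ace In ExpAllowObjectDacl
        newDACL.AddAce ace
    Next

    ' Inherited ACEs, original relative order preserved.
    For Each ace In InheritedDacl
        newDACL.AddAce ace
    Next

    ' Set the Appropriate revision level for the DACL.
    newDACL.AclRevision = objDacl.AclRevision

    ' Return Properly Ordered DACL.
    Set ReorderACL = newDACL

    ' Clean up.
    Set newDACL = Nothing
    Set InheritedDacl = Nothing
    Set ExpAllowObjectDacl = Nothing
    Set ExpAllowDacl = Nothing
    Set ExpDenyObjectDacl = Nothing
    Set ExpDenyDacl = Nothing

End Function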