Creating Security Descriptors

If you are creating an object from scratch and you don't want it to receive the default DACL and SACL that would normally be applied to objects created, you can write your own DACL and SACL for an object. As you would expect, there are a number of properties associated with security descriptors and ACLs that you need to set. SDs and ACLs can be manipulated with the IADsAccessControlList (see Table 26-10) and IADsSecurityDescriptor (see Table 26-11) interfaces. We'll go through these briefly now and then move on to some more examples.

Table 26-10. IADsAccessControlList methods and properties

IADsAccessControlList methods and properties	Action
`AddAce` method	Adds an ACE to an ACL
`RemoveAce` method	Removes an ACE from an ACL
`CopyAccessList` method	Copies the current ACL
`AclRevision` property	Shows the revision of the ACL (always set to 4; see later text)
`AceCount` property	Indicates the number of ACEs in the ACL

Table 26-11. IADsSecurityDescriptor methods and properties

IADsSecurityDescriptor methods and properties	Action
`CopySecurityDescriptor` method	A copy of an existing SD.
`Revision` property	The revision of the SD (always set to 4, as noted earlier).
`Control` property	A set of flags indicating various aspects of the SD (see later text). Generally, you will not need to set this property; instead, you can set the properties listed in this table.
`Owner` property	The SID of the owner. If this field is null, no owner is set.

Get Active Directory, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Active Directory, 3rd Edition by Joe Richards, Robbie Allen, Alistair G. Lowe-Norris

Creating Security Descriptors

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly