Chapter 23. Permissions and Auditing

Security descriptors (SDs), access control lists (ACLs), and access control entries (ACEs) have been used for files and directories on NTFS filesystems for years. The same concepts apply to securing Active Directory objects as well. While the information in this chapter is focused on Active Directory, the principles of creating an SD that contains a discretionary access control list (DACL) and system access control list (SACL) can map exactly over to NTFS files and directories.

ADSI provides four main interfaces we can use:

IADsAccessControlEntry

Manipulates individual ACEs that represent access or audit permissions for specific users or groups to objects and properties in Active Directory.

IADsAccessControlList

Manages collections of ACEs for an object.

IADsSecurityDescriptor

Manages the different sets of ACLs to an object.

IADsSecurityUtility

Gets, sets, and retrieves security descriptors for an object.

All of the ADSI security interfaces can be found in the MSDN Library (http://msdn.microsoft.com/library/) under Networking and Directory Services Active Directory, ADSI and Directory Services SDK Documentation Directory Services Active Directory Service Interfaces Active Directory Service Interfaces Reference ADSI Interfaces Security Interfaces.

Tip

Microsoft provides a DLL (ADsSecurity.dll ) with the Platform SDK that contains several interfaces that you can use to manage security descriptors, ACLs, and ACEs. It isn’t covered in this ...

Get Active Directory, Second Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.