Creating Security Descriptors
If you are creating an
object from scratch, and you don’t want it to get
the default DACL and SACL that due to inheritance would normally be
applied to objects created at that location in the tree, you can
write your own DACL and SACL for an object. As you would expect,
there are a number of properties associated with security descriptors
and ACLs that you need to set. SDs and ACLs can be manipulated with
the IADsAccessControlList (see Table 23-10) and IADsSecurityDescriptor
(see Table 23-11) interfaces. We’ll
go through these briefly now and then move on to some more examples.
Table 23-10. IADsAccessControlList methods and properties
|
IADsAccessControlList methods and properties |
Action |
|---|---|
|
AddAce method |
Adds an ACE to an ACL |
|
RemoveAce method |
Removes an ACE from an ACL |
|
CopyAccessList method |
Copies the current ACL |
|
AclRevision property |
Shows the revision of the ACL (always set to 4; see later text) |
|
AceCount property |
Indicates the number of ACEs in the ACL |
The revision level is a static version number for every ACE, ACL, and SD in Active Directory. It is defined in the ADS_SD_REVISION_ENUM enumerated type, which contains a single constant definition as follows:
Const ADS_SD_REVISION_DS = 4.
Having a revision allows Active Directory to know which elements of an ACE could exist. Later, if new properties and concepts are added to the ACE so that it has a more extended definition, the revision would increment. Active Directory would then know that old revision-4 ...
Get Active Directory, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
