Security Descriptor Property Type
In ADSI, this property type is called ADSTYPE_NT_SECURITY_DESCRIPTOR. To read or write this property value, use COM interop: the examples below import the ActiveDs interop namespace to work with the security descriptor object.
Note: In the Active Directory schema, the syntax used for security descriptors is named String(NT-Sec-Desc); it appears in the Syntax row of attribute tables with the syntax ID 2.5.5.15.
The following code example shows how to read a security descriptor on an object.
[Visual Basic .NET]
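Imports ActiveDs
Imports System.Collections
' ... (remaining Imports statements and the enclosing class/method are elided on the page)

' Reads the security descriptor of one directory object and prints every
' access control entry (ACE) found in its discretionary ACL (DACL).
Dim ent As New DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com")
Try
    ' ntSecurityDescriptor is surfaced through COM interop as an ActiveDs SecurityDescriptor.
    ' NOTE(review): Value is presumably Nothing when the attribute is not returned to the
    ' caller (for example, insufficient read access) - confirm and guard before dereferencing.
    Dim sd As SecurityDescriptor = CType(ent.Properties("ntSecurityDescriptor").Value, SecurityDescriptor)
    Dim acl As AccessControlList = CType(sd.DiscretionaryAcl, AccessControlList)

    ' Trustee is the principal the ACE applies to, AccessMask is a bit field of rights
    ' (printed here as a signed decimal), and AceType is the numeric ACE type.
    Dim ace As AccessControlEntry
    For Each ace In CType(acl, IEnumerable)
        Console.WriteLine("Trustee: {0}", ace.Trustee)
        Console.WriteLine("AccessMask: {0}", ace.AccessMask)
        Console.WriteLine("Access Type: {0}", ace.AceType)
    Next ace
Finally
    ' DirectoryEntry holds a native ADSI object; release it even if reading fails.
    ent.Dispose()
End Try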
[C#]
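using ActiveDs;
using System.Collections;
// ... (remaining using directives, e.g. System and System.DirectoryServices,
//      and the enclosing class/method are elided on the page)

// Reads the security descriptor of one directory object and prints every
// access control entry (ACE) found in its discretionary ACL (DACL).
// DirectoryEntry holds a native ADSI object, so the using block releases it
// even if reading the descriptor throws.
using (DirectoryEntry ent = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com"))
{
    // ntSecurityDescriptor is surfaced through COM interop as an ActiveDs SecurityDescriptor.
    // NOTE(review): Value is presumably null when the attribute is not returned to the
    // caller (for example, insufficient read access) - confirm and guard before dereferencing.
    SecurityDescriptor sd = (SecurityDescriptor)ent.Properties["ntSecurityDescriptor"].Value;
    AccessControlList acl = (AccessControlList)sd.DiscretionaryAcl;

    // Trustee is the principal the ACE applies to, AccessMask is a bit field of rights
    // (printed here as a signed decimal), and AceType is the numeric ACE type.
    foreach (AccessControlEntry ace in (IEnumerable)acl)
    {
        Console.WriteLine("Trustee: {0}", ace.Trustee);
        Console.WriteLine("AccessMask: {0}", ace.AccessMask);
        Console.WriteLine("Access Type: {0}", ace.AceType);
    }
}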
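The following code example shows how to write a security descriptor to an object. The example adds an access-allowed ACE (AceType 0) whose AccessMask of -1 sets every access-right bit for the trustee; code that adapts it should set only the rights the trustee needs.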
[Visual Basic .NET]
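Imports ActiveDs
' ... (remaining Imports statements and the enclosing class/method are elided on the page)

' Appends one access-allowed ACE to the DACL of a directory object and writes the
' modified security descriptor back to the directory.
' Changing an object's DACL requires that the caller be allowed to modify it
' (WRITE_DAC on the object, or ownership).
Dim usr As New DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com")
Try
    Dim usrSD As SecurityDescriptor = CType(usr.Properties("ntSecurityDescriptor").Value, SecurityDescriptor)
    Dim usrAcl As AccessControlList = CType(usrSD.DiscretionaryAcl, AccessControlList)

    ' Declared with an explicit type so member access is early-bound and checked at compile time.
    Dim newAce As AccessControlEntry = New AccessControlEntryClass()

    ' NOTE(review): an unqualified account name leaves resolution to the directory; a
    ' domain-qualified name (constructed example: FABRIKAM\AliceW) or a SID is unambiguous.
    newAce.Trustee = "AliceW"

    ' -1 sets all 32 bits of the mask, i.e. every right on the object (full control).
    ' Kept as on the page for illustration; real code should OR together only the
    ' ADS_RIGHTS_ENUM values the trustee actually needs.
    newAce.AccessMask = -1

    ' Named constant for the value 0 used on the page: an access-allowed ACE.
    newAce.AceType = CInt(ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED)

    ' NOTE(review): AceFlags is left at its default, so the ACE presumably applies to this
    ' object only and is not inherited by children - confirm.
    usrAcl.AddAce(newAce)
    usrSD.DiscretionaryAcl = usrAcl
    usr.Properties("ntSecurityDescriptor").Value = usrSD

    ' Nothing is written to the directory until CommitChanges is called.
    usr.CommitChanges()
Finally
    ' DirectoryEntry holds a native ADSI object; release it even if the write fails.
    usr.Dispose()
End Try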
[C#]
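// C# is case-sensitive: the interop namespace is ActiveDs, as in the read example.
using ActiveDs;
// ... (remaining using directives, e.g. System and System.DirectoryServices,
//      and the enclosing class/method are elided on the page)

// Appends one access-allowed ACE to the DACL of a directory object and writes the
// modified security descriptor back to the directory.
// Changing an object's DACL requires that the caller be allowed to modify it
// (WRITE_DAC on the object, or ownership).
using (DirectoryEntry usr = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com"))
{
    SecurityDescriptor usrSD = (SecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
    AccessControlList usrAcl = (AccessControlList)usrSD.DiscretionaryAcl;

    AccessControlEntry newAce = new AccessControlEntryClass();

    // NOTE(review): an unqualified account name leaves resolution to the directory; a
    // domain-qualified name (constructed example: FABRIKAM\AliceW) or a SID is unambiguous.
    newAce.Trustee = "AliceW";

    // -1 sets all 32 bits of the mask, i.e. every right on the object (full control).
    // Kept as on the page for illustration; real code should OR together only the
    // ADS_RIGHTS_ENUM values the trustee actually needs.
    newAce.AccessMask = -1;

    // Named constant for the value 0 used on the page: an access-allowed ACE.
    newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;

    // NOTE(review): AceFlags is left at its default, so the ACE presumably applies to this
    // object only and is not inherited by children - confirm.
    usrAcl.AddAce(newAce);
    usrSD.DiscretionaryAcl = usrAcl;
    usr.Properties["ntSecurityDescriptor"].Value = usrSD;

    // Nothing is written to the directory until CommitChanges is called.
    usr.CommitChanges();
}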