

Reordering a DACL

Reordering a DACL

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

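The following example reorders the access control entries (ACEs) of a discretionary access control list (DACL) by ACE type. Order matters because an access check evaluates the ACEs in sequence, so a DACL whose access-allowed entries precede its access-denied entries can grant access that a deny entry was meant to block.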

Visual Basic

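'//////////////////////////////////////////////////////////////////////
'
' Function: ReorderACL(objDACL)
'
' Purpose: Builds a new DACL whose ACEs are grouped in this order:
'            1. explicit (non-inherited) access-denied
'            2. explicit access-denied object
'            3. explicit access-allowed
'            4. explicit access-allowed object
'            5. inherited ACEs, in the order they are enumerated
'          Inherited ACEs are kept after the explicit ones so that an
'          inherited deny entry is not moved ahead of an explicit allow
'          entry, which would change the access the DACL grants.
' Input:   objDACL- Discretionary Access Control List (Object).
'                   It is only read; it is not modified.
'
' Output:  Object-  Reordered DACL (a new AccessControlList)
'
' Security: Non-inherited ACEs whose AceType is not one of the four
' types listed above are NOT copied to the result. If the input holds
' such an entry (for example a deny entry of another type), the
' returned DACL is less restrictive than the input. Verify that no ACE
' was dropped before writing the returned DACL back to an object.
'
' Note:  In order for this example to function correctly, it may be necessary to include
' references to the following libraries: Active DS Type Library, Microsoft CDO for
' Exchange Management Library, Microsoft Cluster Service Automation Classes,
' Microsoft CDO for Windows 2000 Library.
'//////////////////////////////////////////////////////////////////////
Function ReorderACL(objDacl)
    ' One bucket per group of ACEs; each is a scratch AccessControlList.
    Dim ExpDenyDacl As AccessControlList
    Dim ExpDenyObjectDacl As AccessControlList
    Dim ExpAllowDacl As AccessControlList
    Dim ExpAllowObjectDacl As AccessControlList
    Dim InheritedDacl As AccessControlList
    Dim newDACL As AccessControlList

    ' Loop variable for the ACE currently being sorted or copied.
    Dim ace As AccessControlEntry

    ' ACE type values and the inherited-ACE flag bit.
    Const ADS_ACETYPE_ACCESS_DENIED = &H1
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACEFLAG_INHERITED_ACE = &H10

    ' Create the result DACL and the scratch buckets.
    Set newDACL = CreateObject("AccessControlList")
    Set ExpDenyDacl = CreateObject("AccessControlList")
    Set ExpDenyObjectDacl = CreateObject("AccessControlList")
    Set ExpAllowDacl = CreateObject("AccessControlList")
    Set ExpAllowObjectDacl = CreateObject("AccessControlList")
    Set InheritedDacl = CreateObject("AccessControlList")

    ' Sort every ACE of the input DACL into its bucket.
    For Each ace In objDacl
        If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = ADS_ACEFLAG_INHERITED_ACE Then
            ' Inherited ACEs are not regrouped by type; they are kept
            ' together, in enumeration order, and appended last.
            InheritedDacl.AddAce ace
        Else
            Select Case ace.AceType
                Case ADS_ACETYPE_ACCESS_DENIED
                    ExpDenyDacl.AddAce ace
                Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
                    ExpDenyObjectDacl.AddAce ace
                Case ADS_ACETYPE_ACCESS_ALLOWED
                    ExpAllowDacl.AddAce ace
                Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                    ExpAllowObjectDacl.AddAce ace
                Case Else
                    ' NOTE(review): an explicit ACE of any other type is
                    ' silently left out of the result, as in the original
                    ' sample. Dropping an entry changes the access the
                    ' DACL grants, so callers should detect this case
                    ' before applying the returned DACL.
            End Select
        End If
    Next

    ' Combine the buckets in order: explicit ACEs first (deny before
    ' allow), then the inherited ACEs.

    ' Explicit Deny.
    For Each ace In ExpDenyDacl
        newDACL.AddAce ace
    Next

    ' Explicit Deny Object.
    For Each ace In ExpDenyObjectDacl
        newDACL.AddAce ace
    Next

    ' Explicit Allow.
    For Each ace In ExpAllowDacl
        newDACL.AddAce ace
    Next

    ' Explicit Allow Object.
    For Each ace In ExpAllowObjectDacl
        newDACL.AddAce ace
    Next

    ' Inherited ACEs, after all explicit ones.
    For Each ace In InheritedDacl
        newDACL.AddAce ace
    Next

    ' Carry the revision level of the input DACL over to the result.
    newDACL.AclRevision = objDacl.AclRevision

    ' Return the reordered DACL.
    Set ReorderACL = newDACL

    ' Clean up.
    Set newDACL = Nothing
    Set InheritedDacl = Nothing
    Set ExpAllowObjectDacl = Nothing
    Set ExpAllowDacl = Nothing
    Set ExpDenyObjectDacl = Nothing
    Set ExpDenyDacl = Nothing

End Function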


Build: June 2007 (2007.618.1)

© 2003-2006 Microsoft Corporation. All rights reserved. Terms of use.