

Removing Permissions from the Default Global Address List

Removing Permissions from the Default Global Address List

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

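The following example resets the permissions on the default Global Address List (GAL): it protects the GAL's DACL from inheritance, copies the DACL of the parent container, and removes the access control entries (ACEs) for "Everyone" and "Authenticated Users" from that copy before writing it to the GAL. The example uses the functions from Deleting an ACE From an ACL and Reordering a DACL.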

Visual Basic

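'//////////////////////////////////////////////////////////////////////
' Function: resetDefaultGAL()
' Purpose:  Replaces the DACL on the Default GAL with a copy of the parent
'           container's DACL from which the "Everyone" and
'           "Authenticated Users" ACEs have been removed, and marks the
'           GAL's DACL as protected so that it no longer inherits ACEs.
'
' Input:    szDomainName:         Domain of the Exchange org (DNS form, a.b.c)
'           szOrganizationName:   Name of Exchange org
'           szUserName:           admin username
'           szUserPwd:            admin password (handed to OpenDSObject;
'                                 keep it out of any error logging)
'           szDirectoryServer:    Name of the Directory Server
'
' Output:   resetDefaultGAL:   0 on success, 1 if any step raised an error
'
' Note:  In order for this example to function correctly, it may be necessary to include
' references to the following libraries: Active DS Type Library, Microsoft CDO for
' Exchange Management Library, Microsoft Cluster Service Automation Classes,
' Microsoft CDO for Windows 2000 Library.
'
' Security notes:
'   - Setting SE_DACL_PROTECTED means later permission changes on the parent
'     container will not flow down to the Default GAL; review the resulting
'     DACL after running this and whenever the parent is changed.
'   - szDomainName and szOrganizationName are placed into the distinguished
'     name unescaped. NOTE(review): if either value can come from outside the
'     administrator running this, reject or escape DN special characters
'     first, because the DACL is written to whichever object the path binds.
'//////////////////////////////////////////////////////////////////////
Public Function resetDefaultGAL(ByVal szDomainName As String, _
                                ByVal szOrganizationName As String, _
                                ByVal szUserName As String, _
                                ByVal szUserPwd As String, _
                                ByVal szDirectoryServer) As Integer

    Dim objLdap As IADsOpenDSObject
    Dim objgal As IADs
    Dim objGalContainer As IADs
    Dim szGALConnString As String
    Dim szGALContainerConnString As String
    Dim szContainerDN As String
    Dim objSecurityDescriptor As SecurityDescriptor
    Dim objParentSD As SecurityDescriptor
    Dim objParentDACL As AccessControlList
    Dim objCopyDACL As AccessControlList
    Dim objNewDACL As AccessControlList
    Dim iCurrentControl As Variant
    Dim szDomainDN As String

    On Error GoTo errhandler

    ' Turn the DNS domain name (a.b.c) into an LDAP domain DN (dc=a,dc=b,dc=c).
    szDomainDN = "dc=" & Join(Split(szDomainName, ".", -1, vbTextCompare), ",dc=")

    ' DN of the container that holds every global address list.
    szContainerDN = "cn=All Global Address Lists,cn=Address Lists Container,cn=" & _
                    szOrganizationName & _
                    ",cn=microsoft exchange,cn=services,cn=configuration," & _
                    szDomainDN

    ' Build the ADsPaths. "&" is used instead of "+" because szDirectoryServer
    ' is an untyped (Variant) parameter and "+" can attempt arithmetic or
    ' propagate Null instead of concatenating.
    szGALContainerConnString = "LDAP://" & szDirectoryServer & "/" & szContainerDN
    szGALConnString = "LDAP://" & szDirectoryServer & "/" & _
                      "cn=Default Global Address List," & szContainerDN

    Set objLdap = GetObject("LDAP:")

    ' Bind to the parent container and to the Default GAL with the supplied
    ' credentials.
    ' NOTE(review): ADS_SECURE_AUTHENTICATION protects the credential exchange;
    ' consider also OR-ing in ADS_USE_SIGNING and ADS_USE_SEALING so the
    ' security descriptor written below is integrity-protected and encrypted
    ' on the wire. Confirm the target server supports them before changing.
    Set objGalContainer = objLdap.OpenDSObject(szGALContainerConnString, _
                                               szUserName, _
                                               szUserPwd, _
                                               ADS_SECURE_AUTHENTICATION)

    Set objgal = objLdap.OpenDSObject(szGALConnString, _
                                    szUserName, _
                                    szUserPwd, _
                                    ADS_SECURE_AUTHENTICATION)

    ' Get the security descriptor of the Default GAL.
    Set objSecurityDescriptor = objgal.Get("ntSecurityDescriptor")

    ' Protect the DACL: with SE_DACL_PROTECTED set, the GAL stops inheriting
    ' ACEs from its parent.
    iCurrentControl = objSecurityDescriptor.Control
    objSecurityDescriptor.Control = iCurrentControl Or SE_DACL_PROTECTED

    ' Read the parent container's DACL and work on a copy of it, so the
    ' parent itself is never modified.
    Set objParentSD = objGalContainer.Get("ntSecurityDescriptor")
    Set objParentDACL = objParentSD.DiscretionaryAcl
    Set objCopyDACL = objParentDACL.CopyAccessList()

    ' Delete the "Everyone" and "Authenticated Users" ACEs from the copy.
    ' NOTE(review): these are the English trustee names, and DeleteAce is
    ' defined outside this listing; confirm how it matches trustees and
    ' that the names resolve as expected on localized systems, otherwise the
    ' ACEs may silently remain.
    DeleteAce objCopyDACL, "NT AUTHORITY\Authenticated Users"
    DeleteAce objCopyDACL, "Everyone"

    ' Put the remaining ACEs back into the order the DACL requires.
    Set objNewDACL = ReorderACL(objCopyDACL)

    ' Attach the new DACL and write the security descriptor back.
    objSecurityDescriptor.DiscretionaryAcl = objNewDACL
    objgal.Put "ntSecurityDescriptor", objSecurityDescriptor
    objgal.SetInfo

    ' NOTE(review): nothing here re-reads the descriptor after SetInfo; a
    ' caller that relies on the two ACEs being gone should verify the
    ' resulting DACL.
    resetDefaultGAL = 0

cleanup:
    ' Single release path shared by the success and the failure case.
    On Error Resume Next
    Set objLdap = Nothing
    Set objgal = Nothing
    Set objGalContainer = Nothing
    Set objSecurityDescriptor = Nothing
    Set objParentSD = Nothing
    Set objParentDACL = Nothing
    Set objCopyDACL = Nothing
    Set objNewDACL = Nothing
    Exit Function

    ' Error handling.
errhandler:

    resetDefaultGAL = 1
    ' Implement error logging here. Err.Number and Err.Description are still
    ' set at this point; log those, never szUserPwd.
    Resume cleanup

End Function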


Build: June 2007 (2007.618.1)

© 2003-2006 Microsoft Corporation. All rights reserved. Terms of use.