Security Descriptors on Files and Registry Keys

Active Directory Service Interfaces (ADSI) can be used to manage and secure file systems within an organization, including the ability to set or modify ACLs on files or file shares created by users. Security interfaces, such as IADsSecurityDescriptor, IADsAccessControlList, and IADsAccessControlEntry, set ACLs on Active Directory, Exchange, file, file share, or registry key objects. Before you use these interfaces, you may need to convert the security descriptor if it is stored in a format different from the one the interface expects, or retrieve only part of it if you do not have access rights to its SACL, for example because you are not a member of the security administrators group.

To get, set, or modify the security descriptor, use the IADsSecurityUtility interface. This interface enables you to retrieve a security descriptor from various resources in its original format: as an IADsSecurityDescriptor object (the ADSI format), as a raw security descriptor, or as a hexadecimal string as used in Exchange 5.5. When retrieved, you can convert it to another format, for example, from a raw security descriptor to IADsSecurityDescriptor. You can then write the new format back to the resource.

Some of the IADsAccessControlEntry property values, such as AccessMask and AceFlags, will be different for different object types. For example, an Active Directory object will use the ADS_RIGHT_GENERIC_READ member of the ADS_RIGHTS_ENUM enumeration for the IADsAccessControlEntry.AccessMask property, but the equivalent access right for a file object is FILE_GENERIC_READ. It is not safe to assume that all property values will be the same for Active Directory objects and non-Active Directory objects. The following list shows the IADsAccessControlEntry properties that differ for non-Active Directory objects and where the proper values can be obtained.

AccessMask

For more information and a list of possible values for file or file share objects, see File Security and Access Rights.

For more information and a list of possible values for registry objects, see Registry Key Security and Access Rights.

AceType

For more information, see the AceType member of the ACE_HEADER structure.

AceFlags

For more information, see the AceFlags member of the ACE_HEADER structure.

Flags

Contains zero or a combination of one or more of the following values from WinNT.h.

ACE_OBJECT_TYPE_PRESENT (1)

ObjectType contains a valid value.

ACE_INHERITED_OBJECT_TYPE_PRESENT (2)

InheritedObjectType contains a valid value.

ObjectType

For more information, see the ObjectType member of the ACCESS_DENIED_OBJECT_ACE, ACCESS_ALLOWED_OBJECT_ACE, and similar structures. This property should not be set or modified for non-Active Directory objects.

InheritedObjectType

For more information, see the InheritedObjectType member of the ACCESS_DENIED_OBJECT_ACE, ACCESS_ALLOWED_OBJECT_ACE, and similar structures. This property should not be set or modified for non-Active Directory objects.

Normally, IADsSecurityUtility.GetSecurityDescriptor will retrieve all parts of the security descriptor, such as owner, group, SACL, or DACL. Similarly, IADsSecurityUtility.SetSecurityDescriptor will overwrite all parts of the security descriptor by default. You can use the IADsSecurityUtility.SecurityMask property to specify individual parts of the security descriptor to retrieve or set. For example, you can set SecurityMask to ADS_SECURITY_INFO_DACL before calling GetSecurityDescriptor to only retrieve the DACL without retrieving the other parts of the security descriptor.

For more information and a code example that uses the IADsSecurityUtility interface to add an ACE to a file, see Example Code for Adding an ACE to a File.
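The following script is an added example, not the documentation's own sample. It uses IADsSecurityUtility with SecurityMask set to ADS_SECURITY_INFO_DACL to read only the DACL of a file and of a registry key, then lists the trustees whose ACEs grant WRITE_DAC, WRITE_OWNER, or the object-type-specific write right. The file path and registry key path are assumed placeholders; the ADS_PATH_*, ADS_SD_FORMAT_*, and ADS_SECURITY_INFO_* values are taken from the ADSI enumerations in Iads.h.

```vbscript
' Values from the ADSI enumerations ADS_PATH_ENUM, ADS_SD_FORMAT_ENUM,
' and ADS_SECURITY_INFO_ENUM (Iads.h).
Const ADS_PATH_FILE = 1
Const ADS_PATH_REGISTRY = 3
Const ADS_SD_FORMAT_IID = 1
Const ADS_SECURITY_INFO_DACL = 4
' AceType value for a deny ACE, from the ACE_HEADER definitions.
Const ACCESS_DENIED_ACE_TYPE = 1
' Standard rights that let a trustee change the ACL itself.
Const WRITE_DAC = &H40000
Const WRITE_OWNER = &H80000
' Bit &H2 means "write data" on a file but "set value" on a registry key.
Const FILE_WRITE_DATA = &H2
Const KEY_SET_VALUE = &H2

' Lists the ACEs in the DACL of the object at path. The caller passes the
' write right that is meaningful for that object type, because the same
' mask bit has a different meaning for files and registry keys.
Sub ReportWriteAces(path, pathFormat, writeBit, writeName)
    Dim secUtil, sd, ace, hits
    Set secUtil = CreateObject("ADsSecurityUtility")
    ' Retrieve only the DACL, so the call succeeds even without SACL access.
    secUtil.SecurityMask = ADS_SECURITY_INFO_DACL
    Set sd = secUtil.GetSecurityDescriptor(path, pathFormat, ADS_SD_FORMAT_IID)
    WScript.Echo "DACL for " & path
    For Each ace In sd.DiscretionaryAcl
        If ace.AceType = ACCESS_DENIED_ACE_TYPE Then
            WScript.Echo "  DENY  " & ace.Trustee & "  mask=&H" & Hex(ace.AccessMask)
        Else
            hits = ""
            If (ace.AccessMask And WRITE_DAC) <> 0 Then hits = hits & " WRITE_DAC"
            If (ace.AccessMask And WRITE_OWNER) <> 0 Then hits = hits & " WRITE_OWNER"
            If (ace.AccessMask And writeBit) <> 0 Then hits = hits & " " & writeName
            If hits <> "" Then WScript.Echo "  ALLOW " & ace.Trustee & "  grants:" & hits
        End If
    Next
End Sub

' Assumed paths; replace with the objects you want to audit.
ReportWriteAces "C:\Temp\example.txt", ADS_PATH_FILE, FILE_WRITE_DATA, "FILE_WRITE_DATA"
ReportWriteAces "HKEY_LOCAL_MACHINE\SOFTWARE\Example", ADS_PATH_REGISTRY, KEY_SET_VALUE, "KEY_SET_VALUE"
```

The script only flags which ACEs grant the named rights; it does not compute effective access, since deny ACEs earlier in the DACL and group membership decide what a given principal can actually do.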

The following example code provides the constant identifiers for file, file share, and registry objects for the AccessMask, AceType, AceFlags, and Flags properties, for use with Visual Basic and Microsoft Visual Basic Scripting Edition.

' Identifiers for the IADsAccessControlEntry.AccessMask property for file,
' file share, and registry objects.
Const DELETE = &H10000
Const READ_CONTROL = &H20000
Const WRITE_DAC = &H40000
Const WRITE_OWNER = &H80000
Const SYNCHRONIZE = &H100000

Const STANDARD_RIGHTS_REQUIRED = &HF0000

Const STANDARD_RIGHTS_READ = &H20000
Const STANDARD_RIGHTS_WRITE = &H20000
Const STANDARD_RIGHTS_EXECUTE = &H20000

Const STANDARD_RIGHTS_ALL = &H1F0000

Const SPECIFIC_RIGHTS_ALL = &HFFFF

' Identifiers for the IADsAccessControlEntry.AccessMask property for file and
' file share objects.
Const FILE_READ_DATA = &H1                  '  file & pipe
Const FILE_LIST_DIRECTORY = &H1             '  directory

Const FILE_WRITE_DATA = &H2                 '  file & pipe
Const FILE_ADD_FILE = &H2                   '  directory

Const FILE_APPEND_DATA = &H4                '  file
Const FILE_ADD_SUBDIRECTORY = &H4           '  directory
Const FILE_CREATE_PIPE_INSTANCE = &H4       '  named pipe

Const FILE_READ_EA = &H8                    '  file & directory

Const FILE_WRITE_EA = &H10                  '  file & directory

Const FILE_EXECUTE = &H20                   '  file
Const FILE_TRAVERSE = &H20                  '  directory

Const FILE_DELETE_CHILD = &H40              '  directory

Const FILE_READ_ATTRIBUTES = &H80           '  all

Const FILE_WRITE_ATTRIBUTES = &H100         '  all

Const FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &H1FF

Const FILE_GENERIC_READ = STANDARD_RIGHTS_READ Or FILE_READ_DATA Or FILE_READ_ATTRIBUTES Or _
                          FILE_READ_EA Or SYNCHRONIZE

Const FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE Or FILE_WRITE_DATA Or FILE_WRITE_ATTRIBUTES Or _
                           FILE_WRITE_EA Or FILE_APPEND_DATA Or SYNCHRONIZE

Const FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE Or FILE_READ_ATTRIBUTES Or FILE_EXECUTE Or SYNCHRONIZE


' Identifiers for the IADsAccessControlEntry.AccessMask property for registry
' objects.
Const KEY_QUERY_VALUE = &H1
Const KEY_SET_VALUE = &H2
Const KEY_CREATE_SUB_KEY = &H4
Const KEY_ENUMERATE_SUB_KEYS = &H8
Const KEY_NOTIFY = &H10
Const KEY_CREATE_LINK = &H20
Const KEY_WOW64_32KEY = &H200
Const KEY_WOW64_64KEY = &H100
Const KEY_WOW64_RES = &H300

Const KEY_READ = ((STANDARD_RIGHTS_READ Or KEY_QUERY_VALUE Or KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY) And _
                  (Not SYNCHRONIZE))

Const KEY_WRITE = ((STANDARD_RIGHTS_WRITE Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY) And (Not SYNCHRONIZE))

Const KEY_EXECUTE = ((KEY_READ) And (Not SYNCHRONIZE))

Const KEY_ALL_ACCESS = ((STANDARD_RIGHTS_ALL Or KEY_QUERY_VALUE Or KEY_SET_VALUE Or KEY_CREATE_SUB_KEY Or _
                         KEY_ENUMERATE_SUB_KEYS Or KEY_NOTIFY Or KEY_CREATE_LINK) And (Not SYNCHRONIZE))
' Identifiers for the IADsAccessControlEntry.AceFlags property for file and
' file share objects.
Const OBJECT_INHERIT_ACE = &H1
Const CONTAINER_INHERIT_ACE = &H2
Const NO_PROPAGATE_INHERIT_ACE = &H4
Const INHERIT_ONLY_ACE = &H8
Const INHERITED_ACE = &H10
' Identifiers for the IADsAccessControlEntry.Flags property.
Const ACE_OBJECT_TYPE_PRESENT = 1
Const ACE_INHERITED_OBJECT_TYPE_PRESENT = 2