Reading a Control Access Right Set in an Object's ACL

Using ADSI, you read a control access right ACE just as you would any other ACE in an ACL. Be aware that you can also use the Win32 security APIs to read ACLs on directory objects. However, control access rights use the properties of the IADsAccessControlEntry interface in a manner that is specific to granting and denying control access rights:

  • AccessMask must contain ADS_RIGHT_DS_CONTROL_ACCESS.
  • The Flags value is ADS_FLAG_OBJECT_TYPE_PRESENT.
  • ObjectType is the string form of the rightsGUID attribute of the control access right. The GUID uses the same string format that the StringFromGUID2 COM library function produces.
  • AceType is either ADS_ACETYPE_ACCESS_ALLOWED_OBJECT to grant the trustee the control access right or ADS_ACETYPE_ACCESS_DENIED_OBJECT to deny the trustee the control access right.
  • Trustee is the security principal; that is, the user, group, computer, and so on, to which the ACE applies.

Use the following procedure to read an ACE for an ADSI object. This procedure applies to C and C++ applications.

To read an ACE for an ADSI object

  1. Get an IADs interface pointer to the object.
  2. Use the IADs::Get method to get the security descriptor of the object. The name of the property that contains the security descriptor is "nTSecurityDescriptor". The property is returned as a VARIANT that contains an IDispatch pointer; be aware that the vt member is VT_DISPATCH. Call QueryInterface on that IDispatch pointer to get an IADsSecurityDescriptor interface, and use the methods on that interface to access the security descriptor ACL.
  3. Use the IADsSecurityDescriptor::get_DiscretionaryAcl method to get the ACL. The method returns an IDispatch pointer. Call QueryInterface on that IDispatch pointer to get an IADsAccessControlList interface, and use the methods on that interface to access the individual ACEs in the ACL.
  4. Use the IADsAccessControlList::get__NewEnum method to enumerate the ACEs. The method returns an IUnknown pointer. Call QueryInterface on that IUnknown pointer to get an IEnumVARIANT interface.
  5. Use the IEnumVARIANT::Next method to enumerate the ACEs in the ACL. Each ACE is returned as a VARIANT that contains an IDispatch pointer; be aware that the vt member is VT_DISPATCH. Call QueryInterface on that IDispatch pointer to get an IADsAccessControlEntry interface to read the ACE.
  6. Call the IADsAccessControlEntry::get_AccessMask method to get the AccessMask and check whether the AccessMask value contains the ADS_RIGHT_DS_CONTROL_ACCESS flag. If it has this flag, the ACE contains a control access right.
  7. Call the IADsAccessControlEntry::get_Flags method to get the Flags value that describes the object type.
  8. Check the Flags value for the ADS_FLAG_OBJECT_TYPE_PRESENT flag. If Flags is set to ADS_FLAG_OBJECT_TYPE_PRESENT, call the IADsAccessControlEntry::get_ObjectType method to get a string that contains the rightsGUID of the control access right that the ACE applies to.
  9. Call the IADsAccessControlEntry::get_AceType method to get the ACE type. The type is either ADS_ACETYPE_ACCESS_ALLOWED_OBJECT to grant the trustee the control access right or ADS_ACETYPE_ACCESS_DENIED_OBJECT to deny the control access right.
  10. Call the IADsAccessControlEntry::get_Trustee method to get the security principal; that is, the user, group, computer, and so on, to which the ACE applies.
  11. When finished with the ObjectType and Trustee strings, use SysFreeString to free the memory for those strings.
  12. When finished with the interfaces, call Release to decrement or release all the interface references.
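The same procedure driven from PowerShell through the ADSI COM interfaces the steps name, as an added audit example that is not part of this documentation. The LDAP path is a placeholder, the [ADSI] accelerator and DirectoryEntry.Invoke are assumed to expose IADs::Get on the native object, and the numeric constants are the Iads.h values of the enumerations listed above.

```powershell
# Added example: list every ACE on one directory object that grants or denies
# a control access right, following steps 1-12 above via the ADSI COM objects.
# Constants from Iads.h (same values as the C/C++ enumerations).
$ADS_RIGHT_DS_CONTROL_ACCESS       = 0x100
$ADS_FLAG_OBJECT_TYPE_PRESENT      = 0x1
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
$ADS_ACETYPE_ACCESS_DENIED_OBJECT  = 0x6

function Get-ControlAccessAce {
    param([Parameter(Mandatory)][string]$AdsPath)

    # Step 1: bind to the object; [ADSI] wraps the native IADs object.
    $obj = [ADSI]$AdsPath
    # Step 2: IADs::Get("nTSecurityDescriptor") returns an IADsSecurityDescriptor
    # COM object (the VT_DISPATCH VARIANT of the C/C++ procedure).
    $sd = $obj.psbase.Invoke("Get", "nTSecurityDescriptor")
    # Step 3: the DACL is an IADsAccessControlList.
    $dacl = $sd.DiscretionaryAcl

    # Steps 4-5: foreach walks the list's IEnumVARIANT; each item is an
    # IADsAccessControlEntry.
    foreach ($ace in $dacl) {
        # Step 6: keep only ACEs whose AccessMask carries ADS_RIGHT_DS_CONTROL_ACCESS.
        if (-not ($ace.AccessMask -band $ADS_RIGHT_DS_CONTROL_ACCESS)) { continue }

        # Steps 7-8: with ADS_FLAG_OBJECT_TYPE_PRESENT, ObjectType is the rightsGUID
        # of one control access right; without it, the ACE covers all of them.
        if ($ace.Flags -band $ADS_FLAG_OBJECT_TYPE_PRESENT) {
            $rightGuid = $ace.ObjectType
        } else {
            $rightGuid = '(all control access rights)'
        }

        # Step 9: allowed vs. denied object ACE (other ACE types are reported as-is).
        if ($ace.AceType -eq $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT)    { $effect = 'Allow' }
        elseif ($ace.AceType -eq $ADS_ACETYPE_ACCESS_DENIED_OBJECT) { $effect = 'Deny' }
        else                                                        { $effect = "Other($($ace.AceType))" }

        # Step 10: the trustee (user, group, computer, ...) the ACE applies to.
        [pscustomobject]@{ Trustee = $ace.Trustee; Effect = $effect; RightsGuid = $rightGuid }
    }
    # Steps 11-12: PowerShell frees the returned strings and releases the COM
    # references when the variables go out of scope.
}

# Usage with a placeholder path; review Deny entries and broad Allow entries.
Get-ControlAccessAce -AdsPath 'LDAP://CN=Users,DC=example,DC=com' | Format-Table -AutoSize
```

The rightsGUID strings in the output can be resolved to names by looking up the controlAccessRight objects in the configuration partition's Extended-Rights container.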