개체의 보안 설명자 읽기
다음 코드 예제에서는 IADs 인터페이스를 사용하여 디렉터리 개체의 보안 설명자, DACL 및 DACL의 ACE 속성을 열거합니다.
다음 코드 예제에서는 IADs.Get 메서드를 사용하여 디렉터리 개체의 nTSecurityDescriptor 속성을 검색합니다. 이 메서드의 C++ 버전은 IDispatch 포인터가 포함된 VARIANT를 반환합니다. 그런 다음, 코드 예제는 해당 IDispatch 포인터에서 QueryInterface를 호출하여 개체의 보안 설명자에 대한 IADsSecurityDescriptor 인터페이스를 가져옵니다.
그런 다음, 코드 예제에서는 IADsSecurityDescriptor 메서드를 사용하여 보안 설명자에서 데이터를 검색합니다. IADsSecurityDescriptor를 통해 사용할 수 있는 데이터는 호출자의 액세스 권한에 따라 달라집니다. 호출자가 개체에 대한 READ_CONTROL 액세스 권한이 없으면 IADsSecurityDescriptor.DiscretionaryAcl 및 IADsSecurityDescriptor.Owner 속성이 실패합니다. 마찬가지로 호출자가 SE_SECURITY_NAME 권한을 사용하도록 설정하지 않으면 get_SystemAcl 메서드 호출이 실패합니다.
Dim rootDSE As IADs
Dim dsobject As IADs
Dim sd As IADsSecurityDescriptor
Dim dacl As IADsAccessControlList
Dim ace As IADsAccessControlEntry
Private Sub Form_Load()
On Error GoTo Cleanup
' Bind to the Users container in the local domain.
Set rootDSE = GetObject("LDAP://rootDSE")
Set dsobject = GetObject("LDAP://cn=users," & rootDSE.Get("defaultNamingContext"))
' Read the security descriptor on the Users container.
Set sd = dsobject.Get("ntSecurityDescriptor")
Debug.Print "****SECURITY DESCRIPTOR PROPERTIES****"
Debug.Print "Revision: " & sd.Revision
SDParseControlMasks (sd.Control)
Debug.Print "Owner: " & sd.Owner
Debug.Print "Owner Defaulted: " & sd.OwnerDefaulted
Debug.Print "Group: " & sd.Group
Debug.Print "Group Defaulted: " & sd.GroupDefaulted
Debug.Print "System ACL Defaulted: " & sd.SaclDefaulted
Debug.Print "Discretionary ACL Defaulted: " & sd.DaclDefaulted
Debug.Print "****DACL PROPERTIES****"
Set dacl = sd.DiscretionaryAcl
AceCount = 0
For Each ace In dacl
AceCount = AceCount + 1
Debug.Print "**** Properties of ACE " & AceCount & " ****"
Debug.Print "Trustee: " & ace.Trustee
SDParseAccessMask (ace.AccessMask)
AceType = ace.AceType
If (AceType = &H5) Then
Debug.Print "ACE Type: ADS_ACETYPE_ACCESS_ALLOWED_OBJECT"
ElseIf (AceType = &H6) Then
Debug.Print "ACE Type: ADS_ACETYPE_ACCESS_DENIED_OBJECT"
ElseIf (AceType = &H0) Then
Debug.Print "ACE Type: ADS_ACETYPE_ACCESS_ALLOWED"
ElseIf (AceType = &H1) Then
Debug.Print "ACE Type: ADS_ACETYPE_ACCESS_DENIED"
Else
Debug.Print "ACE Type: UNKNOWN TYPE: " & Hex(AceType)
End If
AceFlags = ace.Flags
If (AceFlags And &H1) Then
Debug.Print "Flags: ADS_FLAG_OBJECT_TYPE_PRESENT"
Debug.Print "ObjectType: " & ace.ObjectType
End If
If (AceFlags And &H2) Then
Debug.Print "Flags: ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT"
Debug.Print "InheritedObjectType: " & ace.InheritedObjectType
End If
Next ace
Cleanup:
Set rootDSE = Nothing
Set dsobject = Nothing
Set sd = Nothing
Set dacl = Nothing
Set ace = Nothing
End Sub
' SDParseControlMasks
' Print flags set in the security descriptor Control.
Sub SDParseControlMasks(lCtrl As Long)
Debug.Print "Control Mask: "
If (lCtrl And &H1) Then Debug.Print " SE_OWNER_DEFAULTED"
If (lCtrl And &H2) Then Debug.Print " SE_GROUP_DEFAULTED"
If (lCtrl And &H4) Then Debug.Print " SE_DACL_PRESENT"
If (lCtrl And &H8) Then Debug.Print " SE_DACL_DEFAULTED"
If (lCtrl And &H10) Then Debug.Print " SE_SACL_PRESENT"
If (lCtrl And &H20) Then Debug.Print " SE_SACL_DEFAULTED"
If (lCtrl And &H400) Then Debug.Print " SE_DACL_AUTO_INHERITED"
If (lCtrl And &H800) Then Debug.Print " SE_SACL_AUTO_INHERITED"
If (lCtrl And &H1000) Then Debug.Print " SE_DACL_PROTECTED"
If (lCtrl And &H2000) Then Debug.Print " SE_SACL_PROTECTED"
If (lCtrl And &H8000) Then Debug.Print " SE_SELF_RELATIVE"
End Sub
' SDParseControlMasks
' Print the access rights in an access mask.
Sub SDParseAccessMask(lMask As Long)
Debug.Print "AccessMask: "
If (lMask And &H10000) Then Debug.Print " ADS_RIGHT_DELETE"
If (lMask And &H20000) Then Debug.Print " ADS_RIGHT_READ_CONTROL"
If (lMask And &H40000) Then Debug.Print " ADS_RIGHT_WRITE_DAC"
If (lMask And &H80000) Then Debug.Print " ADS_RIGHT_WRITE_OWNER"
If (lMask And &H80000000) Then Debug.Print " ADS_RIGHT_GENERIC_READ"
If (lMask And &H40000000) Then Debug.Print " ADS_RIGHT_GENERIC_WRITE"
If (lMask And &H20000000) Then Debug.Print " ADS_RIGHT_GENERIC_EXECUTE"
If (lMask And &H10000000) Then Debug.Print " ADS_RIGHT_GENERIC_ALL"
If (lMask And &H1) Then Debug.Print " ADS_RIGHT_DS_CREATE_CHILD"
If (lMask And &H2) Then Debug.Print " ADS_RIGHT_DS_DELETE_CHILD"
If (lMask And &H4) Then Debug.Print " ADS_RIGHT_ACTRL_DS_LIST"
If (lMask And &H8) Then Debug.Print " ADS_RIGHT_DS_SELF"
If (lMask And &H10) Then Debug.Print " ADS_RIGHT_DS_READ_PROP"
If (lMask And &H20) Then Debug.Print " ADS_RIGHT_DS_WRITE_PROP"
If (lMask And &H40) Then Debug.Print " ADS_RIGHT_DS_DELETE_TREE"
If (lMask And &H80) Then Debug.Print " ADS_RIGHT_DS_LIST_OBJECT"
If (lMask And &H100) Then Debug.Print " ADS_RIGHT_DS_CONTROL_ACCESS"
End Sub
HRESULT ReadSecurityDescriptor( IADs *pObject )
{
HRESULT hr = E_FAIL;
VARIANT var,varACE;
VARIANT_BOOL boolVal;
IADsSecurityDescriptor *pSD = NULL;
IADsAccessControlList *pACL = NULL;
IADsAccessControlEntry *pACE = NULL;
IEnumVARIANT *pEnum = NULL;
IDispatch *pDisp = NULL;
LPUNKNOWN pUnk = NULL;
ULONG lFetch;
BSTR szObjectType = NULL;
BSTR szTrustee = NULL;
BSTR szProp = NULL;
long lRev,lControl;
long lAceType, lAccessMask, lTypeFlag;
DWORD dwAces = 0;
if (NULL == pObject)
return hr;
VariantClear(&var);
// Get the nTSecurityDescriptor.
// Type should be VT_DISPATCH - an IDispatch pointer to the security descriptor object.
hr = pObject->Get(CComBSTR("nTSecurityDescriptor"), &var);
if ( FAILED(hr) || var.vt != VT_DISPATCH ) {
wprintf(L"get nTSecurityDescriptor failed: 0x%x\n", hr);
goto Cleanup;
}
hr = V_DISPATCH( &var )->QueryInterface(IID_IADsSecurityDescriptor,(void**)&pSD);
if ( FAILED(hr) ) {
wprintf(L"QueryInterface for IADsSecurityDescriptor failed: 0x%x\n", hr);
goto Cleanup;
}
wprintf(L"****SECURITY DESCRIPTOR PROPERTIES****\n");
// Get properties using IADsSecurityDescriptor property methods.
hr = pSD->get_Revision(&lRev);
wprintf(L"Revision: %d\n", lRev);
// Print the control mask bits.
hr = pSD->get_Control(&lControl);
wprintf(L"Control Mask: \n");
SDParseControlMasks(lControl);
hr = pSD->get_Owner(&szProp);
wprintf(L"Owner: %s\n", szProp);
if (szProp)
SysFreeString(szProp);
hr = pSD->get_OwnerDefaulted(&boolVal);
wprintf(L"Owner Defaulted: %s\n", boolVal ? L"True" : L"False");
hr = pSD->get_Group(&szProp);
wprintf(L"Group: %s\n", szProp);
if (szProp)
SysFreeString(szProp);
hr = pSD->get_GroupDefaulted(&boolVal);
wprintf(L"Group Defaulted: %s\n", boolVal ? L"True" : L"False");
hr = pSD->get_SaclDefaulted(&boolVal);
wprintf(L"System ACL Defaulted: %s\n", boolVal ? L"True" : L"False");
hr = pSD->get_DaclDefaulted(&boolVal);
wprintf(L"Discretionary ACL Defaulted: %s\n", boolVal ? L"True" : L"False");
// Get the DACL.
wprintf(L"****DACL PROPERTIES****\n");
hr = pSD->get_DiscretionaryAcl(&pDisp);
if (SUCCEEDED(hr))
{
hr = pDisp->QueryInterface(IID_IADsAccessControlList, (void**)&pACL);
if (SUCCEEDED(hr))
{
hr = pACL->get__NewEnum( &pUnk );
if (SUCCEEDED(hr))
{
hr = pUnk->QueryInterface( IID_IEnumVARIANT, (void**) &pEnum );
}
}
}
if ( FAILED(hr) ) {
wprintf(L"Could not get DACL: 0x%x\n", hr);
goto Cleanup;
}
// Loop to read all ACEs on the object.
hr = pEnum->Next( 1, &varACE, &lFetch );
while ( (hr == S_OK) && (lFetch == 1) && (varACE.vt==VT_DISPATCH))
{
// QueryInterface for an IADsAccessControlEntry to use to read the ACE.
hr = V_DISPATCH(&varACE)->QueryInterface(
IID_IADsAccessControlEntry, (void**)&pACE );
if ( FAILED(hr) ) {
wprintf(L"QI for IADsAccessControlEntry failed: 0x%x\n", hr);
break;
}
wprintf(L"**** Properties of ACE %u ****\n", ++dwAces);
// Get the trustee that the ACE applies to and print it.
hr = pACE->get_Trustee(&szTrustee);
if (SUCCEEDED(hr))
{
wprintf(L"Trustee: %s\n", szTrustee);
if (szTrustee)
SysFreeString(szTrustee);
}
// Get the AceMask.
hr = pACE->get_AccessMask(&lAccessMask);
if (SUCCEEDED(hr))
{
wprintf(L"AccessMask: \n");
SDParseAccessMask(lAccessMask);
}
// Get the AceType.
hr = pACE->get_AceType(&lAceType);
if (SUCCEEDED(hr))
{
if (lAceType == ADS_ACETYPE_ACCESS_ALLOWED_OBJECT)
wprintf(L"ACE Type: ADS_ACETYPE_ACCESS_ALLOWED_OBJECT\n");
else if (lAceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT)
wprintf(L"ACE Type: ADS_ACETYPE_ACCESS_DENIED_OBJECT\n");
else if (lAceType == ADS_ACETYPE_ACCESS_ALLOWED)
wprintf(L"ACE Type: ADS_ACETYPE_ACCESS_ALLOWED\n");
else if (lAceType == ADS_ACETYPE_ACCESS_DENIED)
wprintf(L"ACE Type: ADS_ACETYPE_ACCESS_DENIED\n");
else
wprintf(L"ACE Type: UNKNOWN TYPE: %x\n", lAceType);
}
// Get the flags. Based on flags, get objecttype and inheritedobjecttype.
hr = pACE->get_Flags(&lTypeFlag);
if (SUCCEEDED(hr))
{
// If the object type GUID is present, print it.
if (lTypeFlag & ADS_FLAG_OBJECT_TYPE_PRESENT)
{
wprintf(L"Flags: ADS_FLAG_OBJECT_TYPE_PRESENT\n");
hr = pACE->get_ObjectType(&szObjectType);
if (SUCCEEDED(hr))
{
wprintf(L"ObjectType: %s\n", szObjectType);
if (szObjectType)
SysFreeString(szObjectType);
}
}
// If the inherited object type GUID is present, print it.
if (lTypeFlag & ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT)
{
wprintf(L"Flags: ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT\n");
hr = pACE->get_InheritedObjectType(&szObjectType);
if (SUCCEEDED(hr))
{
wprintf(L"InheritedObjectType: %s\n", szObjectType);
if (szObjectType)
SysFreeString(szObjectType);
}
}
}
// Cleanup the enumerated ACE item.
if (pACE)
pACE->Release();
// Cleanup the VARIANT for the ACE item.
VariantClear(&varACE);
// Get the next ACE.
hr = pEnum->Next( 1, &varACE, &lFetch );
} // End of While loop
Cleanup:
if (pEnum)
pEnum->Release();
if (pUnk)
pUnk->Release();
if (pACL)
pACL->Release();
if (pDisp)
pDisp->Release();
if (pSD)
pSD->Release();
VariantClear(&var);
return hr;
}
// ******************************************************************
// SDParseControlMasks
// Function to print Control flags.
// ******************************************************************
int SDParseControlMasks( long lCtrl )
{
int iReturn = TRUE;
if (lCtrl & SE_OWNER_DEFAULTED)
wprintf(L" SE_OWNER_DEFAULTED\n");
if (lCtrl & SE_GROUP_DEFAULTED)
wprintf(L" SE_GROUP_DEFAULTED\n");
if (lCtrl & SE_DACL_PRESENT)
wprintf(L" SE_DACL_PRESENT\n");
if (lCtrl & SE_DACL_DEFAULTED)
wprintf(L" SE_DACL_DEFAULTED\n");
if (lCtrl & SE_SACL_PRESENT)
wprintf(L" SE_SACL_PRESENT\n");
if (lCtrl & SE_SACL_DEFAULTED)
wprintf(L" SE_SACL_DEFAULTED\n");
if (lCtrl & SE_DACL_AUTO_INHERIT_REQ)
wprintf(L" SE_DACL_AUTO_INHERIT_REQ\n");
if (lCtrl & SE_SACL_AUTO_INHERIT_REQ)
wprintf(L" SE_SACL_AUTO_INHERIT_REQ\n");
if (lCtrl & SE_DACL_AUTO_INHERITED)
wprintf(L" SE_DACL_AUTO_INHERITED\n");
if (lCtrl & SE_SACL_AUTO_INHERITED)
wprintf(L" SE_SACL_AUTO_INHERITED\n");
if (lCtrl & SE_DACL_PROTECTED)
wprintf(L" SE_DACL_PROTECTED\n");
if (lCtrl & SE_SACL_PROTECTED)
wprintf(L" SE_SACL_PROTECTED\n");
if (lCtrl & SE_SELF_RELATIVE)
wprintf(L" SE_OWNER_DEFAULTED\n");
return iReturn;
}
// ******************************************************************
// SDParseAccessMask
// Function to print AccessMask flags.
// ******************************************************************
int SDParseAccessMask( long lCtrl )
{
int iReturn = TRUE;
if (lCtrl & ADS_RIGHT_DELETE)
wprintf(L" ADS_RIGHT_DELETE\n");
if (lCtrl & ADS_RIGHT_READ_CONTROL)
wprintf(L" ADS_RIGHT_READ_CONTROL\n");
if (lCtrl & ADS_RIGHT_WRITE_DAC)
wprintf(L" ADS_RIGHT_WRITE_DAC\n");
if (lCtrl & ADS_RIGHT_WRITE_OWNER)
wprintf(L" ADS_RIGHT_WRITE_OWNER\n");
if (lCtrl & ADS_RIGHT_GENERIC_READ)
wprintf(L" ADS_RIGHT_GENERIC_READ\n");
if (lCtrl & ADS_RIGHT_GENERIC_WRITE)
wprintf(L" ADS_RIGHT_GENERIC_WRITE\n");
if (lCtrl & ADS_RIGHT_GENERIC_EXECUTE)
wprintf(L" ADS_RIGHT_GENERIC_EXECUTE\n");
if (lCtrl & ADS_RIGHT_GENERIC_ALL)
wprintf(L" ADS_RIGHT_GENERIC_ALL\n");
if (lCtrl & ADS_RIGHT_DS_CREATE_CHILD)
wprintf(L" ADS_RIGHT_DS_CREATE_CHILD\n");
if (lCtrl & ADS_RIGHT_DS_DELETE_CHILD)
wprintf(L" ADS_RIGHT_DS_DELETE_CHILD\n");
if (lCtrl & ADS_RIGHT_ACTRL_DS_LIST)
wprintf(L" ADS_RIGHT_ACTRL_DS_LIST\n");
if (lCtrl & ADS_RIGHT_DS_SELF)
wprintf(L" ADS_RIGHT_DS_SELF\n");
if (lCtrl & ADS_RIGHT_DS_READ_PROP)
wprintf(L" ADS_RIGHT_DS_READ_PROP\n");
if (lCtrl & ADS_RIGHT_DS_WRITE_PROP)
wprintf(L" ADS_RIGHT_DS_WRITE_PROP\n");
if (lCtrl & ADS_RIGHT_DS_DELETE_TREE)
wprintf(L" ADS_RIGHT_DS_DELETE_TREE\n");
if (lCtrl & ADS_RIGHT_DS_LIST_OBJECT)
wprintf(L" ADS_RIGHT_DS_LIST_OBJECT\n");
if (lCtrl & ADS_RIGHT_DS_CONTROL_ACCESS)
wprintf(L" ADS_RIGHT_DS_CONTROL_ACCESS\n");
return iReturn;
}