
23.2 A Simple ADSI Example

All of the seven ACE properties are set using property methods of the same names as those in an ADSI interface called IADsAccessControlEntry. The ACEs that are created using this are then modified using IADsAccessControlList and IADsSecurityDescriptor.

Let's go through an example now so you can see how it all fits together. Example 23-1 shows a section of VBScript code that creates an ACE that allows ANewGroup full access to the myOU organizational unit and all its children.

Example 23-1. A simple ADSI example
'**************************************************************************
'Declare constants
'**************************************************************************
Const FULL_CONTROL = -1                   'Every bit in the access mask set
Const ADS_ACETYPE_ACCESS_ALLOWED = 0      'ADS_ACETYPE_ENUM: permissions-allowed ACE
'AceFlags value 2 is ADS_ACEFLAG_INHERIT_ACE (ADS_ACEFLAG_ENUM), the flag that
'makes child objects inherit the ACE. The original listing named this constant
'ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, which is the ADS_FLAGTYPE_ENUM value
'used for the Flags property, not for AceFlags; the numeric value is the same.
Const ADS_ACEFLAG_INHERIT_ACE = 2

'**************************************************************************
'Declare variables
'**************************************************************************
Dim objObject    'Any object
Dim objSecDesc   'SecurityDescriptor
Dim objDACL      'AccessControlList
Dim objNewACE    'AccessControlEntry

'**************************************************************************
'Create the new ACE and populate it
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "AMER\ANewGroup"
objNewACE.AccessMask = FULL_CONTROL
objNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objNewACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE

'**************************************************************************
'Add the new ACE to the object and write it to the AD
'**************************************************************************
Set objObject = GetObject("LDAP://ou=myOU,dc=amer,dc=mycorp,dc=com")

'**************************************************************************
'Use IADs::Get to retrieve the SD for the object
'**************************************************************************
Set objSecDesc = objObject.Get("ntSecurityDescriptor")

'**************************************************************************
'Use IADsSecurityDescriptor::DiscretionaryAcl to retrieve the existing DACL
'**************************************************************************
Set objDACL = objSecDesc.DiscretionaryAcl

'**************************************************************************
'Use IADsAccessControlList::AddAce to append an ACE to the existing DACL
'**************************************************************************
objDACL.AddAce objNewACE

'**************************************************************************
'Use IADsSecurityDescriptor::DiscretionaryAcl to put back the modified DACL
'**************************************************************************
objSecDesc.DiscretionaryAcl = objDACL

'**************************************************************************
'Use IADs::Put to replace the SD for the object
'**************************************************************************
objObject.Put "ntSecurityDescriptor", Array(objSecDesc)

'**************************************************************************
'Write out the property cache using IADs::SetInfo
'**************************************************************************
objObject.SetInfo

First we create the new ACE. This requires a CreateObject call to create a new, empty ACE object. We then have to set the four fields that we need. The Trustee is the user or group that will have the permission to the myOU object. The AccessMask value of -1 indicates that full permission is being set. To say whether those full permissions are allowed or denied, we use a 0 in the AceType field, which indicates that the ACE is a permissions-allowed ACE. Finally, the AceFlags field is set to 2 so that child objects will inherit this ACE. The ACE now allows ANewGroup full access to the myOU organizational unit and all its children.

We then bind to the object, retrieve its security descriptor, and from that retrieve the DACL so that we can add the new ACE to it. Once that is done, we reverse the steps: put the DACL back into the security descriptor, put the security descriptor back on the object, and write out the property cache as the last step.
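The same three ADSI interfaces can be walked in the other direction to audit what Example 23-1 produces. The following PowerShell is an added example, not code from the book: it binds to the OU path used above (assumed to exist in your forest), reads the security descriptor with IADs::Get, enumerates the IADsAccessControlList, and reports every explicit, inheritable, permissions-allowed ACE whose mask amounts to full control, which is exactly the kind of ACE the VBScript writes.

```powershell
# Added audit example (not from the book). Assumes a domain-joined host and
# that the caller can read ntSecurityDescriptor on the OU.
# ADSI enumeration values as documented by Microsoft:
$ADS_ACETYPE_ACCESS_ALLOWED = 0            # ADS_ACETYPE_ENUM
$ADS_ACEFLAG_INHERIT_ACE    = 0x2          # ADS_ACEFLAG_ENUM: children inherit
$ADS_ACEFLAG_INHERITED_ACE  = 0x10         # ADS_ACEFLAG_ENUM: ACE came from a parent
$ADS_RIGHT_GENERIC_ALL      = 0x10000000   # ADS_RIGHTS_ENUM
$DS_FULL_CONTROL_MASK       = 0x000F01FF   # ActiveDirectoryRights.GenericAll, specific bits

function Get-InheritableFullControlAces {
    param(
        # OU path from Example 23-1; replace with one from your own domain.
        [string]$Path = "LDAP://ou=myOU,dc=amer,dc=mycorp,dc=com"
    )

    $entry = [ADSI]$Path
    # IADs::Get returns the IADsSecurityDescriptor COM object, as in the VBScript.
    $sd   = $entry.psbase.InvokeGet("ntSecurityDescriptor")
    # IADsSecurityDescriptor::DiscretionaryAcl is an IADsAccessControlList,
    # which foreach enumerates as IADsAccessControlEntry objects.
    $dacl = $sd.DiscretionaryAcl

    foreach ($ace in $dacl) {
        $mask      = [int]$ace.AccessMask
        $isAllow   = ($ace.AceType -eq $ADS_ACETYPE_ACCESS_ALLOWED)
        $inherits  = (($ace.AceFlags -band $ADS_ACEFLAG_INHERIT_ACE) -ne 0)
        $explicit  = (($ace.AceFlags -band $ADS_ACEFLAG_INHERITED_ACE) -eq 0)
        # -1 (the book's FULL_CONTROL) sets every bit, so both tests catch it;
        # the specific-bits test also catches a mask the DS has already
        # translated from GENERIC_ALL into concrete DS rights.
        $fullCtrl  = (($mask -band $ADS_RIGHT_GENERIC_ALL) -ne 0) -or
                     (($mask -band $DS_FULL_CONTROL_MASK) -eq $DS_FULL_CONTROL_MASK)

        if ($isAllow -and $inherits -and $explicit -and $fullCtrl) {
            [pscustomobject]@{
                Object     = $Path
                Trustee    = $ace.Trustee
                AccessMask = ('0x{0:X8}' -f $mask)
                AceFlags   = ('0x{0:X2}' -f [int]$ace.AceFlags)
            }
        }
    }
}

Get-InheritableFullControlAces | Format-Table -AutoSize
```

Run it before and after Example 23-1 and the AMER\ANewGroup entry should appear only in the second run; any other trustee listed is worth reviewing, since an inheritable full-control allow on an OU flows down to every object created beneath it.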
