Chapter 23. Permissions and Auditing
Security descriptors (SDs),
access control lists (ACLs), and access control entries (ACEs)
have been used for files and directories on NTFS filesystems for
years. The same concepts apply to securing Active Directory objects
as well. While the information in this chapter is focused on Active
Directory, the principles of creating an SD that contains a
discretionary access control list (DACL) and system access control
list (SACL) can map exactly over to NTFS files and directories.
ADSI provides four main interfaces we can use:
- IADsAccessControlEntry: Manipulates individual ACEs that represent access or audit permissions for specific users or groups to objects and properties in Active Directory.
- IADsAccessControlList: Manages collections of ACEs for an object.
- IADsSecurityDescriptor: Manages the different sets of ACLs (DACL and SACL) for an object.
- IADsSecurityUtility: Gets, sets, and retrieves security descriptors for an object.
All of the ADSI security interfaces can be found in the MSDN Library (http://msdn.microsoft.com/library/) under Networking and Directory Services → Active Directory, ADSI and Directory Services → SDK Documentation → Directory Services → Active Directory Service Interfaces → Active Directory Service Interfaces Reference → ADSI Interfaces → Security Interfaces.
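The following script is an added example, not code from the book: it walks an Active Directory object's security descriptor through the three interfaces just listed (IADsSecurityDescriptor, IADsAccessControlList, IADsAccessControlEntry) from PowerShell, decodes each ACE into readable type, trustee, rights and inheritance flags, flags any trustee who can rewrite the ACL itself, and shows how an audit ACE is built and added to the SACL. It assumes a domain-joined session with permission to read the object; the distinguished name and the `Everyone` trustee are placeholders, and the numeric constants are the ADS_ACETYPE_*, ADS_ACEFLAG_* and ADS_RIGHT_* values from iads.h.

```powershell
# Added example (not from the book): decode an AD object's DACL/SACL via ADSI
# and add a SACL entry that audits changes to the object's permissions.
# Assumes a domain-joined session; $DN values below are placeholders.

# Constants from iads.h (ADS_ACETYPE_*, ADS_ACEFLAG_*, ADS_RIGHT_*)
$AceTypeName = @{ 0 = 'ACCESS_ALLOWED'; 1 = 'ACCESS_DENIED'; 2 = 'SYSTEM_AUDIT'
                  5 = 'ACCESS_ALLOWED_OBJECT'; 6 = 'ACCESS_DENIED_OBJECT'; 7 = 'SYSTEM_AUDIT_OBJECT' }
$AceFlagName = [ordered]@{ 0x02 = 'INHERIT'; 0x04 = 'NO_PROPAGATE'; 0x08 = 'INHERIT_ONLY'
                           0x10 = 'INHERITED'; 0x40 = 'SUCCESSFUL_ACCESS'; 0x80 = 'FAILED_ACCESS' }
$RightName = [ordered]@{
    0x00000001 = 'CREATE_CHILD'; 0x00000002 = 'DELETE_CHILD'; 0x00000004 = 'LIST'
    0x00000008 = 'SELF';         0x00000010 = 'READ_PROP';    0x00000020 = 'WRITE_PROP'
    0x00000040 = 'DELETE_TREE';  0x00000080 = 'LIST_OBJECT';  0x00000100 = 'CONTROL_ACCESS'
    0x00010000 = 'DELETE';       0x00020000 = 'READ_CONTROL'; 0x00040000 = 'WRITE_DAC'
    0x00080000 = 'WRITE_OWNER';  0x10000000 = 'GENERIC_ALL'
}
# Rights that let a trustee rewrite the ACL or take ownership: the ones an audit should look at first
$AclChangeMask = 0x00040000 -bor 0x00080000 -bor 0x10000000

function Expand-Bits {
    # Return the names of all bits from $Names that are set in $Mask, joined with '|'
    param([int]$Mask, $Names)
    @($Names.Keys | Where-Object { ($Mask -band $_) -eq $_ } | ForEach-Object { $Names[$_] }) -join '|'
}

function Convert-Ace {
    # Turn one IADsAccessControlEntry into a readable record
    param($Ace, [string]$Acl)
    [pscustomobject]@{
        Acl          = $Acl
        Type         = $AceTypeName[[int]$Ace.AceType]
        Trustee      = $Ace.Trustee
        Rights       = Expand-Bits $Ace.AccessMask $RightName
        Flags        = Expand-Bits $Ace.AceFlags $AceFlagName
        ObjectType   = $Ace.ObjectType    # attribute/extended-right GUID for *_OBJECT ACEs, else empty
        CanChangeAcl = ($Ace.AccessMask -band $AclChangeMask) -ne 0
    }
}

function Get-AdsiSecurity {
    # List every ACE in the object's DACL (and SACL when requested)
    param([string]$DN, [switch]$IncludeSacl)
    $de = [ADSI]"LDAP://$DN"
    if ($IncludeSacl) {
        # The SACL is only returned when asked for, and reading it needs SeSecurityPrivilege
        $de.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'
    }
    $sd = $de.Get('ntSecurityDescriptor')             # IADsSecurityDescriptor
    Write-Verbose ("Owner={0} Group={1} Control=0x{2:X}" -f $sd.Owner, $sd.Group, $sd.Control)
    foreach ($ace in $sd.DiscretionaryAcl) { Convert-Ace $ace 'DACL' }   # IADsAccessControlList enumerates ACEs
    if ($IncludeSacl) { foreach ($ace in $sd.SystemAcl) { Convert-Ace $ace 'SACL' } }
}

function Add-AclChangeAudit {
    # Add a SACL entry that logs successful and failed attempts to change the
    # object's permissions or owner. Events appear in the Security log only if
    # 'Audit directory service access' is also enabled in audit policy.
    param([string]$DN, [string]$Trustee = 'Everyone', [switch]$Commit)
    $de = [ADSI]"LDAP://$DN"
    $de.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner,Group,Dacl,Sacl'
    $sd  = $de.Get('ntSecurityDescriptor')
    $ace = New-Object -ComObject AccessControlEntry   # IADsAccessControlEntry
    $ace.Trustee    = $Trustee
    $ace.AceType    = 2                               # ADS_ACETYPE_SYSTEM_AUDIT
    $ace.AccessMask = 0x00040000 -bor 0x00080000      # WRITE_DAC | WRITE_OWNER
    $ace.AceFlags   = 0x40 -bor 0x80 -bor 0x02        # SUCCESSFUL | FAILED, inherited by child objects
    $sacl = $sd.SystemAcl
    $sacl.AddAce($ace)
    $sd.SystemAcl = $sacl                             # hand the modified list back to the descriptor
    if ($Commit) {                                    # without -Commit the change stays in memory
        $de.Put('ntSecurityDescriptor', $sd)
        $de.SetInfo()
    }
    Convert-Ace $ace 'SACL'                           # show what was (or would be) added
}

# Usage (placeholder DN): who can rewrite this OU's ACL, then preview the audit ACE
Get-AdsiSecurity -DN 'OU=Finance,DC=example,DC=com' | Where-Object CanChangeAcl | Format-Table -AutoSize
Add-AclChangeAudit -DN 'OU=Finance,DC=example,DC=com'
```

The `CanChangeAcl` column is the quick triage view: anyone listed there with an ACCESS_ALLOWED entry can alter every other permission on the object, so those entries should be limited to the accounts you expect. `Add-AclChangeAudit` deliberately leaves the descriptor untouched unless `-Commit` is given, which makes it safe to run first and inspect the ACE it would write.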
Microsoft provides a DLL (ADsSecurity.dll) with the Platform SDK that contains several interfaces that you can use to manage security descriptors, ACLs, and ACEs. It isn't covered in this chapter because it doesn't come installed with Windows 2000 or Windows Server 2003, but we encourage you to check it out and take a look at the example source code that comes with it for more information. Remember that the DLL will need to be installed and registered using REGSVR32.EXE ADsSecurity.dll on every client that would use it.