The ADSI Resource Tool Kit is a collection of ADSI components that may be useful for solving difficult tasks, or for tasks that are impossible in the current implementation of ADSI.
These components are unsupported and should be treated as samples. You may, however, use and redistribute them.


THE ADSI RESOURCE KIT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.


ADSI Resource Kit Components shipping with the Solution

ADsSecurity and ADsSID
ADsSecurity lets you retrieve and modify the security descriptor of an Exchange, Active Directory, file, file share, or registry resource; ADsSID converts a security principal's SID between formats.

--------------------------------------------------------------------------------


API Documentation

IADsSecurity and IADsSID - Setting Permissions on File, Registry, Exchange

Location: /ResourceKit/ADsSecurity.dll 

Platforms: Windows NT 4.0, Windows 2000 

Installation: regsvr32 adssecurity.dll 

Requirement: ADSI 2.5 must be installed first.


IADsSecurity  

interface IADsSecurity
{
    HRESULT GetSecurityDescriptor([in, optional] VARIANT varPath, [out, retval] VARIANT *pVariant);
    HRESULT SetSecurityDescriptor([in] VARIANT varData, [in, optional] VARIANT varPath);
    HRESULT GetSID([in] VARIANT varPath, [out, retval] VARIANT *pRet);
    HRESULT GetSecurityDescriptorAs(long lFormat, [optional][in] VARIANT varPath, [retval,out] VARIANT *pRet);
};

Program ID: ADsSecurity
Include: ADsSecurity.h
CLSID & IIDs: ADsSecurity_i.c


HRESULT GetSecurityDescriptor( [in, optional] VARIANT varPath, [out, retval] VARIANT *pVariant);
Returns the security descriptor (an IADsSecurityDescriptor) for a given path. Valid paths are an Exchange LDAP path, an Active Directory LDAP path, a registry path (RGY://), a file system path (FILE://), an IFile object (for example, a Scripting.FileSystemObject File), or an IADs object; see the examples below. If no path is specified, IADsSecurity creates a new security descriptor.

HRESULT SetSecurityDescriptor([in] VARIANT varData, [in, optional] VARIANT varPath);
Writes the security descriptor (an IADsSecurityDescriptor) to the specified path. Valid paths are the same as for GetSecurityDescriptor. If no path is specified, IADsSecurity writes to the path that was passed to the preceding GetSecurityDescriptor call on the same object, which is why the examples below call SetSecurityDescriptor with only the descriptor.

HRESULT GetSID([in] VARIANT varPath, [out, retval] VARIANT *pRet);
Returns the IADsSID pointer for a given path. Valid paths are WinNT and LDAP (Active Directory and Exchange) ADsPaths.

HRESULT GetSecurityDescriptorAs( long lFormat, [optional][in]  VARIANT varPath,[retval,out] VARIANT *pRet);
Like GetSecurityDescriptor, except that lFormat selects the representation in which the security descriptor is returned.
The valid lFormat values are:

ADS_SD_RAW - Returns the descriptor as a variant array of bytes (VT_ARRAY | VT_I1).

ADS_SD_HEXSTRING - Returns the descriptor as a hex string (the form Exchange stores). Example:
FFF36040000FFFFFFFF37040000FFFFFFFF38040000FFFFFFFF39040000FF0

ADS_SD_SDDL (Windows 2000 only) - Returns the descriptor in Security Descriptor Definition Language. Example (a DACL with three access-allowed ACEs): D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)

ADS_SD_IID - Returns the IADsSecurityDescriptor pointer.



The primary objective of this interface is to give you one common interface which allows you to retrieve and modify ADSI's IADsSecurityDescriptor on a given resource.  A resource can be either NTFS File, Registry, Exchange Directory, or Active Directory.  

It gives you the following benefits:

You don't need to deal with the many different forms of a security descriptor any more (raw SD, Exchange's hex string, SDDL, a variant array of VT_I1, and so on).
You don't need to remember the security descriptor attribute name, such as "ntSecurityDescriptor" for Active Directory or "NT-Security-Descriptor" for Exchange.
You don't need to know the API for retrieving and setting the security descriptor of each kind of resource (GetFileSecurity, RegGetKeySecurity, the NetShare* functions, and so on).
All you need to know is how to use ADSI's IADsSecurityDescriptor, IADsAccessControlList and IADsAccessControlEntry, whether you are manipulating the security descriptor of an Exchange object, a file, a file share or any other supported resource. It is the same programming model and the same security descriptor object throughout.
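The ADS_SD_SDDL format described above and the "many forms of a security descriptor" point are easier to appreciate when you see what an SDDL DACL actually encodes. The following Python is an added example written for this page, not code from the ADSI Resource Kit: it parses the D: section of an SDDL string into the same fields an IADsAccessControlEntry exposes (AceType, AceFlags, AccessMask, Trustee). The rights-token, ACE-type and ACE-flag tables are the standard Windows SDDL values; the well-known trustee abbreviation table is deliberately a small assumed subset. The sample input is the SDDL string from the GetSecurityDescriptorAs description, plus one constructed registry-style DACL.

```python
"""Added example (not ADSI Resource Kit code): decode the DACL of an SDDL
string into the fields IADsAccessControlEntry exposes."""
import re

# Two-letter SDDL rights tokens -> ACCESS_MASK bits (standard Windows values).
SDDL_RIGHTS = {
    # Active Directory object rights (ADS_RIGHT_DS_*)
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    # standard rights
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    # generic rights (ADS_RIGHT_GENERIC_*)
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    # file and registry composites (KR == KEY_READ == ADS_RIGHTS_RGY_KEY_READ)
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}
# ACE type letters -> ADS_ACETYPE_ENUM values (A = ADS_ACETYPE_ACCESS_ALLOWED = 0)
ACE_TYPES = {"A": 0, "D": 1, "AU": 2, "OA": 5, "OD": 6, "OU": 7}
# ACE flag tokens -> ADS_ACEFLAG_ENUM values
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10,
             "SA": 0x40, "FA": 0x80}
# Well-known trustee abbreviations: an assumed subset for this example only.
TRUSTEES = {"DA": "Domain Admins", "SY": "Local System", "AU": "Authenticated Users",
            "BA": "Administrators", "WD": "Everyone", "BU": "Users", "CO": "Creator Owner"}


def _tokens(s, table, what):
    """Split a run of two-letter tokens and OR their values together."""
    if len(s) % 2:
        raise ValueError(f"odd-length {what} string: {s!r}")
    value = 0
    for i in range(0, len(s), 2):
        tok = s[i:i + 2]
        if tok not in table:
            raise ValueError(f"unknown {what} token {tok!r}")
        value |= table[tok]
    return value


def parse_rights(rights):
    """Rights are either two-letter tokens or a hex ACCESS_MASK such as 0x20019."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return _tokens(rights, SDDL_RIGHTS, "rights")


def parse_trustee(t):
    """An explicit SID string is kept as-is; otherwise resolve the abbreviation."""
    if t.startswith("S-1-"):
        return t
    if t in TRUSTEES:
        return TRUSTEES[t]
    raise ValueError(f"unknown trustee {t!r}")


def parse_sddl_dacl(sddl):
    """Return a list of ACE dicts for the D: section of an SDDL string."""
    m = re.search(r"D:(?P<flags>(?:P|AI|AR)*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:  # type;flags;rights;object_guid;inherit_guid;trustee
            raise ValueError(f"malformed ACE ({body})")
        ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
        if ace_type not in ACE_TYPES:
            raise ValueError(f"unknown ACE type {ace_type!r}")
        aces.append({
            "AceType": ACE_TYPES[ace_type],
            "AceFlags": _tokens(flags, ACE_FLAGS, "flag"),
            "AccessMask": parse_rights(rights),
            "ObjectType": obj_guid or None,
            "InheritedObjectType": inh_guid or None,
            "Trustee": parse_trustee(trustee),
        })
    return aces


if __name__ == "__main__":
    # SDDL sample from the GetSecurityDescriptorAs description on this page
    SAMPLE = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
              "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)")
    for ace in parse_sddl_dacl(SAMPLE):
        print(f"{ace['Trustee']:<20} type={ace['AceType']} mask=0x{ace['AccessMask']:08X}")
```

Decoding the page's sample shows that the two long ACEs grant mask 0xF01FF (every Active Directory object right plus DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER, i.e. full control) to Domain Admins and Local System, while Authenticated Users get 0x20094 (read property, list children, list object, read control). A reviewer checking a DACL should treat any ACE whose mask includes WD (0x40000) or WO (0x80000) as equivalent to full control, since the holder can rewrite the DACL.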

Setting file permission examples

FILE://[\\serverName\]FilePath

'----Visual Basic----

Dim sec As New ADsSecurity
Dim sd As IADsSecurityDescriptor 
Dim dacl As IADsAccessControlList 
Dim ace As IADsAccessControlEntry 
Dim newAce As New AccessControlEntry 

Set sd = sec.GetSecurityDescriptor("FILE://\\srv01\public") 
Set dacl = sd.DiscretionaryAcl 

'----Show the ACEs in the DACL---- 
For Each ace In dacl
  Debug.Print ace.Trustee 
  Debug.Print ace.AccessMask 
  Debug.Print ace.AceType 
Next 

Debug.Print dacl.AceCount 

'----Add a new ace for Jsmith---- 
newAce.Trustee = "ARCADIABAY\jsmith" 
newAce.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_EXECUTE 
newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED 

dacl.AddAce newAce 
sd.DiscretionaryAcl = dacl 
sec.SetSecurityDescriptor sd 

'----VBS---- 

Const ADS_RIGHT_GENERIC_READ = &H80000000 
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000 
Const ADS_ACETYPE_ACCESS_ALLOWED = 0 

Set sec = CreateObject("ADsSecurity") 
Set sd = sec.GetSecurityDescriptor("FILE://c:\public\specs") 
Set dacl = sd.DiscretionaryAcl 

'-- Show the ACEs in the DACL ---- 
For Each ace In dacl 
   wscript.echo ace.Trustee
   wscript.echo ace.AccessMask
   wscript.echo ace.AceType 
Next 

'--- Add a new ACE so that JSmith can read/execute this file 
Set ace = CreateObject("AccessControlEntry") 
ace.Trustee = "ARCADIABAY\jsmith" 
ace.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_EXECUTE 
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED 

dacl.AddAce ace 
sd.DiscretionaryAcl = dacl 
sec.SetSecurityDescriptor sd 

'----File System Object---- 
Const ADS_RIGHT_GENERIC_READ = &H80000000 
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000 
Const ADS_ACETYPE_ACCESS_ALLOWED = 0 

Set sec = CreateObject("ADsSecurity") 

'----Getting the file system security descriptor from an FSO File object----
Set fso = CreateObject("Scripting.FileSystemObject")
Set fs = fso.GetFile("c:\public\specs\movetree.doc")

Set sd = sec.GetSecurityDescriptor(fs)
Set dacl = sd.DiscretionaryAcl 

'----Show the ACEs in the DACL---- 
For Each ace In dacl 
   wscript.echo ace.Trustee
   wscript.echo ace.AccessMask
   wscript.echo ace.AceType 
Next 

'----Add a new ACE so that JSmith can read and execute this file---- 

Set ace = CreateObject("AccessControlEntry") 
ace.Trustee = "ARCADIABAY\jsmith" 
ace.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_EXECUTE 
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED 

dacl.AddAce ace 
sd.DiscretionaryAcl = dacl 
sec.SetSecurityDescriptor sd 

Setting Registry Permission Examples

RGY://[serverName]/RegistryLocation 

'----Modifying the local registry key's ACL----

Const ADS_RIGHTS_RGY_KEY_READ = &H20019   ' KEY_READ
Const ADS_ACETYPE_ACCESS_ALLOWED = 0

Set sec = CreateObject("ADsSecurity") 
Set sd = sec.GetSecurityDescriptor("RGY://HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MyKey") 

'Displaying the ACEs in the DACL: this is the same way you display ACEs for file, file share, registry, Exchange, and Active Directory ACLs.

Set dacl = sd.DiscretionaryAcl 

For Each ace In dacl 
   WScript.Echo ace.Trustee
   WScript.Echo ace.AccessMask
   WScript.Echo ace.AceType
Next

WScript.Echo dacl.AceCount

 '----Allow James Smith to read this registry key: 

Set newAce = CreateObject("AccessControlEntry") 
newAce.Trustee = "ARCADIABAY\jsmith" 
newAce.AccessMask = ADS_RIGHTS_RGY_KEY_READ 
newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED 

dacl.AddAce newAce 
sd.DiscretionaryAcl = dacl 
sec.SetSecurityDescriptor sd 


'----You can also connect to a remote registry----
Set sd = sec.GetSecurityDescriptor("RGY://mycomp03/HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MyKey")

 

IADsSID

IADsSID lets you retrieve a security principal's SID in several formats. It is useful for converting a SID from one representation to another and for searching for a security principal, for example by building the SID binding string used with the GC: provider.

  

Interface Definition:

interface IADsSID : IDispatch
{
    HRESULT SetAs([in] long lFormat, [in] VARIANT varData);
    HRESULT GetAs([in] long lFormat, [out, retval] VARIANT *pVar);
};

Program ID: ADsSID
Include: ADsSecurity.h
CLSID & IIDs: ADsSecurity_i.c

  

HRESULT SetAs([in] long lFormat, [in] VARIANT varData)

Loads the SID from varData; lFormat tells the object which representation varData holds (the same ADS_SID_* constants listed for GetAs). To convert a SID, call SetAs with one format and then GetAs with another.

HRESULT GetAs([in] long lFormat, [out, retval] VARIANT *pVar)

Returns the SID in one of the supported formats. The variant type of the return value depends on the specified format.

Parameters: 

[in] long lFormat 

lFormat can be one of the following:

ADS_SID_RAW ( VT_ARRAY | VT_U1 ) 

ADS_SID_HEXSTRING (VT_BSTR), for example, 010500000000000515000000093A2A24358A021ADBEB0C508E040000 

ADS_SID_SAM (VT_BSTR ), for example, ARCADIABAY\jsmith 

ADS_SID_UPN (VT_BSTR), for example, jsmith@arcadiabay.com ( Windows 2000 Only ) 

ADS_SID_SDDL (VT_BSTR), for example, S-1-5-21-606747145-436374069-1343024091-1166  (Windows 2000 Only) 

ADS_SID_WINNT_PATH (VT_BSTR), for example, WinNT://ARCADIABAY/jsmith 

ADS_SID_ACTIVE_DIRECTORY_PATH (VT_BSTR), for example, LDAP://CN=John Smith,OU=NTDSys,DC=ArcadiaBay,DC=com 

ADS_SID_SID_BINDING (VT_BSTR), for example, GC://<SID=010500000000000515000000093A2A24358A021ADBEB0C508E040000> 

  

[out, retval] VARIANT *pVar 

Return value, its variant type depends on the specified format.
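As an added worked example, not part of the ADSI Resource Kit, the following Python converts between the ADS_SID_HEXSTRING and ADS_SID_SDDL representations that GetAs returns, using the sample SID from this page, and builds the ADS_SID_SID_BINDING string from it. The binary SID layout it relies on (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) is the documented Windows SID structure; the function names and the split_domain_rid helper are this example's own.

```python
"""Added example (not ADSI Resource Kit code): convert a SID between the
ADS_SID_HEXSTRING and ADS_SID_SDDL representations returned by IADsSID.GetAs."""
import struct


def sid_hex_to_string(hex_sid):
    """ADS_SID_HEXSTRING (byte-wise hex of the binary SID) -> 'S-1-5-...' string."""
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1 or sub_count > 15:
        raise ValueError(f"bad SID header: revision={revision} subauthorities={sub_count}")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError(f"SID length {len(raw)} does not match {sub_count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit identifier authority
    subs = struct.unpack(f"<{sub_count}I", raw[8:])  # sub-authorities are little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_hex(sid):
    """'S-1-5-...' string -> ADS_SID_HEXSTRING (upper-case, as the page shows it)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError(f"SID component out of range: {sid!r}")
    raw = (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
           + struct.pack(f"<{len(subs)}I", *subs))
    return raw.hex().upper()


def split_domain_rid(sid):
    """Split an account SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    if domain.count("-") < 3:
        raise ValueError(f"{sid!r} has no domain part")
    return domain, int(rid)


def sid_binding_string(sid, provider="GC"):
    """Build the ADS_SID_SID_BINDING form, e.g. GC://<SID=0105...>."""
    return f"{provider}://<SID={sid_string_to_hex(sid)}>"


if __name__ == "__main__":
    # ADS_SID_HEXSTRING sample from this page
    SAMPLE_HEX = "010500000000000515000000093A2A24358A021ADBEB0C508E040000"
    sid = sid_hex_to_string(SAMPLE_HEX)
    print(sid)                          # S-1-5-21-606747145-436374069-1343024091-1166
    print(split_domain_rid(sid))        # domain SID and RID 1166
    print(sid_binding_string(sid))      # GC://<SID=0105...>
```

Running the page's ADS_SID_HEXSTRING sample through sid_hex_to_string yields exactly the S-1-5-21-606747145-436374069-1343024091-1166 value shown for ADS_SID_SDDL, so the two samples describe the same account, with RID 1166 in the domain S-1-5-21-606747145-436374069-1343024091. The length checks matter when the hex string comes from an untrusted directory attribute: a sub-authority count that does not match the byte length is the usual sign of a truncated or tampered SID.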
