binding to a property within an AD object for setting permissions?

Bob Weiner

I have posted this to exchange2000.development and server.scripting without
success. Forgive me if I'm being pushy but I have a deadline rushing at
me (like I'm the only one!).

This doesn't seem to me to be an overly difficult question though I admit
that I cannot figure it out. The fact that it can be done manually with the
ADUC makes me believe that it is scriptable.

********************************************************

I need to give users the ability to update specific properties on AD objects
but am having trouble retrieving security descriptors on individual AD
object attributes.

I am using ADSI (of course) and ADsSecurity.dll to do this. My best attempt
thus far (which failed with a "catastrophic failure") is below.

A pointer would be greatly appreciated.

thanks,
bob

---------------------------------------------
Public Sub grant ( ByVal iadObj As IADs, _
ByVal dnTrustee As String, _
ByVal strAttribute as String )

Dim sd As IADsSecurityDescriptor
Dim dacl As IADsAccessControlList
Dim ace As AccessControlEntry

Dim propList As IADsPropertyList
Dim propEntry As IADsPropertyEntry

' create new ace
Set ace = New AccessControlEntry
With ace
.AceType = ADS_ACETYPE_ACCESS_ALLOWED
.Trustee = dnTrustee
.AccessMask = ADS_RIGHT_GENERIC_WRITE
End With

' retrieve the attribute object
Set propList = iadObj
propList.GetInfo
Set propEntry = propList.GetPropertyItem ( _
strAttribute, _
ADSTYPE_CASE_IGNORE_STRING )

' set the acl on that property
Set sd = ADsSecure.GetSecurityDescriptor(propEntry) ' BOOM!!!
Set dacl = sd.DiscretionaryAcl
dacl.AddAce ace
Set sd.DiscretionaryAcl = dacl
ADsSecure.SetSecurityDescriptor sd

End Sub
---------------------------------------------
 
Hello bob, do you have the error code that it fails with?

that might help us out further

tx

Jeromy Statia [MSFT]
 
Does this mean it should be working? Am I at least on the right track?

The "Boom!!!" line is terminating with Runtime Error 430, "Class does not
support automation or does not support expected interface." Can you get a
security descriptor on an IADsPropertyEntry object? I didn't see that in
the documentation, it just seemed like a reasonable thing to try.

The problem is actually worse. After getting the runtime error, if I chose
to debug, Visual Studio crashes with the Application error:
*** The instruction at "0x773be416" referenced memory at "0x000000019".
The memory could not be "read". ***
I have also seen a different instruction address which failed trying to
write.

I am working with VS 6.0. The program I am using tonight is not fully
patched so I will apply sp5 and try again. This may correct the VS problem
though I doubt it will help my code.

thanks,
bob


 
FYI: VS6 SP5 still crashes at the same line with the same application
error.

I'm not concerned with the VS problem; hopefully, I'll be moving on to
VS.Net after this project is off my desk.

bob



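Added example, not part of the original thread and not the poster's code: in Active Directory the security descriptor lives on the object (its ntSecurityDescriptor attribute), and a per-attribute grant is an object ACE in that DACL whose ObjectType is the attribute's schemaIDGUID. This sketch assumes VB6 with a reference to the Active DS Type Library, a trustee given as DOMAIN\account, and a hypothetical strAttrGuid parameter holding the schemaIDGUID as a "{...}" string looked up from the schema beforehand.

```vb
' Added example: delegate write access to ONE attribute of an AD object.
' GrantAttributeWrite and strAttrGuid are illustrative names, not from the thread.
Public Sub GrantAttributeWrite(ByVal iadObj As IADs, _
                               ByVal strTrustee As String, _
                               ByVal strAttrGuid As String)

    Dim sd As IADsSecurityDescriptor
    Dim dacl As IADsAccessControlList
    Dim ace As IADsAccessControlEntry

    ' The descriptor is read from the object itself; an
    ' IADsPropertyEntry carries no security descriptor of its own.
    Set sd = iadObj.Get("ntSecurityDescriptor")
    Set dacl = sd.DiscretionaryAcl

    Set ace = New AccessControlEntry
    With ace
        ' Object ACE: the right applies only to the GUID in ObjectType.
        .AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        ' Write-property only. ADS_RIGHT_GENERIC_WRITE would also allow
        ' writing every other attribute, which over-delegates.
        .AccessMask = ADS_RIGHT_DS_WRITE_PROP
        ' Tell ADSI that ObjectType is populated.
        .Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
        .ObjectType = strAttrGuid   ' schemaIDGUID of the attribute
        .AceFlags = 0               ' this object only, no inheritance
        .Trustee = strTrustee
    End With

    ' Write the modified DACL back through the object.
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    iadObj.Put "ntSecurityDescriptor", sd
    iadObj.SetInfo

End Sub
```

After running it, the new entry should appear in ADUC under the object's Security tab, Advanced view, as a "Write <attribute>" permission for the trustee rather than a general Write entry.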
 