Security Descriptor Property Type

Properties such as nTSecurityDescriptor use the String(NT-Sec_Desc) syntax type. If a property of this type is obtained with the Properties property, this data type is represented as a COM object that can be cast to an IADsSecurityDescriptor. If a property of this type is obtained from a ResultPropertyValueCollection, this data type is represented as an array of Byte values. For more information about the nTSecurityDescriptor property, the String(NT-Sec_Desc) syntax type and the IADsSecurityDescriptor interface, see the nTSecurityDescriptor topic, the String(NT-Sec_Desc) topic and the IADsSecurityDescriptor topic in the MSDN Library at https://go.microsoft.com/fwlink/?LinkID=27252.

Beginning with .NET Framework 2.0, the security descriptor for an Active Directory Domain Services object is represented by the ActiveDirectorySecurity class and can be obtained or set with the ObjectSecurity property.

The following Visual Basic and C# examples show how to read a security descriptor on an object.

' Visual Basic
Imports System
Imports System.Collections
Imports System.DirectoryServices
Imports ActiveDs

Dim ent As New DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com")
' Obtained through Properties, the value is a COM object that is cast to the ActiveDs SecurityDescriptor type.
Dim sd As SecurityDescriptor = CType(ent.Properties("ntSecurityDescriptor").Value, SecurityDescriptor)
Dim acl As AccessControlList = CType(sd.DiscretionaryAcl, AccessControlList)
Dim ace As AccessControlEntry
' List the trustee, access mask and ACE type of each entry in the discretionary ACL.
For Each ace In CType(acl, IEnumerable)
    Console.WriteLine("Trustee: {0}", ace.Trustee)
    Console.WriteLine("AccessMask: {0}", ace.AccessMask)
    Console.WriteLine("Access Type: {0}", ace.AceType)
Next ace

// C#
using System;
using System.Collections;
using System.DirectoryServices;
using ActiveDs;

DirectoryEntry ent = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com");
// Obtained through Properties, the value is a COM object that is cast to the ActiveDs SecurityDescriptor type.
SecurityDescriptor sd = (SecurityDescriptor)ent.Properties["ntSecurityDescriptor"].Value;
AccessControlList acl = (AccessControlList)sd.DiscretionaryAcl;

// List the trustee, access mask and ACE type of each entry in the discretionary ACL.
foreach (AccessControlEntry ace in (IEnumerable)acl)
{
    Console.WriteLine("Trustee: {0}", ace.Trustee);
    Console.WriteLine("AccessMask: {0}", ace.AccessMask);
    Console.WriteLine("Access Type: {0}", ace.AceType);
}

The following Visual Basic and C# examples show how to write a security descriptor to an object.

' Visual Basic
Imports System.DirectoryServices
Imports ActiveDs

Dim usr As New DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com")
Dim newAce As AccessControlEntry = New AccessControlEntryClass()
Dim usrSD As SecurityDescriptor = CType(usr.Properties("ntSecurityDescriptor").Value, SecurityDescriptor)
Dim usrAcl As AccessControlList = CType(usrSD.DiscretionaryAcl, AccessControlList)
' AccessMask -1 sets all 32 access bits and AceType 0 is ADS_ACETYPE_ACCESS_ALLOWED,
' so this ACE allows AliceW every right on the object.
newAce.Trustee = "AliceW"
newAce.AccessMask = -1
newAce.AceType = 0
usrAcl.AddAce(newAce)
' Put the modified ACL back on the descriptor, then write the descriptor to the directory.
usrSD.DiscretionaryAcl = usrAcl
usr.Properties("ntSecurityDescriptor").Value = usrSD
usr.CommitChanges()

// C#
using System.DirectoryServices;
using ActiveDs;

DirectoryEntry usr = new DirectoryEntry("LDAP://CN=My User Name,OU=Marketing,DC=fabrikam,DC=com");
AccessControlEntry newAce = new AccessControlEntryClass();
SecurityDescriptor usrSD = (SecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
AccessControlList usrAcl = (AccessControlList)usrSD.DiscretionaryAcl;
// AccessMask -1 sets all 32 access bits and AceType 0 is ADS_ACETYPE_ACCESS_ALLOWED,
// so this ACE allows AliceW every right on the object.
newAce.Trustee = "AliceW";
newAce.AccessMask = -1;
newAce.AceType = 0;
usrAcl.AddAce(newAce);
// Put the modified ACL back on the descriptor, then write the descriptor to the directory.
usrSD.DiscretionaryAcl = usrAcl;
usr.Properties["ntSecurityDescriptor"].Value = usrSD;
usr.CommitChanges();
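
The following C# code is an added example, not part of the original topic. It takes the Byte-array form of a security descriptor (the form returned by a ResultPropertyValueCollection) and reports each access-allowed ACE that grants full control, such as one written with an AccessMask of -1. The names DaclByteAudit and FullControlAces are hypothetical, and the sample descriptor is constructed in Main so that the code runs without a directory.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;

static class DaclByteAudit   // hypothetical name, not a framework type
{
    const int GenericAll = 0x10000000;     // ADS_RIGHT_GENERIC_ALL
    const int AdFullControl = 0x000F01FF;  // same value as ActiveDirectoryRights.GenericAll

    // Lists "SID mask" for each access-allowed ACE in the DACL that grants full control.
    public static List<string> FullControlAces(byte[] sdBytes)
    {
        var hits = new List<string>();
        var sd = new RawSecurityDescriptor(sdBytes, 0);
        if (sd.DiscretionaryAcl == null) return hits;  // these bytes carry no DACL

        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var q = ace as QualifiedAce;  // base class of CommonAce and ObjectAce
            if (q == null || q.AceQualifier != AceQualifier.AccessAllowed) continue;
            bool full = (q.AccessMask & GenericAll) != 0
                     || (q.AccessMask & AdFullControl) == AdFullControl;
            if (full) hits.Add(q.SecurityIdentifier.Value + " 0x" + q.AccessMask.ToString("X8"));
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample DACL: Everyone is allowed mask -1 (the value the write
        // example assigns); Authenticated Users are allowed read-property (0x10) only.
        var dacl = new RawAcl(GenericAcl.AclRevision, 2);
        dacl.InsertAce(0, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, -1,
            new SecurityIdentifier(WellKnownSidType.WorldSid, null), false, null));
        dacl.InsertAce(1, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 0x10,
            new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), false, null));
        var sample = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent,
            null, null, null, dacl);
        byte[] bytes = new byte[sample.BinaryLength];
        sample.GetBinaryForm(bytes, 0);

        foreach (string hit in FullControlAces(bytes))
            Console.WriteLine(hit);
    }
}
```

Against a live directory, pass (byte[])result.Properties["ntSecurityDescriptor"][0] from a SearchResult to FullControlAces, and set DirectorySearcher.SecurityMasks to SecurityMasks.Dacl so that the search requests only the DACL part of the descriptor.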

See Also

Reference

System.DirectoryServices
ActiveDirectorySecurity
DirectoryEntry
ResultPropertyValueCollection
Byte

Concepts

Property Types

Copyright © 2007 by Microsoft Corporation. All rights reserved.