
Writing ACL doesn't work

Hello NG!

I am trying to write Access Control Settings for Users in Active Dir.
First, what I do is delegate a Trustee in a Container, with
permissions. This works fine. Let's take Guests as Trustee. Setting
rights like "Full Control" or "Read" or "Write" is not the issue; my
problem is the Subrights like "Read logon time" or "Write logon time".
I cannot achieve this. OK, here's some code:

using ActiveDs;

AccessControlEntry newAce = new AccessControlEntryClass();
SecurityDescriptor usrSD =
    (SecurityDescriptor)src.Properties["ntSecurityDescriptor"].Value;
AccessControlList usrAcl = (AccessControlList)usrSD.DiscretionaryAcl;
ADsSecurityUtilityClass asu = new ADsSecurityUtilityClass();
asu.SecurityMask = (int)(ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_DACL);
newAce.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
    | (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
newAce.AceType = aceType;
newAce.AccessMask = accessMask;
newAce.AceFlags = aceFlags;

// Problems must be here! or the newAce.Flags Attribute!
newAce.ObjectType = "{28630ebf-41d5-11d1-a9c1-0000f80367c1}";
newAce.InheritedObjectType = "{bf967aba-0de6-11d0-a285-00aa003049e2}";
// Here we go with the SubRights like "Lockout Time"
// here I set "Lockout time", which doesn't work, no error, no exception!
newAce.Trustee = GetTextualSID(de);
usrAcl.AddAce(newAce);
usrSD.DiscretionaryAcl = usrAcl;
src.Properties["ntSecurityDescriptor"].Value = usrSD;
src.CommitChanges();


OK, everything works except these lines:
1. newAce.Flags....
2. newAce.ObjectType...
3. newAce.InheritedObjectType...

I have tried the same stuff in VB, which worked without a problem!!!!! ( ??? )
Here is the VB code which works fine:

(Note: I have not posted the declarations of the ADS variables!)

' ADS_FLAG_OBJECTS
Public Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Public Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
' Delegation of the admin OU
Set ou = GetObject("LDAP://ou=123,ou=agis,dc=adtsfbbd3,dc=adtsfbb,dc=net")
Set sec = ou.Get("ntSecurityDescriptor")
Set acl = sec.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
' You can also use Set ace = new ADsAccessControlEntry.

' Grant access to the object.
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

' Read and write the property.
ace.AccessMask = ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP

' Attribute LockOutTime
ace.ObjectType = "{28630ebf-41d5-11d1-a9c1-0000f80367c1}"

' schemaIDGUID of the user object class.
ace.InheritedObjectType = "{bf967aba-0de6-11d0-a285-00aa003049e2}"

' Propagate the ACE down.
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE

' Provide an option that notifies that the objectType is filled.
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT or ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

' Show the beneficiary of this ACE.
ace.Trustee = "adtsfbbd3\test123"
acl.AddAce ace

sec.DiscretionaryAcl = acl
ou.Put "ntSecurityDescriptor", Array(sec)
' Use SetInfo to commit the data to Active Directory.
ou.SetInfo
If Err.number<>0 Then
MsgBox "Delegation nicht eingerichtet.",48
Wscript.Quit
End If

' Release the objects.
Set ace = Nothing
Set acl = Nothing
Set sec = Nothing
MsgBox "Delegation von LockOutTime der Gruppe " & strGroup & " durchgefuehrt."

So why does this work under VB but not under C#? What am I doing
wrong??
Thank you all very much!

Regards Sebastian
Nov 15 '05 #1
1 Reply


On 2 Sep 2003 01:28:51 -0700, se*************@dregis.com (Sebastian
Sosna) wrote:
' Show the beneficiary of this ACE.
ace.Trustee = "adtsfbbd3\test123"
acl.AddAce ace


Try to alter the Trustee to @"adtsfddb3\test123"; <= Place a '@' before
the string.
C# uses \ for escape characters in strings...:
\t = tab
\n = newline
...
Usage of @ in front of the string (like this: @"my\nstring") will
disable escape chars for that string (the result here will be
'my\nstring' instead of - for VB: "my" & vbCrLf & "string")

That might be it...
--
NULL

Nov 15 '05 #2
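
Because the question reports that the write raises "no error, no exception", a read-back check of the stored DACL shows whether the object ACE really carries both GUIDs and both property rights. The following is an added example, not code from the thread: it uses the .NET `System.Security.AccessControl` types (Windows only), the class and method names are hypothetical, and the SID and SDDL strings are constructed samples. Against a live directory the descriptor would instead be built from the container's ntSecurityDescriptor bytes.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class LockoutAceCheck   // hypothetical helper, not from the thread
{
    // GUIDs as given in the thread: lockoutTime attribute and the user class.
    static readonly Guid LockoutTime = new Guid("28630ebf-41d5-11d1-a9c1-0000f80367c1");
    static readonly Guid UserClass   = new Guid("bf967aba-0de6-11d0-a285-00aa003049e2");
    // Values of ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP.
    const int ReadProp = 0x10, WriteProp = 0x20;

    // True when the DACL holds an allow object ACE for the trustee that
    // carries both GUIDs and both property rights.
    public static bool HasLockoutDelegation(RawSecurityDescriptor sd, SecurityIdentifier trustee)
    {
        if (sd.DiscretionaryAcl == null) return false;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            ObjectAce oa = ace as ObjectAce;
            if (oa == null || oa.AceQualifier != AceQualifier.AccessAllowed) continue;
            if (!oa.SecurityIdentifier.Equals(trustee)) continue;
            ObjectAceFlags both = ObjectAceFlags.ObjectAceTypePresent |
                                  ObjectAceFlags.InheritedObjectAceTypePresent;
            if ((oa.ObjectAceFlags & both) != both) continue;   // a GUID was dropped
            if (oa.ObjectAceType != LockoutTime) continue;
            if (oa.InheritedObjectAceType != UserClass) continue;
            int wanted = ReadProp | WriteProp;
            if ((oa.AccessMask & wanted) == wanted) return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample data: the SID and both SDDL strings are invented.
        var sid = new SecurityIdentifier("S-1-5-21-1000-2000-3000-1105");
        string scoped = "D:(OA;CI;RPWP;28630ebf-41d5-11d1-a9c1-0000f80367c1;" +
                        "bf967aba-0de6-11d0-a285-00aa003049e2;" + sid.Value + ")";
        // Same rights without GUIDs: the ACE is not limited to lockoutTime.
        string unscoped = "D:(A;CI;RPWP;;;" + sid.Value + ")";
        Console.WriteLine(HasLockoutDelegation(new RawSecurityDescriptor(scoped), sid));
        Console.WriteLine(HasLockoutDelegation(new RawSecurityDescriptor(unscoped), sid));
    }
}
```

The second sample is the case worth catching in a review: an ACE that grants read and write property with no object GUID applies to every property rather than to lockoutTime alone.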
