
Modifying Active Directory Object Permissions


JahDW

IS-IT--Management
May 22, 2003
31
US
Hai2u! Wasn't sure whether to post this here or in the Windows 2000 server thread, but here goes:

I have an ASP.NET (VB.NET) web app that does various things related to file share administration... blah blah blah.

One of the things this tool does is create AD groups and add groups and users as members of the newly created groups. This is all fine and dandy until I actually need to modify the permissions (Security tab) of the AD object (group) that I just created. I want to give one AD group read, write, etc. permissions on another AD group.

This does not seem to be an easy task based on my incessant googling.

I've come across this:
...along with a few other drawn-out methods of modifying ACLs, ACEs, DACLs, security descriptors, etc.

My feeling is that there must be an easier way to do this, and I'm hoping one of you knows it.

I read somewhere that MSFT hadn't created an API/connector/whatever for this in the .NET 1.1 Framework... but is it now accessible in 2.0?

ANY info would be greatly appreciated.

-Dan
 
Here's some working code I stole and converted to VB.NET. It seems to work for setting some permissions for child objects, users, groups, etc... but I haven't been able to set permissions on "this object only"... All of the ones I create fall into the advanced, more granular permissions of the object. Again, any help would be awesome.

Imports System.DirectoryServices
Imports ActiveDs

Const ACL_REVISION_DS As Integer = &H4

' Adds one ACE to the DACL of the object at objectDN through the ADSI (ActiveDs) COM interop.
' accessrights / accesstype / aceinheritflags take the ADS_RIGHT_*, ADS_ACETYPE_* and
' ADS_ACEFLAG_* values; objectGUID / inheritedObjectGUID are optional "{...}" GUID strings.
' username / password are the credentials used to bind to the directory.
Public Function SetRight(ByVal objectDN As String, _
    ByVal accessrights As Integer, _
    ByVal accesstype As Integer, _
    ByVal aceinheritflags As Integer, _
    ByVal objectGUID As String, _
    ByVal inheritedObjectGUID As String, _
    ByVal trustee As String, _
    ByVal username As String, _
    ByVal password As String) As Boolean

    Dim sd As IADsSecurityDescriptor
    Dim dacl As IADsAccessControlList
    Dim newace As New AccessControlEntry()
    Dim lflags As Integer = 0

    Try
        ' Bind to the specified object; NativeObject exposes the underlying ADSI IADs interface.
        Dim entry As New DirectoryEntry(objectDN, username, password)
        Dim dsObject As IADs = CType(entry.NativeObject, IADs)

        ' Read the security descriptor on the object.
        sd = CType(dsObject.Get("ntSecurityDescriptor"), IADsSecurityDescriptor)

        ' Get the DACL from the security descriptor.
        dacl = CType(sd.DiscretionaryAcl, IADsAccessControlList)

        ' Set the properties of the new ACE.
        newace.AccessMask = accessrights
        newace.AceType = accesstype
        newace.AceFlags = aceinheritflags   ' 0 = this object only; ADS_ACEFLAG_INHERIT_ACE (&H2) = descendants as well
        newace.Trustee = trustee

        ' Set the GUID for the object type (property / extended right) or inherited object type (class).
        If Not String.IsNullOrEmpty(objectGUID) Then
            newace.ObjectType = objectGUID
            lflags = lflags Or &H1 ' ADS_FLAG_OBJECT_TYPE_PRESENT
        End If

        If Not String.IsNullOrEmpty(inheritedObjectGUID) Then
            newace.InheritedObjectType = inheritedObjectGUID
            lflags = lflags Or &H2 ' ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
        End If

        If lflags <> 0 Then newace.Flags = lflags

        ' Set the ACL revision (ACL_REVISION_DS is required for object-specific ACEs).
        dacl.AclRevision = ACL_REVISION_DS

        ' Add the ACE to the DACL and put the DACL back into the security descriptor.
        dacl.AddAce(newace)
        sd.DiscretionaryAcl = dacl

        ' Apply it to the object.
        dsObject.Put("ntSecurityDescriptor", sd)
        dsObject.SetInfo()

        Return True
    Catch ex As Exception
        Response.Write(ex.ToString())
        Return False
    End Try
End Function
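
The managed .NET 2.0 route for the same task, as an added example that is not code from the original post: System.DirectoryServices exposes the object's security descriptor as ActiveDirectorySecurity, and an ActiveDirectoryAccessRule replaces the raw ACE type, flag and GUID arithmetic of the ActiveDs version above. ActiveDirectorySecurityInheritance.None is the "This object only" case. The LDAP paths, the CORP\ShareAdmins trustee and the service-account credentials in Demo() are hypothetical and must be adjusted for the target domain.

```vbnet
' Added example, not from the original post: managed System.DirectoryServices API (.NET 2.0)
' for adding an explicit ACE to an AD object's DACL and reading the result back.
' Assumptions (hypothetical): LDAP paths, the CORP\ShareAdmins trustee and the bind account.
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.Security.AccessControl
Imports System.Security.Principal

Public Module AdGroupAcl

    ' schemaIDGUID of the "member" attribute. Scoping WriteProperty to it lets the trustee
    ' manage membership without being able to write every other attribute of the group.
    Public ReadOnly MemberAttributeGuid As New Guid("bf9679c0-0de6-11d0-a285-00aa003049e2")

    ' Adds an explicit Allow ACE for trustee on the object at ldapPath.
    ' objectType = Guid.Empty gives an ACE over the whole object; an attribute or
    ' extended-right GUID gives a property-specific ACE (visible only under Advanced).
    ' inheritance: None = "This object only", All = object + descendants,
    '              Descendents = descendants only (does not apply to the object itself).
    ' Returns False and changes nothing if an equivalent explicit ACE is already present,
    ' so a provisioning tool can be re-run without stacking duplicate entries.
    Public Function GrantRights(ByVal ldapPath As String, ByVal trustee As String, _
                                ByVal rights As ActiveDirectoryRights, _
                                ByVal objectType As Guid, _
                                ByVal inheritance As ActiveDirectorySecurityInheritance, _
                                ByVal bindUser As String, ByVal bindPassword As String) As Boolean
        Using entry As New DirectoryEntry(ldapPath, bindUser, bindPassword, _
                                          AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
            Dim sd As ActiveDirectorySecurity = entry.ObjectSecurity
            Dim identity As New NTAccount(trustee)

            ' Explicit ACEs only (includeInherited = False), resolved to DOMAIN\name accounts.
            For Each r As AuthorizationRule In sd.GetAccessRules(True, False, GetType(NTAccount))
                Dim existing As ActiveDirectoryAccessRule = DirectCast(r, ActiveDirectoryAccessRule)
                If existing.IdentityReference.Equals(identity) _
                   AndAlso existing.AccessControlType = AccessControlType.Allow _
                   AndAlso existing.InheritanceType = inheritance _
                   AndAlso existing.ObjectType.Equals(objectType) _
                   AndAlso (existing.ActiveDirectoryRights And rights) = rights Then
                    Return False
                End If
            Next

            Dim rule As ActiveDirectoryAccessRule
            If objectType.Equals(Guid.Empty) Then
                rule = New ActiveDirectoryAccessRule(identity, rights, AccessControlType.Allow, inheritance)
            Else
                rule = New ActiveDirectoryAccessRule(identity, rights, AccessControlType.Allow, objectType, inheritance)
            End If

            sd.AddAccessRule(rule)
            entry.CommitChanges()   ' writes the modified ntSecurityDescriptor back to the DC
            Return True
        End Using
    End Function

    ' Returns the explicit (non-inherited) ACEs on the object, one line each, so the
    ' effect of GrantRights can be checked against what the Security tab shows.
    Public Function ListExplicitRules(ByVal ldapPath As String, _
                                      ByVal bindUser As String, ByVal bindPassword As String) As List(Of String)
        Dim lines As New List(Of String)()
        Using entry As New DirectoryEntry(ldapPath, bindUser, bindPassword, _
                                          AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
            For Each r As AuthorizationRule In entry.ObjectSecurity.GetAccessRules(True, False, GetType(NTAccount))
                Dim ace As ActiveDirectoryAccessRule = DirectCast(r, ActiveDirectoryAccessRule)
                lines.Add(String.Format("{0}: {1} {2} [{3}] objectType={4}", _
                                        ace.IdentityReference.Value, ace.AccessControlType, _
                                        ace.ActiveDirectoryRights, ace.InheritanceType, ace.ObjectType))
            Next
        End Using
        Return lines
    End Function

    Public Sub Demo()
        ' Hypothetical values: adjust to your domain.
        Const groupPath As String = "LDAP://CN=FS-Finance-RW,OU=Groups,DC=corp,DC=example"
        Const svcUser As String = "CORP\svc-shareadmin"
        Dim svcPassword As String = Environment.GetEnvironmentVariable("SHAREADMIN_PWD")

        ' Plain Read on this object only: shows as a simple "Read" allow on the Security tab.
        GrantRights(groupPath, "CORP\ShareAdmins", ActiveDirectoryRights.GenericRead, _
                    Guid.Empty, ActiveDirectorySecurityInheritance.None, svcUser, svcPassword)

        ' Membership management only: WriteProperty scoped to the member attribute.
        GrantRights(groupPath, "CORP\ShareAdmins", ActiveDirectoryRights.WriteProperty, _
                    MemberAttributeGuid, ActiveDirectorySecurityInheritance.None, svcUser, svcPassword)

        For Each line As String In ListExplicitRules(groupPath, svcUser, svcPassword)
            Console.WriteLine(line)
        Next
    End Sub
End Module
```

Two caveats a practitioner will want. First, the Security tab's basic view only shows ACEs with no object-type GUID and default inheritance; anything carrying an attribute GUID or an inheritance scope is listed only under Advanced, which matches the behaviour described in the post. Second, rights are broader than their names suggest: WriteProperty over the whole group object includes the member attribute, so the trustee can add itself or others to the group, and WriteDacl, WriteOwner or GenericAll hand the trustee effective control of the object. Grant the narrowest right that does the job, scope it with a GUID where possible, and read the DACL back after each change.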

 