I've really hit a wall with this one. I can modify the ntsecuritydescriptor and add entries, but cannot remove any. I'm also having the same issue with the msExchMailboxSecurityDescriptor. I'm using VB.Net 2008.

Using the following 2 pages I've been able to add and set up my security rights, but I cannot get the removeace function to work.
http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx
http://support.microsoft.com/kb/310866

Here is a sample of the code I'm using; it fails on dacl.RemoveAce(ace):
Dim objUser As ActiveDs.IADsUser
Dim objdomain
Dim objdc
Dim objLDAP As String
Dim oSecurityDescriptor As New ActiveDs.SecurityDescriptor
Dim dacl As New ActiveDs.AccessControlList
Dim ace As New ActiveDs.AccessControlEntry
Dim objConnection As ADODB.Connection
Dim objCommand As ADODB.Command
Dim objRecordSet As ADOR.Recordset
objCommand.CommandText = objLDAP & "(cn=" & txtUser.Text & ");displayName,adspath,cn;subtree"
objRecordSet = objCommand.Execute
objUser = GetObject(objRecordSet.Fields("adspath").Value)
ace = CreateObject("AccessControlEntry")
oSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
dacl = oSecurityDescriptor.DiscretionaryAcl
ace.Trustee = strTrustee
ace.AceFlags = 0
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
dacl.RemoveAce(ace)
oSecurityDescriptor.DiscretionaryAcl = dacl
objUser.Put("ntSecurityDescriptor", oSecurityDescriptor)
objUser.SetInfo()
I've tried not referencing the ace.trustee and acetypes etc.; it still always fails on dacl.RemoveAce(ace).

I know it is reading the ntsecuritydescriptor just fine, as I am able to do a For Each ace in dacl and list out all of the trustees.

Any help would be greatly appreciated. My ultimate goal is that I will be using this to update ownership of an AD User or Group account, but I've hit a wall not being able to remove an entry.
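
An added example, not part of the original post: it follows the pattern in Microsoft's IADsAccessControlList.RemoveAce documentation, where the ACE handed to RemoveAce is one obtained by enumerating the DACL rather than a newly created AccessControlEntry. The module and function names, and the adsPath and strTrustee arguments, are assumptions for illustration; it needs the same ActiveDs interop reference the post uses.

```vbnet
Imports System.Collections.Generic
Imports ActiveDs

Module RemoveAceExample
    ' Value of ADS_ACEFLAG_INHERITED_ACE. Inherited ACEs come from the parent
    ' container, so they are skipped here and must be changed on the parent.
    Private Const INHERITED_ACE As Integer = &H10

    ' Removes every explicit ACE whose trustee matches strTrustee from the
    ' object's DACL and returns how many were removed.
    ' adsPath and strTrustee are caller-supplied (hypothetical inputs).
    Function RemoveTrusteeAces(ByVal adsPath As String, ByVal strTrustee As String) As Integer
        Dim objUser As IADs = CType(GetObject(adsPath), IADs)
        Dim sd As IADsSecurityDescriptor = _
            CType(objUser.Get("ntSecurityDescriptor"), IADsSecurityDescriptor)
        Dim dacl As IADsAccessControlList = _
            CType(sd.DiscretionaryAcl, IADsAccessControlList)

        ' Collect the matching ACEs first so the ACL is not modified
        ' while it is being enumerated.
        Dim matches As New List(Of IADsAccessControlEntry)
        For Each ace As IADsAccessControlEntry In dacl
            Dim isInherited As Boolean = (ace.AceFlags And INHERITED_ACE) <> 0
            If Not isInherited AndAlso _
               String.Equals(ace.Trustee, strTrustee, StringComparison.OrdinalIgnoreCase) Then
                matches.Add(ace)
            End If
        Next

        ' Pass the enumerated ACE objects themselves to RemoveAce.
        For Each ace As IADsAccessControlEntry In matches
            dacl.RemoveAce(ace)
        Next

        ' Write the descriptor back only if something changed.
        If matches.Count > 0 Then
            sd.DiscretionaryAcl = dacl
            objUser.Put("ntSecurityDescriptor", sd)
            objUser.SetInfo()
        End If
        Return matches.Count
    End Function
End Module
```

A return value of 0 means no explicit ACE for that trustee was found, which separates "nothing to remove" from a failed write.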

