*Repost* - Accidentally posted as a reply instead of new after marking an issue fixed

Now that my issue is solved for ntsecuritydescriptor, I'm having the same issue with Exchange.

So I know how to create ACE entries for when a mailbox is first created, you use objuser.Get("m***chsecuritydescriptor")

KB310866 says that you have to dim objuser as Activeds.IADsUser and use objuser.MailboxRights on a mailbox that already exists in the Exchange store.

However, when I do that I keep getting an error "Public member 'MailboxRights' on type '_ComObject' not found"

If I dim a variable to CDOEXM.IExchangeMailbox I get the .MailboxRights property but I cannot do anything with it.

Any help on what code to use in VB.NET 2008?

Thanks again

"Richard Mueller [MVP]" wrote:
> When I remove an ACE, I loop through all of the ACE's in the DACL until I
> find the one I'm after, then invoke RemoveAce. In brief I use code similar
> to:
>
> For Each objACE In objDACL
> If (UCase(objACE.Trustee) = "NT AUTHORITY\SELF" _
> Or UCase(objACE.Trustee) = "EVERYONE") _
> And (objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) _
> And (UCase(objACE.objectType) = CHANGE_PASSWORD_GUID) _
> And (objACE.AceFlags = 0) _
> And (objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS) _
> And (objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT) Then
> objDACL.RemoveAce objACE
> End If
> Next
>
> This example removes two similar ACE's for the two trustees. It's probably
> not necessary to test for all of these properties. I assume you are not
> getting an "access denied" error or similar.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "Nevin Booth" <Nevin Booth@[EMAIL PROTECTED]
> wrote in message
> news:B346AE8F-D986-45F5-8BBE-B2F1127B1F28@[EMAIL PROTECTED]
> > I've really hit a wall with this one. I can modify the
> > ntsecuritydescriptor and add entries, but cannot remove any. I'm also
> > having the same issue with the m***chMailboxSecurityDescriptor. I'm
> > using VB.Net 2008
> >
> > Using the following 2 pages I've been able to add and set up my security
> > rights but I cannot get the RemoveAce function to work.
> >
> > http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx
> > http://sup****t.microsoft.com/kb/310866
> >
> > Here is a sample of code I'm using, it fails on dacl.RemoveAce(ace)
> >
> > Dim objUser As ActiveDs.IADsUser
> > Dim objdomain
> > Dim objdc
> > Dim objLDAP As String
> > Dim oSecurityDescriptor As New ActiveDs.SecurityDescriptor
> > Dim dacl As New ActiveDs.AccessControlList
> > Dim ace As New ActiveDs.AccessControlEntry
> > Dim objConnection As ADODB.Connection
> > Dim objCommand As ADODB.Command
> > Dim objRecordSet As ADOR.Recordset
> >
> > objCommand.CommandText = objLDAP & "(cn=" & txtUser.Text & ");displayName,adspath,cn;subtree"
> > objRecordSet = objCommand.Execute
> > objUser = GetObject(objRecordSet.Fields("adspath").Value)
> >
> > ace = CreateObject("AccessControlEntry")
> >
> > oSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
> > dacl = oSecurityDescriptor.DiscretionaryAcl
> > ace.Trustee = strTrustee
> > ace.AceFlags = 0
> > ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
> > dacl.RemoveAce(ace)
> > oSecurityDescriptor.DiscretionaryAcl = dacl
> > objUser.Put("ntSecurityDescriptor", oSecurityDescriptor)
> > objUser.SetInfo()
> >
> > I've tried not referencing the ace.Trustee and AceTypes etc. It still
> > always fails on dacl.RemoveAce(ace).
> > I know it is reading the ntsecuritydescriptor just fine as I am able to
> > do a For Each ace in dacl and list out all of the trustees.
> >
> > Any help would be greatly appreciated, my ultimate goal is that I will be
> > using this to update ownership of an AD User or Group account, but I've
> > hit a wall not being able to remove an entry.
>
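
The loop-and-match removal described in Richard Mueller's reply, written for VB.NET against the ActiveDs interop types used in the question. This is an added example, not code from either poster; the function name, its parameters and the choice to collect matches before removing them are assumptions, and it needs a COM reference to the Active DS Type Library and a reachable directory object.

```vbnet
Imports System
Imports System.Collections.Generic
Imports ActiveDs   ' COM reference: Active DS Type Library

Module RemoveAceExample
    ' Hypothetical helper: removes every ACE in the object's DACL whose
    ' trustee and ACE type match, and returns how many were removed.
    ' Assumption: trusteeName is given in the same form the DACL reports it
    ' (list the trustees with a For Each first to see that form).
    Function RemoveMatchingAces(ByVal adsPath As String, _
                                ByVal trusteeName As String, _
                                ByVal aceType As Integer) As Integer
        Dim obj As IADs = CType(GetObject(adsPath), IADs)
        Dim sd As IADsSecurityDescriptor = _
            CType(obj.Get("ntSecurityDescriptor"), IADsSecurityDescriptor)
        Dim dacl As IADsAccessControlList = _
            CType(sd.DiscretionaryAcl, IADsAccessControlList)

        ' Pick out the ACE objects that are already in the DACL instead of
        ' building a new AccessControlEntry to pass to RemoveAce.
        ' Collecting first is a precaution so the list is not changed
        ' while it is being enumerated.
        Dim matches As New List(Of IADsAccessControlEntry)
        For Each ace As IADsAccessControlEntry In dacl
            If String.Equals(ace.Trustee, trusteeName, _
                             StringComparison.OrdinalIgnoreCase) _
               AndAlso ace.AceType = aceType Then
                matches.Add(ace)
            End If
        Next

        For Each ace As IADsAccessControlEntry In matches
            dacl.RemoveAce(ace)
        Next

        ' Write back only when something changed.
        If matches.Count > 0 Then
            sd.DiscretionaryAcl = dacl
            obj.Put("ntSecurityDescriptor", sd)
            obj.SetInfo()
        End If
        Return matches.Count
    End Function
End Module
```

A return value of 0 means no ACE matched, which distinguishes a trustee or type mismatch from a failure inside RemoveAce or SetInfo.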