Why use ADSI for this when .NET as of 2.0 has native support for ACLs,
including in AD?
The perf hit comes from when ADSI attempts to translate the SIDs in the SD
into friendly names, which sometimes causes timeouts.
In .NET, the architecture is more flexible and no SIDs are translated unless
you specifically ask to have them translated.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Philipp Foeckeler" <philipp.foeckeler@[EMAIL PROTECTED]> wrote in message
news:%23WCfYM55IHA.1204@[EMAIL PROTECTED]
> Hi, here is my problem:
>
> I'm using VB.NET 2005 and I'm trying to decode an ntSecurityDescriptor for
> AD objects in a foreign untrusted domain. To achieve this, I get the raw
> octet data for this attribute from an object with ADSI-LDAP and convert it
> to an IADsSecurityDescriptor with the IADsSecurityUtility interface:
>
> Dim sUtil As New ADsSecurityUtility()
> Dim sd As ActiveDs.SecurityDescriptor
> Dim rawData As Byte() ' I fill this with the LDAP data from the ntSecurityDescriptor attribute
> ...
> sd = sUtil.ConvertSecurityDescriptor(rawData, _
>     ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW, _
>     ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID)
>
> The output security descriptor object is filled correctly after this, BUT
> sometimes this is REALLY SLOW (10 sec...), far too slow for checking many
> DACLs in the directory. Maybe this is because the
> ConvertSecurityDescriptor method tries to resolve the SIDs in the security
> descriptor to friendly names and cannot because these are SIDs from a
> foreign untrusted domain? How can I speed this up? Is there any other
> possibility to decode the raw data or is there any documentation of the
> data structure of an ntSecurityDescriptor so that I could decode this by
> myself without SID-account-resolving???
>
> Thank you a lot for hints,
> Philipp
>
>
>
>
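
Added example, not code from either poster: a Python sketch that decodes the DACL of a raw ntSecurityDescriptor value by hand, following the self-relative SECURITY_DESCRIPTOR, ACL, ACE and SID layouts documented in MS-DTYP, and leaves every trustee as an S-1-... string so no name lookup is ever attempted. The function names, the dictionary keys and the sample descriptor built by `build_sample` are assumptions made for this illustration.

```python
import struct
import uuid

ACE_TYPES = {0: "ALLOW", 1: "DENY", 5: "ALLOW_OBJECT", 6: "DENY_OBJECT"}

def parse_sid(buf, off):
    """Return the SID at buf[off:] as an S-1-... string; no name lookup is done."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 6 bytes, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # little-endian RIDs
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Decode the DACL of a self-relative descriptor; None means absent or NULL DACL."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:  # SE_SELF_RELATIVE must be set
        raise ValueError("not a revision-1 self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT clear, or NULL DACL
        return None
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    if dacl_off + acl_size > len(sd):
        raise ValueError("ACL runs past end of buffer")
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8 or off + ace_size > dacl_off + acl_size:
            raise ValueError("bad ACE size")
        ace = {"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags}
        if ace_type in ACE_TYPES:  # other ACE types are listed but not decoded
            ace["mask"] = struct.unpack_from("<I", sd, off + 4)[0]
            pos = off + 8
            if ace_type in (5, 6):  # object ACE: flags word, then optional GUIDs
                obj_flags = struct.unpack_from("<I", sd, pos)[0]
                pos += 4
                for bit, key in ((1, "object_type"), (2, "inherited_object_type")):
                    if obj_flags & bit:
                        ace[key] = str(uuid.UUID(bytes_le=bytes(sd[pos:pos + 16])))
                        pos += 16
            ace["sid"] = parse_sid(sd, pos)
        aces.append(ace)
        off += ace_size
    return aces

def build_sample():  # constructed sample input, not real directory data
    sid = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1111, 2222, 3333, 1105)
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
    ace1 = struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x000F01FF) + sid
    ace2 = struct.pack("<BBHII", 5, 2, 28 + len(sid), 0x100, 1) + guid + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(ace1) + len(ace2), 2, 0) + ace1 + ace2
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl
```

`parse_dacl(build_sample())` returns two entries whose `sid` is `S-1-5-21-1111-2222-3333-1105`. A `None` result should be treated differently from an empty list, since a NULL DACL places no restriction on access while an empty DACL grants none.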

