Chapter 25. Permissions and Auditing
Security descriptors (SDs), access control lists (ACLs), and access control entries (ACEs) have been used for files and directories on NTFS filesystems for years. The same concepts apply to securing Active Directory objects as well. While the information in this chapter is focused on Active Directory, the principles of creating a SD that contains a discretionary access control list (DACL) and system access control list (SACL) can map over to NTFS files and directories.
ADSI provides four main interfaces we can use:
-
IADsAccessControlEntry
Manipulates individual ACEs that represent access or audit permissions for specific users or groups to objects and properties in Active Directory
-
IADsAccessControlList
Manages collections of ACEs for an object
-
IADsSecurityDescriptor
Manages the different sets of ACLs to an object
-
IADsSecurityUtility
Gets, sets, and retrieves security descriptors for an object
All of the ADSI security interfaces can be found in the MSDN Library at http://msdn.microsoft.com/en-us/library/aa746481.aspx.
Warning
If you haven’t read Chapter 13 in its entirety, you may find this chapter a little confusing.
How to Create an ACE Using ADSI
Microsoft has a habit of calling a shovel a ground insertion earth management device (GIEMD for short); that is, they like to give names that are not always intuitive to the average person. The contents of the five properties of the ACE object are not all immediately obvious from the names. In addition, ...
Get Active Directory, 4th Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.