Justin,

Look here for the APIs that Gil refers to (I just happen to know these because I've been spending WAAAAY too much time in SDDL lately.... Woe is me.... :) )

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/security_descriptor_definition_language.asp

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
"Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
> Sent: Thursday, September 26, 2002 10:40 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] nTSecurityDescriptor and defaultSecurityDescriptor
>
> Justin,
>
> You have to resort to coding again, but I would do the following:
>
> For each class you've extended
>     Read the defaultSecurityDescriptor in SDDL
>     Convert it to a Win32 SD
>     Create an ACE containing the rights you want to grant and the SID of the group
>     Insert the ACE in the appropriate place in the DACL
>     Convert the SD back to SDDL
>     Store the SDDL attribute in the classSchema object
>
> You have to convert the SDDL to an SD and back because the SDDL is not easily manipulatable. There are a host of Win32 calls for fiddling with SDs... They are documented in the Platform SDK docs. There are also some fairly recent additions to ADSI for manipulating SDs from VB, but I haven't used them myself.
>
> -gil
>
> -----Original Message-----
> From: Searles, Justin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 8:16 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] nTSecurityDescriptor and defaultSecurityDescriptor
>
> Thanks Gil,
>
> That makes sense. Do you have any insight into my second question:
>
> "I would like to specify that a Security Group that I have created be added to the defaultSecurityDescriptor for all of the classes I have extended my schema with. How would I go about doing that?"
>
> -Justin
>
> -----Original Message-----
> From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 10:49 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] nTSecurityDescriptor and defaultSecurityDescriptor
>
> Justin,
>
> The defaultSecurityDescriptor attribute is a string encoded in SDDL (Security Descriptor Description Language). The nTSecurityDescriptor attribute is a binary attribute that contains a Win32 SD. LDIF displays binary attributes encoded as they would be in an LDAP protocol transaction, hence the wildly different strings.
>
> To compare them you'll have to write some code... At least I'm not aware of a utility that would do it for you. Probably the easiest is to read the nTSecurityDescriptor as a binary attribute and use the Win32 API call to translate it to SDDL. You should find that they are the same, except that the owner property will be set in the nTSecurityDescriptor.
>
> -gil
>
> -----Original Message-----
> From: Searles, Justin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 7:27 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] nTSecurityDescriptor and defaultSecurityDescriptor
>
> Hi All,
>
> I know that if an nTSecurityDescriptor is not specified when you instantiate an object in AD, its value defaults to the Class's defaultSecurityDescriptor. What I don't understand is the fact that their strings differ when you print them out in LDIF. Here is an example:
>
> defaultSecurityDescriptor (of class MINE-OBJ-New-Class):
> D:P(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPRC;;;WD)
>
> nTSecurityDescriptor (of an object of class type MINE-OBJ-New-Class generated without specifying the nTSecurityDescriptor):
>
> AQAUnHAAAACMAAAAFAAAADAAAAACABwAAQAAAALSFABrAQ0AAQEAAAAAAAEAAA
> AAAgBAAAIAAAAA
> AC
> QA/wEPAAEFAAAAAAAFFQAAAP4mxkiAePUxdbl1VAACAAAAABQAFAACAAEBAAAA
> AAABAAAAAAEFAA
> AA
> AAAFFQAAAP4mxkiAePUxdbl1VAACAAABBQAAAAAABRUAAAD+JsZIgHj1MXW5dVQBAgAA
>
> Can anyone explain why these are represented differently?
>
> On the Topic of SecurityDescriptors... I would like to specify that a Security Group that I have created be added to the defaultSecurityDescriptor for all of the classes I have extended my schema with. How would I go about doing that?
>
> Thanks for your help,
> Justin

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
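The comparison Gil describes, done offline as an added example (this is not code from the thread or from Microsoft): decode the nTSecurityDescriptor bytes Justin posted, render the self-relative SECURITY_DESCRIPTOR as SDDL, and compare its DACL with the posted defaultSecurityDescriptor. It uses only Python's standard library; on Windows the same conversion is what ConvertSecurityDescriptorToStringSecurityDescriptor does. The alias tables are the standard SDDL abbreviations, and only the three plain ACE types (allow, deny, audit) are decoded, so object ACEs are rejected rather than mis-read.

```python
"""Decode an AD nTSecurityDescriptor (self-relative SECURITY_DESCRIPTOR) to SDDL
and compare its DACL with the class's defaultSecurityDescriptor.

Added example, not code from the thread. Standard library only; the values
below are exactly the ones posted in the thread with the mail wrapping removed.
"""
import base64
import struct

NT_SD_B64 = (
    "AQAUnHAAAACMAAAAFAAAADAAAAACABwAAQAAAALSFABrAQ0AAQEAAAAAAAEAAA"
    "AAAgBAAAIAAAAAAC"
    "QA/wEPAAEFAAAAAAAFFQAAAP4mxkiAePUxdbl1VAACAAAAABQAFAACAAEBAAAA"
    "AAABAAAAAAEFAAAA"
    "AAAFFQAAAP4mxkiAePUxdbl1VAACAAABBQAAAAAABRUAAAD+JsZIgHj1MXW5dVQBAgAA"
)
DEFAULT_SD_SDDL = "D:P(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPRC;;;WD)"

# SDDL rights abbreviations in ascending bit order (the order Windows emits them).
RIGHTS = [(0x1, "CC"), (0x2, "DC"), (0x4, "LC"), (0x8, "SW"), (0x10, "RP"),
          (0x20, "WP"), (0x40, "DT"), (0x80, "LO"), (0x100, "CR"),
          (0x10000, "SD"), (0x20000, "RC"), (0x40000, "WD"), (0x80000, "WO")]
ACE_TYPES = {0: "A", 1: "D", 2: "AU"}          # allow, deny, audit
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"),
             (0x10, "ID"), (0x40, "SA"), (0x80, "FA")]
DACL_CTRL = [(0x1000, "P"), (0x0100, "AR"), (0x0400, "AI")]   # SE_DACL_* control bits
SACL_CTRL = [(0x2000, "P"), (0x0200, "AR"), (0x0800, "AI")]   # SE_SACL_* control bits
WELL_KNOWN = {"S-1-1-0": "WD", "S-1-5-18": "SY", "S-1-5-32-544": "BA"}
DOMAIN_RIDS = {512: "DA", 513: "DU", 516: "DD", 519: "EA"}


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; return (string SID, offset past it)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(str(x) for x in ("S", rev, authority) + subs), off + 8 + 4 * count


def sid_alias(sid):
    """Use the SDDL alias where one exists (WD, DA, ...), else the raw S-1-... form."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        if rid in DOMAIN_RIDS:
            return DOMAIN_RIDS[rid]
    return sid


def flags_str(value, table):
    return "".join(name for bit, name in table if value & bit)


def rights_str(mask):
    known = sum(bit for bit, _ in RIGHTS)
    if mask & ~known:                 # generic or unknown bits: fall back to hex
        return "0x%08x" % mask
    return flags_str(mask, RIGHTS)


def parse_acl(buf, off):
    """Decode an ACL into the '(type;flags;rights;;;sid)...' part of SDDL."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type not in ACE_TYPES:
            raise NotImplementedError("ACE type %d (object ACE?) not decoded here" % ace_type)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append("(%s;%s;%s;;;%s)" % (ACE_TYPES[ace_type], flags_str(ace_flags, ACE_FLAGS),
                                         rights_str(mask), sid_alias(sid)))
        pos += ace_size
    return "".join(aces)


def sd_to_sddl(raw):
    """Convert a self-relative security descriptor to SDDL (O:, G:, D:, S: sections)."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", raw, 0)
    if rev != 1 or not control & 0x8000:          # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    out = ""
    if o_owner:
        out += "O:" + sid_alias(parse_sid(raw, o_owner)[0])
    if o_group:
        out += "G:" + sid_alias(parse_sid(raw, o_group)[0])
    if control & 0x0004 and o_dacl:               # SE_DACL_PRESENT
        out += "D:" + flags_str(control, DACL_CTRL) + parse_acl(raw, o_dacl)
    if control & 0x0010 and o_sacl:               # SE_SACL_PRESENT
        out += "S:" + flags_str(control, SACL_CTRL) + parse_acl(raw, o_sacl)
    return out


def dacl_part(sddl):
    """Split the D: section of an SDDL string into (ACL control flags, ACE list)."""
    body = sddl.split("D:", 1)[1].split("S:", 1)[0]
    flags, _, aces = body.partition("(")
    return flags, ("(" + aces) if aces else ""


def compare_with_default(nt_sd_b64=NT_SD_B64, default_sddl=DEFAULT_SD_SDDL):
    """Return (nTSecurityDescriptor rendered as SDDL, True if its DACL ACEs equal the default's)."""
    sddl = sd_to_sddl(base64.b64decode(nt_sd_b64))
    return sddl, dacl_part(sddl)[1] == dacl_part(default_sddl)[1]


if __name__ == "__main__":
    sddl, same = compare_with_default()
    print(sddl)
    print("DACL ACEs match defaultSecurityDescriptor:", same)
```

On the posted values the two DACL ACE lists come out identical; what the directory added on top of the class default is the owner (O:DA), the primary group (G:DU), the AI control flag on the DACL, and an inherited audit ACE in the SACL (S:AI...). So Gil's prediction holds, with the group and SACL as additional differences, and it is why a byte-for-byte comparison of the two attributes can never succeed.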
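The procedure Gil lists for the second question, as an added example that is not from the thread: instead of round-tripping through a Win32 SD (which needs Windows), this parses the D: section of each class's defaultSecurityDescriptor into its ACEs, inserts an explicit allow ACE for the group in canonical order (explicit deny, then explicit allow, then inherited ACEs), and re-serialises, for every extended class in a dictionary. The second class name, the group SID and the rights granted are constructed placeholders; the resulting strings are what you would write back to each classSchema object.

```python
"""Grant a security group rights in the defaultSecurityDescriptor of every
extended class by editing the SDDL text.

Added example, not from the thread. The thread recommends converting to a
Win32 SECURITY_DESCRIPTOR and back; this does the same edit on the SDDL
string, which is workable for the plain, non-object ACEs that class defaults
normally carry. Class names other than MINE-OBJ-New-Class, the group SID and
the rights are constructed placeholders.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample: first entry is the SDDL posted in the thread, the second
# adds an explicit deny so the ordering rule is exercised.
CLASS_DEFAULTS = {
    "MINE-OBJ-New-Class": "D:P(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPRC;;;WD)",
    "MINE-OBJ-Other-Class": "D:(D;;WP;;;WD)(A;;LCRPRC;;;WD)",
}
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # placeholder objectSid


def split_dacl(sddl):
    """Return (text before D:, DACL control flags, [ACE bodies], text from S: on)."""
    head, sep, rest = sddl.partition("D:")
    if not sep:
        raise ValueError("no DACL in SDDL: %r" % sddl)
    cut = rest.find("S:")
    dacl, suffix = (rest, "") if cut < 0 else (rest[:cut], rest[cut:])
    flags = dacl.split("(", 1)[0]
    return head, flags, ACE_RE.findall(dacl), suffix


def join_dacl(head, flags, aces, suffix):
    """Inverse of split_dacl."""
    return head + "D:" + flags + "".join("(%s)" % a for a in aces) + suffix


def ace_rank(ace):
    """Canonical DACL order: explicit deny (0), explicit allow (1), inherited (2)."""
    ace_type, flags = ace.split(";")[:2]
    flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
    if "ID" in flag_set:
        return 2
    return 0 if ace_type == "D" else 1


def insert_ace(aces, new_ace):
    """Insert new_ace after the last ACE of its rank; idempotent; returns a new list."""
    if new_ace in aces:
        return list(aces)
    result = list(aces)
    pos = next((i for i, a in enumerate(result) if ace_rank(a) > ace_rank(new_ace)),
               len(result))
    result.insert(pos, new_ace)
    return result


def grant_group(sddl, group_sid, rights):
    """Return sddl with an explicit allow ACE (rights for group_sid) added to the DACL."""
    head, flags, aces, suffix = split_dacl(sddl)
    new_ace = "A;;%s;;;%s" % (rights, group_sid)
    return join_dacl(head, flags, insert_ace(aces, new_ace), suffix)


def grant_group_everywhere(class_defaults, group_sid, rights):
    """Apply grant_group to each extended class; the values are what you store
    back into each classSchema object's defaultSecurityDescriptor."""
    return {cls: grant_group(sddl, group_sid, rights)
            for cls, sddl in class_defaults.items()}


if __name__ == "__main__":
    # LCRPRC = list children, read property, read control (example choice of rights)
    for cls, sddl in grant_group_everywhere(CLASS_DEFAULTS, GROUP_SID, "LCRPRC").items():
        print(cls, sddl)
```

Because the new ACE is placed by rank rather than appended, a class whose default already carries deny ACEs keeps them ahead of the allows, and running the script twice does not duplicate the grant. Writing the SID rather than an alias is deliberate: custom groups have no SDDL abbreviation.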