I have posted this to exchange2000.development and server.scripting without
success. Forgive me if I'm being pushy but I have a deadline rushing at
me(like I'm the only one!).

This doesn't seem to me to be an overly difficult question though I admit
that I cannot figure it out. The fact that it can be done manually with the
ADUC makes me believe that it is scriptable.

********************************************************

I need to give users the ability to update specific properties on AD objects
but am having trouble retrieving security descriptors on individual AD
object attributes.

I am using ADSI (of course) and ADsSecurity.dll to do this. My best attempt
thus far (which failed with a "catastrophic failure") is below.

A pointer would be greatly appreciated.

thanks,
bob

---------------------------------------------
Public Sub grant ( ByVal iadObj As IADs, _
ByVal dnTrustee As String, _
ByVal strAttribute as String )

Dim sd As IADsSecurityDescriptor
Dim dacl As IADsAccessControlList
Dim ace As AccessControlEntry

Dim propList As IADsPropertyList
Dim propEntry As IADsPropertyEntry

' create new ace
Set ace = New AccessControlEntry
With ace
.AceType = ADS_ACETYPE_ACCESS_ALLOWED
.Trustee = dnTrustee
.AccessMask = ADS_RIGHT_GENERIC_WRITE
End With

' retrieve the attribute object
Set propList = iadObj
propList.GetInfo
Set propEntry = propList.GetPropertyItem ( _
strAttribute, _
ADSTYPE_CASE_IGNORE_STRING )

' set the acl on that property
Set sd = ADsSecure.GetSecurityDescriptor(propEntry) ' BOOM!!!
Set dacl = sd.DiscretionaryAcl
dacl.AddAce ace
Set sd.DiscretionaryAcl = dacl
ADsSecure.SetSecurityDescriptor sd

End Sub
---------------------------------------------

Hello bob, do you have the error code that it fails with?

that might help us out further

tx

Jeromy Statia [MSFT]

"Bob Weiner" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have posted this to exchange2000.development and server.scripting
without
> success. Forgive me if I'm being pushy but I have a deadline rushing at
> me(like I'm the only one!).
>
> This doesn't seem to me to be an overly difficult question though I admit
> that I cannot figure it out. The fact that it can be done manually with
the
> ADUC makes me believe that it is scriptable.
>
> ********************************************************
>
> I need to give users the ability to update specific properties on AD
objects
> but am having trouble retrieving security descriptors on individual AD
> object attributes.
>
> I am using ADSI (of course) and ADsSecurity.dll to do this. My best
attempt
> thus far (which failed with a "catastrophic failure") is below.
>
> A pointer would be greatly appreciated.
>
> thanks,
> bob
>
> ---------------------------------------------
> Public Sub grant ( ByVal iadObj As IADs, _
> ByVal dnTrustee As String, _
> ByVal strAttribute as String )
>
> Dim sd As IADsSecurityDescriptor
> Dim dacl As IADsAccessControlList
> Dim ace As AccessControlEntry
>
> Dim propList As IADsPropertyList
> Dim propEntry As IADsPropertyEntry
>
> ' create new ace
> Set ace = New AccessControlEntry
> With ace
> .AceType = ADS_ACETYPE_ACCESS_ALLOWED
> .Trustee = dnTrustee
> .AccessMask = ADS_RIGHT_GENERIC_WRITE
> End With
>
> ' retrieve the attribute object
> Set propList = iadObj
> propList.GetInfo
> Set propEntry = propList.GetPropertyItem ( _
> strAttribute, _
> ADSTYPE_CASE_IGNORE_STRING )
>
> ' set the acl on that property
> Set sd = ADsSecure.GetSecurityDescriptor(propEntry) ' BOOM!!!
> Set dacl = sd.DiscretionaryAcl
> dacl.AddAce ace
> Set sd.DiscretionaryAcl = dacl
> ADsSecure.SetSecurityDescriptor sd
>
> End Sub
> ---------------------------------------------
>
>
>
>
>

Does this mean it should be working? Am I at least on the right track?

The "Boom!!!" line is terminating with Runtime Error 430, "Class does not
support automation or does not support expected interface." Can you get a
security descriptor on an IADsPropertyEntry object? I didn't see that in
the documentation, it just seemed like a reasonable thing to try.

The problem is actually worse. After getting the runtime error, if I chose
to debug, Visual Studio crashes with the Application error:
*** The instruction at "0x773be416" referenced memory at "0x000000019".
The memory could not be "read". ***
I have also seen a different intstruction address which failed trying to
write.

I am working with VS 6.0. The program I am using tonight is not fully
patched so I will apply sp5 and try again. This may correct the VS problem
though I doubt it will help my code.

thanks,
bob


"Jeromy Statia [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello bob, do you have the error code that it fails with?
>
> that might help us out further
>
> tx
>
> Jeromy Statia [MSFT]
>
> "Bob Weiner" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I have posted this to exchange2000.development and server.scripting
> without
> > success. Forgive me if I'm being pushy but I have a deadline rushing at
> > me(like I'm the only one!).
> >
> > This doesn't seem to me to be an overly difficult question though I
admit
> > that I cannot figure it out. The fact that it can be done manually with
> the
> > ADUC makes me believe that it is scriptable.
> >
> > ********************************************************
> >
> > I need to give users the ability to update specific properties on AD
> objects
> > but am having trouble retrieving security descriptors on individual AD
> > object attributes.
> >
> > I am using ADSI (of course) and ADsSecurity.dll to do this. My best
> attempt
> > thus far (which failed with a "catastrophic failure") is below.
> >
> > A pointer would be greatly appreciated.
> >
> > thanks,
> > bob
> >
> > ---------------------------------------------
> > Public Sub grant ( ByVal iadObj As IADs, _
> > ByVal dnTrustee As String, _
> > ByVal strAttribute as String )
> >
> > Dim sd As IADsSecurityDescriptor
> > Dim dacl As IADsAccessControlList
> > Dim ace As AccessControlEntry
> >
> > Dim propList As IADsPropertyList
> > Dim propEntry As IADsPropertyEntry
> >
> > ' create new ace
> > Set ace = New AccessControlEntry
> > With ace
> > .AceType = ADS_ACETYPE_ACCESS_ALLOWED
> > .Trustee = dnTrustee
> > .AccessMask = ADS_RIGHT_GENERIC_WRITE
> > End With
> >
> > ' retrieve the attribute object
> > Set propList = iadObj
> > propList.GetInfo
> > Set propEntry = propList.GetPropertyItem ( _
> > strAttribute, _
> > ADSTYPE_CASE_IGNORE_STRING )
> >
> > ' set the acl on that property
> > Set sd = ADsSecure.GetSecurityDescriptor(propEntry) ' BOOM!!!
> > Set dacl = sd.DiscretionaryAcl
> > dacl.AddAce ace
> > Set sd.DiscretionaryAcl = dacl
> > ADsSecure.SetSecurityDescriptor sd
> >
> > End Sub
> > ---------------------------------------------
> >
> >
> >
> >
> >
>
>

FYI: VS6 SP5 still crashes at the same line with the same application
error.

I'm not concerned with the VS problem; hopefully, I'll be moving on to
VS.Net after this project is off my desk.

bob



"Jeromy Statia [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello bob, do you have the error code that it fails with?
>
> that might help us out further
>
> tx
>
> Jeromy Statia [MSFT]
>
> "Bob Weiner" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I have posted this to exchange2000.development and server.scripting
> without
> > success. Forgive me if I'm being pushy but I have a deadline rushing at
> > me(like I'm the only one!).
> >
> > This doesn't seem to me to be an overly difficult question though I
admit
> > that I cannot figure it out. The fact that it can be done manually with
> the
> > ADUC makes me believe that it is scriptable.
> >
> > ********************************************************
> >
> > I need to give users the ability to update specific properties on AD
> objects
> > but am having trouble retrieving security descriptors on individual AD
> > object attributes.
> >
> > I am using ADSI (of course) and ADsSecurity.dll to do this. My best
> attempt
> > thus far (which failed with a "catastrophic failure") is below.
> >
> > A pointer would be greatly appreciated.
> >
> > thanks,
> > bob
> >
> > ---------------------------------------------
> > Public Sub grant ( ByVal iadObj As IADs, _
> > ByVal dnTrustee As String, _
> > ByVal strAttribute as String )
> >
> > Dim sd As IADsSecurityDescriptor
> > Dim dacl As IADsAccessControlList
> > Dim ace As AccessControlEntry
> >
> > Dim propList As IADsPropertyList
> > Dim propEntry As IADsPropertyEntry
> >
> > ' create new ace
> > Set ace = New AccessControlEntry
> > With ace
> > .AceType = ADS_ACETYPE_ACCESS_ALLOWED
> > .Trustee = dnTrustee
> > .AccessMask = ADS_RIGHT_GENERIC_WRITE
> > End With
> >
> > ' retrieve the attribute object
> > Set propList = iadObj
> > propList.GetInfo
> > Set propEntry = propList.GetPropertyItem ( _
> > strAttribute, _
> > ADSTYPE_CASE_IGNORE_STRING )
> >
> > ' set the acl on that property
> > Set sd = ADsSecure.GetSecurityDescriptor(propEntry) ' BOOM!!!
> > Set dacl = sd.DiscretionaryAcl
> > dacl.AddAce ace
> > Set sd.DiscretionaryAcl = dacl
> > ADsSecure.SetSecurityDescriptor sd
> >
> > End Sub
> > ---------------------------------------------
> >
> >
> >
> >
> >
>
>