Taking Ownership - revisited

[Stephen Engle]

I posted this a few days ago (multiple times due to my mistake) and then had
to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question and if
so, could they repost. Thanks.



I am trying to allow for user account to take ownership of an Active
Directory object. I have assigned the Modify Owner permission to the user
on the AD object - a distribution list in this case. Using Active Directory
Users and Computers, the user can take ownership of the object. But I have
not been able to get the program I am working on to do so. Whenever I try
to write the Security Descriptor back to the object, I get the
E_ACCESSDENIED error. The program code works fine if ran as a domain
administrator. So I am thinking that I do not have a privilege activated
that I need. But I have tried using AdjustTokenPrivilege to grant the
SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME privileges. That does not seem
to have any effect.

Does anyone have an idea about what I am missing?


Thanks.




The test code is as follows:

void CADOwnDlg::OnBnClickedTakeownership()
{
ACL * abdacl;
DWORD abdacllen;
SID * abowner;
DWORD abownerlen;
SID * abpg;
DWORD abpglen;
ACL * absacl;
DWORD absacllen;
SECURITY_DESCRIPTOR * absd;
DWORD absdlen;
IDirectoryObject * adobject;
ADSVALUE adsvalue;
ADS_ATTR_INFO attrinfo;
LPWSTR attrstr;
DWORD buflen;
HRESULT hr;
LUID luid;
DWORD numobjattr;
ADS_ATTR_INFO * objattr;
WCHAR objectpath[256];
HANDLE prochandle;
SECURITY_DESCRIPTOR * sd;
SECURITY_DESCRIPTOR * sdsr;
unsigned char sid[256];
SID * sidnewowner;
HANDLE tokenhandle;
TOKEN_PRIVILEGES tp;

abdacl=NULL;
abdacllen=0;
abowner=NULL;
abownerlen=0;
abpg=NULL;
abpglen=0;
absacl=NULL;
absacllen=0;
absd=NULL;
absdlen=0;
adobject=NULL;
attrstr=L"nTSecurityDescriptor";
buflen=0;
DWORD numattr;
objattr=NULL;
sdsr=NULL;
memset(sid, 0, sizeof(sid));

memcpy(sid, SidVal, SidValSize);

sidnewowner=(SID *)sid;
wcscpy(objectpath, L"LDAP://CN=Test.One,OU=Client Distribution
Lists,OU=Public Distribution Lists,DC=aoins,DC=com");

hr=CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

hr=ADsOpenObject(objectpath, NULL, NULL, ADS_SECURE_AUTHENTICATION,
IID_IDirectoryObject, (void **)&adobject);

hr=adobject->GetObjectAttributes(&attrstr, 1, &objattr, &numobjattr);

sd=(SECURITY_DESCRIPTOR *)objattr->pADsValues->SecurityDescriptor.lpValue;

MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl, &absacllen,
abowner, &abownerlen, abpg, &abpglen);
absd=(SECURITY_DESCRIPTOR *)malloc(absdlen);
abdacl=(ACL *)malloc(abdacllen);
absacl=(ACL *)malloc(absacllen);
abowner=(SID *)malloc(abownerlen);
abpg=(SID *)malloc(abpglen);
MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl,
&absacllen, abowner, &abownerlen, abpg, &abpglen);

SetSecurityDescriptorOwner(absd, sidnewowner, FALSE);

MakeSelfRelativeSD(absd, sdsr, &buflen);
sdsr=(SECURITY_DESCRIPTOR *)malloc(buflen);
MakeSelfRelativeSD(absd, sdsr, &buflen);

prochandle=GetCurrentProcess();

OpenProcessToken(prochandle, TOKEN_ADJUST_PRIVILEGES, &tokenhandle);

LookupPrivilegeValue("DCH1", SE_RESTORE_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

LookupPrivilegeValue("DCH1", SE_TAKE_OWNERSHIP_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

attrinfo.dwADsType=objattr->dwADsType;
attrinfo.dwControlCode=ADS_ATTR_UPDATE;
attrinfo.dwNumValues=1;
attrinfo.pADsValues=&adsvalue;
adsvalue.dwType=objattr->dwADsType;
adsvalue.SecurityDescriptor.lpValue=(LPBYTE)sdsr;
adsvalue.SecurityDescriptor.dwLength=buflen;
attrinfo.pszAttrName=attrstr;
hr=adobject->SetObjectAttributes(&attrinfo, 1, &numattr);

FreeADsMem(objattr);
adobject->Release();
if(abdacl!=NULL) free(abdacl);
if(abowner!=NULL) free(abowner);
if(abpg!=NULL) free(abpg);
if(absacl!=NULL) free(absacl);
if(absd!=NULL) free(absd);
if(sdsr!=NULL) free(sdsr);
CoUninitialize();
}

 

[Herb Martin]

I posted this a few days ago (multiple times due to my mistake) and then
had
to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question and if
so, could they repost. Thanks.

Search Google Groups for your own name or any key words you
posted in the previous messages.

 

[Stephen Engle]

Well, as far as I could tell, no one replied to that original post, so I
would like to let this question stand. I have tried using altered code
using the ADSI interfaces but get the same result. Again though, I know
that the test user id I am using has sufficient rights because the Active
Directory Users & Computers interface is able to take ownership of the
object. I can only assume that I'm missing some step in my program to allow
it to do this but cannot determine what that is. Any suggestions would be
appreciated.


Thanks.

I posted this a few days ago (multiple times due to my mistake) and then
had
to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question and if
so, could they repost. Thanks.

Search Google Groups for your own name or any key words you
posted in the previous messages.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[Joe Richards [MVP]]

You certainly don't need the privilege stuff.

I don't do c++ ADSI but in LDAP API you have to specify a special server control
unless you have manage audit log rights. Check out this control


http://msdn.microsoft.com/library/d.../en-us/ldap/ldap/ldap_server_sd_flags_oid.asp



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

I posted this a few days ago (multiple times due to my mistake) and then had
to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question and if
so, could they repost. Thanks.



I am trying to allow for user account to take ownership of an Active
Directory object. I have assigned the Modify Owner permission to the user
on the AD object - a distribution list in this case. Using Active Directory
Users and Computers, the user can take ownership of the object. But I have
not been able to get the program I am working on to do so. Whenever I try
to write the Security Descriptor back to the object, I get the
E_ACCESSDENIED error. The program code works fine if ran as a domain
administrator. So I am thinking that I do not have a privilege activated
that I need. But I have tried using AdjustTokenPrivilege to grant the
SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME privileges. That does not seem
to have any effect.

Does anyone have an idea about what I am missing?


Thanks.




The test code is as follows:

void CADOwnDlg::OnBnClickedTakeownership()
{
ACL * abdacl;
DWORD abdacllen;
SID * abowner;
DWORD abownerlen;
SID * abpg;
DWORD abpglen;
ACL * absacl;
DWORD absacllen;
SECURITY_DESCRIPTOR * absd;
DWORD absdlen;
IDirectoryObject * adobject;
ADSVALUE adsvalue;
ADS_ATTR_INFO attrinfo;
LPWSTR attrstr;
DWORD buflen;
HRESULT hr;
LUID luid;
DWORD numobjattr;
ADS_ATTR_INFO * objattr;
WCHAR objectpath[256];
HANDLE prochandle;
SECURITY_DESCRIPTOR * sd;
SECURITY_DESCRIPTOR * sdsr;
unsigned char sid[256];
SID * sidnewowner;
HANDLE tokenhandle;
TOKEN_PRIVILEGES tp;

abdacl=NULL;
abdacllen=0;
abowner=NULL;
abownerlen=0;
abpg=NULL;
abpglen=0;
absacl=NULL;
absacllen=0;
absd=NULL;
absdlen=0;
adobject=NULL;
attrstr=L"nTSecurityDescriptor";
buflen=0;
DWORD numattr;
objattr=NULL;
sdsr=NULL;
memset(sid, 0, sizeof(sid));

memcpy(sid, SidVal, SidValSize);

sidnewowner=(SID *)sid;
wcscpy(objectpath, L"LDAP://CN=Test.One,OU=Client Distribution
Lists,OU=Public Distribution Lists,DC=aoins,DC=com");

hr=CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

hr=ADsOpenObject(objectpath, NULL, NULL, ADS_SECURE_AUTHENTICATION,
IID_IDirectoryObject, (void **)&adobject);

hr=adobject->GetObjectAttributes(&attrstr, 1, &objattr, &numobjattr);

sd=(SECURITY_DESCRIPTOR *)objattr->pADsValues->SecurityDescriptor.lpValue;

MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl, &absacllen,
abowner, &abownerlen, abpg, &abpglen);
absd=(SECURITY_DESCRIPTOR *)malloc(absdlen);
abdacl=(ACL *)malloc(abdacllen);
absacl=(ACL *)malloc(absacllen);
abowner=(SID *)malloc(abownerlen);
abpg=(SID *)malloc(abpglen);
MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl,
&absacllen, abowner, &abownerlen, abpg, &abpglen);

SetSecurityDescriptorOwner(absd, sidnewowner, FALSE);

MakeSelfRelativeSD(absd, sdsr, &buflen);
sdsr=(SECURITY_DESCRIPTOR *)malloc(buflen);
MakeSelfRelativeSD(absd, sdsr, &buflen);

prochandle=GetCurrentProcess();

OpenProcessToken(prochandle, TOKEN_ADJUST_PRIVILEGES, &tokenhandle);

LookupPrivilegeValue("DCH1", SE_RESTORE_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

LookupPrivilegeValue("DCH1", SE_TAKE_OWNERSHIP_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

attrinfo.dwADsType=objattr->dwADsType;
attrinfo.dwControlCode=ADS_ATTR_UPDATE;
attrinfo.dwNumValues=1;
attrinfo.pADsValues=&adsvalue;
adsvalue.dwType=objattr->dwADsType;
adsvalue.SecurityDescriptor.lpValue=(LPBYTE)sdsr;
adsvalue.SecurityDescriptor.dwLength=buflen;
attrinfo.pszAttrName=attrstr;
hr=adobject->SetObjectAttributes(&attrinfo, 1, &numattr);

FreeADsMem(objattr);
adobject->Release();
if(abdacl!=NULL) free(abdacl);
if(abowner!=NULL) free(abowner);
if(abpg!=NULL) free(abpg);
if(absacl!=NULL) free(absacl);
if(absd!=NULL) free(absd);
if(sdsr!=NULL) free(sdsr);
CoUninitialize();
}

 

[Herb Martin]

Well, as far as I could tell, no one replied to that original post, so I
would like to let this question stand. I have tried using altered code
using the ADSI interfaces but get the same result. Again though, I know
that the test user id I am using has sufficient rights because the Active
Directory Users & Computers interface is able to take ownership of the
object. I can only assume that I'm missing some step in my program to
allow
it to do this but cannot determine what that is. Any suggestions would be
appreciated.

You might do best to just repost then.

Once a message goes more than about 3 days -- no one knows
(or perhaps no one cares) about the topic.

Asking for a repost would likely have cause THIS post to get
bypassed.

And in general you might be better off asking in a PROGRAMMING
group than in the main AD group which tends to be "admin stuff".

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks.

I posted this a few days ago (multiple times due to my mistake) and then
had
to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question and if
so, could they repost. Thanks.

Search Google Groups for your own name or any key words you
posted in the previous messages.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[Stephen Engle]

Well, that's definitely a different approach. I must say I hope not to have
to do this that way. That'll take some getting used to if I do. But thanks
anyway.

You certainly don't need the privilege stuff.

I don't do c++ ADSI but in LDAP API you have to specify a special server control
unless you have manage audit log rights. Check out this control


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/l
dap_server_sd_flags_oid.asp



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

I posted this a few days ago (multiple times due to my mistake) and then had
to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question and if
so, could they repost. Thanks.



I am trying to allow for user account to take ownership of an Active
Directory object. I have assigned the Modify Owner permission to the user
on the AD object - a distribution list in this case. Using Active Directory
Users and Computers, the user can take ownership of the object. But I have
not been able to get the program I am working on to do so. Whenever I try
to write the Security Descriptor back to the object, I get the
E_ACCESSDENIED error. The program code works fine if ran as a domain
administrator. So I am thinking that I do not have a privilege activated
that I need. But I have tried using AdjustTokenPrivilege to grant the
SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME privileges. That does not seem
to have any effect.

Does anyone have an idea about what I am missing?


Thanks.




The test code is as follows:

void CADOwnDlg::OnBnClickedTakeownership()
{
ACL * abdacl;
DWORD abdacllen;
SID * abowner;
DWORD abownerlen;
SID * abpg;
DWORD abpglen;
ACL * absacl;
DWORD absacllen;
SECURITY_DESCRIPTOR * absd;
DWORD absdlen;
IDirectoryObject * adobject;
ADSVALUE adsvalue;
ADS_ATTR_INFO attrinfo;
LPWSTR attrstr;
DWORD buflen;
HRESULT hr;
LUID luid;
DWORD numobjattr;
ADS_ATTR_INFO * objattr;
WCHAR objectpath[256];
HANDLE prochandle;
SECURITY_DESCRIPTOR * sd;
SECURITY_DESCRIPTOR * sdsr;
unsigned char sid[256];
SID * sidnewowner;
HANDLE tokenhandle;
TOKEN_PRIVILEGES tp;

abdacl=NULL;
abdacllen=0;
abowner=NULL;
abownerlen=0;
abpg=NULL;
abpglen=0;
absacl=NULL;
absacllen=0;
absd=NULL;
absdlen=0;
adobject=NULL;
attrstr=L"nTSecurityDescriptor";
buflen=0;
DWORD numattr;
objattr=NULL;
sdsr=NULL;
memset(sid, 0, sizeof(sid));

memcpy(sid, SidVal, SidValSize);

sidnewowner=(SID *)sid;
wcscpy(objectpath, L"LDAP://CN=Test.One,OU=Client Distribution
Lists,OU=Public Distribution Lists,DC=aoins,DC=com");

hr=CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

hr=ADsOpenObject(objectpath, NULL, NULL, ADS_SECURE_AUTHENTICATION,
IID_IDirectoryObject, (void **)&adobject);

hr=adobject->GetObjectAttributes(&attrstr, 1, &objattr, &numobjattr);

sd=(SECURITY_DESCRIPTOR *)objattr->pADsValues->SecurityDescriptor.lpValue;

MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl, &absacllen,
abowner, &abownerlen, abpg, &abpglen);
absd=(SECURITY_DESCRIPTOR *)malloc(absdlen);
abdacl=(ACL *)malloc(abdacllen);
absacl=(ACL *)malloc(absacllen);
abowner=(SID *)malloc(abownerlen);
abpg=(SID *)malloc(abpglen);
MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl,
&absacllen, abowner, &abownerlen, abpg, &abpglen);

SetSecurityDescriptorOwner(absd, sidnewowner, FALSE);

MakeSelfRelativeSD(absd, sdsr, &buflen);
sdsr=(SECURITY_DESCRIPTOR *)malloc(buflen);
MakeSelfRelativeSD(absd, sdsr, &buflen);

prochandle=GetCurrentProcess();

OpenProcessToken(prochandle, TOKEN_ADJUST_PRIVILEGES, &tokenhandle);

LookupPrivilegeValue("DCH1", SE_RESTORE_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

LookupPrivilegeValue("DCH1", SE_TAKE_OWNERSHIP_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

attrinfo.dwADsType=objattr->dwADsType;
attrinfo.dwControlCode=ADS_ATTR_UPDATE;
attrinfo.dwNumValues=1;
attrinfo.pADsValues=&adsvalue;
adsvalue.dwType=objattr->dwADsType;
adsvalue.SecurityDescriptor.lpValue=(LPBYTE)sdsr;
adsvalue.SecurityDescriptor.dwLength=buflen;
attrinfo.pszAttrName=attrstr;
hr=adobject->SetObjectAttributes(&attrinfo, 1, &numattr);

FreeADsMem(objattr);
adobject->Release();
if(abdacl!=NULL) free(abdacl);
if(abowner!=NULL) free(abowner);
if(abpg!=NULL) free(abpg);
if(absacl!=NULL) free(absacl);
if(absd!=NULL) free(absd);
if(sdsr!=NULL) free(sdsr);
CoUninitialize();
}

 

[Stephen Engle]

And in general you might be better off asking in a PROGRAMMING

group than in the main AD group which tends to be "admin stuff".

That's kind of funny since the programming group suggested Active Directory.
Ah well - I'll keep looking.


Thanks.

Well, as far as I could tell, no one replied to that original post, so I
would like to let this question stand. I have tried using altered code
using the ADSI interfaces but get the same result. Again though, I know
that the test user id I am using has sufficient rights because the Active
Directory Users & Computers interface is able to take ownership of the
object. I can only assume that I'm missing some step in my program to
allow
it to do this but cannot determine what that is. Any suggestions would be
appreciated.

You might do best to just repost then.

Once a message goes more than about 3 days -- no one knows
(or perhaps no one cares) about the topic.

Asking for a repost would likely have cause THIS post to get
bypassed.

And in general you might be better off asking in a PROGRAMMING
group than in the main AD group which tends to be "admin stuff".

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks.

I posted this a few days ago (multiple times due to my mistake) and then
had
to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question

and
if

so, could they repost. Thanks.



Search Google Groups for your own name or any key words you
posted in the previous messages.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[Joe Richards [MVP]]

Can you do it from vbscript and adsi?

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Well, that's definitely a different approach. I must say I hope not to have
to do this that way. That'll take some getting used to if I do. But thanks
anyway.

You certainly don't need the privilege stuff.

I don't do c++ ADSI but in LDAP API you have to specify a special server
control

unless you have manage audit log rights. Check out this control



http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/l
dap_server_sd_flags_oid.asp



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

I posted this a few days ago (multiple times due to my mistake) and then

had

to take a leave of absence so I missed any replies that might have been
posted. I was wondering if anyone had an answer for this question and

if

so, could they repost. Thanks.



I am trying to allow for user account to take ownership of an Active
Directory object. I have assigned the Modify Owner permission to the

user

on the AD object - a distribution list in this case. Using Active

Directory

Users and Computers, the user can take ownership of the object. But I

have

not been able to get the program I am working on to do so. Whenever I

try

to write the Security Descriptor back to the object, I get the
E_ACCESSDENIED error. The program code works fine if ran as a domain
administrator. So I am thinking that I do not have a privilege

activated

that I need. But I have tried using AdjustTokenPrivilege to grant the
SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME privileges. That does not

seem

to have any effect.

Does anyone have an idea about what I am missing?


Thanks.




The test code is as follows:

void CADOwnDlg::OnBnClickedTakeownership()
{
ACL * abdacl;
DWORD abdacllen;
SID * abowner;
DWORD abownerlen;
SID * abpg;
DWORD abpglen;
ACL * absacl;
DWORD absacllen;
SECURITY_DESCRIPTOR * absd;
DWORD absdlen;
IDirectoryObject * adobject;
ADSVALUE adsvalue;
ADS_ATTR_INFO attrinfo;
LPWSTR attrstr;
DWORD buflen;
HRESULT hr;
LUID luid;
DWORD numobjattr;
ADS_ATTR_INFO * objattr;
WCHAR objectpath[256];
HANDLE prochandle;
SECURITY_DESCRIPTOR * sd;
SECURITY_DESCRIPTOR * sdsr;
unsigned char sid[256];
SID * sidnewowner;
HANDLE tokenhandle;
TOKEN_PRIVILEGES tp;

abdacl=NULL;
abdacllen=0;
abowner=NULL;
abownerlen=0;
abpg=NULL;
abpglen=0;
absacl=NULL;
absacllen=0;
absd=NULL;
absdlen=0;
adobject=NULL;
attrstr=L"nTSecurityDescriptor";
buflen=0;
DWORD numattr;
objattr=NULL;
sdsr=NULL;
memset(sid, 0, sizeof(sid));

memcpy(sid, SidVal, SidValSize);

sidnewowner=(SID *)sid;
wcscpy(objectpath, L"LDAP://CN=Test.One,OU=Client Distribution
Lists,OU=Public Distribution Lists,DC=aoins,DC=com");

hr=CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

hr=ADsOpenObject(objectpath, NULL, NULL, ADS_SECURE_AUTHENTICATION,
IID_IDirectoryObject, (void **)&adobject);

hr=adobject->GetObjectAttributes(&attrstr, 1, &objattr, &numobjattr);

sd=(SECURITY_DESCRIPTOR

*)objattr->pADsValues->SecurityDescriptor.lpValue;

MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl,

&absacllen,

abowner, &abownerlen, abpg, &abpglen);
absd=(SECURITY_DESCRIPTOR *)malloc(absdlen);
abdacl=(ACL *)malloc(abdacllen);
absacl=(ACL *)malloc(absacllen);
abowner=(SID *)malloc(abownerlen);
abpg=(SID *)malloc(abpglen);
MakeAbsoluteSD(sd, absd, &absdlen, abdacl, &abdacllen, absacl,
&absacllen, abowner, &abownerlen, abpg, &abpglen);

SetSecurityDescriptorOwner(absd, sidnewowner, FALSE);

MakeSelfRelativeSD(absd, sdsr, &buflen);
sdsr=(SECURITY_DESCRIPTOR *)malloc(buflen);
MakeSelfRelativeSD(absd, sdsr, &buflen);

prochandle=GetCurrentProcess();

OpenProcessToken(prochandle, TOKEN_ADJUST_PRIVILEGES, &tokenhandle);

LookupPrivilegeValue("DCH1", SE_RESTORE_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

LookupPrivilegeValue("DCH1", SE_TAKE_OWNERSHIP_NAME, &luid);
tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenhandle, FALSE, &tp, 0, NULL, NULL);

attrinfo.dwADsType=objattr->dwADsType;
attrinfo.dwControlCode=ADS_ATTR_UPDATE;
attrinfo.dwNumValues=1;
attrinfo.pADsValues=&adsvalue;
adsvalue.dwType=objattr->dwADsType;
adsvalue.SecurityDescriptor.lpValue=(LPBYTE)sdsr;
adsvalue.SecurityDescriptor.dwLength=buflen;
attrinfo.pszAttrName=attrstr;
hr=adobject->SetObjectAttributes(&attrinfo, 1, &numattr);

FreeADsMem(objattr);
adobject->Release();
if(abdacl!=NULL) free(abdacl);
if(abowner!=NULL) free(abowner);
if(abpg!=NULL) free(abpg);
if(absacl!=NULL) free(absacl);
if(absd!=NULL) free(absd);
if(sdsr!=NULL) free(sdsr);
CoUninitialize();
}