Lm th? no ? s? d?ng Visual Basic v ADsSecurity.dll ? ng ACEs trong m?t ACL

D?ch tiu ? D?ch tiu ?
ID c?a bi: 269159
Bung t?t c? | Thu g?n t?t c?

? Trang ny

TM T?T

Bi vi?t ny cho th?y lm th? no ? s? d?ng ADsSecurity.dll ? c ?c m?t m t? b?o m?t (SD) cho m?t t?p tin, ?i t?ng Active Directory ho?c kha s? ng k?. Bi vi?t ny ch?ng t? lm th? no, m?t khi m?t SD ? thu ?c, ? l?y danh sch i?u khi?n truy c?p ty (ACL) t? SD v sau thm m?t m?c i?u khi?n truy c?p (ACE) ? v? tr thch h?p. Bi vi?t cung c?p m?t thu?t ton n gi?n cng v?i m?t Microsoft Visual Basic m? v d? minh ho? lm th? no ? ng cch ?t hng m?t ACL th? vi?t ACL tr? l?i ? SD.

THNG TIN THM

Phng php IADsAccessControlList::AddAce cho bi?t thm cc ACE ? ?u ACL. Trong m?t s? tr?ng h?p, thm m?t ACE ? pha trn s? t?o an ninh khng mong mu?n truy c?p. Active Directory d?ch v? giao di?n (ADSI) ti s?n cache trn Microsoft Windows Server 2003 v trn Microsoft Windows XP m?t cch chnh xc s? ?t DACL tr?c khi ghi n tr? l?i vo cc ?i t?ng. S?p x?p l?i ch? c yu c?u trn Microsoft Windows 2000. L?nh thch h?p asw trong m?t ACL l nh sau:
Truy c?p t? ch?i ACEs p d?ng cho ?i t?ng chnh n
Truy c?p t? ch?i ACEs p d?ng cho m?t ?a tr? c?a ?i t?ng, nh l m?t ti s?n t?p ho?c b?t ?ng s?n
ACEs truy c?p php p d?ng cho ?i t?ng chnh n
ACEs truy c?p php p d?ng cho m?t ?a tr? c?a ?i t?ng, nh l m?t ti s?n t?p ho?c b?t ?ng s?n
Trong cc s?n ph?m ?c li?t k trong bi vi?t ny, giao di?n IADsAccessControlList khng h? tr? m?t phng php m ng ra l?nh cho m?t ACL. Cc ACEs ph?i ?c s?p x?p vo cc nm nhm:
B? t? ch?i truy c?p vo ?i t?ng
B? t? ch?i truy c?p vo m?t ?a tr? hay b?t ?ng s?n
Cho php truy c?p vo ?i t?ng
Cho php truy c?p vo m?t ?a tr? hay b?t ?ng s?n
T?t c? th?a k? ACEs
?t hng cho ACEs ?c th?a k? khng nn ?c thay ?i. T?t c? ?c th?a k? ACEs ?c b? sung b?i h? i?u hnh v ?c ?t hng m?t cch thch h?p. M?t l?p tr?nh vin c th? ch? ?nh m?t ACE nn ?c th?a h?ng v Windows 2000 ho?c Windows NT s? chm sc c?a c?m ACE ? cc ?i t?ng con.

l m?t ngo?i l? cho quy t?c tuyn truy?n. p aCEs thm vo m?t ?i t?ng ACL s? khng t? ?ng nh?n ?c d?ng cho cc ?i t?ng hi?n c trong cy. N l trch nhi?m c?a cc l?p tr?nh vin i b? cy v tuyn truy?n cc ACE b?ng cch thm cc ACE ? cc ?i t?ng hi?n c. Cc ACE s? ?c ph? bi?n trn cc ?i t?ng m?i trong subtree.

Thu?t ton ? phn lo?i ACEs trong m?t ACL

  1. C ?c ty ACL (DACL) t? m t? b?o m?t.
  2. Ki?m tra IADsAccessControlEntry::AceFlags ? xem n?u cc ACE th?a h?ng (ki?m tra ADS_ACEFLAG_INHERITED_ACE cht).
  3. Ki?m tra IADsAccessControlEntry::AceType ? xem nh?ng g? lo?i truy c?p cc ACE c?p v nh?ng g? cc truy c?p ?c c?p cho (cc ?i t?ng ring c?a m?nh ho?c thu?c tnh c?a ?i t?ng). Danh sch sau v?ch ra cc gi tr? lo?i ACE v nh?ng g? h? c ngh?a l:
    ADS_ACETYPE_ACCESS_ALLOWED - c?p ?c php truy c?p vo ?i t?ng ton b?
    ADS_ACETYPE_ACCESS_ALLOWED_OBJECT - cho th?y ho?t ?ng truy c?p ?c cho php ? m?t ti s?n ho?c thi?t l?p b?t ?ng s?n
    ADS_ACETYPE_ACCESS_DENIED - t? ch?i truy c?p vo ?i t?ng ton b?
    ADS_ACETYPE_ACCESS_DENIED_OBJECT - t? ch?i truy c?p vo m?t ti s?n ho?c thi?t l?p b?t ?ng s?n.
  4. Ni ACE trong t?m th?i DACL thch h?p d?a trn gi tr? IADsAccessControlListEntry::AceType.
  5. Xy d?ng l?i ACL t? ACLs ring bi?t theo th? t? sau:
    ADS_ACETYPE_ACCESS_DENIED ACE lo?i
    ADS_ACETYPE_ACCESS_DENIED_OBJECT ACE lo?i
    ADS_ACETYPE_ACCESS_ALLOWED ACE lo?i
    ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ACE lo?i
    ACEs v?i ADS_ACEFLAG_INHERITED_ACE c? b?i c?nh IADsAccessControlListEntry::AceFlags
  6. Thi?t l?p ACL m?i ? s?a ?i cng c?p nh ACL c?.
  7. Thay th? ACL vo m t? b?o m?t.

B?c ? s? d?ng m? Visual Basic ?c cung c?p trong bi vi?t ny

  1. ng k? ADsSecurity.dll.

    ADsSecurity.dll l m?t ph?n c?a ho?t ?ng th m?c d?ch v? giao di?n (ADSI) 2.5 Resource Kit. ? t?i v? cc ADSI 2.5 Resource kit, gh thm Web site sau c?a Microsoft:
    http://www.Microsoft.com/technet/archive/winntas/Downloads/adsi25.mspx?MFR=True
    S? d?ng Regsvr32 ? ng k? ADsSecurity.dll. N?u ny DLL khng ng k? m?t cch chnh xc, hnh vi ny ch? ra r?ng ADSI khng ?c ci ?t. N?u b?n ang ch?y m? trn m?t my tnh d?a trn Microsoft Windows NT ho?c trn m?t my tnh d?a trn Microsoft Windows 98, ci ?t m? r?ng khch hng th m?c ho?t ?ng thch h?p. ? bi?t thm chi ti?t v? lm th? no ? c ?c cc khch hng, h?y xem ph?n "Tham kh?o".
  2. B?t ?u Visual Basic. Sau , t?o ra m?t d? n EXE tiu chu?n.
  3. Xem cc Tham khao cho d? n. ?m b?o r?ng vi?c theo ?c ch?n:
    • Th vi?n DS ki?u ho?t ?ng
    • Th vi?n ki?u ADsSecurity 2.5
  4. Lm cho m?t nt l?nh v? h?nh th?c.
  5. B?m p nt l?nh. Sau , dn o?n m? sau trong cc Command1_Click x? l? l?nh.

Visual Basic m?u m? minh ho? lm th? no ? th?c hi?n thu?t ton phn lo?i

Dim sec As New ADsSecurity
Dim sd As IADsSecurityDescriptor
Dim dacl As IADsAccessControlList
Dim ace As IADsAccessControlEntry
Dim newAce As New AccessControlEntry
'
' Declare temporary ACLs for sorting the original
' ACL
'
Dim newdacl As New AccessControlList
Dim ImpDenyDacl As New AccessControlList
Dim ImpDenyObjectDacl As New AccessControlList
Dim InheritedDacl As New AccessControlList
Dim ImpAllowDacl As New AccessControlList
Dim impAllowObjectDacl As New AccessControlList

Private Sub Command1_Click()
'
' Be sure to register ADsSecurity.Dll using RegSvr32 and
' adding the ADsSecurity2.5 Type Library to you references for
' the project.
'
' Using the ADsSecurity object, retrieve a SD for an object.  Just
' Replace the LDAP:// path with the path of an object that contains a
' SD.  For additional details on valid path strings, review
' the information stored in the Platform SDK ADSI samples starting with
' "<Platform SDK Root>\Samples\NetDs\ADSI\rtk.htm"
'
Set sec = CreateObject("ADsSecurity")<BR/>
' TODO :  replace the servername and DN of the object you want to modify.
Set sd = sec.GetSecurityDescriptor("LDAP://MyDCname/cn=MyUser,cn=Users,dc=MyDom,dc=com")

'Displaying the ACE in the DACL --- it's the same way you display ACEs for File, File Share, Registry, Exchange, and Active Directory's ACL.

Set dacl = sd.DiscretionaryAcl
Debug.Print Date & Time & "Initial Values of DACL"
For Each ace In dacl
   Debug.Print ace.Trustee
   Debug.Print Hex(ace.AccessMask)
   Debug.Print Hex(ace.AceType)
   Debug.Print Hex(ace.AceFlags)
   Debug.Print Hex(ace.Flags)
Next

Debug.Print dacl.AceCount

'
' Initialize all of the new ACLs
'
' If you are doing this in VBSscript you will need to use
' The following methods of creating the ACL bins instead of
' using the Dim As New statements above. 
'
'Set newAce = CreateObject("AccessControlEntry")
'Set newdacl = CreateObject("AccessControlList")
'Set InheritedDacl = CreateObject("AccessControlList")
'Set ImpAllowDacl = CreateObject("AccessControlList")
'Set InhAllowDacl = CreateObject("AccessControlList")
'Set ImpDenyObjectDacl = CreateObject("AccessControlList")
'Set ImpAllowObjectDacl = CreateObject("AccessControlList")
'
'
' Create a new ace, this one
' sets an extended right on the user object that allows the
' trustee to read and write the userAccountControl property of an
' user object.
'
' TODO : Replace the trustee with an appropriate trustee on the domain
' in question.
'
newAce.Trustee = "MyDomain\Myuser"
newAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
newAce.ObjectType = "{BF967A68-0DE6-11D0-A285-00AA003049E2}"
newAce.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
newAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
newAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
'
' Place the new ace in the DACL
'
dacl.AddAce newAce
'
' Sift the DACL into 5 bins:
' Inherited Aces
' Implicit Deny Aces
' Implicit Deny Object Aces
' Implicit Allow Aces
' Implicit Allow object aces
'
For Each ace In dacl
  '
  ' Sort the original ACEs into their appropriate
  ' ACLs
  '
  Debug.Print ace.Trustee
  If ((ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = ADS_ACEFLAG_INHERITED_ACE) Then
     '
     ' Do not really care about the order of inherited aces. Since we are
     ' adding them to the top of a new list, when they are added back
     ' to the Dacl for the object, they will be in the same order as
     ' they were originally. Just a positive side effect of adding items
     ' of a LIFO (Last In First Out) type list.
     '
     InheritedDacl.AddAce ace
  Else
     '
     ' We have an Implicit ACE, let's put it the proper pool
     '
     Select Case ace.AceType
     Case ADS_ACETYPE_ACCESS_ALLOWED
        '
        ' We have an implicit allow ace
        '
        ImpAllowDacl.AddAce ace
     Case ADS_ACETYPE_ACCESS_DENIED
        '
        ' We have an implicit Deny ACE
        '
        ImpDenyDacl.AddAce ace
     Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        '
        ' We have an object allowed ace
        ' Does it apply to a property? or an Object?
        '
        impAllowObjectDacl.AddAce ace
     Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
        '
        ' We have an object Deny ace
        '
        ImpDenyObjectDacl.AddAce ace
     Case Else
        '
        ' Missed a bin?
        '
        Debug.Print "Bad ace...." & Hex(ace.AceType)
     End Select
  End If
Next
'
' Combine the ACEs in the proper order
' Implicit Deny
' Implicit Deny Object
' Implicit Allow
' Implicit Allow Object
' Inherited aces
'
' Implicit Deny
'
For Each ace In ImpDenyDacl
  newdacl.AddAce ace
Next
'
' Implicit Deny Object
'
For Each ace In ImpDenyObjectDacl
  newdacl.AddAce ace
Next
'
' Implicit Allow
'
For Each ace In ImpAllowDacl
  newdacl.AddAce ace
Next
'
' Implicit Allow Object
'
For Each ace In impAllowObjectDacl
  newdacl.AddAce ace
Next
'
' Inherited Aces
'
For Each ace In InheritedDacl
  newdacl.AddAce ace
Next

sd.DiscretionaryAcl = newdacl
Debug.Print Date
For Each ace In newdacl
   Debug.Print ace.Trustee
   Debug.Print "Ace Mask: " & Hex(ace.AccessMask)
   Debug.Print "Ace Type: " & Hex(ace.AceType)
   Debug.Print "Ace Flags: " & Hex(ace.AceFlags)
   Debug.Print "Object Type value: " & Hex(ace.Flags)
   Debug.Print "Object Guid : " & ace.ObjectType
Next
'
' Set the appropriate revision level
' for the DACL
'
newdacl.AclRevision = dacl.AclRevision
'
' Replace the Security Descriptor
'
sec.SetSecurityDescriptor sd
' If this generates the error -214023559 or 80070539 check your TODO
' strings.  This error is most likely a problem with DNS name resolution.
				

THAM KH?O

? bi?t thm chi ti?t, nh?p vo s? bi vi?t sau ? xem cc bi vi?t trong c s? ki?n th?c Microsoft:
269175Lm th? no ? s? d?ng Visual c ++ ? ng ACEs trong m?t ACL
279682 Lm th? no ? s? d?ng ADsSecurity.dll ? thm m?t m?c nh?p ki?m sot truy c?p vo m?t th m?c NTFS
? bi?t thm chi ti?t v? lm th? no ? ci ?t th m?c khch hng m? r?ng ho?t ?ng, nh?p vo s? bi vi?t sau ? xem bi vi?t trong c s? ki?n th?c Microsoft:
288358Lm th? no ? ci ?t ph?n m? r?ng ho?t ?ng th m?c khch hng

Thu?c tnh

ID c?a bi: 269159 - L?n xem xt sau cng: 22 Thang Tam 2011 - Xem xt l?i: 2.0
T? kha:
kbdswadsi2003swept kbhowto kbmt KB269159 KbMtvi
My d?ch
QUAN TRONG: Bi vi?t ny ?c d?ch b?ng ph?n m?m d?ch my c?a Microsoft ch? khng ph?i do con ng?i d?ch. Microsoft cung c?p cc bi vi?t do con ng?i d?ch v c? cc bi vi?t do my d?ch ? b?n c th? truy c?p vo t?t c? cc bi vi?t trong C s? Ki?n th?c c?a chng ti b?ng ngn ng? c?a b?n. Tuy nhin, bi vi?t do my d?ch khng ph?i lc no c?ng hon h?o. Lo?i bi vi?t ny c th? ch?a cc sai st v? t? v?ng, c php ho?c ng? php, gi?ng nh m?t ng?i n?c ngoi c th? m?c sai st khi ni ngn ng? c?a b?n. Microsoft khng ch?u trch nhi?m v? b?t k? s? thi?u chnh xc, sai st ho?c thi?t h?i no do vi?c d?ch sai n?i dung ho?c do ho?t ?ng s? d?ng c?a khch hng gy ra. Microsoft c?ng th?ng xuyn c?p nh?t ph?n m?m d?ch my ny.
Nh?p chu?t vo y ? xem b?n ti?ng Anh c?a bi vi?t ny:269159
Khc t Ni dung trong C s Kin thc Khng con c h tr
Bi vi?t ny ni v? cc s?n ph?m m Microsoft khng c?n h? tr? n?a. Do , bi vi?t ny ?c cung c?p "nguyn b?n" v s? khng ?c c?p nh?t.

Cung cp Phan hi

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com