The nTSecurityDescriptor and msExchMailboxSecurityDescriptor attribute values contain access-control lists (ACLs) whose entries you must specify in a special format.
For example, the following shows a User Form a company might use to assign a default set of permissions to each user it provisions:
<Field name='attributes[AD].nTSecurityDescriptor' hidden='true'>
  <Expansion>
    <list>
      <s>Domain Admins|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\SYSTEM|983551|0|0|NULL|NULL</s>
      <s>Account Operators|983551|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|131220|0|0|NULL|NULL</s>
      <s>NT AUTHORITY\Authenticated Users|256|5|0| {AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>
      <s>NT AUTHORITY\SELF|131220|0|0|NULL|NULL</s>
    </list>
  </Expansion>
</Field>
The entries in the nTSecurityDescriptor list are in the following format:
Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType
Where:
Trustee is the DOMAIN\Account name of the user, group, or well-known principal (such as NT AUTHORITY\SYSTEM) that the entry applies to.
Mask is a decimal integer whose bits specify access permissions (read, write, and so on), using the ADSI ADS_RIGHTS_ENUM bit values. In the form above, 983551 (0xF01FF) grants Full Control and 131220 (0x20094) grants read access.
aceType is a flag indicating the access-control entry (ACE) type:
ADS_ACETYPE_ACCESS_ALLOWED = 0, ADS_ACETYPE_ACCESS_DENIED = 0x1, ADS_ACETYPE_SYSTEM_AUDIT = 0x2, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5, ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6, ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7, ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 0x8
Where:
ADS_ACETYPE_ACCESS_ALLOWED: The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_ACCESS_DENIED: The ACE is of the standard ACCESS DENIED type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_SYSTEM_AUDIT: The ACE is of the standard SYSTEM AUDIT type, where the ObjectType and InheritedObjectType fields are NULL.
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: On Windows 2000 and later, the ACE grants access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
ADS_ACETYPE_ACCESS_DENIED_OBJECT: On Windows 2000 and later, the ACE denies access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
ADS_ACETYPE_SYSTEM_AUDIT_OBJECT: On Windows 2000 and later, the ACE audits access to an object or a subobject of the object, such as a property set or property. ObjectType, InheritedObjectType, or both contain a GUID that identifies a property set, property, extended right, or type of child object.
ADS_ACETYPE_SYSTEM_ALARM_OBJECT: Not used on Windows 2000/XP at this time.
aceFlags is a flag specifying whether other containers or objects can inherit the ACE from the ACL owner:
ADS_ACEFLAG_INHERIT_ACE = 0x2, ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4, ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8, ADS_ACEFLAG_INHERITED_ACE = 0x10, ADS_ACEFLAG_VALID_INHERIT_FLAGS = 0x1f, ADS_ACEFLAG_SUCCESSFUL_ACCESS = 0x40, ADS_ACEFLAG_FAILED_ACCESS = 0x80
Where:
ADS_ACEFLAG_INHERIT_ACE: Child objects will inherit this access-control entry (ACE).
The inherited ACE is inheritable unless you set the ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE flag.
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: Causes the system to clear the ADS_ACEFLAG_INHERIT_ACE flag for the inherited ACEs of child objects, which prevents the ACE from being inherited by subsequent generations of objects.
ADS_ACEFLAG_INHERIT_ONLY_ACE: Indicates an inherit-only ACE that does not exercise access control on the object to which it is attached.
If you do not set this flag, the ACE is an effective ACE that exerts access control on the object to which it is attached.
ADS_ACEFLAG_INHERITED_ACE: Indicates whether the ACE was inherited. The system sets this bit.
ADS_ACEFLAG_VALID_INHERIT_FLAGS: Indicates whether the inherited flags are valid. The system sets this bit.
ADS_ACEFLAG_SUCCESSFUL_ACCESS: Generates audit messages for successful access attempts, used with ACEs that audit the system in a system access-control list (SACL).
ADS_ACEFLAG_FAILED_ACCESS: Generates audit messages for failed access attempts, used with ACEs that audit the system in a SACL.
objectType identifies the part of the object the ACE applies to. Its value is NULL or the GUID, in string format, of a property, property set, extended right, or child object class.
The GUID refers to a property or property set when you use the ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP access masks.
The GUID specifies a child object class when you use the ADS_RIGHT_DS_CREATE_CHILD and ADS_RIGHT_DS_DELETE_CHILD access masks, and an extended right when you use ADS_RIGHT_DS_CONTROL_ACCESS (0x100). The fifth entry in the form above is such an ACE: mask 256 (0x100) with aceType 5 and a GUID in the objectType field.
InheritedObjectType identifies the class of child object that can inherit the ACE. Its value is NULL or the GUID of an object class in string format. When you set such a GUID, only child objects of that class inherit the ACE.
The objectType and InheritedObjectType flags specify the GUID of other objects in the form:
{BF9679C0-0DE6-11D0-A285-00AA003049E2}
The object/attribute GUID is wrapped in braces { }. This is the format returned by a fetch. ADSI defines GUIDs that represent specific attributes (so that access to them can be granted) and also a way to describe an inheritance relationship.
The best way to find the correct string to pass is as follows:
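As an added example (not code from the original page or from the product the form belongs to), the following Python parses the pipe-delimited entries described above, decodes the Mask, aceType and aceFlags fields against the ADSI ADS_RIGHTS_ENUM, ADS_ACETYPE_ENUM and ADS_ACEFLAG_ENUM bit values, re-serializes them, and rejects entries whose fields contradict each other: an object ACE type with NULL GUIDs, a GUID on a plain ACE type, audit flags on an allow ACE, or unknown bits. The function and constant names are the example's own; the sample form is a copy of the one shown above, with its stray space before the GUID left in to show why fields are stripped.

```python
"""Parse, validate and re-serialize nTSecurityDescriptor list entries of the form
   Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType
Added example; not code from the original page or the product it documents."""
import re
from dataclasses import dataclass
from typing import Optional

# ADS_ACETYPE_ENUM (ADSI). The *_OBJECT types are the ones that carry a GUID.
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT",
             7: "SYSTEM_AUDIT_OBJECT", 8: "SYSTEM_ALARM_OBJECT"}
OBJECT_ACE_TYPES = {5, 6, 7, 8}
AUDIT_ACE_TYPES = {2, 7}
# ADS_ACEFLAG_ENUM bits. 0x01 (object inherit) is absent from the ADSI enum but lies
# within ADS_ACEFLAG_VALID_INHERIT_FLAGS (0x1f), so it is tolerated rather than named.
ACE_FLAGS = {0x02: "INHERIT_ACE", 0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE",
             0x10: "INHERITED_ACE", 0x40: "SUCCESSFUL_ACCESS", 0x80: "FAILED_ACCESS"}
VALID_FLAG_BITS = 0x1F | 0x40 | 0x80
# ADS_RIGHTS_ENUM bits meaningful on directory objects.
RIGHTS = {0x1: "DS_CREATE_CHILD", 0x2: "DS_DELETE_CHILD", 0x4: "ACTRL_DS_LIST", 0x8: "DS_SELF",
          0x10: "DS_READ_PROP", 0x20: "DS_WRITE_PROP", 0x40: "DS_DELETE_TREE",
          0x80: "DS_LIST_OBJECT", 0x100: "DS_CONTROL_ACCESS", 0x10000: "DELETE",
          0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
          0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYSTEM_SECURITY", 0x10000000: "GENERIC_ALL",
          0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
ALL_RIGHT_BITS = sum(RIGHTS)
FULL_CONTROL = 0xF01FF  # the form's 983551: all DS rights + DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)


@dataclass
class Ace:
    trustee: str
    mask: int
    ace_type: int
    ace_flags: int
    object_type: Optional[str]
    inherited_object_type: Optional[str]

    def rights(self) -> set:
        return {name for bit, name in RIGHTS.items() if self.mask & bit}

    def flags(self) -> set:
        return {name for bit, name in ACE_FLAGS.items() if self.ace_flags & bit}

def _guid(field: str) -> Optional[str]:
    if field == "NULL":
        return None
    if not GUID_RE.match(field):
        raise ValueError(f"bad GUID field: {field!r}")
    return field.upper()

def validate(ace: Ace) -> Ace:
    """Reject field combinations that Windows would not accept or that would mislead a reviewer."""
    if ace.ace_type not in ACE_TYPES:
        raise ValueError(f"unknown aceType {ace.ace_type}")
    has_guid = ace.object_type is not None or ace.inherited_object_type is not None
    if (ace.ace_type in OBJECT_ACE_TYPES) != has_guid:
        raise ValueError("object ACE types need a GUID; plain ACE types must use NULL|NULL")
    if ace.ace_flags & ~VALID_FLAG_BITS:
        raise ValueError(f"unknown aceFlags bits in {ace.ace_flags:#x}")
    if ace.ace_flags & 0xC0 and ace.ace_type not in AUDIT_ACE_TYPES:
        raise ValueError("SUCCESSFUL_ACCESS/FAILED_ACCESS apply only to SACL audit ACEs")
    if ace.mask & ~ALL_RIGHT_BITS:
        raise ValueError(f"unknown access bits in mask {ace.mask:#x}")
    return ace

def parse_ace(entry: str) -> Ace:
    # Fields are stripped because the form above carries a stray space before its GUID.
    parts = [p.strip() for p in entry.split("|")]
    if len(parts) != 6:
        raise ValueError(f"expected 6 pipe-separated fields, got {len(parts)}")
    trustee, mask, ace_type, ace_flags, obj, inh = parts
    return validate(Ace(trustee, int(mask), int(ace_type), int(ace_flags), _guid(obj), _guid(inh)))

def format_ace(ace: Ace) -> str:
    return "|".join([ace.trustee, str(ace.mask), str(ace.ace_type), str(ace.ace_flags),
                     ace.object_type or "NULL", ace.inherited_object_type or "NULL"])

def parse_expansion(xml_fragment: str) -> list:
    """Pull the <s>...</s> entries out of a Field/Expansion/list fragment."""
    return [parse_ace(s) for s in re.findall(r"<s>(.*?)</s>", xml_fragment, re.S)]

def full_control_trustees(aces) -> list:
    """Trustees granted Full Control by an allow ACE: the first thing to review in a default ACL."""
    return [a.trustee for a in aces if a.ace_type in (0, 5) and a.mask & FULL_CONTROL == FULL_CONTROL]

# Constructed copy of the form's default ACL so the example runs stand-alone.
SAMPLE_FORM = """<Field name='attributes[AD].nTSecurityDescriptor' hidden='true'> <Expansion> <list>
<s>Domain Admins|983551|0|0|NULL|NULL</s> <s>NT AUTHORITY\\SYSTEM|983551|0|0|NULL|NULL</s>
<s>Account Operators|983551|0|0|NULL|NULL</s> <s>NT AUTHORITY\\Authenticated Users|131220|0|0|NULL|NULL</s>
<s>NT AUTHORITY\\Authenticated Users|256|5|0| {AB721A55-1E2F-11D0-9819-00AA0040529B}|NULL</s>
<s>NT AUTHORITY\\SELF|131220|0|0|NULL|NULL</s> </list> </Expansion> </Field>"""

if __name__ == "__main__":
    for ace in parse_expansion(SAMPLE_FORM):
        print(f"{ace.trustee:35} {ACE_TYPES[ace.ace_type]:22} {sorted(ace.rights())}")
    print("Full Control:", full_control_trustees(parse_expansion(SAMPLE_FORM)))
```

Running the script decodes the three 983551 entries as Full Control, the two 131220 entries as READ_CONTROL plus list and read-property rights, and the 256 entry as a DS_CONTROL_ACCESS object ACE whose GUID names an extended right. The validator is the part worth keeping in a provisioning pipeline: a plain aceType with a GUID, or an object aceType with NULL GUIDs, is exactly the kind of entry that gets silently written as something other than what the form author intended.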