How do I: Get Security Descriptor - System.DirectoryServices

  • Question:
    How do I get a Security Descriptor from an Active Directory entry?

    The code below shows what I want to happen; however, it does not work because the DirectoryEntry class returns a COM Object and throws an exception.


    DirectoryEntry de = new DirectoryEntry("LDAP://CN=ExchangeOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YourDomain,DC=com");
    // This does not work, because the value is a COM Object
    ActiveDirectorySecurity ads = (ActiveDirectorySecurity)de.Properties["ntSecurityDescriptor"][0];          

    // I know how to use Interop, and get the Security Descriptor.
    // Since the ActiveDirectorySecurity exists, there must be a way to use this.


    My Environment:
    I am using July CTP Beta 2 Whidbey.

    Russell Mangel
    Las Vegas, NV

    Monday, July 25, 2005 8:40 AM


  • Hello Russell,

    The correct way to do this is to use the new ObjectSecurity property on DirectoryEntry. For backward compatibility, retrieving the “ntSecurityDescriptor” property from the property cache still returns a COM object. Also, one thing to be aware of is that the ObjectSecurity property and the “ntSecurityDescriptor” property, although constructed from the same information obtained from the directory, are independent of each other and changes made to one do not affect the other.

    The code would look like

    DirectoryEntry de = new DirectoryEntry("LDAP://CN=ExchangeOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YourDomain,DC=com");
    ActiveDirectorySecurity ads = de.ObjectSecurity;


    Hope that helps, and please feel free to post back to this forum if this solves your problem, or you have more questions or technical details!


    Thursday, August 25, 2005 9:45 PM
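
An added example, not code from either poster: once the descriptor is read through ObjectSecurity as the answer describes, the managed ActiveDirectorySecurity object can be walked to review who holds control-level rights on the entry. The class name, helper names and the "REVIEW" labelling are hypothetical; the default DN is the thread's placeholder and can be overridden on the command line.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

class AclAudit
{
    // Rights that let a trustee take over the object or rewrite its ACL or attributes.
    static readonly ActiveDirectoryRights[] Risky = {
        ActiveDirectoryRights.GenericAll, ActiveDirectoryRights.WriteDacl,
        ActiveDirectoryRights.WriteOwner, ActiveDirectoryRights.GenericWrite };

    // Composite values such as GenericAll share bits with read-only rights,
    // so require every bit of the wanted right rather than any overlap.
    static bool Grants(ActiveDirectoryRights held, ActiveDirectoryRights wanted)
    {
        return (held & wanted) == wanted;
    }

    // Resolve a SID to DOMAIN\name; fall back to the raw SID for deleted accounts.
    static string Name(IdentityReference id)
    {
        if (id == null) return "(none)";
        try { return id.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return id.Value; }
    }

    static void Main(string[] args)
    {
        // Placeholder DN from the thread; pass a real ADsPath as the first argument.
        string path = args.Length > 0 ? args[0] :
            "LDAP://CN=ExchangeOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YourDomain,DC=com";
        using (DirectoryEntry de = new DirectoryEntry(path))
        {
            ActiveDirectorySecurity ads = de.ObjectSecurity;
            Console.WriteLine("Owner: " + Name(ads.GetOwner(typeof(SecurityIdentifier))));
            // Explicit and inherited ACEs, returned as SIDs so orphaned entries still list.
            foreach (ActiveDirectoryAccessRule rule in
                     ads.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                if (rule.AccessControlType != AccessControlType.Allow) continue;
                bool risky = false;
                foreach (ActiveDirectoryRights r in Risky)
                    if (Grants(rule.ActiveDirectoryRights, r)) risky = true;
                Console.WriteLine("{0} {1} [{2}] inherited={3}", risky ? "REVIEW" : "ok    ",
                    Name(rule.IdentityReference), rule.ActiveDirectoryRights, rule.IsInherited);
            }
        }
    }
}
```

The audit only reads the descriptor; as the answer notes, any change made through ObjectSecurity would not be reflected in a separately retrieved "ntSecurityDescriptor" COM object.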