This is a classic problem of trying to use the wrong Access Mask and Access
Flags for the wrong ACL type. The IADsSecurityDescriptor and its
associated interfaces were created for Active Directory objects. The
constants in the ADS* enumeration types used by the security interfaces are
for Active Directory objects.
The really cool thing is that these interfaces are scriptable and they may
things humanly readible and they can be easily adapted to other security
descriptors. It is very important to realize that their many different
types of security descriptors, each with their own specific sets of Access
Masks and Ace Flags. Below is a short list of the SDs I am aware of (
their may be more)
Active Directory Objects
Each with their own ACLUI that allow you to create the appropriate ACEs for
that SD. If the ACL UI ( Access Control list UI) does not check the boxes
for a specific checkboxes for an ACE, the UI does not recognize the ACE as
one for that item. True, the ACE will work in most cases, however, in the
log term it can have some unintended consequenses. I had a customer that
was using the ADS* enumeration types to add ACEs to NTFS files. The ACEs
appeared to apply the appropriate permissions. Over time, these NTFS
Volume became corrupted and they had to reset the ACLs on the files. We
changed thier code to add aces for files that the ACLUI for NTFS files
recognized, and they have not had any additional NTFS volume corruption.
We could not direclty tie the old way of making aces to the probem, but
changing their code made the problem go away.
If you are using the ADSI to add ACEs to an ACL, make sure that you ace is
marked appropriatly in the ACLUI of the target object. In you case, the
NTFS ACLUI should recognize the ACE you are adding programmatically.
For a list of NTFS file Acess masks and Ace Flags, take a look at the
WinNT.H header file.
Generally, when I want to add an ACE programmatically for a specific set of
permissions, I add the test ACE through the ACLUI for the object, then I
dump the ACL and locate the ACE the UI created. I then use the information
from that dumped ACE to as a template to write my code for the ACE I want
Hope this helps...
Max Vaughn [MS]
Microsoft Developer Support
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights. You assume all risk for your use.