Meaning of ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED



Jan Nielsen
07-09-2005, 11:52 PM
In a C# application I'm trying to modify an ACL on a folder.
Besides the inherited ACEs I want to add one more ACE. But I'm noticing that
if I read and write the security descriptor, even without modifying it, the
flag ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED in sd.Control is being reset.

If I write the SD with this code the flag is reset:
// Read the folder's security descriptor and write it back unchanged.
IADsSecurityDescriptor sd = securityUtility.GetSecurityDescriptor(
    strFolder, ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
    ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID) as IADsSecurityDescriptor;
securityUtility.SetSecurityDescriptor(
    strFolder, ADS_PATHTYPE_ENUM.ADS_PATH_FILE, sd,
    ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);

If the SD is written with other tools, including the GUI, the flag seems to
be set again.

What does this flag mean and does it matter that it's not set?
I can't see any change in the GUI whether it's set or not.
Can I write the SD in some other way that does not reset this flag?


Thanks in advance,
Jan Nielsen

Crouchie1998
07-09-2005, 11:53 PM
You are asking the wrong newsgroup firstly, but here's the description: For
coding see the C# newsgroup (microsoft.public.dotnet.languages.csharp)

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_sd_control_enum.asp

I hope this helps

Crouchie1998
BA (HONS) MCP MCSE

Jan Nielsen
07-09-2005, 11:53 PM
Ok, I'll try that group. I just thought the chance of catching an expert on
ACLs was higher in a security group.

Yes, I found the description in MSDN too. But I don't think it explains very
well the meaning of that bit. At least I don't get it.
The only other description I found was at:
http://www.fim.uni-linz.ac.at/Diplomarbeiten/diplomarbeit_helml/diplomarbeit_helml.pdf
Unfortunately it's written in German. But what I understand from it is that
the system sets this bit automatically, and it indicates that at least one
ACE is inherited.
If this is true I'm really confused, as this is not what I see after I've
written the SD from my code.


Jan Nielsen

Roger Abell
07-09-2005, 11:53 PM
> Unfortunately it's written in German. But what I understand from it, is that
> the system sets this bit automatically, and it indicates that at least one
> ACEs is inherited.
That is much the sense I have come to hold, that this indicates that
there is present some ACE(s) that were inherited onto the object
by the system.
I have always had a problem with the MSDN description, which does
not seem to jibe with the observed.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jan Nielsen" <janielsen@online.nospam> wrote in message
news:%23COBf7VZFHA.2996@TK2MSFTNGP10.phx.gbl...
> Ok, I'll try that group. I just thought the chance of catching an expert on
> ACLs was higher in a security group.
>
> Yes, I found the description in MSDN too. But I don't think it explains very
> well the meaning of that bit. At least I don't get it.
> The only other description I found was at:
> http://www.fim.uni-linz.ac.at/Diplomarbeiten/diplomarbeit_helml/diplomarbeit_helml.pdf
> Unfortunately it's written in German. But what I understand from it, is that
> the system sets this bit automatically, and it indicates that at least one
> ACEs is inherited.
> If this is true I'm really confused, as this is not what I see after I've
> written the SD from my code.
>
> Jan Nielsen
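
Added example, not code from any poster in this thread: a Python parser for a self-relative security descriptor that compares the SE_DACL_AUTO_INHERITED control bit (0x0400, the same value as ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED) with the INHERITED_ACE flag on each ACE in the DACL. The function names, the sample descriptor and the "flag_cleared" key are constructed for illustration, and the second sample assumes the inherited ACE keeps its INHERITED_ACE flag after the control bit has been reset.

```python
import struct

# SECURITY_DESCRIPTOR_CONTROL bits; ADS_SD_CONTROL_SE_* use the same values.
SE_DACL_PRESENT = 0x0004
SE_DACL_AUTO_INHERITED = 0x0400
SE_SELF_RELATIVE = 0x8000
INHERITED_ACE = 0x10  # AceFlags bit: this ACE came from a parent object

def dacl_inheritance_state(sd: bytes) -> dict:
    """Report the DACL inheritance state of a self-relative security descriptor."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor header")
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision 1 self-relative descriptor")
    ace_count = inherited = 0
    if control & SE_DACL_PRESENT and dacl_off:
        if dacl_off + 8 > len(sd):
            raise ValueError("DACL offset outside buffer")
        # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
        _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
        pos, end = dacl_off + 8, min(dacl_off + acl_size, len(sd))
        for _ in range(ace_count):
            if pos + 4 > end:
                raise ValueError("ACE header outside ACL")
            # ACE header: AceType, AceFlags, AceSize
            _, flags, size = struct.unpack_from("<BBH", sd, pos)
            if size < 4 or pos + size > end:
                raise ValueError("malformed ACE size")
            if flags & INHERITED_ACE:
                inherited += 1
            pos += size
    auto = bool(control & SE_DACL_AUTO_INHERITED)
    return {"auto_inherited": auto, "inherited_aces": inherited,
            "explicit_aces": ace_count - inherited,
            "flag_cleared": inherited > 0 and not auto}

def sample_sd(control: int) -> bytes:
    """Constructed sample: DACL with one explicit and one inherited allow ACE."""
    everyone = struct.pack("<BB", 1, 1) + (1).to_bytes(6, "big") + struct.pack("<I", 0)
    admins = struct.pack("<BB", 1, 2) + (5).to_bytes(6, "big") + struct.pack("<II", 32, 544)
    aces = b"".join(struct.pack("<BBHI", 0, flags, 8 + len(sid), mask) + sid
                    for flags, mask, sid in ((0, 0x1200A9, everyone),
                                             (INHERITED_ACE, 0x1F01FF, admins)))
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 2, 0) + aces
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 20) + acl

BASE = SE_SELF_RELATIVE | SE_DACL_PRESENT
for control in (BASE | SE_DACL_AUTO_INHERITED, BASE):  # flag set, then cleared
    print(hex(control), dacl_inheritance_state(sample_sd(control)))
```
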

