Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
Exchange
2000.active.directory
2000.admin
2000.announcements
2000.app.conversion
2000.applications
2000.clients
2000.clustering
2000.connectivity
2000.development
2000.documentation
2000.general
2000.information.store
2000.interop
2000.kms
2000.misc
2000.protocols
2000.realtime.collabo.
2000.setup
2000.transport
2000.win2000
admin
application.conversion
applications
clients
clustering
connectivity
design
development
misc
mobility
setup
tools
  
 
date: Sun, 30 Mar 2008 23:40:00 -0700,    group: microsoft.public.exchange.development        back       


Get exchange public folder permissions    
Hi,

I am using WebDAV to get a list of public folders on my Exchange server and 
their properties.I am interested in the permissions of the public folder. I 
get the ntSecurityDescriptor as one of the properties :

 <d:ntsecuritydescriptor b:dt="bin.base64">
CAAEAAAAAAABAASMlAAAAKAAAAAAAAAAFAAAAAIAgAAGAAAAAAkUAKkKEgABAQAAAAAABQcAAAABCRQAFgUfAAEBAAAAAAAFBwAAAAACFACrCBIAAQEAAAAAAAUHAAAAAQIUABTJDQABAQAAAAAABQcAAAAAAhQAqwgSAAEBAAAAAAABAAAAAAAJFACpChIAAQEAAAAAAAEAAAAAAQEAAAAAAAUSAAAAAQIAAAAAAAUgAAAAIAIAAA==
 </d:ntsecuritydescriptor>

My questions :

1. Is ntSecurityDescriptor the right way to get the permissions of a public 
folder in Exchange Server
2. If so, how do I interpret this ntSecurityDescriptor. I tried to decode it 
in base64 but could not get ACL from decoded string  as well. I undertstand 
that i should use IAdsSecurityDescriptor, but I dont really know how to.

Thanks,
Ramya
date: Sun, 30 Mar 2008 23:40:00 -0700   author:   Ramya

Re: Get exchange public folder permissions    
Hello,

>
> 1. Is ntSecurityDescriptor the right way to get the permissions of a 
> public
> folder in Exchange Server

You can use the binary descriptor - If you are using .NET 2.0 or later I 
would suggest this approach because you can leverage the built-in support 
for ACL in .NET. Otherwise, the XML format is more suited (see the Exchange 
SDK for more info on this).

But you need to order the ACEs correctly - that's very tricky.

I have a .NET implementation of this on my website (with source) 
(www.infinitec.de, look for the InfiniTec.Exchange package).

> 2. If so, how do I interpret this ntSecurityDescriptor. I tried to decode 
> it
> in base64 but could not get ACL from decoded string  as well. I 
> undertstand
> that i should use IAdsSecurityDescriptor, but I dont really know how to.

The binary security descriptor is prepended with an 8 byte header. It's 
always in the form of 08 00 03 00 00 00 00 00. At least, I haven't seen any 
other values. The first two bytes specify the length of the header. I don't 
know what the rest means.

Kind regards,
Henning Krause
date: Mon, 31 Mar 2008 13:01:38 +0200   author:   Henning Krause [MVP - Exchange]

Re: Get exchange public folder permissions    
Hi,

Sorry about basic nature of the question, but is the ntSecurityDescriptor 
the binary descriptor you are talking about. Else, how must I get the binary 
security attribute. Must I decode this ntSecurityDescriptor in base 64 and 
then use some Win 32 API to get the security object.

Thanks,
Ramya


"Henning Krause [MVP - Exchange]" wrote:

> Hello,
> 
> >
> > 1. Is ntSecurityDescriptor the right way to get the permissions of a 
> > public
> > folder in Exchange Server
> 
> You can use the binary descriptor - If you are using .NET 2.0 or later I 
> would suggest this approach because you can leverage the built-in support 
> for ACL in .NET. Otherwise, the XML format is more suited (see the Exchange 
> SDK for more info on this).
> 
> But you need to order the ACEs correctly - that's very tricky.
> 
> I have a .NET implementation of this on my website (with source) 
> (www.infinitec.de, look for the InfiniTec.Exchange package).
> 
> > 2. If so, how do I interpret this ntSecurityDescriptor. I tried to decode 
> > it
> > in base64 but could not get ACL from decoded string  as well. I 
> > undertstand
> > that i should use IAdsSecurityDescriptor, but I dont really know how to.
> 
> The binary security descriptor is prepended with an 8 byte header. It's 
> always in the form of 08 00 03 00 00 00 00 00. At least, I haven't seen any 
> other values. The first two bytes specify the length of the header. I don't 
> know what the rest means.
> 
> Kind regards,
> Henning Krause 
> 
>
date: Mon, 31 Mar 2008 05:10:01 -0700   author:   Ramya

Re: Get exchange public folder permissions    
Hi Ramya,

> Sorry about basic nature of the question, but is the ntSecurityDescriptor
> the binary descriptor you are talking about. Else, how must I get the 
> binary

Yes, it is.

> security attribute. Must I decode this ntSecurityDescriptor in base 64 and
> then use some Win 32 API to get the security object.

you get it as a base64 encoded string. So the next step is decoding it into 
a byte array. Then have a look at the first two bytes. This is the length of 
the header you need to strip (AFAIK always 08 00 - so strip 8 bytes). The 
rest is the security descriptor.

You can now parse that using the Win32 GetSecurityDescriptorDacl methods and 
its siblings. Of course, this is far easier in .NET where you can load that 
byte array into a RawSecurityDescriptor instance.

Now you can manipulate the DACL and whatever. But if you change anything, 
you must reorder the ACL according to 
http://msdn2.microsoft.com/en-us/library/ms879383(EXCHG.65).aspx. NOT DOING 
THIS WILL BREAK EXCHANGE at some point - at least Outlook and certainly the 
Exchange System manager.

As I said - have a look at my implementation of this stuff. It's all 
implemented there.

Kind regards,
Henning Krause
date: Mon, 31 Mar 2008 22:10:25 +0200   author:   Henning Krause [MVP - Exchange]

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us