Has anyone done this successfully? I've been trying via both COM and P/Invoke interop to manipulate the attribute for Active Directory user objects. I've run into dead ends with each.

In the COM approach, the IADsSecurityUtility::ConvertSecurityDescriptor method gives me a valid security descriptor from the MIIS-provided byte array, but I'm getting extra bits (as compared to the original byte array once the SD has been converted back). Apparently the extra bits are meaningless to Windows (the ACL is properly set after an MIIS export), but they get discarded by AD, and this causes some MIIS-specific issues.

In the Win32 approach, the data just doesn't seem quite right. Some of the functions work, like IsValidSecurityDescriptor() and IsValidAcl(), but others, like SetSecurityDescriptorOwner, return error #1336 ERROR_INVALID_ACL.

I'm hoping someone here can offer some suggestions about what might cause this condition.

Hugh