HOWTO: Add a User with Permissions to Exchange Server Objects

ID: Q194809

The information in this article applies to:

SUMMARY

The permissions on a particular Exchange container object, such as the organization, site, and/or configuration container, may need to be changed. For example, it may be necessary to add a specific user to the organization, site, and/or configuration containers. To accomplish this, you need to use the Directory Application Program Interface (DAPI) to read and write the security descriptor. After the security descriptor has been read, you can manipulate it by using Windows NT security APIs.

MORE INFORMATION

Using the DAPIRead() function, the security descriptor is read from the Exchange container object. Exchange stores the security descriptor as SelfRelative. Before modifying the security descriptor, you need to convert it to Absolute. The API to change a security descriptor from SelfRelative to Absolute is MakeAbsoluteSD(). Once the security descriptor is in an absolute form, you can add to it. There are a number of APIs that you can use to manipulate the security descriptor. Some of these APIs are in the function CreateMySecurityDescriptor() that follows.
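A self-relative descriptor locates its owner, group, and ACLs by byte offsets inside one buffer, so it is worth checking that the buffer is well formed before handing it to MakeAbsoluteSD(). The following is an added example, not the article's own code: portable C that validates the documented self-relative layout without calling any Win32 API. The names check_self_relative_sd and SAMPLE_SD are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from winnt.h, redefined here so the check builds on any platform. */
#define SD_REVISION      1
#define SD_SELF_RELATIVE 0x8000u /* SE_SELF_RELATIVE bit in Control */
#define SD_HEADER_LEN    20u     /* Revision, Sbz1, Control, four 32-bit offsets */
#define ACL_HEADER_LEN   8u
#define SID_HEADER_LEN   8u

enum sd_status { SD_OK, SD_TRUNCATED, SD_BAD_REVISION, SD_NOT_SELF_RELATIVE, SD_BAD_OFFSET };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* An object must start after the header and fit entirely inside the buffer. */
static int span_ok(size_t len, uint32_t off, size_t need) {
    return off >= SD_HEADER_LEN && off <= len && len - off >= need;
}
/* A SID is 8 header bytes plus 4 bytes per sub-authority (at most 15). */
static int sid_ok(const uint8_t *b, size_t len, uint32_t off) {
    if (off == 0) return 1; /* offset 0 means the field is absent */
    if (!span_ok(len, off, SID_HEADER_LEN)) return 0;
    return b[off + 1] <= 15 && span_ok(len, off, SID_HEADER_LEN + 4u * b[off + 1]);
}
/* An ACL states its own total size in bytes 2..3 of its header. */
static int acl_ok(const uint8_t *b, size_t len, uint32_t off) {
    if (off == 0) return 1;
    if (!span_ok(len, off, ACL_HEADER_LEN)) return 0;
    return rd16(b + off + 2) >= ACL_HEADER_LEN && span_ok(len, off, rd16(b + off + 2));
}

enum sd_status check_self_relative_sd(const uint8_t *b, size_t len) {
    if (len < SD_HEADER_LEN) return SD_TRUNCATED;
    if (b[0] != SD_REVISION) return SD_BAD_REVISION;
    if (!(rd16(b + 2) & SD_SELF_RELATIVE)) return SD_NOT_SELF_RELATIVE;
    if (!sid_ok(b, len, rd32(b + 4)) || !sid_ok(b, len, rd32(b + 8))) return SD_BAD_OFFSET;   /* owner, group */
    if (!acl_ok(b, len, rd32(b + 12)) || !acl_ok(b, len, rd32(b + 16))) return SD_BAD_OFFSET; /* SACL, DACL */
    return SD_OK;
}

/* Constructed sample: owner S-1-5-32-544 at offset 20, empty DACL at offset 36. */
static const uint8_t SAMPLE_SD[44] = {
    1, 0, 0x04, 0x80,  20, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  36, 0, 0, 0,
    1, 2, 0, 0, 0, 0, 0, 5,  32, 0, 0, 0,  0x20, 0x02, 0, 0,
    2, 0, 8, 0, 0, 0, 0, 0 };

int main(void) {
    printf("sample status: %d\n", check_self_relative_sd(SAMPLE_SD, sizeof SAMPLE_SD));
    return 0;
}
```

A descriptor that fails with SD_NOT_SELF_RELATIVE is already in absolute form and must not be passed to MakeAbsoluteSD().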

NOTE: You can use similar code with Active Directory Service Interface (ADSI)/Lightweight Directory Access Protocol (LDAP) to manipulate security descriptors in Exchange 5.5 and later environments.

The following code reads the security descriptor, converts it to absolute form, manipulates it, and writes it back to the organization container. Dapi.lib is the only additional library required to compile this Win32 console application.

The command line parameters required follow:

Additional query words:
Keywords          : kbADSI kbAPI kbMsg kbEDK550 
Version           : WINDOWS:5.0,5.5
Platform          : WINDOWS
Issue type        : kbhowto

Last Reviewed: November 4, 1998