Microsoft KB Archive/289879

= How To Deny a User Read Permissions on a Mail Item =

Article ID: 289879

Article Last Modified on 2/22/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Visual Basic 6.0 Enterprise Edition
 * Microsoft Visual Basic 6.0 Professional Edition




This article was previously published under Q289879



SUMMARY
This article demonstrates how to modify the discretionary access-control list (DACL) of a security descriptor of a mail item to deny read privileges to a user.



MORE INFORMATION
The following code sample denies read permissions to User1 for the Test.eml mail item that is located in Public Folders\Testfolder.

To deny read privileges to a user, follow these steps:

 1. In the Public Folders folder, create a new folder and name it TestFolder.
 2. In TestFolder, create a new mail item and make the subject of that item "test".
 3. Log on as User1 and make sure that you can see the item.
 4. In Microsoft Visual Basic, create a new Standard EXE project.
 5. Add a reference to the ActiveX Data Objects 2.5 Library.
 6. Add a button and name it Deny.
 7. Paste the following code in the button's Click event:

        Dim strDomainName As String
        Dim strLocalPath As String
        Dim strURL As String
        Dim rec As ADODB.Record
        Dim fld As ADODB.Field
        Dim strXML As String
        Dim NTAlias As String
        Dim Allow As String
        Dim Deny As String

        'TO DO: Change the following 2 variables to reflect your environment and
        'the user whose permissions you are changing.
        strDomainName = "YourDomainName"
        NTAlias = "YourDomainName\user1"

        'Below you are setting the access mask for User1 to
        'deny him read permissions.
        'For more about access masks, refer to the link below.
        Allow = "1FF000"
        Deny = "10FFFF"

        'Build the ExOLEDB file URL of the item.
        strLocalPath = "public folders/testfolder/test.eml"
        strURL = "file://./backofficestorage/" & strDomainName
        strURL = strURL & "/" & strLocalPath

        On Error GoTo ErrHandler
        Set rec = New ADODB.Record
        rec.Open strURL, , adModeReadWrite

        'Modify SD.
        strXML = "<S:security_descriptor " & _
            "xmlns:S=""http://schemas.microsoft.com/security/"" " & _
            "xmlns:D=""urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"" " & _
            "D:dt=""microsoft.security_descriptor"">"
        strXML = strXML + " <S:dacl>"
        strXML = strXML + " <S:effective_aces>"
        strXML = strXML + "  <S:access_allowed_ace>"
        strXML = strXML + "  <S:access_mask>" + Allow + "</S:access_mask>"
        strXML = strXML + "   <S:sid>"

        'If you are denying to the group, the line below will be
        'strXML = strXML + "     <S:type>group</S:type>"
        strXML = strXML + "    <S:type>user</S:type>"
        strXML = strXML + "    <S:nt4_compatible_name>" + NTAlias
        strXML = strXML + "</S:nt4_compatible_name>"
        strXML = strXML + "   </S:sid>"
        strXML = strXML + "  </S:access_allowed_ace>"
        strXML = strXML + "  <S:access_denied_ace>"
        strXML = strXML + "   <S:access_mask>" + Deny + "</S:access_mask>"
        strXML = strXML + "   <S:sid>"

        'If you are denying to the group, the line below will be
        'strXML = strXML + "     <S:type>group</S:type>"
        strXML = strXML + "    <S:type>user</S:type>"
        strXML = strXML + "    <S:nt4_compatible_name>" + NTAlias
        strXML = strXML + "</S:nt4_compatible_name>"
        strXML = strXML + "   </S:sid>"
        strXML = strXML + "  </S:access_denied_ace>"
        strXML = strXML + " </S:effective_aces>"
        strXML = strXML + " </S:dacl>"
        strXML = strXML + "</S:security_descriptor>"

        'Write the XML security descriptor to the item.
        rec.Fields.Append _
            "http://schemas.microsoft.com/exchange/security/descriptor", _
            adBSTR, Len(strXML), , strXML
        rec.Fields.Update

        'Close it.
        rec.Close
        Set rec = Nothing

        'Execution falls through to here; a message is shown only after an error.
        ErrHandler:
        If Err.Number Then
            MsgBox Err.Number & ": " & Err.Description & "::" & Err.Source
            Err.Clear
        End If

 8. Modify the lines of code that are marked "TO DO" according to your situation.
 9. Run the project and click Deny.
 10. Log on as User1 and locate TestFolder. You are now unable to view the item that you created.
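The descriptor string built in step 7 can be checked offline before it is written to the store. The following is an added example in Python, not code from the original article: it parses a constructed copy of that XML, lists each ACE, and reports the mask bits that appear in both the allow and the deny entry for one trustee. The function names and the sample alias are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.microsoft.com/security/"}  # namespace used in the article

def parse_aces(xml_text):
    """Return [(kind, trustee, sid_type, mask)] per ACE; raises ET.ParseError if malformed."""
    root = ET.fromstring(xml_text)
    aces = []
    for ace in root.findall("S:dacl/S:effective_aces/*", NS):
        kind = ace.tag.split("}")[1]  # access_allowed_ace or access_denied_ace
        mask = int(ace.findtext("S:access_mask", namespaces=NS), 16)
        trustee = ace.findtext("S:sid/S:nt4_compatible_name", namespaces=NS)
        sid_type = ace.findtext("S:sid/S:type", namespaces=NS)
        aces.append((kind, trustee.strip(), sid_type.strip(), mask))
    return aces

def allow_deny_overlap(aces, trustee):
    """Bits that one trustee has in both an allow ACE and a deny ACE."""
    allow = deny = 0
    for kind, name, _sid_type, mask in aces:
        if name.lower() == trustee.lower():
            if kind == "access_allowed_ace":
                allow |= mask
            elif kind == "access_denied_ace":
                deny |= mask
    return allow & deny

def sample_descriptor(alias="YourDomainName\\user1", allow="1FF000", deny="10FFFF"):
    """Constructed sample mirroring the article's string concatenation."""
    # Like the VB code, this does no XML escaping of the alias.
    def ace(kind, mask):
        return (f"<S:{kind}><S:access_mask>{mask}</S:access_mask><S:sid>"
                f"<S:type>user</S:type><S:nt4_compatible_name>{alias}"
                f"</S:nt4_compatible_name></S:sid></S:{kind}>")
    return ('<S:security_descriptor xmlns:S="http://schemas.microsoft.com/security/"'
            ' xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"'
            ' D:dt="microsoft.security_descriptor"><S:dacl><S:effective_aces>'
            + ace("access_allowed_ace", allow) + ace("access_denied_ace", deny)
            + "</S:effective_aces></S:dacl></S:security_descriptor>")

if __name__ == "__main__":
    aces = parse_aces(sample_descriptor())
    for kind, name, sid_type, mask in aces:
        print(f"{kind:20} {sid_type:5} {name:25} 0x{mask:06X}")
    print("bits in both masks: 0x%06X" % allow_deny_overlap(aces, "YourDomainName\\user1"))
```

A trustee name containing `&` makes the concatenated string malformed, and `parse_aces` raises `ParseError` for it, so the check catches that case before the descriptor is written.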

<div class="references_section">