Microsoft KB Archive/317891

= How to add an access control entry to a folder item in Exchange 2000 Web Storage System by using WebDAV =

Article ID: 317891

Article Last Modified on 9/14/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition




This article was previously published under Q317891



IN THIS TASK
 * SUMMARY
 * Requirements
 * How to add an access control entry to a Web Storage System folder item
   * How to create a Visual Basic project
   * How to copy the sample code to your project
 * More information
 * Frequently asked questions
 * Troubleshooting
 * REFERENCES



SUMMARY
This step-by-step article describes how to add an access control entry (ACE) to a folder item in Exchange 2000 Server Web Storage System.

The Web Storage System is a database technology that you can use to store, share, and manage heterogeneous data, such as e-mail messages, Web pages, multimedia files, and Microsoft Office 2000 documents. The Web Storage System is organized similarly to a conventional file system, as a hierarchy of folders. Each folder in the Web Storage System can contain any number of items, including other folders. You can access items in the Web Storage System by using many protocols and application programming interfaces (APIs), including Hypertext Transfer Protocol (HTTP) and World Wide Web Distributed Authoring and Versioning (WebDAV), Microsoft ActiveX Data Objects (ADO) 2.5, OLE DB 2.5, Collaboration Data Objects for Microsoft Exchange 2000 Server (CDOEX), Messaging Application Programming Interface (MAPI), the file system, and other industry-standard wire protocols.

A Microsoft Windows security descriptor defines access rights to a securable object through definition of the object's owner and through a set of access control entries (ACEs) in the descriptor's discretionary access control list (DACL). Each ACE in the DACL either grants or denies a trustee a certain set of access rights to the securable object. The set of rights granted or denied by a particular ACE is contained in its access mask. The access mask is a 32-bit number in which the upper 16 bits define standard and generic access rights and the lower 16 bits define access rights that are object specific.


Requirements
The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:
 * Microsoft Windows 2000
 * Microsoft Exchange 2000 Server
 * Microsoft Visual Basic 6.0 with Service Pack 5 (SP5)
 * Microsoft XML 2.0


How to add an access control entry to a Web Storage System folder item
For the purpose of this article, it is assumed that Microsoft Exchange 2000 Server is installed and that the Web Storage System functions appropriately. Therefore, the user can visit a public folder and post and edit items in the folder in Internet Explorer by typing the address in the following format:

http:// / / 

How to create a Visual Basic project

 1. Make sure that Microsoft Visual Basic 6.0 SP5 and Internet Explorer 5 or later are installed.
 2. Start Microsoft Visual Basic 6.0 SP5.
 3. In the New Project dialog box, double-click Standard EXE to create a new project.
 4. On the Project menu, click References.
 5. In the References dialog box, click to select the Microsoft XML, Version 2.0 check box, and then click OK.


How to copy the sample code to your project
 1. On the View menu, click Code.
 2. In the Visual Basic code window, paste the following code:

```vb
' Access masks for the Author role. The "Fld" masks are applied to the folder itself
' (effective_aces and subcontainer_inheritable_aces); the "Sit" masks are applied to
' items created in the folder (subitem_inheritable_aces).
Const User_AuthFldAllow = &H1208AB
Const User_AuthFldDeny = &HDC914
Const User_AuthSitAllow = &H120EA9
Const User_AuthSitDeny = &H1F0716
Const Grp_AuthFldAllow = &H1208AB
Const Grp_AuthFldDeny = &HDC914
Const Grp_AuthSitAllow = &H120EA9
Const Grp_AuthSitDeny = &H1F0716

' Builds an XML fragment that holds one access_allowed_ace and one access_denied_ace
' for the trustee Name, in the Exchange security namespace. The opening tags in this
' function were lost in the archived copy of the article and have been restored from
' the surviving closing tags; the wrapper element name (S:aces) and the S:type element
' around UserType are assumptions. Any wrapper that declares the S: namespace works,
' because AddAuthorACE only selects the two child ACE elements.
Private Function AddACE(ByVal Name As String, ByVal UserType As String, ByVal Allow As Long, ByVal Deny As Long) As String
    Dim strXML As String
    strXML = "<?xml version=""1.0""?>" & vbCrLf & _
    "<S:aces xmlns:S=""http://schemas.microsoft.com/exchange/security/"">" & vbCrLf & _
    "   <S:access_allowed_ace S:inherited=""0"">" & vbCrLf & _
    "      <S:access_mask>" & Hex(Allow) & "</S:access_mask>" & vbCrLf & _
    "      <S:sid>" & vbCrLf & _
    "         <S:type>" & UserType & "</S:type>" & vbCrLf & _
    "         <S:nt4_compatible_name>" & Name & "</S:nt4_compatible_name>" & vbCrLf & _
    "      </S:sid>" & vbCrLf & _
    "   </S:access_allowed_ace>" & vbCrLf & _
    "   <S:access_denied_ace S:inherited=""0"">" & vbCrLf & _
    "      <S:access_mask>" & Hex(Deny) & "</S:access_mask>" & vbCrLf & _
    "      <S:sid>" & vbCrLf & _
    "         <S:nt4_compatible_name>" & Name & "</S:nt4_compatible_name>" & vbCrLf & _
    "      </S:sid>" & vbCrLf & _
    "   </S:access_denied_ace>" & vbCrLf & _
    "</S:aces>" & vbCrLf
    AddACE = strXML
End Function

' Reads the folder's security descriptor with PROPFIND, inserts an Author ACE pair for
' NTName into each of its three sections, and writes it back with PROPPATCH.
' UserType is "user" or "group".
Public Function AddAuthorACE(ByVal FdPath As String, ByVal NTName As String, ByVal UserType As String)
    Dim xmlReq As MSXML.XMLHTTPRequest
    Dim query As String
    Dim XMLDOM As MSXML.DOMDocument
    Dim XMLRoot As MSXML.DOMDocument
    Dim strNewNode As String
    Dim xmlNode As MSXML.IXMLDOMNode
    Dim effacesnode As MSXML.IXMLDOMNode
    Dim subconacesnode As MSXML.IXMLDOMNode
    Dim subitemacesnode As MSXML.IXMLDOMNode
    Dim xmlNewACEDom As MSXML.DOMDocument
    Dim xmlNewNode As MSXML.IXMLDOMNode

    Set xmlReq = CreateObject("Microsoft.XMLHTTP")
    Set XMLDOM = CreateObject("Microsoft.XMLDOM")

    ' Get the current security descriptor of the folder
    xmlReq.open "PROPFIND", FdPath, False
    xmlReq.setRequestHeader "Content-Type", "text/xml"
    xmlReq.setRequestHeader "Depth", "0"
    query = "<?xml version='1.0'?>"
    query = query + "<a:propfind xmlns:a='DAV:'>"
    query = query + "<a:prop xmlns:ex='http://schemas.microsoft.com/exchange/security/'>"
    query = query + "<ex:descriptor/>"
    query = query + "</a:prop>"
    query = query + "</a:propfind>"
    xmlReq.send query
    Set XMLDOM = xmlReq.responseXML

    ' Create the empty PROPPATCH body that will carry the updated security descriptor
    query = "<?xml version='1.0'?>"
    query = query + "<a:propertyupdate xmlns:a='DAV:' xmlns:e='http://schemas.microsoft.com/exchange/security/'>"
    query = query + "<a:set><a:prop><e:descriptor>"
    query = query + "</e:descriptor></a:prop></a:set></a:propertyupdate>"
    Set XMLRoot = CreateObject("Microsoft.XMLDOM")
    XMLRoot.loadXML query

    ' Move the security descriptor returned by PROPFIND into the PROPPATCH body
    Set xmlNode = XMLRoot.documentElement.selectSingleNode("//e:descriptor")
    xmlNode.appendChild XMLDOM.documentElement.selectSingleNode("//S:security_descriptor")
    Set effacesnode = XMLRoot.documentElement.selectSingleNode("//S:effective_aces")
    Set subconacesnode = XMLRoot.documentElement.selectSingleNode("//S:subcontainer_inheritable_aces")
    Set subitemacesnode = XMLRoot.documentElement.selectSingleNode("//S:subitem_inheritable_aces")
    Set xmlNewACEDom = CreateObject("Microsoft.XMLDOM")

    ' Add the effective permission for the user or group
    If UserType = "user" Then
        strNewNode = AddACE(NTName, UserType, User_AuthFldAllow, User_AuthFldDeny)
    Else
        strNewNode = AddACE(NTName, UserType, Grp_AuthFldAllow, Grp_AuthFldDeny)
    End If
    xmlNewACEDom.loadXML strNewNode
    Set xmlNewNode = xmlNewACEDom.documentElement.selectSingleNode("S:access_denied_ace")
    effacesnode.insertBefore xmlNewNode, effacesnode.firstChild
    Set xmlNewNode = xmlNewACEDom.documentElement.selectSingleNode("S:access_allowed_ace")
    effacesnode.insertBefore xmlNewNode, effacesnode.firstChild

    ' Add the sub-container inheritable permission for the user or group
    If UserType = "user" Then
        strNewNode = AddACE(NTName, UserType, User_AuthFldAllow, User_AuthFldDeny)
    Else
        strNewNode = AddACE(NTName, UserType, Grp_AuthFldAllow, Grp_AuthFldDeny)
    End If
    xmlNewACEDom.loadXML strNewNode
    Set xmlNewNode = xmlNewACEDom.documentElement.selectSingleNode("S:access_denied_ace")
    subconacesnode.insertBefore xmlNewNode, subconacesnode.firstChild
    Set xmlNewNode = xmlNewACEDom.documentElement.selectSingleNode("S:access_allowed_ace")
    subconacesnode.insertBefore xmlNewNode, subconacesnode.firstChild

    ' Add the sub-item inheritable permission for the user or group
    If UserType = "user" Then
        strNewNode = AddACE(NTName, UserType, User_AuthSitAllow, User_AuthSitDeny)
    Else
        strNewNode = AddACE(NTName, UserType, Grp_AuthSitAllow, Grp_AuthSitDeny)
    End If
    xmlNewACEDom.loadXML strNewNode
    Set xmlNewNode = xmlNewACEDom.documentElement.selectSingleNode("S:access_denied_ace")
    subitemacesnode.insertBefore xmlNewNode, subitemacesnode.firstChild
    Set xmlNewNode = xmlNewACEDom.documentElement.selectSingleNode("S:access_allowed_ace")
    subitemacesnode.insertBefore xmlNewNode, subitemacesnode.firstChild

    ' Write the updated security descriptor back to the folder
    xmlReq.open "PROPPATCH", FdPath, False
    xmlReq.setRequestHeader "Content-Type", "text/xml"
    xmlReq.setRequestHeader "Depth", "0"
    xmlReq.send XMLRoot.documentElement.xml
End Function
```

 3. On the View menu, click Object, and then drag a button from the Toolbox to the Form object.
 4. Double-click the button that you dragged in step 3 to generate a function named Command1_Click.
 5. Paste the following line into the Command1_Click function that you generated in step 4:

```vb
AddAuthorACE "http://MyExchangeServer/Public/MyFolder", "MYDOMAIN\user1", "user"
```

Note: Replace the folder URL and the account in this line with your own folder URL and account.

 6. Run the project and verify that the user you specified has Author permissions on the folder.
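The same descriptor edit built offline in Python, as an added example that is not part of the KB article: it takes a constructed PROPFIND response, splices an Author-role allowed/denied ACE pair into each of the three descriptor sections in the order the VB code uses, and returns the PROPPATCH body together with a summary that can be reviewed before anything is sent to the server. The sample response and the SECTIONS table are assumptions; the namespace URIs and the access masks are the article's own.

```python
import xml.etree.ElementTree as ET

DAV, SEC = "DAV:", "http://schemas.microsoft.com/exchange/security/"
ET.register_namespace("a", DAV)
ET.register_namespace("S", SEC)

# Author-role access masks from the article (folder variant and item variant).
AUTHFLD_ALLOW, AUTHFLD_DENY = 0x1208AB, 0xDC914
AUTHSIT_ALLOW, AUTHSIT_DENY = 0x120EA9, 0x1F0716
# Descriptor section -> (allow mask, deny mask), one entry per insert in the VB code.
SECTIONS = {"effective_aces": (AUTHFLD_ALLOW, AUTHFLD_DENY),
            "subcontainer_inheritable_aces": (AUTHFLD_ALLOW, AUTHFLD_DENY),
            "subitem_inheritable_aces": (AUTHSIT_ALLOW, AUTHSIT_DENY)}

# Constructed stand-in for a PROPFIND response (a real one carries existing ACEs too).
SAMPLE_PROPFIND = f"""<a:multistatus xmlns:a="{DAV}" xmlns:S="{SEC}"><a:response>
<a:propstat><a:prop><S:descriptor><S:security_descriptor>
<S:effective_aces/><S:subcontainer_inheritable_aces/><S:subitem_inheritable_aces/>
</S:security_descriptor></S:descriptor></a:prop></a:propstat></a:response></a:multistatus>"""

def make_ace(kind, mask, nt4_name):
    """One S:access_allowed_ace or S:access_denied_ace; mask is written like VB's Hex()."""
    ace = ET.Element(f"{{{SEC}}}{kind}", {f"{{{SEC}}}inherited": "0"})
    ET.SubElement(ace, f"{{{SEC}}}access_mask").text = format(mask, "X")
    sid = ET.SubElement(ace, f"{{{SEC}}}sid")
    ET.SubElement(sid, f"{{{SEC}}}nt4_compatible_name").text = nt4_name
    return ace

def build_proppatch(propfind_xml, nt4_name):
    """Return the PROPPATCH body that gives nt4_name Author rights on the folder."""
    sd = ET.fromstring(propfind_xml).find(f".//{{{SEC}}}security_descriptor")
    for section, (allow, deny) in SECTIONS.items():
        node = sd.find(f"{{{SEC}}}{section}")
        if node is None:  # a descriptor missing a section should not be patched blindly
            raise ValueError(f"security descriptor has no {section}")
        # Same order as the VB code: denied ACE first, then the allowed ACE in front of it.
        node.insert(0, make_ace("access_denied_ace", deny, nt4_name))
        node.insert(0, make_ace("access_allowed_ace", allow, nt4_name))
    update = ET.Element(f"{{{DAV}}}propertyupdate")
    prop = ET.SubElement(ET.SubElement(update, f"{{{DAV}}}set"), f"{{{DAV}}}prop")
    ET.SubElement(prop, f"{{{SEC}}}descriptor").append(sd)
    return ET.tostring(update, encoding="unicode")

def ace_summary(proppatch_xml):
    """Map each section to [(ace kind, mask text, trustee)] so the change can be reviewed."""
    sd = ET.fromstring(proppatch_xml).find(f".//{{{SEC}}}security_descriptor")
    return {s: [(a.tag.split("}")[1], a.findtext(f"{{{SEC}}}access_mask"),
                 a.findtext(f".//{{{SEC}}}nt4_compatible_name"))
                for a in sd.find(f"{{{SEC}}}{s}")] for s in SECTIONS}
```

Feeding `ace_summary` the body before it goes out (or the descriptor read back after the PROPPATCH) is the quickest way to confirm that exactly the intended trustee and masks landed in each section.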


More information
 * The access masks that grant the user or group permission are defined as constants at the beginning of the sample code, and the meaning of an access mask is explained in the Summary. The access mask is a 32-bit number in which the upper 16 bits define standard and generic access rights and the lower 16 bits define access rights that are object specific. For more information about access masks and Web Storage System security roles, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms998676.aspx

 * Folder item security descriptors include three main parts:
   * effective_aces: contains the ACEs for the effective permissions set on the folder.
   * subcontainer_inheritable_aces: by default, the subfolders in this folder inherit their ACEs from this part.
   * subitem_inheritable_aces: by default, the items in this folder inherit their ACEs from this part.
 * To prevent the user or group from accessing the folder, remove the corresponding ACEs from the folder security descriptor.
 * An entry typically contains both an access_denied_ace and an access_allowed_ace so that the system can identify the user's permission set unambiguously.
 * When new items are created in folders, the new items are secured by using the ACEs present in the subitem_inheritable_aces section of the parent folder's discretionary access control list (DACL). In a sense, the item inherits a "virtual" descriptor from its parent folder. If the parent folder's descriptor changes, the item automatically inherits the changes. When you set the descriptor for an item, the "virtual" inheritance is no longer used, and the item's own descriptor is used to control access. Therefore, if you make changes to the parent folder's descriptor, items that have had their descriptors set directly do not inherit these changes.


Frequently asked questions
'''Q1: What type of URL should I use? File or HTTP?'''

A1: When you use the Exchange OLE DB (ExOLEDB) provider or the XML descriptor, you can use URLs from either the file or the HTTP scheme.

'''Q2: Does MAPI still function?'''

A2: Yes. All forms written by using Microsoft Visual C++ and MAPI continue to function as before.

'''Q3: Can I change the inherited permission from the parent folder?'''

A3: No. You cannot change an inherited ACE at the folder level. You have to edit the corresponding ACE in the subcontainer_inheritable_aces section of the parent folder.


Troubleshooting
In some scenarios, after you run the code, the ACE still does not appear when you review the folder permissions in Microsoft Outlook or Exchange System Manager. In such a scenario the folder's security descriptor may be corrupted. Test the code on a newly created folder instead.


<div class="references_section">