问题
[This is a slightly more specific version of the question I already asked here: How do I query effective permissions on an Active Directory Object? - Hopefully the answers I receive here will help me better understand and judge the answer(s) I received there.]
Very specifically, I'm currently looking for a way to verify whether the current user has the Exchange-specific "Send As" permission (this is a so-called "extended right") on a given Active Directory object such as another user (i.e. a mailbox), a mail-enabled Public Folder or a distribution list. It's important that permissions granted (or denied) indirectly via group membership are taken into account as well. In the mid- to long-term I'd very much like to learn more about the Windows security model and its APIs. This task is just my jumping-off point.
While researching how best to implement some of the available C++ examples in Delphi, I stumbled across the JWSCL (JEDI Windows Security Code Library). But even though it seems there have been recent contributions of some AD-related code, several documents on the JWSCL blog and wiki still note that "Active Directory support" has yet to be added.
However, could this maybe just be an issue of outdated documentation? And even if not, do I really need that for this particular task? I am already able to retrieve the SECURITY_DESCRIPTOR
attribute of the objects I want to check using IDirectoryObject.GetAttributes
. Once I've got that SD, does it still make a difference that I'm checking permissions on an AD object? Couldn't I just use that with the code that's already there despite the supposedly missing AD support?
If so, how?
I already tried modifying the GetEffectiveRightsFromAclWithAuthZ example that ships with the JWSCL but I already fail at creating a TJwSecurityDescriptor
object from my PSECURITY_DESCRIPTOR
pointer. Simply passing it to TJwSecurityDescriptor.Create()
fails with an EJwsclInvalidSIDException
.
Any ideas? Am I even remotely on the right track?
来源:https://stackoverflow.com/questions/8524507/can-i-use-the-jwscl-to-check-whether-the-current-user-has-a-specific-extended-ri