Can I use the JWSCL to check whether the current user has a specific extended right on an Active Directory object?

[亡魂溺海] submitted on 2019-12-11 05:54:46

Question


[This is a slightly more specific version of the question I already asked here: How do I query effective permissions on an Active Directory Object? - Hopefully the answers I receive here will help me better understand and judge the answer(s) I received there.]

Very specifically, I'm currently looking for a way to verify whether the current user has the Exchange-specific "Send As" permission (this is a so-called "extended right") on a given Active Directory object such as another user (i.e. a mailbox), a mail-enabled Public Folder or a distribution list. It's important that permissions granted (or denied) indirectly via group membership are taken into account as well. In the mid- to long-term I'd very much like to learn more about the Windows security model and its APIs. This task is just my jumping-off point.

While researching how best to implement some of the available C++ examples in Delphi, I stumbled across the JWSCL (JEDI Windows Security Code Library). But even though it seems there have been recent contributions of some AD-related code, several documents on the JWSCL blog and wiki still note that "Active Directory support" has yet to be added.

However, could this maybe just be an issue of outdated documentation? And even if not, do I really need that for this particular task? I am already able to retrieve the SECURITY_DESCRIPTOR attribute of the objects I want to check using IDirectoryObject.GetAttributes. Once I've got that SD, does it still make a difference that I'm checking permissions on an AD object? Couldn't I just use that with the code that's already there despite the supposedly missing AD support?
If so, how?

I already tried modifying the GetEffectiveRightsFromAclWithAuthZ example that ships with the JWSCL but I already fail at creating a TJwSecurityDescriptor object from my PSECURITY_DESCRIPTOR pointer. Simply passing it to TJwSecurityDescriptor.Create() fails with an EJwsclInvalidSIDException.

Any ideas? Am I even remotely on the right track?

Source: https://stackoverflow.com/questions/8524507/can-i-use-the-jwscl-to-check-whether-the-current-user-has-a-specific-extended-ri
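The check the question describes, as an added example (not part of the original post and not JWSCL code): it walks a DACL in stored order and decides one extended right for a set of token SIDs, so grants and denies that arrive through group membership are honoured. It assumes the security descriptor has already been converted to SDDL (for instance with `ConvertSecurityDescriptorToStringSecurityDescriptor`), that ACE trustees are literal SIDs, and that the caller supplies the user's SID plus group SIDs; all SIDs and the ACL below are constructed. It is a simplified model for study, and `AuthzAccessCheck` or `AccessCheckByType` remains the authoritative check.

```python
import re

SEND_AS = "ab721a54-1e2f-11d0-9819-00aa0040529b"     # rightsGuid of Send-As
RECEIVE_AS = "ab721a56-1e2f-11d0-9819-00aa0040529b"  # a different extended right
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

def parse_dacl(sddl):
    """Return the DACL's ACEs in stored order, six SDDL fields each."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [ace.split(";")[:6] for ace in re.findall(r"\(([^)]*)\)", dacl)]

def pairs(text):
    return re.findall("..", text)  # SDDL flags/rights are two-letter codes

def grants_control_access(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in pairs(rights)   # a substring test would misread "DCRP"

def has_extended_right(sddl, token_sids, right_guid=SEND_AS):
    """First matching ACE decides, as in an ordered DACL walk for one right."""
    for ace_type, flags, rights, obj_guid, _inh_guid, sid in parse_dacl(sddl):
        if "IO" in pairs(flags):                 # inherit-only: not effective here
            continue
        if sid not in token_sids or not grants_control_access(rights):
            continue
        if obj_guid and obj_guid.lower() != right_guid:
            continue                             # ACE names another extended right
        if ace_type in ("D", "OD"):
            return False
        if ace_type in ("A", "OA"):
            return True
    return False                                 # no ACE matched: implicit deny

# Constructed sample data: made-up domain SID, RIDs and ACL.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, BOB, CAROL, DAVE = (f"{DOM}-{rid}" for rid in (1104, 1105, 1106, 1107))
HELPDESK, CONTRACTORS = f"{DOM}-1201", f"{DOM}-1202"
MAILBOX_SD = (
    "O:DAG:DAD:AI"
    f"(OD;;CR;{SEND_AS};;{CONTRACTORS})"         # deny via group, listed first
    f"(OA;;CR;{SEND_AS};;{HELPDESK})"            # allow via group
    f"(OA;;CR;{RECEIVE_AS};;{CAROL})"            # other right, must not count
    f"(OA;CIIO;CR;{SEND_AS};;{CAROL})"           # inherit-only, must not count
    f"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{DAVE})"  # non-object ACE carrying CR
)

if __name__ == "__main__":
    print(has_extended_right(MAILBOX_SD, {ALICE, HELPDESK}))
```

The ACE without an object GUID matters for the "is an AD object different?" part of the question: a plain allow ACE that carries the control-access bit covers every extended right, while an object ACE covers only the right whose GUID it names.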
