Abstract classes, 20
Access Control Entries (ACEs)
  access-allowed, 711
  access-denied, 711
  ACE AccessMask property, 626–27, 637–91
  ACE Flags property, 632–35
  ACE Flag Type property, 626, 635–37
  ACE InheritedObjectType property, 651, 678–80
  ACE ObjectType property, 648, 652–78
  ACE Trustee property, 627
  ACE Type property, 627–32
  adding, in ADSI object model, 499–701
  adding, in WMI object model, 701–3
  deciphering, 626–91
  defined, 545
  defined in security descriptor, 624
  elements, 546
  Extended Rights reference, 666
  inheritance, customizing, 677
  inheritance control, 632
  inheritance support, 625
  inheritance to specific object class, 678
  inherited, 624, 696, 711
  properties, 626
  properties, changing, 644
  removing, 643, 703–10
  removing, in ADSI object model, 703–7
  removing, in WMI object model, 707–10
  reordering, 710–15
  reordering, in ADSI object model, 711–13
  reordering, in WMI object model, 713–15
AccessControlEntry object, 548, 616, 701
AccessControlList object, 548
Access Control Lists (ACLs)
  deciphering, 625–26
  defined, 545
  Discretionary (DACL), 545
  editor, 710
  System (SACL), 546, 551
ACE AccessMask property, 626–27, 637–91
  Active Directory object, 648–80
  Active Directory object values, 649–52
  CIM repository namespace, 687–91
  equal value, 667, 668, 670, 679
  Exchange 2000 mailbox, 680–84
  Exchange 2000 mailbox values, 681
  files and folders, 637–44
  files and folders values, 642
  file system share, 644–47
  file system share values, 645
  inheritance, 641
  registry key, 684–87
  registry key values, 684
  See also Access Control Entries (ACEs)
ACE Flags property, 632–35
  deciphering, 632, 633–34
  defined, 632
  for Exchange 2000 mailbox, 682
  file system share and, 646
  inheritance flags, 632–33
  values, 634–35
  See also Access Control Entries (ACEs)
ACE FlagType property, 626
  deciphering, 635–36
  defined, 635
  values, 636–37
  See also Access Control Entries (ACEs)
ACE InheritedObjectType property, 651, 678–80
  setting, 680
  understanding, 678–80
ACE ObjectType property, 648
  deciphering logic, 670
  to grant/deny object creation/deletion, 669
  GUID number, 667, 668, 670, 679
  GUID number origins summary, 676
  understanding, 652–78
  See also Access Control Entries (ACEs)
ACE Trustee property, 627
ACE Type property, 627–32
  Active Directory Extended Rights and, 630–31
  for Active Directory security descriptor, 630
  aim, 627
  bitwise operation, 627
  deciphering, 627–32
  equal value, 667, 668, 670, 679
  function, 627–29
  for non-Active Directory security descriptor, 629
  values, 670
  See also Access Control Entries (ACEs)
Active Directory
  classes, 373, 375, 376
  creating in, 378–81
  Domain Controller, 153
  group memberships, monitoring, 383–86
  mapping, 375
  msExchMailboxSecurityDescriptor, 725
  Naming Contexts, 652
  objects, creating, 378–79
  organizationalPerson class, 373, 374
  person class, 373, 374
  querying, 381
  replication state, 397–99, 401–2
  rights, 652
  rights, deciphering, 648
  schema, 373, 375
  search depth, 382
  searching in, 381–83
  security descriptor inheritance flags, 633
  top class, 373, 374
  updating in, 378–81
  user class, 373, 374, 376
Active Directory Extended Rights
  ACE reference to, 666
  ACE Type property and, 630–31
  "Add/Remove self as member," 677
  attributes links, 657
  defined, 652
  enforced by Active Directory, 653
  enforced by applications, 653
  enforced by system to perform extra checking, 653
  example, 653, 654
  GUID number, 655
  list of, 658–65
  location, 652
  name, 666
  "Personal Information," 677
  "Send As," 677
  understanding, 651–52
  under Windows Server 2003, 658–65
  validAccess attribute value, 657
Active Directory object ACE AccessMask property, 648–80
  deciphering, 648
  flag values, 652
  management, 648
  values (advanced view), 651
  values (standard view), 649–50
Active Directory object security descriptors, 571–75
  with ADSI connection, 573–75
  connecting to, 571–75
  registry keys retrieval with, 600–602
  retrieving, 594–97
  retrieving with ADSI, 596–97
  retrieving with WMI, 594–96
  updating, 721–24
  updating, with ADSI, 723–24
  updating, with WMI, 721–23
  with WMI connection, 571–73
Active Directory providers, 211
  activity in log file, 391
  capabilities, 372
  classes, 377
  debugging, 391–94
  defined, 212
  DS_LDAP_Class_Containment class, 376, 377
  DS_LDAP_Instance_Containment class, 376, 377
  Level registry key for, 392
  RootDSE class, 377
  trace logging of, 391
  See also WMI providers
Active Directory Replication provider, 394–405
  capabilities, 394
  classes, 394
  defined, 394
  implementation, 395
  location, 394
  MSAD_DomainController class, 395, 400
  MSAD_NamingContext class, 399
  MSAD_ReplCursor class, 400
  MSAD_ReplNeighbor class, 401
  MSAD_ReplPendingOp class, 399
Active Directory Service Interfaces. See ADSI
Active Directory Trust Monitoring provider, 211
Active Server Page. See ASP scripts
AddAce() function, 564, 571, 699–701
  AccessMask parameter, 700
  ACEFlags parameter, 700
  ACEType parameter, 700
  ACLType parameter, 700, 701, 702
  InheritedObjectType parameter, 700
  ObjectType parameter, 700
  objSD parameter, 699
  objWMIServices parameter, 699
  Password parameter, 699
  SDType parameter, 700
  SIDResolutionDC parameter, 699
  Trustee parameter, 700
  UserID parameter, 699
ADSIHelper object, 595, 598
  ActiveX DLL, 608, 609
  defined, 608
  methods, 608
ADSI object model
  adding ACEs in, 699–701
  removing ACEs in, 703–7
  reordering ACEs in, 711–13
ADSI security descriptor representation, 544, 547–49
  ACLs, deciphering, 626
  Active Directory objects connection with, 573–75
  Active Directory objects retrieval with, 596–97
  Active Directory update with, 723–24
  CIM repository namespaces connection with, 585
  conversion, 607–9
  deciphering, 616–19
  Exchange 2000 mailbox connection with, 578–79
  Exchange 2000 mailbox retrieval with, 598–99
  Exchange 2000 mailbox update with, 727–28
  file/folder connection with, 565–67
  file/folder retrieval with, 587–92
  file/folder update with, 718–19
  file system share connection with, 569–71
  file system share retrieval with, 593–94
  file system share update with, 720–21
  logical structure, 548
  registry keys connection with, 581–83
ADSI WMI Extension, 737–38
ADsSecurity.DLL, 589, 618, 729
ADsSecurity object, 565, 566, 573, 581
  GetSecurityDescriptor method, 602
  SecurityMask property, 601
ADsSecurityUtility object, 565, 569, 570, 581, 587, 589
  bug, 602, 719
  ConvertSecurityDescriptor method, 608
  for security descriptor conversion, 608
  SecurityMask property, 597
ADSUTIL.VBS script, 781
Application WMI providers, 741–860
  Cluster, 747–49
  Exchange 2000, 785–802
  IIS, 776–85
  Internet Explorer, 811–13
  Microsoft Office, 809–11
  Network Load-Balancing, 741–47
  OVOW, 825–43
  SQL Server 2000, 802–9
  Terminal Server, 749–71
  WDM, 771–75
  See also WMI providers
Arrays
  intKeyTypes, 239
  strSubKeys, 236, 239
ASP scripts
  anonymous/basic authentication, 538
  authentication settings, 536–39
  configuration under Windows 2000+, 537–38
  configuration under Windows NT, 536–37
  running, 536
Association view classes
  creation, 516
  defined, 509
  listing, 514–15
  output, 517
  Win32_DiskQuota class and, 516
Asynchronous event notification, 883–84
Asynchronous scripting, 732–37
  access checks and, 734
  precautions, 734
AttributeSchema object, 655–56
Authentication
  anonymous/basic, 538
  definition locations, 539
  passport/digest, 537–38
  settings, 536–38
  WIA, 537
  See also Security
AutoDiscovery/AutoPurge (ADAP), 492