Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.
Keywords: create mailbox NT-Security-Descriptor property
The error I get is a 1026: the security id structure is invalid. This is produced on the last line.
Just to make sure I've passed in the right parameters, what is the domain variable supposed to define? The W2K domain, or the site or org of the exchange ds?
;Create an ace that allows the user to set properties, send and receive mail. ace = dsCreatSecObj(sMailBoxPath, 3) dsSetSecProp(ace, "Trustee", "%domain%\%sAlias%") AccessMask = EXCH_MODIFY_USER_ATT | EXCH_MAIL_SEND_AS | EXCH_MAIL_RECEIVE_AS dsSetSecProp(ace, "AccessMask", AccessMask) AceType = ACCESS_ALLOWED dsSetSecProp(ace, "AceType", AceType) ; Create discretionary ACL and Security Descriptor to hold the ACE sd = dsCreatSecObj(sMailBoxPath, 1) dsSetSecProp(sd, "Revision", 1) dsSetSecProp(sd, "owner", " %domain%\administrator") dsSetSecProp(sd, "OwnerDefaulted" ,@false) dsSetSecProp(sd, "Group", "%domain%\administrator") dsSetSecProp(sd, "GroupDefaulted", @false ) dacl = dsCreatSecObj(sMailBoxPath, 2) dsSetSecProp(dacl, "AclRevision", 2) ; Add the ACE to the ACL dsAclAddAce(dacl, ace, -1) ; Add the ACL to the SD dsSetSecProp(sd, "DiscretionaryAcl",dacl) ; Finally, set the security descriptor property. dsSetproperty(sMailBoxPath, "NT-Security-Descriptor", sd)
The trustee attribute needs to be the SID of the account in W2K.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/directry_9lgz.aspBefore you begin, you need to know the Windows NT account name (or SID), the name of the security domain the account will be a member of, and the permissions to be granted to the account.
If you do not already know the SID for the account in the appropriate security domain, obtain it by calling the Win32 security function LookupAccountName.
Place this SID with the appropriate rights in an access control entry (ACE) in an access control list (ACL) in a security descriptor.
In order to grant or revoke specific permissions to given Windows NT Accounts, you need to set the correct bits in the ACCESS_MASK structure in the access control entry when you build the security descriptor. For more information on the ACCESS_MASK structure, see the Win32 Structures documentation in the "Reference" section of the Microsoft Platform SDK.
Convert this security descriptor into self-relative form (so that all members of the Win32 SECURITY_DESCRIPTOR structure are located contiguously in memory) for storage on the PR_EMS_AB_NT_SECURITY_DESCRIPTOR property.
Article ID: W15033
File Created: 2003:03:14:09:23:24
Last Updated: 2003:03:14:09:23:24