Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

How To Deny a User Read Permissions on a Mail Item


This article was previously published under Q289879


Summary

This article demonstrates how to modify the discretionary access-control list (DACL) of a security descriptor of a mail item to deny read privileges to a user.


More information

The following code sample denies read permissions to User1 for the Test.eml mail item that is located in Public Folders\TestFolder.

To deny read privileges to a user, follow these steps:
  1. In the Public Folders folder, create a new folder and name it TestFolder.
  2. In TestFolder, create a new mail item and make the subject of that item "test".
  3. Log on as User1 and make sure that you can see the item.
  4. In Microsoft Visual Basic, create a new Standard EXE project.
  5. Add a reference to the ActiveX Data Objects 2.5 Library.
  6. Add a button and name it Deny.
  7. Paste the following code in the button's Click event:
        Dim strDomainName As String
        Dim strLocalPath As String
        Dim strURL As String
        Dim rec As ADODB.Record
        Dim fld As ADODB.Field
        Dim strXML As String
        Dim NTAlias As String
        Dim Allow As String
        Dim Deny As String

        'TO DO: Change the following 2 variables to reflect your environment and
        'the user whose permissions you are changing.
        strDomainName = "YourDomainName"
        NTAlias = "YourDomainName\user1"

        'Below you are setting the access mask for User1 to
        'deny him read permissions.
        'For more about access masks, see the References section below.

        Allow = "1FF000"
        Deny = "10FFFF"
        strLocalPath = "public folders\testfolder\test.eml"
        strURL = "file://./backofficestorage/" & strDomainName
        strURL = strURL & "/" & strLocalPath

        On Error GoTo ErrHandler

        Set rec = New ADODB.Record
        rec.Open strURL, , adModeReadWrite

        'Modify SD.
        'The attributes must be separated by white space,
        'or the XML is not well formed.
        strXML = "<S:security_descriptor " & _
              "xmlns:S=""http://schemas.microsoft.com/security/"" " & _
              "xmlns:D=""urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"" " & _
              "D:dt=""microsoft.security_descriptor"">"
        strXML = strXML + " <S:dacl>"
        strXML = strXML + "  <S:effective_aces>"
        strXML = strXML + "   <S:access_allowed_ace>"
        strXML = strXML + "    <S:access_mask>" + Allow + "</S:access_mask>"
        strXML = strXML + "    <S:sid>"

        'If you are denying to the group, the line below will be
        'strXML = strXML + "     <S:type>group</S:type>"

        strXML = strXML + "     <S:type>user</S:type>"
        strXML = strXML + "     <S:nt4_compatible_name>" + NTAlias
        strXML = strXML + "</S:nt4_compatible_name>"
        strXML = strXML + "    </S:sid>"
        strXML = strXML + "   </S:access_allowed_ace>"
        strXML = strXML + "   <S:access_denied_ace>"
        strXML = strXML + "    <S:access_mask>" + Deny + "</S:access_mask>"
        strXML = strXML + "    <S:sid>"

        'If you are denying to the group, the line below will be
        'strXML = strXML + "     <S:type>group</S:type>"

        strXML = strXML + "     <S:type>user</S:type>"
        strXML = strXML + "     <S:nt4_compatible_name>" + NTAlias
        strXML = strXML + "</S:nt4_compatible_name>"
        strXML = strXML + "    </S:sid>"
        strXML = strXML + "   </S:access_denied_ace>"
        strXML = strXML + "  </S:effective_aces>"
        strXML = strXML + " </S:dacl>"
        strXML = strXML + "</S:security_descriptor>"

        'Write the descriptor to the item's security descriptor property.
        rec.Fields.Append _
         "http://schemas.microsoft.com/exchange/security/descriptor", _
         adBSTR, Len(strXML), , strXML

        rec.Fields.Update

        'Close it.
        rec.Close
        Set rec = Nothing

    ErrHandler:
        'Execution also reaches this label on success; report only real errors.
        If Err.Number <> 0 Then
            MsgBox Err.Number & ": " & Err.Description & "::" & Err.Source
            Err.Clear
        End If

  8. Modify the lines of code that are marked "TO DO" according to your situation.
  9. Run the project and click Deny.
  10. Log on as User1 and locate TestFolder. You are now unable to view the item that you created.
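
The following Python is an added example, not code from the original article: it parses the descriptor XML that the Visual Basic sample builds, splits each access mask into the standard rights (bits 16-20 of a Windows ACCESS_MASK) and the 16 object-specific bits, and reports the bits that the allow and deny ACEs share for one account. The sample descriptor is constructed from the article's values, and the function names are chosen here for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.microsoft.com/security/"}
# Standard-rights bits of a Windows ACCESS_MASK (bits 16-20).
STANDARD_RIGHTS = {0x010000: "DELETE", 0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
                   0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}

# Constructed sample: the descriptor the article's code builds (placeholder account).
SAMPLE = r"""<S:security_descriptor xmlns:S="http://schemas.microsoft.com/security/"
 xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" D:dt="microsoft.security_descriptor">
 <S:dacl><S:effective_aces>
  <S:access_allowed_ace><S:access_mask>1FF000</S:access_mask>
   <S:sid><S:type>user</S:type>
    <S:nt4_compatible_name>YourDomainName\user1</S:nt4_compatible_name></S:sid>
  </S:access_allowed_ace>
  <S:access_denied_ace><S:access_mask>10FFFF</S:access_mask>
   <S:sid><S:type>user</S:type>
    <S:nt4_compatible_name>YourDomainName\user1</S:nt4_compatible_name></S:sid>
  </S:access_denied_ace>
 </S:effective_aces></S:dacl>
</S:security_descriptor>"""

def decode_mask(mask):
    """Split a mask into named standard rights and the 16 object-specific bits."""
    standard = [name for bit, name in STANDARD_RIGHTS.items() if mask & bit]
    return standard, mask & 0xFFFF

def list_aces(xml_text):
    """Return (kind, trustee, mask) per ACE; malformed XML raises ET.ParseError."""
    aces = []
    for ace in ET.fromstring(xml_text).iterfind("./S:dacl/S:effective_aces/*", NS):
        kind = ace.tag.split("}")[1]  # access_allowed_ace or access_denied_ace
        mask = int(ace.findtext("S:access_mask", namespaces=NS), 16)
        trustee = ace.findtext("S:sid/S:nt4_compatible_name", namespaces=NS)
        aces.append((kind, trustee, mask))
    return aces

def overlap(aces, trustee):
    """Bits present in both an allow and a deny ACE for one trustee."""
    allow = deny = 0
    for kind, who, mask in aces:
        if who == trustee and kind == "access_allowed_ace":
            allow |= mask
        elif who == trustee and kind == "access_denied_ace":
            deny |= mask
    return allow & deny

if __name__ == "__main__":
    print([(k, w, hex(m), decode_mask(m)) for k, w, m in list_aces(SAMPLE)])
```

With the article's masks, the deny ACE covers all 16 object-specific bits plus SYNCHRONIZE, and the overlap with the allow ACE is 0x10F000. A descriptor string whose attributes are not separated by white space fails in `list_aces` with a parse error before any ACE is read.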


References

For information about the Exchange Web Store rights that you can use to generate the mask, see the following Microsoft Developer Network (MSDN) Web site:

For information about the access mask structure and the generic access rights that are available, see the following MSDN Web site:


Keywords: KB289879, kbmsg, kbhowto

Article Info
Article ID : 289879
Revision : 8
Created on : 2/22/2007
Published on : 2/22/2007