Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How To Deny a User Read Permissions on a Mail Item


View products that this article applies to.

This article was previously published under Q289879

↑ Back to the top


Summary

This article demonstrates how to modify the discretionary access-control list (DACL) of a security descriptor of a mail item to deny read privileges to a user.

↑ Back to the top


More information

The following code sample denies read permissions to User1 for the Test.eml mail item that is located in Public Folders\Testfolder.

To deny read privileges to a user, follow these steps:
  1. In the Public Folders folder, create a new folder and name it TestFolder.
  2. In TestFolder, create a new mail item and make the subject of that item "test".
  3. Log on as User1 and make sure that you can see the item.
  4. In Microsoft visual Basic, create a new Standard EXE project.
  5. Add a reference to the ActiveX Data Objects 2.5 Library.
  6. Add a button and name it Deny.
  7. Paste the following code in the button's Click event:
        Dim strDomainName As String
        Dim strLocalPath As String
        Dim strURL As String
        Dim rec As ADODB.Record
        Dim fld As ADODB.Field
        Dim strXML As String
        Dim NTAlias As String
        Dim Allow As String
        Dim Deny as String
       
        'TO DO:Change the following 2 variables to reflect your environment and     'the user whose permissions you are changing.
        strDomainName = "YourDomainName"
        NTAlias  = "YourDomainName\user1"  
        
        'Below you are setting the access mask for User1 to
        'deny him read permissions.
        'For more about access masks, refer to the link below.
    
        Allow = "1FF000"
        Deny = "10FFFF"
        strLocalPath = "public folders\testflolder\test.eml"
        strURL = "file://./backofficestorage/" & strDomainName 
        strURL = strURL & "/" & strLocalPath
        
        On Error GoTo err:
        
        Set rec = New ADODB.Record
        rec.Open strURL, , adModeReadWrite
    
        'Modify SD.
        strXML = "<S:security_descriptor " & _
              "xmlns:S=""http://schemas.microsoft.com/security/""" & _
              "xmlns:D=""urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/""" & _
              "D:dt=""microsoft.security_descriptor"">"
        strXML = strXML + " <S:dacl>"
        strXML = strXML + "  <S:effective_aces>"
        strXML = strXML + "   <S:access_allowed_ace>"
        strXML = strXML + "   <S:access_mask>" + Allow + "</S:access_mask>"
        strXML = strXML + "    <S:sid>"
    
        'If you are denying to the group, the line below will be
        'strXML = strXML + "     <S:type>group</S:type>"
    
        strXML = strXML + "     <S:type>user</S:type>"
        strXML = strXML + "     <S:nt4_compatible_name>" + NTAlias
        strXML = strXML + "</S:nt4_compatible_name>"
        strXML = strXML + "    </S:sid>"
        strXML = strXML + "   </S:access_allowed_ace>"
        strXML = strXML + "   <S:access_denied_ace>"
        strXML = strXML + "    <S:access_mask>" + Deny + "</S:access_mask>"
        strXML = strXML + "    <S:sid>"
    
        'If you are denying to the group, the line below will be
        'strXML = strXML + "     <S:type>group</S:type>"
    
        strXML = strXML + "     <S:type>user</S:type>"
        strXML = strXML + "     <S:nt4_compatible_name>" + NTAlias
        strXML = strXML + "</S:nt4_compatible_name>"
        strXML = strXML + "    </S:sid>"
        strXML = strXML + "   </S:access_denied_ace>"
        strXML = strXML + "  </S:effective_aces>"
        strXML = strXML + " </S:dacl>"
        strXML = strXML + "</S:security_descriptor>"
    
       rec.Fields.Append _
        "http://schemas.microsoft.com/exchange/security/descriptor", _
        adBSTR, Len(strXML), , strXML
    
        rec.Fields.Update
        
        'Close it.
        rec.Close
        Set rec = Nothing
    
    err:
        If err.Number Then
           msgbox err.Number & ": " & err.Description & "::" & err.Source
            err.Clear
        End If
    					
  8. Modify the lines of code that are marked "TO DO" according to your situation.
  9. Run the project and click Deny.
  10. Log on as User1 and locate TestFolder. You are now unable to view the item that you created.

↑ Back to the top


References

For information related to Exchange Web Store related rights you can use to generate the mask, see the following Microsoft Developer Network (MSDN) Web site: For Information about the access mask structure and generic access rights available, see the following MSDN Web site:

↑ Back to the top


Keywords: KB289879, kbmsg, kbhowto

↑ Back to the top

Article Info
Article ID : 289879
Revision : 8
Created on : 2/22/2007
Published on : 2/22/2007
Exists online : False
Views : 423