Where Is ACL Data Stored?
You may wonder where public folder ACL data is stored. It is stored in
the PR_ACL_DATA property of the folder object, as a binary value. Being binary,
it is reminiscent of a Windows NT DACL, but instead of security identifiers a
public folder ACL deals with MAPI ENTRYIDs, which are usually bigger in size.
Reading Public Folder ACL with IExchangeModifyTable
A few comments about the code. Notice that I obtain the IExchangeModifyTable
interface via the IMAPIFolder::OpenProperty call requesting PR_ACL_TABLE. This
property is of type PT_OBJECT. However, if you examine the properties of the
folder with a tool such as mdbvu32.exe, it may not be there. For example, for a
folder I am experimenting with now, PR_ACL_TABLE is not available, but
PR_ACL_DATA is. This is how these properties are defined in EdkMdb.pas:
const pidExchangeXmitReservedMin $3FE0
const PR_ACL_TABLE PROP_TAG( PT_OBJECT, pidExchangeXmitReservedMin)
const PR_ACL_DATA PROP_TAG( PT_BINARY, pidExchangeXmitReservedMin)
Mdbvu32.exe does not know their names and displays PR_ACL_DATA as $3FE0.
It turns out that it is still possible to use OpenProperty specifying PR_ACL_DATA. Exchange creates an IExchangeModifyTable interface and gives it back to us for use. The binary table data is actually stored in PR_ACL_DATA; using the IExchangeModifyTable interface is just a more convenient way of working with this data. Having obtained the interface with the OpenProperty call, I then use its GetTable method to get a MAPI table filled with data. I scan this table looking for member names and their access rights.
If you run this code you will see that the Default and Anonymous accounts
actually have their names listed in the table. Remember that when we were using
IExchangeFolderACLs, the names and ENTRYIDs were NULL. This is a nice
advantage of using the IExchangeModifyTable interface.
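The two property tags defined above and the access rights carried in each table row, worked through in C as an added example (it is not the article's code and not part of the Exchange SDK samples). PROP_TAG, PT_OBJECT, PT_BINARY and the frights bit values follow the MAPI and edkmdb.h headers; the sample rows, the exact "Default"/"Anonymous" name strings and the needs_review policy are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* MAPI tag layout: property ID in the high 16 bits, property type in the low 16. */
#define PROP_TAG(type, id) ((((unsigned long)(id)) << 16) | (unsigned long)(type))
#define PT_OBJECT 0x000DUL
#define PT_BINARY 0x0102UL
#define pidExchangeXmitReservedMin 0x3FE0UL
#define PR_ACL_TABLE PROP_TAG(PT_OBJECT, pidExchangeXmitReservedMin)
#define PR_ACL_DATA  PROP_TAG(PT_BINARY, pidExchangeXmitReservedMin)

/* frights* bits as defined in the Exchange SDK header edkmdb.h. */
static const struct { unsigned long bit; const char *name; } RIGHTS[] = {
    {0x001, "ReadAny"}, {0x002, "Create"}, {0x008, "EditOwned"},
    {0x010, "DeleteOwned"}, {0x020, "EditAny"}, {0x040, "DeleteAny"},
    {0x080, "CreateSubfolder"}, {0x100, "Owner"}, {0x200, "Contact"}, {0x400, "Visible"},
};
#define WRITE_MASK 0x1E2UL /* Create|EditAny|DeleteAny|CreateSubfolder|Owner */
/* Render a rights mask as "A|B|C" into out; returns how many known bits are set. */
int decode_rights(unsigned long mask, char *out, size_t cap) {
    int n = 0;
    if (cap == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++) {
        if (!(mask & RIGHTS[i].bit)) continue;
        size_t used = strlen(out);
        snprintf(out + used, cap - used, "%s%s", n++ ? "|" : "", RIGHTS[i].name);
    }
    return n;
}

/* Assumed policy for this example: catch-all members should hold no write-type rights. */
int needs_review(const char *member, unsigned long mask) {
    int catch_all = !strcmp(member, "Default") || !strcmp(member, "Anonymous");
    return catch_all && (mask & WRITE_MASK) != 0;
}

int main(void) {
    /* Constructed rows standing in for (member name, rights) pairs read from the table. */
    struct { const char *name; unsigned long rights; } rows[] = {
        {"Default", 0x401}, {"Anonymous", 0x403}, {"Jane Admin", 0x5FB} };
    char buf[128];
    printf("PR_ACL_TABLE=0x%08lX PR_ACL_DATA=0x%08lX\n", PR_ACL_TABLE, PR_ACL_DATA);
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        decode_rights(rows[i].rights, buf, sizeof buf);
        printf("%-10s %s%s\n", rows[i].name, buf,
               needs_review(rows[i].name, rows[i].rights) ? "  <-- review" : "");
    }
    return 0;
}
```

Both tags share property ID $3FE0 and differ only in the type word, which is why a viewer that does not know the names shows the bare ID.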
Modifying Public Folder ACL with IExchangeModifyTable
Modifying an ACL with IExchangeModifyTable is tricky. If you are trying to
accomplish this, be prepared to spend some time guessing how it is supposed to
work. The IExchangeFolderACLs interface is implemented on top of
IExchangeModifyTable. If you examine the CFolderACLs class implementation in the
aclclsf.cpp file of the samples\dbmsg\Exchange\libsrc\aclcls project in your
build environment, you will see that for yourself. Apparently, it was designed to
simplify working with IExchangeModifyTable. Pay attention to the comments; they
reveal important details about how IExchangeModifyTable is supposed to be used.
For example, you need to drop the PR_MEMBER_NAME property when modifying the
table. I have spent a few hours trying to modify a single row in the table with
no luck (ERROR_INVALID_PARAMETER was returned by the ModifyTable method).
Apparently, I was doing something wrong. Anyway, the best algorithm I could
suggest here now would be as follows: study the libsrc code and do it as they do.