Re: WEBDAV Exchange Item Based Security - Not Updating
From: Glen Scales [MVP] (gscales_at_outlookexchange.com)
Date: 12/22/04
- Next message: Steve Smith: "GetSecurityDescriptor for Ex2000 Mailbox"
- Previous message: Lee Derbyshire [MVP]: "Re: Respond to meeting request using WebDAV"
- In reply to: Ben Donneghaille: "WEBDAV Exchange Item Based Security - Not Updating"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 22 Dec 2004 11:49:28 +1100
You might want to grab a copy of pf-davadmin, which is a GUI-based tool that
uses WebDAV to modify permissions. You can get it from
ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/PFDavAdmin/ .
The great thing about this tool is that you can use the "current xml" button
to see what the correct XML syntax is to make an update to a folder. Just
compare this with what you are trying to do programmatically and this may show
you where you're going wrong.
Cheers
Glen
"Ben Donneghaille" <ben_angelina@yahoo.com.au> wrote in message
news:9d964860.0412191625.5adec4bc@posting.google.com...
> I have been attempting to use WEBDAV to update item level security on
> public folder items in Exchange.
>
> The code I am using adds nodes to the security descriptor and each
> submission to alter the ACLs on the item is returned with a 207
> Multi-Status OK status, which would suggest that my update was
> successful.
>
> The XML I am getting off the item using PROPFIND is below
>
> <?xml version="1.0"?><a:multistatus
> xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
> xmlns:c="xml:" xmlns:d="http://schemas.microsoft.com/exchange/"
> xmlns:f="urn:schemas-microsoft-com:office:office"
> xmlns:e="http://schemas.microsoft.com/exchange/security/"
> xmlns:a="DAV:"><a:response><a:href>http://DOMAINexch01/public/z%20ben/bjd.EML</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status><a:prop>
> <e:descriptor><S:security_descriptor
> xmlns:S="http://schemas.microsoft.com/security/"
> xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
> D:dt="microsoft.security_descriptor" S:from_mapi_tlh="1">
> <S:revision>1</S:revision>
> <S:owner S:defaulted="0">
> <S:sid>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
> <S:type>user</S:type>
> <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
>
> <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
> <S:display_name>User One</S:display_name>
> </S:sid>
> </S:owner>
> <S:primary_group S:defaulted="0">
> <S:sid>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-513</S:string_sid>
> <S:type>group</S:type>
> <S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
>
> <S:ad_object_guid>{e9879cfb-7c9f-4040-abf7-ba5a2298b7d3}</S:ad_object_guid>
> </S:sid>
> </S:primary_group>
> <S:dacl S:defaulted="1" S:protected="0" S:autoinherited="1">
> <S:revision>2</S:revision>
> <S:effective_aces>
> <S:access_allowed_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1112</S:string_sid>
> <S:type>user</S:type>
> <S:nt4_compatible_name>DOMAIN\user3</S:nt4_compatible_name>
>
> <S:ad_object_guid>{b16e749b-8fa2-4315-b5c3-bf4448582428}</S:ad_object_guid>
> <S:display_name>User Three</S:display_name>
> </S:sid>
> </S:access_allowed_ace>
> <S:access_allowed_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
> <S:type>user</S:type>
> <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
>
> <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
> <S:display_name>User One</S:display_name>
> </S:sid>
> </S:access_allowed_ace>
> <S:access_denied_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
> <S:string_sid>S-1-5-7</S:string_sid>
> <S:type>well_known_group</S:type>
> <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
>
> <S:ad_object_guid>{acbbf32e-fcbc-4349-9dde-79593942f816}</S:ad_object_guid>
> </S:sid>
> </S:access_denied_ace>
> <S:access_allowed_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1355</S:string_sid>
> <S:type>group</S:type>
> <S:nt4_compatible_name>DOMAIN\a_team (47669)</S:nt4_compatible_name>
>
> <S:ad_object_guid>{d30e47a8-9c4e-45cc-b832-3851d93e730a}</S:ad_object_guid>
> <S:display_name>a_Team (47669)</S:display_name>
> </S:sid>
> </S:access_allowed_ace>
> </S:effective_aces>
> </S:dacl>
> </S:security_descriptor>
> </e:descriptor></a:prop></a:propstat></a:response></a:multistatus>
>
>
> The XML I send back using PROPPATCH is below
>
> <a:propertyupdate xmlns:a="DAV:"
> xmlns:e="http://schemas.microsoft.com/exchange/security/"><a:set><a:prop><e:descriptor>
> <S:security_descriptor
> xmlns:S="http://schemas.microsoft.com/security/"
> xmlns:D="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/"
> D:dt="microsoft.security_descriptor" S:from_mapi_tlh="1">
> <S:revision>1</S:revision>
> <S:owner S:defaulted="0">
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
> <S:type>user</S:type>
>
> <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
>
> <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
> <S:display_name>User One</S:display_name>
> </S:sid>
> </S:owner>
> <S:primary_group S:defaulted="0">
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-513</S:string_sid>
> <S:type>group</S:type>
> <S:nt4_compatible_name>DOMAIN\Domain Users</S:nt4_compatible_name>
>
> <S:ad_object_guid>{e9879cfb-7c9f-4040-abf7-ba5a2298b7d3}</S:ad_object_guid>
> </S:sid>
> </S:primary_group>
> <S:dacl S:defaulted="1" S:protected="0"
> S:autoinherited="1">
> <S:revision>2</S:revision>
> <S:effective_aces>
>
> <!-- THIS IS THE USER I AM TRYING TO ADD - I HAVE ATTEMPTED MANY
> DIFFERENT MASKS, ADDING BOTH AN ALLOWED AND A DENIED NODE HOWEVER
> NOTHING RETURNS AN ERROR BUT MORE IMPORTANTLY NO CALLS ACTUALLY UPDATE
> THE ACL -->
>
> <S:access_allowed_ace S:inherited="0">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
> <S:type>user</S:type>
> <S:nt4_compatible_name>DOMAIN\user2</S:nt4_compatible_name>
> <S:property_name>urn:schemas:contacts:email1</S:property_name>
> </S:sid>
> </S:access_allowed_ace>
> <!-- END OF INSERT -->
>
> <S:access_allowed_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1112</S:string_sid>
> <S:type>user</S:type>
>
> <S:nt4_compatible_name>DOMAIN\user3</S:nt4_compatible_name>
>
> <S:ad_object_guid>{b16e749b-8fa2-4315-b5c3-bf4448582428}</S:ad_object_guid>
> <S:display_name>User Three</S:display_name>
> </S:sid>
> </S:access_allowed_ace>
> <S:access_allowed_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1335</S:string_sid>
> <S:type>user</S:type>
>
> <S:nt4_compatible_name>DOMAIN\user1</S:nt4_compatible_name>
>
> <S:ad_object_guid>{b1d3cd09-d620-421a-bbbe-72b59d32dfc7}</S:ad_object_guid>
> <S:display_name>User One</S:display_name>
> </S:sid>
> </S:access_allowed_ace>
> <S:access_denied_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
>
> <S:string_sid>S-1-5-7</S:string_sid>
> <S:type>well_known_group</S:type>
> <S:nt4_compatible_name>NT AUTHORITY\ANONYMOUS LOGON</S:nt4_compatible_name>
>
> <S:ad_object_guid>{acbbf32e-fcbc-4349-9dde-79593942f816}</S:ad_object_guid>
> </S:sid>
> </S:access_denied_ace>
> <S:access_allowed_ace S:inherited="1">
> <S:access_mask>1f0fbf</S:access_mask>
> <S:sid>
>
> <S:string_sid>S-1-5-21-746137067-920026266-839522115-1355</S:string_sid>
> <S:type>group</S:type>
>
> <S:nt4_compatible_name>DOMAIN\a_team (47669)</S:nt4_compatible_name>
>
> <S:ad_object_guid>{d30e47a8-9c4e-45cc-b832-3851d93e730a}</S:ad_object_guid>
> <S:display_name>a_Team (47669)</S:display_name>
> </S:sid>
> </S:access_allowed_ace>
> </S:effective_aces>
> </S:dacl>
> </S:security_descriptor>
> </e:descriptor></a:prop></a:set></a:propertyupdate>
>
> I have used this same code using ADO/CDOEX and it updates without
> issue.
>
> Why can't WEBDAV update in the same way???
>
> I have looked everywhere for some documentation that addresses this
> issue (Success Status returned without any sort of success occurring)
> but all the documentation seems to support that I am doing this in the
> correct way.
>
> I have no more ideas.... Hopefully someone else out there does!!
>
> Cheers
> Ben
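
A 207 Multi-Status reply only wraps per-property results, so a change to a security descriptor is best confirmed by reading each propstat status and then re-reading the descriptor and diffing the ACEs. The sketch below is an added example, not code from either poster or from PFDavAdmin; the sample XML is constructed and cut down from the descriptors quoted above, and the function names and `server.example` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"a": "DAV:", "S": "http://schemas.microsoft.com/security/"}

def propstat_codes(multistatus_xml):
    """HTTP status code of each <a:propstat> inside a 207 Multi-Status body."""
    root = ET.fromstring(multistatus_xml)
    return [int(s.text.split()[1]) for s in root.iterfind(".//a:propstat/a:status", NS)]

def aces(descriptor_xml):
    """Set of (ace kind, inherited flag, access mask, trustee) in a descriptor."""
    found = set()
    for ace in ET.fromstring(descriptor_xml).iterfind(".//S:effective_aces/*", NS):
        name = ace.findtext("S:sid/S:nt4_compatible_name", "", NS)
        found.add((ace.tag.split("}")[1],
                   ace.get("{%s}inherited" % NS["S"]),
                   int(ace.findtext("S:access_mask", "0", NS), 16),
                   " ".join(name.split()).lower()))  # undo mail line-wrapping
    return found

def unapplied_aces(sent_xml, reread_xml):
    """ACEs present in the PROPPATCH body but absent from a later PROPFIND."""
    return aces(sent_xml) - aces(reread_xml)

# Constructed sample data (hypothetical helper), modelled on the thread's XML.
def sample_descriptor(ace_rows):
    body = "".join(
        '<S:access_allowed_ace S:inherited="%s"><S:access_mask>1f0fbf</S:access_mask>'
        "<S:sid><S:nt4_compatible_name>%s</S:nt4_compatible_name></S:sid>"
        "</S:access_allowed_ace>" % row for row in ace_rows)
    return ('<S:security_descriptor xmlns:S="%s"><S:dacl><S:effective_aces>%s'
            "</S:effective_aces></S:dacl></S:security_descriptor>" % (NS["S"], body))

SENT = sample_descriptor([("0", "DOMAIN\\user2"), ("1", "DOMAIN\\user3"),
                          ("1", "DOMAIN\\user1")])
REREAD = sample_descriptor([("1", "DOMAIN\\user3"), ("1", "DOMAIN\\user1")])
RESPONSE = ('<a:multistatus xmlns:a="DAV:"><a:response>'
            "<a:href>http://server.example/item.EML</a:href>"
            "<a:propstat><a:status>HTTP/1.1 200 OK</a:status></a:propstat>"
            "</a:response></a:multistatus>")

if __name__ == "__main__":
    print("propstat codes:", propstat_codes(RESPONSE))
    for ace in sorted(unapplied_aces(SENT, REREAD)):
        print("sent but not present after re-read:", ace)
```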