Using IExchangeModifyTable to Modify Public Folder Access

Second way of dealing with public folder ACLs is using the IExchangeModifyTable interface. Using this approach you obtain ACL in a form of a MAPI table. You can manipulate this table (for example, by inserting or modifying rows) and then save your changes.
 

Where ACL Data Is Stored?

You may wonder where public folder ACL data is stored. It is stored in PR_ACL_DATA property of the folder object. It is a binary object. Being binary reminds of a Windows NT DACL, but instead of security identifiers public folder ACL deals with MAPI ENTRYIDs, which are usually bigger in size.
 

Reading Public Folder ACL with IExchangeModifyTable

 
A few comments about the code. Notice that I obtain IExchangeModifyTable interface via the IMAPIFolder::OpenProperty call requesting PR_ACL_TABLE. This property is of type PT_OBJECT. However, if you examine properties of the folder with a tool such as mdbvu32.exe, it may not be there. For example, for a folder I am experimenting with now PR_ACL_TABLE is not available, but PR_ACL_DATA is.

This is how these properties are defined in EdkMdb.pas:

const pidExchangeXmitReservedMin  $3FE0
const PR_ACL_TABLE    PROP_TAG( PT_OBJECT, pidExchangeXmitReservedMin)
const PR_ACL_DATA     PROP_TAG( PT_BINARY, pidExchangeXmitReservedMin)

Mdbvu32.exe does not know their names and displays PR_ACL_DATA as $3FE0.

It turns out that it is still possible to use the OpenProperty specifying PR_ACL_DATA. Exchange creates IExchangeModifyTable interface and gives it back to us for use. Binary table data is actually stored in PR_ACL_DATA. Using IExchangeModifyTable interface is just a more convenient way of working with this data. Having obtained the interface with the OpenProperty call I then use its GetTable method to get a MAPI table filled with data. I scan this table looking for member names and their access rights.

If you run this code you will see that the Default and Anonymous accounts actually have their names listed in the table. Remember that when we were using the IExchangeFolderACLs the names and ENTRYIDs were NULLs. This is a nice advantage of using IExchangeModifyTable interface.
 

Modifying Public Folder ACL with IExchangeModifyTable

Modifying ACL with IExchangeModifyTable is tricky. If you are trying to accomplish this - be prepared to spend some time guessing how it is supposed to work. IExchangeFolderACLs interface is implemented on top of IExchangeModifyTable. If you examine CFolderACLs class implementation in aclclsf.cpp file in your build environment samples\dbmsg\Exchange\libsrc\aclcls project, you will see that for yourself. Apparently, it was designed to simplify working with IExchangeModifyTable. Pay attention to comments, they reveal important details about how IExchangeModifyTable is supposed to be used. For example, you need to drop PR_MEMBER_NAME property when modifying the table. I have spent a few hours trying to modify a single row in the table with no luck (ERROR_INVALID_PARAMETER was returned by the ModifyTable method). Apparently, I was doing something wrong. Anyway, the best algorithm I could suggest here now would be as follows: study libsrc code and do it as they do.


Copyright © 2012 IMIBO
Send mail to webmaster@imibo.com with questions or comments.
Privacy Statement