Channel: Directory Services forum

IADsSecurityUtility::ConvertSecurityDescriptor() - fails with HR value of 0x80070057 [E_INVALIDARG]


I have some native C++ code that makes use of ADSI to read attribute values from objects in AD.  In one particular AD domain, when reading the nTSecurityDescriptor attribute from any user or group object in the domain, the code encounters an error while processing the security descriptor as follows:

1)  Verify that the data type of the VARIANT "vValue" containing the SD is of type VT_DISPATCH.

2)  Obtain the IDispatch interface pointer from the VARIANT "vValue" as follows:

        IDispatch * piDispatch = NULL;

        piDispatch = vValue.pdispVal;   // valid only because step 1 confirmed vValue.vt == VT_DISPATCH

3)  Query the IDispatch interface for an IADsSecurityDescriptor interface as follows:

        IADsSecurityDescriptor   *piADsSecurityDescriptor = NULL;

        HRESULT hr = piDispatch->QueryInterface(IID_IADsSecurityDescriptor, (void **)&piADsSecurityDescriptor);

4)  Provided that no errors have occurred, at this point we know for certain that the VARIANT contains a security descriptor, and we can take further steps to process it.  The security descriptor's content needs to be obtained so that it can be stored and then later analyzed.

        IADsSecurityUtility * piADsSecurityUtility = NULL;

        VARIANT vSD;

        VariantInit(&vSD);   // receives the converted descriptor in step 5

        hr = CoCreateInstance(CLSID_ADsSecurityUtility, NULL, CLSCTX_INPROC_SERVER, IID_IADsSecurityUtility, (void **)&piADsSecurityUtility);

5)  If an IADsSecurityUtility interface was successfully obtained, then it is used to convert the security descriptor into raw format as follows:

        hr = piADsSecurityUtility->ConvertSecurityDescriptor(vValue, ADS_SD_FORMAT_IID, ADS_SD_FORMAT_RAW, &vSD);

This is where E_INVALIDARG 0x80070057 is being encountered.

As an alternative, an attempt is made to convert the security descriptor to a hex string:

        hr = piADsSecurityUtility->ConvertSecurityDescriptor(vValue, ADS_SD_FORMAT_IID, ADS_SD_FORMAT_HEXSTRING, &vSD);

This also fails with E_INVALIDARG.

I have been able to successfully view the full SD in ADSI EDIT and with LDP, and have confirmed that the DACL contains 749 ACEs, which is well below the upper limit range of 1820 to 2000 ACEs.

Calling piADsSecurityDescriptor->get_DiscretionaryAcl() and then obtaining an IADsAccessControlList interface from it is successful, and calling the get_AceCount() method returns a value of 749, which matches what I saw in the dump of the SD & DACL as viewed in LDP.

This behavior leads me to believe that if I want to write code to parse the content of the SD purely via COM Interfaces and their method calls, then that method should probably work out OK, but if I try to use IADsSecurityUtility::ConvertSecurityDescriptor(), then there may be times where the method fails with E_INVALIDARG for seemingly unknown reasons.

I have not been able to find any information online via Google, MSDN or TechNet regarding any known issues related to obtaining the SD from an object in AD and then converting it to a self-relative format via IADsSecurityUtility::ConvertSecurityDescriptor().  I would greatly appreciate any information or links that can help identify what's going wrong and/or how to resolve the problem or otherwise work around it in a reliable manner.
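The raw format that ADS_SD_FORMAT_RAW is meant to return (the documentation describes it as a byte-array variant, VT_ARRAY | VT_UI1) is the standard self-relative SECURITY_DESCRIPTOR_RELATIVE layout, so a parser for that layout is the natural companion to the storing-and-analyzing goal in step 4. The code below is an added example written for this page, not code from the original post, and it does not explain the E_INVALIDARG result. It is portable C++ with no Windows headers: it decodes the header, the owner and group SIDs, and every ACE in the DACL (including the object ACEs that dominate AD DACLs), refuses truncated or inconsistent blobs instead of over-reading, and runs against a constructed 120-byte descriptor rather than data from any real domain. The SIDs, masks and GUID bytes in buildSampleSd() are constructed sample values.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <string>
#include <vector>

// Decoded view of one ACE and of a whole self-relative security descriptor.
struct AceInfo { uint8_t type; uint8_t flags; uint16_t size; uint32_t mask; std::string sid; };
struct SdInfo  { uint16_t control; std::string owner; std::string group; std::vector<AceInfo> dacl; };

// Bounds-checked little-endian reads: a truncated or inconsistent blob throws instead of over-reading.
static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) {
    if (o + 2 > b.size()) throw std::runtime_error("truncated security descriptor");
    return uint16_t(b[o] | (b[o + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) {
    if (o + 4 > b.size()) throw std::runtime_error("truncated security descriptor");
    return uint32_t(b[o]) | uint32_t(b[o + 1]) << 8 | uint32_t(b[o + 2]) << 16 | uint32_t(b[o + 3]) << 24;
}

// SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian) SubAuthority[count](4 each).
static std::string readSid(const std::vector<uint8_t>& b, size_t o) {
    if (o + 8 > b.size() || b[o] != 1 || b[o + 1] > 15) throw std::runtime_error("malformed SID");
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | b[o + 2 + i];
    std::string s = "S-1-" + std::to_string(auth);
    for (uint8_t i = 0; i < b[o + 1]; i++) s += "-" + std::to_string(rd32(b, o + 8 + 4 * i));
    return s;
}

// SECURITY_DESCRIPTOR_RELATIVE: Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4) OffsetSacl(4) OffsetDacl(4).
SdInfo parseSelfRelativeSd(const std::vector<uint8_t>& b) {
    if (b.size() < 20 || b[0] != 1) throw std::runtime_error("not a revision-1 security descriptor");
    SdInfo sd;
    sd.control = rd16(b, 2);
    if (!(sd.control & 0x8000)) throw std::runtime_error("SE_SELF_RELATIVE not set");
    uint32_t offOwner = rd32(b, 4), offGroup = rd32(b, 8), offDacl = rd32(b, 16);
    if (offOwner) sd.owner = readSid(b, offOwner);
    if (offGroup) sd.group = readSid(b, offGroup);
    if (!(sd.control & 0x0004) || offDacl == 0) return sd;   // SE_DACL_PRESENT clear: nothing to walk
    // ACL: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2), followed by AceCount ACEs.
    uint16_t aclSize = rd16(b, offDacl + 2), aceCount = rd16(b, offDacl + 4);
    if (aclSize < 8 || size_t(offDacl) + aclSize > b.size()) throw std::runtime_error("ACL exceeds buffer");
    size_t p = offDacl + 8, aclEnd = size_t(offDacl) + aclSize;
    for (uint16_t i = 0; i < aceCount; i++) {
        // ACE_HEADER: AceType(1) AceFlags(1) AceSize(2); then Mask(4); object ACEs add Flags(4) and optional GUIDs.
        AceInfo a{b.at(p), b.at(p + 1), rd16(b, p + 2), 0, ""};
        if (a.size < 8 || p + a.size > aclEnd) throw std::runtime_error("ACE exceeds ACL");
        a.mask = rd32(b, p + 4);
        size_t sidOff = p + 8;
        if (a.type >= 5 && a.type <= 8) {   // *_OBJECT_ACE types, the common case in AD DACLs
            uint32_t objFlags = rd32(b, p + 8);
            sidOff = p + 12 + ((objFlags & 1) ? 16 : 0) + ((objFlags & 2) ? 16 : 0);  // ObjectType / InheritedObjectType GUIDs
        }
        if (a.type <= 8 && a.type != 4) {   // types 0-3 and 5-8 end with a SID; other types are left undecoded
            if (sidOff + 8 > p + a.size) throw std::runtime_error("ACE too small for its SID");
            a.sid = readSid(b, sidOff);
        }
        sd.dacl.push_back(a);
        p += a.size;
    }
    return sd;
}

// Builders for a constructed sample blob in the same layout (example data, not from any real domain).
static void put16(std::vector<uint8_t>& v, uint16_t x) { v.push_back(x & 0xff); v.push_back(x >> 8); }
static void put32(std::vector<uint8_t>& v, uint32_t x) { for (int i = 0; i < 4; i++) v.push_back((x >> (8 * i)) & 0xff); }
static void putSid(std::vector<uint8_t>& v, uint8_t authority, std::initializer_list<uint32_t> subs) {
    v.push_back(1); v.push_back(uint8_t(subs.size()));
    for (int i = 0; i < 5; i++) v.push_back(0);
    v.push_back(authority);
    for (uint32_t s : subs) put32(v, s);
}
std::vector<uint8_t> buildSampleSd() {
    std::vector<uint8_t> sd = {1, 0};                                      // Revision 1, Sbz1
    put16(sd, 0x8004);                                                     // SE_SELF_RELATIVE | SE_DACL_PRESENT
    put32(sd, 20); put32(sd, 36); put32(sd, 0); put32(sd, 48);             // owner, group, no SACL, DACL offsets
    putSid(sd, 5, {32, 544});                                              // owner S-1-5-32-544 (BUILTIN\Administrators)
    putSid(sd, 5, {18});                                                   // group S-1-5-18 (Local System)
    sd.push_back(4); sd.push_back(0); put16(sd, 72); put16(sd, 2); put16(sd, 0);   // ACL_REVISION_DS, 72 bytes, 2 ACEs
    sd.push_back(0); sd.push_back(0); put16(sd, 20); put32(sd, 0x00020094);         // ACCESS_ALLOWED_ACE, generic read rights
    putSid(sd, 1, {0});                                                    // S-1-1-0 (Everyone)
    sd.push_back(5); sd.push_back(0); put16(sd, 44); put32(sd, 0x00000100);         // ACCESS_ALLOWED_OBJECT_ACE, CONTROL_ACCESS
    put32(sd, 1);                                                          // ACE_OBJECT_TYPE_PRESENT
    for (int i = 0; i < 16; i++) sd.push_back(uint8_t(0xA0 + i));          // constructed ObjectType GUID bytes
    putSid(sd, 5, {32, 544});
    return sd;
}

// True when the parser rejects the blob; used to show that truncated input fails closed.
bool parseFails(const std::vector<uint8_t>& b) {
    try { parseSelfRelativeSd(b); return false; } catch (const std::exception&) { return true; }
}

int main() {
    SdInfo sd = parseSelfRelativeSd(buildSampleSd());
    std::printf("owner=%s group=%s aces=%zu\n", sd.owner.c_str(), sd.group.c_str(), sd.dacl.size());
    for (const AceInfo& a : sd.dacl)
        std::printf("  type=%u flags=0x%02x mask=0x%08x sid=%s\n", unsigned(a.type), unsigned(a.flags), a.mask, a.sid.c_str());
    return 0;
}
```

On Windows the same parser would be fed the bytes copied out of the SAFEARRAY held by the variant that ConvertSecurityDescriptor fills in, or any other self-relative descriptor blob; the point of the bounds checks is that a stored blob of unknown provenance, or a conversion result that came back shorter than the ACL header claims, is rejected up front rather than trusted during later analysis.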

