Check Authorization on ActiveDirectory Object

I want to test if an arbitrary user has write-access to attributes of a particular Active Directory object. I think one part of the solution appears to be this:

NTAccount Account = new NTAccount("Domain\\XYZ");
SecurityIdentifier Sid =
(SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier));

That seems to allow me to get a concrete representation from a string representation of the user. Another piece of the puzzle I think is this:

string strMemberString = "LDAP://OU=Test,DC=Domain,DC=local";
DirectoryEntry computers = new DirectoryEntry();
computers.Path = strMemberString;
computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
| SecurityMasks.Dacl | SecurityMasks.Sacl;

foreach (DirectoryEntry computer in computers.Children)
{
   if (computer.Name == "CN=Test")
   {
      ActiveDirectorySecurity sdc = computer.ObjectSecurity;
      //...
   }
}

Not sure where to go from there. How do I finish this? Is there an entirely different way I should be pursuing? I'm using .NET 4.0.

I'd prefer that the solution be entirely BCL code, rather than PInvoke or WMI.


I think that the best way is to look for a class that gives the "Effective Rights" as represented in a tab of the advanced dialog box in the security tab of an AD object.

There is also a command-line tool called ACLDiag.exe that does what you want.


(Edited) To find the groups a user belongs to, you can:

  • Write a recursive query program. It gives bad performance in big organizations.

  • Use a special matching rule called "LDAP_MATCHING_RULE_IN_CHAIN" (see Search Filter Syntax for more information). I give an example in this other question. It's a bit long too, but as far as I know, it's the only way to retrieve security AND distribution groups.

  • Use the 'tokenGroups' attribute. It is a computed attribute which holds the IDs of every security group the user is a member of, including the indirect groups. I think this is the one you can use, and it is provided with the UserPrincipal.GetAuthorizationGroups method (in the System.DirectoryServices.AccountManagement namespace, introduced in .NET 3.5).


You need to inspect the allowedAttributesEffective attribute.
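An added example, not code from the question or either answer: one BCL-only way to combine the pieces above is to walk the rules in the object's ActiveDirectorySecurity and match them against the user's SID plus the group SIDs from tokenGroups. The SIDs and attribute GUIDs below are constructed, the class and method names are hypothetical, and the check is an approximation: it assumes canonical ACE order and ignores property-set GUIDs and owner rights.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class AdWriteCheck
{
    // Approximate DACL evaluation for writing a single attribute.
    public static bool CanWriteAttribute(ActiveDirectorySecurity sd,
        ICollection<SecurityIdentifier> tokenSids, Guid attributeGuid)
    {
        bool allowed = false;
        foreach (ActiveDirectoryAccessRule rule in
                 sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            // Inherit-only ACEs apply to child objects, not to this object.
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            // GenericWrite and GenericAll also carry the WriteProperty bit.
            if ((rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == 0) continue;
            if (!tokenSids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            // Guid.Empty means the ACE covers every attribute of the object.
            if (rule.ObjectType != Guid.Empty && rule.ObjectType != attributeGuid) continue;
            if (rule.AccessControlType == AccessControlType.Deny) return false;
            allowed = true;
        }
        return allowed;
    }

    static void Main()
    {
        // Constructed SIDs: the user and one group taken from its tokenGroups.
        var user = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");
        var group = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1201");
        var token = new HashSet<SecurityIdentifier> { user, group };
        // Constructed GUIDs standing in for the schemaIDGUID of two attributes.
        var attrA = new Guid("aaaaaaaa-0000-0000-0000-000000000001");
        var attrB = new Guid("bbbbbbbb-0000-0000-0000-000000000002");

        // Constructed descriptor: group may write everything, user is denied attrB.
        var sd = new ActiveDirectorySecurity();
        sd.AddAccessRule(new ActiveDirectoryAccessRule(
            group, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow));
        sd.AddAccessRule(new ActiveDirectoryAccessRule(
            user, ActiveDirectoryRights.WriteProperty, AccessControlType.Deny, attrB));

        Console.WriteLine("attrA writable: " + CanWriteAttribute(sd, token, attrA));
        Console.WriteLine("attrB writable: " + CanWriteAttribute(sd, token, attrB));
    }
}
```

Against a live directory, pass `computer.ObjectSecurity` as the descriptor and build the SID set from the translated NTAccount plus the SIDs returned by UserPrincipal.GetAuthorizationGroups.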
