// Constructors
	public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags) {}
 public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, ActiveDirectorySecurityInheritance inheritanceType) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(System.Security.AccessControl.InheritanceFlags), default(System.Security.AccessControl.PropagationFlags), default(Guid), default(Guid), default(System.Security.AccessControl.AuditFlags))
 {
   Contract.Requires(identity != null);
 }
		public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, type, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
		{
		}
		public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), auditFlags, objectType, false, 0, 0, Guid.Empty)
		{
		}
Beispiel #5
0
 public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type) : this(identity, (int)adRights, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
 {
 }
 public ActiveDirectoryAccessRule(
     IdentityReference identity,
     ActiveDirectoryRights adRights,
     AccessControlType type,
     ActiveDirectorySecurityInheritance inheritanceType,
     Guid inheritedObjectType)
     : this(
         identity,
         ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights),
         type,
         Guid.Empty,
         false,
         ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType),
         ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType),
         inheritedObjectType)
 {
 }
Beispiel #7
0
 public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, 0, 0, Guid.Empty)
 {
 }
		public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags) : this(identity, (int)adRights, auditFlags, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
		{
		}
		public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, auditFlags, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
		{
		}
		public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, 0, 0, Guid.Empty)
		{
		}
 public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights rights, AccessControlType aclType)
 {
     throw new NotImplementedException("ActiveDirectoryAccessRule()");
 }
 public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, ActiveDirectorySecurityInheritance inheritanceType) : base(default(System.Security.Principal.IdentityReference), default(int), default(bool), default(System.Security.AccessControl.InheritanceFlags), default(System.Security.AccessControl.PropagationFlags), default(Guid), default(Guid), default(System.Security.AccessControl.AuditFlags))
 {
     Contract.Requires(identity != null);
 }
        public static void AddPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission, ActiveDirectorySecurityInheritance inheritance = ActiveDirectorySecurityInheritance.All)
        {
            var obj  = new DirectoryEntry(objectPath);
            var rule = new ActiveDirectoryAccessRule(identity, permission, AccessControlType.Allow, inheritance);

            obj.ObjectSecurity.AddAccessRule(rule);
            obj.CommitChanges();
        }
        public static bool HasPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission)
        {
            var obj = new DirectoryEntry(objectPath);

            return(GetRules(obj.ObjectSecurity, identity).Any(r => r.ActiveDirectoryRights == permission));
        }
        public static void RemoveOUSecurityfromSid(string ouPath, WellKnownSidType UserSid, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance)
        {
            DirectoryEntry ou = GetADObject(ouPath);


            SecurityIdentifier identity = null;

            identity = new SecurityIdentifier(UserSid, null);

            ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule(
                identity,
                rights,
                type,
                inheritance
                );



            ou.ObjectSecurity.RemoveAccessRule(ruleRead);
            ou.CommitChanges();
            ou.Close();
        }
Beispiel #16
0
 private static bool IsRightSetinAccessRule(ActiveDirectoryAccessRule accessrule, ActiveDirectoryRights right)
 {
     return((accessrule.ActiveDirectoryRights & right) == right);
 }
 public ActiveDirectoryAccessRule(
     IdentityReference identity,
     ActiveDirectoryRights adRights,
     AccessControlType type,
     Guid objectType)
     : this(
         identity,
         ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights),
         type,
         objectType,
         false,
         InheritanceFlags.None,
         PropagationFlags.None,
         Guid.Empty)
 {
 }
Beispiel #18
0
        protected override void PopulateCalculatedProperties()
        {
            base.PopulateCalculatedProperties();
            TaskLogger.Trace("Resolving InheritedObjectType", new object[0]);
            IConfigurationSession session = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 175, "PopulateCalculatedProperties", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\RecipientTasks\\permission\\ADAcePresentationObject.cs");

            if (base.RealAce.InheritedObjectType != Guid.Empty)
            {
                ADSchemaObjectIdParameter         adschemaObjectIdParameter = ADSchemaObjectIdParameter.Parse(base.RealAce.InheritedObjectType.ToString());
                IEnumerable <ADSchemaClassObject> objects = adschemaObjectIdParameter.GetObjects <ADSchemaClassObject>(null, session);
                using (IEnumerator <ADSchemaClassObject> enumerator = objects.GetEnumerator())
                {
                    string text = null;
                    if (enumerator.MoveNext())
                    {
                        text = enumerator.Current.Name;
                    }
                    if (text == null || enumerator.MoveNext())
                    {
                        this.InheritedObjectType = ADSchemaObjectIdParameter.Parse(base.RealAce.InheritedObjectType.ToString());
                        TaskLogger.Trace("Could not resolve the following InheritedObjectType: {0}", new object[]
                        {
                            base.RealAce.InheritedObjectType.ToString()
                        });
                    }
                    else
                    {
                        this.InheritedObjectType = ADSchemaObjectIdParameter.Parse(text);
                    }
                }
            }
            if (base.RealAce.ObjectType != Guid.Empty)
            {
                ActiveDirectoryRights activeDirectoryRights = base.RealAce.ActiveDirectoryRights;
                string text2 = base.RealAce.ObjectType.ToString();
                bool   flag  = false;
                if ((activeDirectoryRights & ActiveDirectoryRights.ExtendedRight) == ActiveDirectoryRights.ExtendedRight)
                {
                    TaskLogger.Trace("Resolving ExtendedRight", new object[0]);
                    ExtendedRightIdParameter[]  extendedRights           = null;
                    ExtendedRightIdParameter    extendedRightIdParameter = ExtendedRightIdParameter.Parse(text2);
                    IEnumerable <ExtendedRight> objects2 = extendedRightIdParameter.GetObjects <ExtendedRight>(null, session);
                    using (IEnumerator <ExtendedRight> enumerator2 = objects2.GetEnumerator())
                    {
                        string text3 = null;
                        if (enumerator2.MoveNext())
                        {
                            text3 = enumerator2.Current.Name;
                        }
                        if (text3 != null && !enumerator2.MoveNext())
                        {
                            extendedRights = new ExtendedRightIdParameter[]
                            {
                                ExtendedRightIdParameter.Parse(text3)
                            };
                            flag = true;
                        }
                    }
                    this.ExtendedRights = extendedRights;
                }
                if ((!flag && (activeDirectoryRights & ActiveDirectoryRights.CreateChild) == ActiveDirectoryRights.CreateChild) || (activeDirectoryRights & ActiveDirectoryRights.DeleteChild) == ActiveDirectoryRights.DeleteChild || (activeDirectoryRights & ActiveDirectoryRights.ReadProperty) == ActiveDirectoryRights.ReadProperty || (activeDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty)
                {
                    TaskLogger.Trace("Resolving Child Object Type", new object[0]);
                    ADSchemaObjectIdParameter[]       childObjectTypes           = null;
                    ADSchemaObjectIdParameter         adschemaObjectIdParameter2 = ADSchemaObjectIdParameter.Parse(text2);
                    IEnumerable <ADSchemaClassObject> objects3 = adschemaObjectIdParameter2.GetObjects <ADSchemaClassObject>(null, session);
                    using (IEnumerator <ADSchemaClassObject> enumerator3 = objects3.GetEnumerator())
                    {
                        string text4 = null;
                        if (enumerator3.MoveNext())
                        {
                            text4 = enumerator3.Current.Name;
                        }
                        if (text4 != null && !enumerator3.MoveNext())
                        {
                            childObjectTypes = new ADSchemaObjectIdParameter[]
                            {
                                ADSchemaObjectIdParameter.Parse(text4)
                            };
                            flag = true;
                        }
                    }
                    this.ChildObjectTypes = childObjectTypes;
                }
                if ((!flag && (activeDirectoryRights & ActiveDirectoryRights.ReadProperty) == ActiveDirectoryRights.ReadProperty) || (activeDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty || (activeDirectoryRights & ActiveDirectoryRights.Self) == ActiveDirectoryRights.Self)
                {
                    TaskLogger.Trace("Resolving Property", new object[0]);
                    ADSchemaObjectIdParameter[]           properties = null;
                    ADSchemaObjectIdParameter             adschemaObjectIdParameter3 = ADSchemaObjectIdParameter.Parse(text2);
                    IEnumerable <ADSchemaAttributeObject> objects4 = adschemaObjectIdParameter3.GetObjects <ADSchemaAttributeObject>(null, session);
                    using (IEnumerator <ADSchemaAttributeObject> enumerator4 = objects4.GetEnumerator())
                    {
                        string text5 = null;
                        if (enumerator4.MoveNext())
                        {
                            text5 = enumerator4.Current.Name;
                        }
                        if (text5 == null || enumerator4.MoveNext())
                        {
                            ExtendedRightIdParameter    extendedRightIdParameter2 = ExtendedRightIdParameter.Parse(text2);
                            IEnumerable <ExtendedRight> objects5 = extendedRightIdParameter2.GetObjects <ExtendedRight>(null, session);
                            using (IEnumerator <ExtendedRight> enumerator5 = objects5.GetEnumerator())
                            {
                                string text6 = null;
                                if (enumerator5.MoveNext())
                                {
                                    text6 = enumerator5.Current.Name;
                                }
                                TaskLogger.Trace("Could not resolve the following property: {0}", new object[]
                                {
                                    text2
                                });
                                if (text6 != null && !enumerator5.MoveNext())
                                {
                                    properties = new ADSchemaObjectIdParameter[]
                                    {
                                        ADSchemaObjectIdParameter.Parse(text6)
                                    };
                                }
                                goto IL_3A4;
                            }
                        }
                        properties = new ADSchemaObjectIdParameter[]
                        {
                            ADSchemaObjectIdParameter.Parse(text5)
                        };
                        IL_3A4 :;
                    }
                    this.Properties = properties;
                }
            }
        }
Beispiel #19
0
 internal static int AccessMaskFromRights(ActiveDirectoryRights adRights)
 {
     return((int)adRights);
 }
Beispiel #20
0
        Task StartConsumer(BlockingCollection <DBObject> input, BlockingCollection <ACLInfo> output, TaskFactory factory)
        {
            return(factory.StartNew(() =>
            {
                foreach (DBObject obj in input.GetConsumingEnumerable())
                {
                    Interlocked.Increment(ref count);
                    if (obj.NTSecurityDescriptor == null)
                    {
                        options.WriteVerbose($"DACL was null on ${obj.SAMAccountName}");
                        continue;
                    }
                    RawSecurityDescriptor desc = new RawSecurityDescriptor(obj.NTSecurityDescriptor, 0);
                    RawAcl acls = desc.DiscretionaryAcl;
                    //Figure out whose the owner
                    string ownersid = desc.Owner.ToString();

                    if (!manager.FindBySID(ownersid, CurrentDomain, out DBObject owner))
                    {
                        if (MappedPrincipal.GetCommon(ownersid, out MappedPrincipal mapped))
                        {
                            owner = new DBObject
                            {
                                BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}",
                                Type = "group",
                                Domain = CurrentDomain,
                                DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}",
                            };
                        }
                        else if (NullSIDS.TryGetValue(ownersid, out byte val))
                        {
                            owner = null;
                            continue;
                        }
                        else
                        {
                            try
                            {
                                DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={ownersid}>");
                                owner = entry.ConvertToDB();
                                manager.InsertRecord(owner);
                            }
                            catch
                            {
                                owner = null;
                                NullSIDS.TryAdd(ownersid, new byte());
                                options.WriteVerbose($"Unable to resolve {ownersid} for object owner");
                                continue;
                            }
                        }
                    }

                    if (owner != null)
                    {
                        output.Add(new ACLInfo
                        {
                            ObjectName = obj.BloodHoundDisplayName,
                            ObjectType = obj.Type,
                            Inherited = false,
                            RightName = "Owner",
                            PrincipalName = owner.BloodHoundDisplayName,
                            PrincipalType = owner.Type,
                            AceType = "",
                            Qualifier = "AccessAllowed"
                        });
                    }

                    foreach (QualifiedAce r in acls)
                    {
                        string PrincipalSID = r.SecurityIdentifier.ToString();

                        //Try to map our SID to the principal using a few different methods
                        if (!manager.FindBySID(PrincipalSID, CurrentDomain, out DBObject principal))
                        {
                            if (MappedPrincipal.GetCommon(PrincipalSID, out MappedPrincipal mapped))
                            {
                                principal = new DBObject
                                {
                                    BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}",
                                    Type = "group",
                                    Domain = CurrentDomain,
                                    DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}"
                                };
                            }
                            else if (NullSIDS.TryGetValue(ownersid, out byte val))
                            {
                                continue;
                            }
                            else
                            {
                                try
                                {
                                    DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={PrincipalSID}>");
                                    principal = entry.ConvertToDB();
                                    manager.InsertRecord(principal);
                                }
                                catch
                                {
                                    NullSIDS.TryAdd(PrincipalSID, new byte());
                                    options.WriteVerbose($"Unable to resolve {PrincipalSID} for ACL");
                                    continue;
                                }
                            }
                        }
                        //If we're here, we have a principal. Yay!

                        //Resolve the ActiveDirectoryRight
                        ActiveDirectoryRights right = (ActiveDirectoryRights)Enum.ToObject(typeof(ActiveDirectoryRights), r.AccessMask);
                        string rs = right.ToString();
                        string guid = r is ObjectAce ? ((ObjectAce)r).ObjectAceType.ToString() : "";
                        List <string> foundrights = new List <string>();
                        bool cont = false;

                        //Figure out if we need more processing
                        cont |= (rs.Contains("WriteDacl") || rs.Contains("WriteOwner"));
                        if (rs.Contains("GenericWrite") || rs.Contains("GenericAll"))
                        {
                            cont |= ("00000000-0000-0000-0000-000000000000".Equals(guid) || guid.Equals("") || cont);
                        }

                        if (rs.Contains("ExtendedRight"))
                        {
                            cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("") || guid.Equals("00299570-246d-11d0-a768-00aa006e0529") || cont);

                            //DCSync
                            cont |= (guid.Equals("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") || guid.Equals("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") || cont);
                        }

                        if (rs.Contains("WriteProperty"))
                        {
                            cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2") || guid.Equals("bf9679a8-0de6-11d0-a285-00aa003049e2") || cont);
                        }

                        if (!cont)
                        {
                            continue;
                        }

                        string acetype = null;
                        MatchCollection coll = GenericRegex.Matches(rs);
                        if (rs.Contains("ExtendedRight"))
                        {
                            switch (guid)
                            {
                            case "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2":
                                acetype = "DS-Replication-Get-Changes";
                                break;

                            case "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2":
                                acetype = "DS-Replication-Get-Changes-All";
                                break;

                            default:
                                acetype = "All";
                                break;
                            }
                        }

                        if (acetype != null && (acetype.Equals("DS-Replication-Get-Changes-All") || acetype.Equals("DS-Replication-Get-Changes")))
                        {
                            if (!syncers.TryGetValue(principal.DistinguishedName, out DCSync SyncObject))
                            {
                                SyncObject = new DCSync
                                {
                                    Domain = obj.BloodHoundDisplayName,
                                    PrincipalName = principal.BloodHoundDisplayName,
                                    PrincipalType = principal.Type
                                };
                            }

                            if (acetype.Contains("-All"))
                            {
                                SyncObject.GetChangesAll = true;
                            }
                            else
                            {
                                SyncObject.GetChanges = true;
                            }

                            syncers.AddOrUpdate(principal.DistinguishedName, SyncObject, (key, oldVar) => SyncObject);
                            //We only care about these privs if we have both, so store that stuff and continue on
                            continue;
                        }

                        if (rs.Contains("GenericAll"))
                        {
                            output.Add(new ACLInfo
                            {
                                ObjectName = obj.BloodHoundDisplayName,
                                ObjectType = obj.Type,
                                AceType = "",
                                Inherited = r.IsInherited,
                                PrincipalName = principal.BloodHoundDisplayName,
                                PrincipalType = principal.Type,
                                Qualifier = r.AceQualifier.ToString(),
                                RightName = "GenericAll"
                            });
                        }

                        if (rs.Contains("GenericWrite"))
                        {
                            output.Add(new ACLInfo
                            {
                                ObjectName = obj.BloodHoundDisplayName,
                                ObjectType = obj.Type,
                                AceType = "",
                                Inherited = r.IsInherited,
                                PrincipalName = principal.BloodHoundDisplayName,
                                PrincipalType = principal.Type,
                                Qualifier = r.AceQualifier.ToString(),
                                RightName = "GenericWrite"
                            });
                        }

                        if (rs.Contains("WriteOwner"))
                        {
                            output.Add(new ACLInfo
                            {
                                ObjectName = obj.BloodHoundDisplayName,
                                ObjectType = obj.Type,
                                AceType = "",
                                Inherited = r.IsInherited,
                                PrincipalName = principal.BloodHoundDisplayName,
                                PrincipalType = principal.Type,
                                Qualifier = r.AceQualifier.ToString(),
                                RightName = "WriteOwner"
                            });
                        }

                        if (rs.Contains("WriteDacl"))
                        {
                            output.Add(new ACLInfo
                            {
                                ObjectName = obj.BloodHoundDisplayName,
                                ObjectType = obj.Type,
                                AceType = "",
                                Inherited = r.IsInherited,
                                PrincipalName = principal.BloodHoundDisplayName,
                                PrincipalType = principal.Type,
                                Qualifier = r.AceQualifier.ToString(),
                                RightName = "WriteDacl"
                            });
                        }

                        if (rs.Contains("WriteProperty"))
                        {
                            if (guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2"))
                            {
                                output.Add(new ACLInfo
                                {
                                    ObjectName = obj.BloodHoundDisplayName,
                                    ObjectType = obj.Type,
                                    AceType = "Member",
                                    Inherited = r.IsInherited,
                                    PrincipalName = principal.BloodHoundDisplayName,
                                    PrincipalType = principal.Type,
                                    Qualifier = r.AceQualifier.ToString(),
                                    RightName = "WriteProperty"
                                });
                            }
                            else
                            {
                                output.Add(new ACLInfo
                                {
                                    ObjectName = obj.BloodHoundDisplayName,
                                    ObjectType = obj.Type,
                                    AceType = "Script-Path",
                                    Inherited = r.IsInherited,
                                    PrincipalName = principal.BloodHoundDisplayName,
                                    PrincipalType = principal.Type,
                                    Qualifier = r.AceQualifier.ToString(),
                                    RightName = "WriteProperty"
                                });
                            }
                        }

                        if (rs.Contains("ExtendedRight"))
                        {
                            if (guid.Equals("00299570-246d-11d0-a768-00aa006e0529"))
                            {
                                output.Add(new ACLInfo
                                {
                                    ObjectName = obj.BloodHoundDisplayName,
                                    ObjectType = obj.Type,
                                    AceType = "User-Force-Change-Password",
                                    Inherited = r.IsInherited,
                                    PrincipalName = principal.BloodHoundDisplayName,
                                    PrincipalType = principal.Type,
                                    Qualifier = r.AceQualifier.ToString(),
                                    RightName = "ExtendedRight"
                                });
                            }
                            else
                            {
                                output.Add(new ACLInfo
                                {
                                    ObjectName = obj.BloodHoundDisplayName,
                                    ObjectType = obj.Type,
                                    AceType = "All",
                                    Inherited = r.IsInherited,
                                    PrincipalName = principal.BloodHoundDisplayName,
                                    PrincipalType = principal.Type,
                                    Qualifier = r.AceQualifier.ToString(),
                                    RightName = "ExtendedRight"
                                });
                            }
                        }
                    }
                }
            }));
        }
Beispiel #21
0
 public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType)
 {
 }
Beispiel #22
0
 internal static int AccessMaskFromRights(ActiveDirectoryRights adRights) => (int)adRights;
		public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), auditFlags, objectType, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType)
		{
		}
    // Get A Principal's Cumulitive AD Rights On An Object
    private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject)
    {
        ActiveDirectoryRights myRights     = 0;
        ActiveDirectoryRights myDenyRights = 0;
        Principal             p            = DirectoryServices.GetPrincipal(principal);

        if (p == null)
        {
            throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist);
        }
        List <DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true);

        DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject);

        if (de == null)
        {
            throw new AdException($"Object [{adObject}]  Does Not Exist.", AdStatusType.DoesNotExist);
        }
        List <AccessRuleObject> rules = DirectoryServices.GetAccessRules(de);

        Dictionary <string, ActiveDirectoryRights> rights     = new Dictionary <string, ActiveDirectoryRights>();
        Dictionary <string, ActiveDirectoryRights> denyRights = new Dictionary <string, ActiveDirectoryRights>();

        // Accumulate Allow and Deny Rights By Identity Reference
        foreach (AccessRuleObject rule in rules)
        {
            if (rule.ControlType == System.Security.AccessControl.AccessControlType.Allow)
            {
                if (rights.Keys.Contains(rule.IdentityReference))
                {
                    rights[rule.IdentityReference] |= rule.Rights;
                }
                else
                {
                    rights.Add(rule.IdentityReference, rule.Rights);
                }
            }
            else
            {
                if (rights.Keys.Contains(rule.IdentityReference))
                {
                    denyRights[rule.IdentityReference] |= rule.Rights;
                }
                else
                {
                    denyRights.Add(rule.IdentityReference, rule.Rights);
                }
            }
        }

        foreach (DirectoryEntry entry in groups)
        {
            if (entry.Properties.Contains("objectSid"))
            {
                string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value);
                if (rights.ContainsKey(sid))
                {
                    myRights |= rights[sid];
                }
                if (denyRights.ContainsKey(sid))
                {
                    myDenyRights |= denyRights[sid];
                }
            }
        }

        // Apply Deny Rights
        myDenyRights = myRights & myDenyRights;
        myRights     = myRights ^ myDenyRights;

        return(myRights);
    }
Beispiel #25
0
 public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, type, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
 {
 }
        void fromActiveDirectorySecurity()
        {
            ActiveDirectorySecurity dsSecurity;

            using (var entry = new DirectoryEntry("LDAP://" + _x500Name)) {
                dsSecurity = entry.ObjectSecurity;
            }

            try {
                SetOwner(dsSecurity.GetOwner(typeof(NTAccount)));
            } catch {
                SetOwner(dsSecurity.GetOwner(typeof(SecurityIdentifier)));
            }

            IEnumerable <IdentityReference> users = dsSecurity
                                                    .GetAccessRules(true, true, typeof(NTAccount))
                                                    .Cast <ActiveDirectoryAccessRule>()
                                                    .Select(x => x.IdentityReference)
                                                    .Distinct();

            foreach (IdentityReference user in users)
            {
                foreach (AccessControlType accessType in Enum.GetValues(typeof(AccessControlType)))
                {
                    CertTemplateRights rights = 0;
                    IEnumerable <ActiveDirectoryAccessRule> aceList = dsSecurity.GetAccessRules(true, true, typeof(NTAccount))
                                                                      .Cast <ActiveDirectoryAccessRule>()
                                                                      .Where(x => x.IdentityReference == user && x.AccessControlType == accessType);
                    foreach (ActiveDirectoryAccessRule ace in aceList)
                    {
                        ActiveDirectoryRights aceRights = ace.ActiveDirectoryRights;
                        if (aceRights.HasFlag(ActiveDirectoryRights.GenericRead) || aceRights.HasFlag(ActiveDirectoryRights.GenericExecute))
                        {
                            rights |= CertTemplateRights.Read;
                        }
                        if (aceRights.HasFlag(ActiveDirectoryRights.WriteDacl))
                        {
                            rights |= CertTemplateRights.Write;
                        }
                        if (aceRights.HasFlag(ActiveDirectoryRights.GenericAll))
                        {
                            rights |= CertTemplateRights.FullControl;
                        }
                        if (aceRights.HasFlag(ActiveDirectoryRights.ExtendedRight))
                        {
                            switch (ace.ObjectType.ToString())
                            {
                            case GUID_ENROLL:
                                rights |= CertTemplateRights.Enroll;
                                break;

                            case GUID_AUTOENROLL:
                                rights |= CertTemplateRights.Autoenroll;
                                break;
                            }
                        }
                    }
                    if (rights > 0)
                    {
                        AddAccessRule(new CertTemplateAccessRule(user, rights, accessType));
                    }
                }
            }
        }
		public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type) : this(identity, (int)adRights, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
		{
		}
 public ActiveDirectoryAuditRule(
     IdentityReference identity,
     ActiveDirectoryRights adRights,
     AuditFlags auditFlags)
     : this(
         identity,
         ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights),
         auditFlags,
         Guid.Empty,
         false,
         InheritanceFlags.None,
         PropagationFlags.None,
         Guid.Empty
         )
 {
 }
	public ActiveDirectoryAccessRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type, ActiveDirectorySecurityInheritance inheritanceType) {}
 internal static int AccessMaskFromRights(ActiveDirectoryRights adRights)
 {
     return (int)adRights;
 }
	public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, System.Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, System.Guid inheritedObjectType) {}
        public static void RemoveOUSecurityfromUser(string ouPath, string domain, string Username, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance)
        {
            DirectoryEntry            ou       = GetADObject(ouPath);
            NTAccount                 ADUser   = new NTAccount(domain, Username);
            ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule(
                ADUser,
                rights,
                type,
                inheritance
                );

            ou.ObjectSecurity.RemoveAccessRule(ruleRead);
            ou.CommitChanges();
            ou.Close();
        }