SetAccess() public method

public SetAccess ( System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, System.Security.AccessControl.ObjectAccessRule rule ) : void
accessType System.Security.AccessControl.AccessControlType
sid System.Security.Principal.SecurityIdentifier
rule System.Security.AccessControl.ObjectAccessRule
return void
        /// <summary>
        /// Grants the well-known Authenticated Users group (S-1-5-11) the start and stop
        /// rights on the service whose DACL is passed in. The ACL is modified in place.
        /// </summary>
        /// <param name="dacl">Service DACL to receive the allow ACE.</param>
        private static void AuthUserStartStop(DiscretionaryAcl dacl)
        {
            // No domain SID is needed to build a well-known SID of this kind.
            SecurityIdentifier authenticatedUsers = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
            int startStopMask = (int)(ServiceAccess.ServiceStart | ServiceAccess.ServiceStop);

            // Non-inheritable allow ACE. SetAccess replaces an existing allow ACE for the
            // same SID/flags rather than merging masks into it.
            dacl.SetAccess(
                AccessControlType.Allow,
                authenticatedUsers,
                startStopMask,
                InheritanceFlags.None,
                PropagationFlags.None);
        }
        /// <summary>
        /// Creates (or, when <paramref name="overwrite"/> is set, replaces) the IIS and FTP site
        /// accounts under their respective OUs, sets each password and userAccountControl,
        /// adds each account to the "WWWRoot-&lt;folderGroup&gt;" group, and then attempts to add a
        /// User-Change-Password deny ACE. Progress and failures are reported through WriteOut;
        /// nothing is thrown to the caller.
        /// </summary>
        /// <param name="overwrite">When true, an existing account with the same name is removed before the new one is created.</param>
        public void ActiveDirectorySetup(bool overwrite)
        {
            // OU fragments the accounts are created under. The leading OU names are missing
            // from this listing; each fragment is completed with ",DC=..." when binding below.
            const string ftpDetails = "OU=Users,OU=";
            const string iisDetails = "OU=";
            String[] siteTypes = { iisDetails, ftpDetails };

            foreach (String type in siteTypes)
            {
                String siteConnection = type;
                String siteUsername;
                String sitePassword;
                // Account credentials come from fields declared elsewhere in the class
                // (IISusername/IISpassword, FTPusername/FTPpassword).
                if (type == iisDetails)
                {
                    siteUsername = IISusername;
                    sitePassword = IISpassword;
                }
                else
                {
                    siteUsername = FTPusername;
                    sitePassword = FTPpassword;
                }

                // Binds to the target OU with the operator's own login. The domain component is the
                // text before '\' in loginUserName, so a DOMAIN\user login is assumed; a bare username
                // would make Split('\\')[0] the whole username. Note the stray space in ",DC= " and
                // that this bind uses ".net" while the UPN assigned further down uses ".com".
                using (var de = new DirectoryEntry(getConfigSections("ADServer") + "/" + siteConnection + ",DC= " + loginUserName.Text.Split('\\')[0] + ",DC=net", loginUserName.Text, loginPassword.Text))
                {
                    bool creatingNewUser = false;
                    try
                    {
                        // NOTE(review): the LDAP filter is built by concatenation. If siteUsername can
                        // contain filter metacharacters it should be escaped (RFC 4515) before use.
                        using (var dirSearch = new DirectorySearcher(de, "(&(objectClass=user)(name=" + siteUsername + "))", new[] { "cn" }))
                        {
                            de.RefreshCache();
                            SearchResult result = dirSearch.FindOne();
                            if (result != null && !overwrite)
                            {
                                WriteOut("User with that name already exists. Please enter a unique domain name. If you want to override the existing entries, select the Override checkbox.");
                            }
                            else if (overwrite)
                            {
                                // Also reached when result is null. In that case Children.Find below
                                // throws for the missing entry and the whole create step is skipped.
                                WriteOut("Overwriting existing user.");
                                creatingNewUser = true;
                            }
                            else
                            {
                                WriteOut("No user with that name.");
                                creatingNewUser = true;
                            }

                        }
                    }
                    catch (Exception e)
                    {
                        // Writes the full exception, including its stack trace, to the UI output.
                        WriteOut("Failed because of: " + e);
                        creatingNewUser = false;
                    }
                    if (creatingNewUser)
                    {
                        try
                        {
                            if (overwrite)
                            {
                                // oldUser is never disposed.
                                DirectoryEntry oldUser = de.Children.Find("CN=" + siteUsername, "user");
                                de.Children.Remove(oldUser);
                                WriteOut("Removed existing user entry.");
                            }

                            // user is never disposed either.
                            DirectoryEntry user = de.Children.Add("CN=" + siteUsername, "user");
                            user.Properties["sAMAccountName"].Add(siteUsername);
                            user.Properties["userPrincipalName"].Value = siteUsername + "@" + loginUserName.Text.Split('\\')[0] + ".com";
                            user.CommitChanges();
                            WriteOut("Added new user.");

                            // Late-bound IADsUser.SetPassword on the committed object.
                            user.Invoke("SetPassword", new Object[] { sitePassword });
                            // 0x10000 DONT_EXPIRE_PASSWD | 0x200 NORMAL_ACCOUNT | 0x40 PASSWD_CANT_CHANGE.
                            // NOTE(review): the directory does not accept the 0x40 bit through this
                            // attribute; "cannot change password" is represented by the ACE attempted
                            // below, which is presumably why that block exists — confirm.
                            user.Properties["userAccountControl"].Value = 0x10240; //Password never expires (0x10000) and normal account (0x200) + can't change password (0x40)
                            user.CommitChanges();
                            WriteOut("Set user password and password never expires flag.");
                            de.CommitChanges();

                            //REDO TO USE THE DIRECTORY SERVICES ACCOUNT MANAGEMENT STUFF
                            // Group membership. The host is a literal "servername." placeholder, and this
                            // context is built for ".net" while mainContext below is built for ".com".
                            using (var pc = new PrincipalContext(ContextType.Domain, "servername." + loginUserName.Text.Split('\\')[0] + ".net", "OU=,DC=" + loginUserName.Text.Split('\\')[0] + ",DC=net", loginUserName.Text, loginPassword.Text))
                            {
                                // NOTE(review): FindByIdentity returns null when the group is absent;
                                // group.Members.Add would then throw NullReferenceException into the catch below.
                                GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, "WWWRoot-" + folderGroup);
                                // NOTE(review): mainContext is disposed manually at the end of the block and so
                                // leaks when Add or Save throws; a using block would release it on every path.
                                PrincipalContext mainContext = new PrincipalContext(ContextType.Domain, "servername." + loginUserName.Text.Split('\\')[0] + ".com", siteConnection + ",DC=" + loginUserName.Text.Split('\\')[0] + ",DC=com", loginUserName.Text, loginPassword.Text);
                                group.Members.Add(mainContext, IdentityType.UserPrincipalName, siteUsername + "@" + loginUserName.Text.Split('\\')[0] + ".com");
                                group.Save();
                                mainContext.Dispose();
                            }

                            //USER CAN'T CHANGE PASSWORD FLAG NOT SETTING
                            // NOTE(review): three reasons the block below has no effect are visible here:
                            //  (1) the DACL is read from de (the OU), not from the newly created user object;
                            //  (2) discACL is modified but never written back to any ObjectSecurity before
                            //      de.CommitChanges(), so the new ACE is never sent to the directory;
                            //  (3) 0x10000000 looks like the GENERIC_ALL generic-rights bit, whereas a
                            //      control-access right such as User-Change-Password is carried by the
                            //      ExtendedRight bit (0x100) — confirm against ActiveDirectoryRights.
                            ActiveDirectorySecurity adSec = de.ObjectSecurity;

                            var securityDescriptor = adSec.GetSecurityDescriptorSddlForm(AccessControlSections.Access);
                            // testSD is unused apart from the commented-out diagnostic line below.
                            var testSD = adSec.GetSecurityDescriptorBinaryForm();
                            // SELF (S-1-5-10): the principal the deny is intended for.
                            var sid = new SecurityIdentifier(WellKnownSidType.SelfSid, null);
                            //TxtOutput.Text += "SDDL: " + securityDescriptor + "| Binary: " + testSD;

                            // Schema GUID of the User-Change-Password control access right.
                            Guid changePasswordGuid = new Guid("{ab721a53-1e2f-11d0-9819-00aa0040529b}");
                            RawSecurityDescriptor rawSecDes = new RawSecurityDescriptor(securityDescriptor);
                            var rawAcl = rawSecDes.DiscretionaryAcl;
                            // isContainer=false, isDS=true: a directory-object DACL copied from the raw ACL.
                            DiscretionaryAcl discACL = new DiscretionaryAcl(false, true, rawAcl);
                            // Object ACE: ObjectAceTypePresent marks changePasswordGuid as the object type. The
                            // same GUID is passed as inherited object type, but without the
                            // InheritedObjectAceTypePresent flag it is presumably ignored.
                            discACL.SetAccess(AccessControlType.Deny, sid, 0x10000000, InheritanceFlags.None, PropagationFlags.None, ObjectAceFlags.ObjectAceTypePresent, changePasswordGuid, changePasswordGuid);

                            // Commits pending changes on the OU entry only; discACL is not among them.
                            de.CommitChanges();

                        }
                        catch (Exception e)
                        {
                            // Same full-exception echo as above.
                            WriteOut("Failed for reasons:" + e);
                        }
                    }
                }
            }
        }
		/// <summary>
		/// SetAccess on a container, non-DS DACL: each distinct (type, SID, flags) key gets its
		/// own ACE, a second call for an existing key replaces the ACE rather than editing it in
		/// place, and a Deny ACE for the same SID is placed ahead of the Allow ACEs.
		/// </summary>
		public void SetAccess ()
		{
			SecurityIdentifier builtinAdmins = new SecurityIdentifier ("BA"); // S-1-5-32-544
			SecurityIdentifier builtinUsers = new SecurityIdentifier ("BU"); // S-1-5-32-545
			const int adminMask = 1;
			const int userMask = 2;
			const int replacedMask = 4;

			// isContainer=true, isDS=false, no initial capacity.
			DiscretionaryAcl acl = new DiscretionaryAcl (true, false, 0);
			acl.SetAccess (AccessControlType.Allow, builtinAdmins, adminMask, InheritanceFlags.ObjectInherit, PropagationFlags.None);
			acl.SetAccess (AccessControlType.Allow, builtinUsers, userMask, InheritanceFlags.None, PropagationFlags.None);
			Assert.AreEqual (2, acl.Count);

			CommonAce adminAce = (CommonAce)acl [0];
			Assert.AreEqual (builtinAdmins, adminAce.SecurityIdentifier);
			Assert.AreEqual (adminMask, adminAce.AccessMask);

			// Same key with a new mask: the previously fetched ACE keeps its old mask, because
			// SetAccess removes and re-adds instead of going through the AccessMask setter.
			acl.SetAccess (AccessControlType.Allow, builtinAdmins, replacedMask, InheritanceFlags.ObjectInherit, PropagationFlags.None);
			Assert.AreNotEqual (replacedMask, adminAce.AccessMask);
			adminAce = (CommonAce)acl [0];
			Assert.AreEqual (replacedMask, adminAce.AccessMask);

			// A Deny for the same SID does not replace the Allow; it is added and ordered first.
			acl.SetAccess (AccessControlType.Deny, builtinAdmins, replacedMask, InheritanceFlags.ObjectInherit, PropagationFlags.None);
			Assert.AreEqual (3, acl.Count);
			Assert.AreEqual (AceQualifier.AccessDenied, ((CommonAce)acl [0]).AceQualifier);
			Assert.AreEqual (AceQualifier.AccessAllowed, ((CommonAce)acl [1]).AceQualifier);
		}