Example #1
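        /// <summary>
        /// Sets the group's <c>managedBy</c> attribute to the manager's distinguished name and,
        /// when requested, adds an allow ACE so the manager can write the group's member attribute.
        /// </summary>
        /// <param name="managerLDAPPath">LDAP path of the manager object to bind to.</param>
        /// <param name="managerUpdateMembershipList">When true, the write-property ACE for the manager is added to the group's DACL.</param>
        /// <param name="group">Directory entry of the group being modified.</param>
        /// <exception cref="InvalidOperationException">The manager's userPrincipalName is missing or not in user@domain form.</exception>
        private void setManagedBy(string managerLDAPPath, bool managerUpdateMembershipList, DirectoryEntry group)
        {
            string managerDistinguishedName;
            string userPrincipalName;

            // The manager entry is only needed to read two attributes; dispose it right away
            // so the underlying directory bind is not left open.
            using (DirectoryEntry managedBy = new DirectoryEntry(managerLDAPPath, credentials.UserName + "@" + credentials.Domain, credentials.Password))
            {
                managerDistinguishedName = managedBy.Properties["distinguishedName"].Value.ToString();

                object upnValue = managedBy.Properties["userPrincipalName"].Value;
                userPrincipalName = upnValue == null ? null : upnValue.ToString();
            }

            // The trustee name is built from the UPN, so refuse to continue with a value that
            // cannot be split into account and domain parts instead of failing on an index error.
            string[] upnParts = userPrincipalName == null ? new string[0] : userPrincipalName.Split('@');
            if (upnParts.Length < 2 || upnParts[0].Length == 0 || upnParts[1].Length == 0)
            {
                throw new InvalidOperationException("The manager's userPrincipalName is missing or is not in user@domain form.");
            }

            string managerSamAccountName = upnParts[0];

            // NOTE(review): this assumes the account name equals the UPN prefix and the NetBIOS
            // domain name equals the UPN suffix with ".com" removed. Confirm for the target forest:
            // the ACE below is granted to whatever principal DOMAIN\name resolves to.
            string managerDomainName = upnParts[1].Replace(".com", "");

            setSinglePropertyValue(group, "managedBy", managerDistinguishedName);

            if (managerUpdateMembershipList)
            {
                IADsSecurityDescriptor sd   = (IADsSecurityDescriptor)group.Properties["ntSecurityDescriptor"].Value;
                IADsAccessControlList  dacl = (IADsAccessControlList)sd.DiscretionaryAcl;

                IADsAccessControlEntry ace = new AccessControlEntry();

                ace.Trustee    = string.Format("{0}\\{1}", managerDomainName, managerSamAccountName);
                // Object-specific allow ACE limited to write-property on a single attribute.
                ace.AccessMask = (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DS_WRITE_PROP;
                ace.AceFlags   = (int)ADS_ACEFLAG_ENUM.ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE;
                ace.AceType    = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
                ace.Flags      = (int)ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
                // Schema GUID of the "member" attribute: the grant covers group membership only.
                ace.ObjectType = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}";

                dacl.AddAce(ace);

                sd.DiscretionaryAcl = dacl;

                // Write the modified descriptor back through the native ADSI object and commit it.
                ((IADsGroup)group.NativeObject).Put("ntSecurityDescriptor", sd);
                ((IADsGroup)group.NativeObject).SetInfo();
            }
        }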
Example #2
        /// <summary>
        /// Overwrites this computer's discretionary ACL with the one read from
        /// <paramref name="baseComputer"/>.
        /// </summary>
        /// <param name="baseComputer">Computer whose AccessControlList is copied onto this object.</param>
        public void ReplacePermisions(Computer baseComputer)
        {
            // Read but not used afterwards; the getter call is kept so the sequence of
            // property reads stays the same.
            IADsAccessControlList currentAcl  = AccessControlList;
            IADsAccessControlList templateAcl = baseComputer.AccessControlList;

            // The DACL is swapped as a whole, not merged: ACEs that exist only on this
            // computer are no longer part of the descriptor after this assignment.
            IADsSecurityDescriptor descriptor = SecurityDescriptor;
            descriptor.DiscretionaryAcl = templateAcl;

            // NOTE(review): presumably the SecurityDescriptor setter writes the change back
            // to the directory; confirm against the property implementation.
            SecurityDescriptor = descriptor;
        }
Example #3
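 /// <summary>
 /// Wraps the discretionary ACL of the given directory entry: reads its
 /// <c>ntSecurityDescriptor</c>, keeps the descriptor and its DACL, then calls Fill().
 /// </summary>
 /// <param name="user">Directory entry whose security descriptor is read.</param>
 public AccessControlList(DirectoryEntry user)
 {
     _user = user;
     if (_securityDescriptor == null)
     {
         try
         {
             // Both "as" casts yield null on a type mismatch; a null descriptor makes the
             // second line throw, which lands in the catch below.
             _securityDescriptor = _user.Properties["ntSecurityDescriptor"].Value as IADsSecurityDescriptor;
             _accessControlList  = _securityDescriptor.DiscretionaryAcl as IADsAccessControlList;
         }
         catch (Exception e)
         {
             // Record the failure instead of discarding it: an ACL that could not be read
             // must be distinguishable from an ACL that has no entries.
             System.Diagnostics.Trace.TraceError("Failed to read ntSecurityDescriptor: {0}", e);
         }
     }

     // NOTE(review): Fill() still runs after a failed read; confirm it tolerates a null ACL
     // and that callers do not treat the resulting empty list as "no permissions set".
     Fill();
 }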
Example #4
        /// <summary>
        /// Reads the security descriptor of the default partition through the ADSI interop
        /// interfaces and prints trustee, access mask, ACE type and ACE flags for every
        /// entry in its discretionary ACL.
        /// </summary>
        public void GetSecurityDescriptorViaInterop()
        {
            // NOTE(review): the entry is not disposed here; whether this method owns it
            // depends on TestUtils.GetDefaultPartition(), which is not shown.
            DirectoryEntry partition = TestUtils.GetDefaultPartition();

            object rawDescriptor = partition.Properties["ntSecurityDescriptor"].Value;
            IADsSecurityDescriptor descriptor = (IADsSecurityDescriptor)rawDescriptor;
            IADsAccessControlList  acl        = (IADsAccessControlList)descriptor.DiscretionaryAcl;

            // The interop ACL is walked through the non-generic IEnumerable, one ACE at a time.
            foreach (IADsAccessControlEntry entry in (IEnumerable)acl)
            {
                Console.WriteLine("Trustee: {0}", entry.Trustee);
                Console.WriteLine("AccessMask: {0}", entry.AccessMask);
                Console.WriteLine("Access Type: {0}", entry.AceType);
                Console.WriteLine("Access Flags: {0}", entry.AceFlags);
            }
        }
Example #5
        /// <summary>
        /// Adds the ACEs needed to join this computer to the domain for a trustee such as
        /// domain\user or Authenticated Users, then stores the updated ACL on the security descriptor.
        /// </summary>
        /// <remarks>
        /// Only the ACEs exposed by <c>ace_writeaccountrestrictions</c> are added here.
        /// Every member of the trustee receives them, so a broad group such as Authenticated Users
        /// extends the right to all authenticated principals; a dedicated group keeps the grant narrow.
        /// </remarks>
        /// <param name="Trustee">Account or group that receives the ACEs, e.g. domain\user.</param>
        public void SetJoinPermissions(string Trustee)
        {
            // Start from the ACL currently on this object
            IADsAccessControlList workingAcl = AccessControlList;

            // Build the ACEs for the trustee and append each one to the working ACL
            Tools.ADACEComputerJoinPermissions joinAces = new Tools.ADACEComputerJoinPermissions(Trustee);
            foreach (IADsAccessControlEntry joinAce in joinAces.ace_writeaccountrestrictions)
            {
                workingAcl.AddAce(joinAce);
            }

            // Put the extended ACL on the descriptor and assign the descriptor back
            IADsSecurityDescriptor descriptor = SecurityDescriptor;

            descriptor.DiscretionaryAcl = workingAcl;
            SecurityDescriptor = descriptor;
        }
Example #6
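        /// <summary>
        /// Adds one access-allowed ACE to the DACL of a sample user object through the ADSI
        /// interop interfaces and commits the modified security descriptor.
        /// </summary>
        public void UpdateSecurityDescriptorViaInterop()
        {
            //point this to any object (I chose a user)
            // The entry is created here, so it is disposed here once the change is committed.
            using (DirectoryEntry entry = TestUtils.CreateDirectoryEntry(
                "CN=User1,OU=Users," + TestUtils.Settings.DefaultPartition))
            {
                IADsAccessControlEntry newAce = new AccessControlEntryClass();

                IADsSecurityDescriptor sd = (IADsSecurityDescriptor)
                                            entry.Properties["ntSecurityDescriptor"].Value;

                IADsAccessControlList dacl =
                    (IADsAccessControlList)sd.DiscretionaryAcl;

                newAce.Trustee    = @"mydomain\some user"; //update this to your needs
                // -1 sets every bit of the mask, i.e. every right on the object. Sample value:
                // outside a test, narrow it to the ADS_RIGHTS_ENUM bits the trustee needs.
                newAce.AccessMask = -1;                    //all flags
                newAce.AceType    = 0;                     //access allowed
                dacl.AddAce(newAce);

                // Reassign the ACL and the descriptor so the change is written on commit.
                sd.DiscretionaryAcl = dacl;
                entry.Properties["ntSecurityDescriptor"].Value = sd;
                entry.CommitChanges();
            }
        }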