/// <summary>
        /// Sets the security rights on a computer object so that members of the JoinToComputer group can join a computer to the domain using that object.
        /// </summary>
        /// <param name="compName">The computer object name to set permissions on</param>
        /// <param name="ouContainer">The container where the computer object resides.</param>
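        private void SetSecurityRights(string compName, string ouContainer)
        {
            if (string.IsNullOrEmpty(compName))
            {
                throw new ArgumentException("A computer name is required.", "compName");
            }

            // compName is embedded in an LDAP filter, so RFC 4515 metacharacters are escaped first.
            // The backslash must be handled before the characters whose escapes it introduces.
            string safeName = compName
                .Replace("\\", "\\5c")
                .Replace("*", "\\2a")
                .Replace("(", "\\28")
                .Replace(")", "\\29")
                .Replace("\0", "\\00");
            string qString = "(&(name=" + safeName + ")(objectClass=computer))";

            ExecuteResult result = this.ExecuteSearch(qString, false, ouContainer);
            if (result == null || result.singleResult == null)
            {
                // Fail with a clear message instead of a NullReferenceException on GetDirectoryEntry().
                throw new InvalidOperationException(
                    "Computer object '" + compName + "' was not found in container '" + ouContainer + "'.");
            }

            // Identity receiving the delegation. Translate() is called only so that a missing or
            // misspelled group fails here (IdentityNotMappedException) rather than at CommitChanges();
            // the access rules below are built from the NTAccount itself.
            NTAccount account = new NTAccount("capstone", "JoinToComputer");
            account.Translate(typeof(SecurityIdentifier));

            // Well-known schema / control-access-right GUIDs.
            Guid userSchemaGuid          = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2"); // 'user' schema class
            Guid userForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529"); // 'Reset password' extended right
            Guid dnsHostNameGuid         = new Guid("72e39547-7b18-11d1-adef-00c04fd8d5cd"); // 'Validated write to DNS host name'
            Guid rwAccountRestrictions   = new Guid("4c164200-20c0-11d0-a768-00aa006e0529"); // 'Read and write account restrictions' property set
            Guid wServicePrincipalName   = new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1"); // 'Validated write to service principal name'

            // The using block closes and disposes the entry even when CommitChanges() throws.
            using (DirectoryEntry computer = result.singleResult.GetDirectoryEntry())
            {
                ActiveDirectorySecurity sdc = computer.ObjectSecurity;

                // Every rule uses inheritance None, so it applies to this computer object only.
                sdc.AddAccessRule(new ActiveDirectoryAccessRule(
                    account,
                    ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty,
                    AccessControlType.Allow,
                    rwAccountRestrictions,
                    ActiveDirectorySecurityInheritance.None));

                // ActiveDirectoryRights.Self is the validated-write right: the DC checks the value
                // being written, unlike a plain WriteProperty on the same attribute.
                sdc.AddAccessRule(new ActiveDirectoryAccessRule(
                    account,
                    ActiveDirectoryRights.Self,
                    AccessControlType.Allow,
                    dnsHostNameGuid,
                    ActiveDirectorySecurityInheritance.None));
                sdc.AddAccessRule(new ActiveDirectoryAccessRule(
                    account,
                    ActiveDirectoryRights.Self,
                    AccessControlType.Allow,
                    wServicePrincipalName,
                    ActiveDirectorySecurityInheritance.None));

                // 'Reset password' control access right. userSchemaGuid is passed as the
                // inherited-object type, which should have no effect with inheritance None;
                // it is kept to match the original ACE definition.
                sdc.AddAccessRule(new ExtendedRightAccessRule(
                    account,
                    AccessControlType.Allow,
                    userForceChangePassword,
                    ActiveDirectorySecurityInheritance.None,
                    userSchemaGuid));

                // May additionally require ReadProperty | WriteProperty on userAccountControl
                // (schema GUID bf967a68-0de6-11d0-a285-00aa003049e2); left out until confirmed.

                // Write the modified security descriptor back to the directory.
                computer.CommitChanges();
            }
        }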
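        /// <summary>
        /// Sample: delegates the 'Reset password' extended right on one user object to the ITGroup group.
        /// </summary>
        /// <param name="args">Not used.</param>
        static void Main(string[] args)
        {
            // The using block disposes the entry even if CommitChanges() throws.
            using (DirectoryEntry user = new DirectoryEntry())
            {
                // Which parts of the security descriptor are read and written back.
                // NOTE(review): including SecurityMasks.Sacl presumably requires SeSecurityPrivilege on
                // the caller; only the DACL is modified below, so Sacl could be dropped — confirm.
                user.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl;
                user.Path = "LDAP://edetoc589VM.edetoc1.lab:389/CN=user,CN=Users,DC=edetoc1,DC=lab";

                ActiveDirectorySecurity userSec = user.ObjectSecurity;

                // Group receiving the delegation. Translate() is called only to fail early if the
                // account cannot be resolved to a SID; the rule itself is built from the NTAccount.
                NTAccount ntaToDelegate = new NTAccount("EDETOC1", "ITGroup");
                ntaToDelegate.Translate(typeof(SecurityIdentifier));

                // Well-known GUIDs: the 'Reset password' control access right and the 'user' schema class.
                Guid userForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529");
                Guid userSchemaGuid          = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");

                // Single ACE: allow ITGroup to reset the password of this object only (no inheritance).
                ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(
                    ntaToDelegate,
                    AccessControlType.Allow,
                    userForceChangePassword,
                    ActiveDirectorySecurityInheritance.None,
                    userSchemaGuid);
                userSec.AddAccessRule(erarResetPwd);

                // An alternative (PropertyAccessRule read/write on pwdLastSet, schema GUID
                // bf967a0a-0de6-11d0-a285-00aa003049e2) is intentionally not used here.

                // NOTE(review): (isProtected: true, preserveInheritance: false) blocks inheritance from
                // the parent AND discards every inherited ACE on the object, so the resulting DACL holds
                // only the explicit entries plus the one added above. Pass (true, true) to convert the
                // inherited entries into explicit ones, or remove the call to leave inheritance intact.
                userSec.SetAccessRuleProtection(true, false);

                // Write the modified security descriptor back to the directory.
                user.CommitChanges();
            }
        }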