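public IResult Collect(SearchString searchstring)
        {
            // Resolve the nested (transitive) group membership of a single account through the
            // constructed tokenGroups attribute, which the DC expands server-side (unlike memberOf).
            // Side effect: records SID -> name for the account in UserSIDNameDictionary.
            // Returns null when the account cannot be located.
            NestedGMSearchString searchString = (NestedGMSearchString)searchstring;

            _logger.Debug($"Collecting Nested Group Membership for {searchString.SAMAccountName}");

            if (string.IsNullOrEmpty(searchString.SAMAccountName))
            {
                // An empty name would produce the malformed filter "(sAMAccountName=)".
                return(null);
            }

            List <string> groupList = new List <string>();
            Dictionary <string, string> groupMap = new Dictionary <string, string>();

            // sAMAccountName may legally contain '(' and ')'; escape the RFC 4515 filter
            // metacharacters so the supplied name can neither break nor alter the filter.
            string escapedName = searchString.SAMAccountName
                .Replace(@"\", @"\5c")
                .Replace("*", @"\2a")
                .Replace("(", @"\28")
                .Replace(")", @"\29")
                .Replace("\0", @"\00");
            string nameFilter = $"(sAMAccountName={escapedName})";

            var ldapSearchString = new LDAPSearchString {
                DN = Searcher.LdapInfo.RootDN, Filter = nameFilter, Scope = SearchScope.Subtree
            };
            var resultEntry = Searcher.GetResultEntry(ldapSearchString);

            if (resultEntry == null)
            {
                return(null);
            }

            using (var userEntry = (Searcher.GetDirectoryEntry(resultEntry.DistinguishedName)))
            {
                //https://www.morgantechspace.com/2015/08/active-directory-tokengroups-vs-memberof.html
                // tokenGroups is a constructed attribute: it is only populated after an explicit
                // RefreshCache naming it.
                userEntry.RefreshCache(new string[] { "tokenGroups" });

                foreach (byte[] sid in userEntry.Properties["tokenGroups"])
                {
                    string groupSID  = new SecurityIdentifier(sid, 0).ToString();
                    string groupName = Helper.SIDNameSID(groupSID);
                    groupList.Add(groupName);
                    // Indexer rather than Add: a repeated SID must not abort the whole collection.
                    groupMap[groupSID] = groupName;
                }
            }

            // Well-known SIDs that are part of the account's token but not returned in tokenGroups.
            // Assigned via indexer so they never collide with an entry already present.
            groupMap["S-1-5-11"] = @"NT AUTHORITY\Authenticated Users";
            groupMap["S-1-5-15"] = @"NT AUTHORITY\This Organization";
            // Indexer so collecting the same account twice refreshes its entry instead of throwing.
            UserSIDNameDictionary[searchString.SAMAccountName.ToUpper()] = groupMap;

            return(new ListResult {
                Title = searchString.Title, Result = groupList
            });
        }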
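        public static List <DACL> ACLScan(string user, List <string> groupSIDs)
        {
            // Walk every object in scope and collect the ACEs that are "interesting" for the
            // given account, matching against the account's own SID plus the supplied group SIDs.
            // Returns null when user is null/empty or cannot be resolved; the caller's groupSIDs
            // list is not modified.
            if (string.IsNullOrEmpty(user))
            {
                // An empty name would produce the malformed filter "(sAMAccountName=)".
                return(null);
            }

            //1. Locate the user
            // sAMAccountName may legally contain '(' and ')'; escape the RFC 4515 filter
            // metacharacters so the supplied name can neither break nor alter the filter.
            string escapedUser = user
                .Replace(@"\", @"\5c")
                .Replace("*", @"\2a")
                .Replace("(", @"\28")
                .Replace(")", @"\29")
                .Replace("\0", @"\00");

            var targetEntry = Searcher.GetResultEntry(new LDAPSearchString
            {
                DN     = Searcher.LdapInfo.TargetSearchBase,
                Filter = $"(sAMAccountName={escapedUser})",
                Scope  = SearchScope.Subtree
            });

            if (targetEntry == null || !targetEntry.Attributes.Contains("objectsid"))
            {
                return(null);
            }

            var targetSid = new SecurityIdentifier((byte[])targetEntry.Attributes["objectsid"][0], 0).ToString();

            //2. Principals to match ACEs against: the user's own SID plus its (nested) group SIDs.
            // Copied so the caller's list is not mutated as a side effect of the scan.
            var principalSids = new List <string>(groupSIDs ?? new List <string>());
            if (!principalSids.Contains(targetSid))
            {
                principalSids.Add(targetSid);
            }

            //3. Choose the naming contexts to walk. A narrowed search base scans only that
            // subtree; the root DN scans the domain, configuration and schema partitions.
            // DNs are case-insensitive, so an ordinal-ignore-case comparison is used.
            bool narrowed = !string.Equals(Searcher.LdapInfo.TargetSearchBase,
                                           Searcher.LdapInfo.RootDN,
                                           StringComparison.OrdinalIgnoreCase);
            string[] searchBases = narrowed
                ? new[] { Searcher.LdapInfo.TargetSearchBase }
                : new[] { Searcher.LdapInfo.RootDN, Searcher.LdapInfo.ConfigDN, Searcher.LdapInfo.SchemaDN };

            var ACLList = new List <DACL>();

            foreach (var searchBase in searchBases)
            {
                var allObjects = Searcher.GetResultEntries(new LDAPSearchString
                {
                    DN     = searchBase,
                    Filter = "(ObjectCategory=*)",
                    Scope  = SearchScope.Subtree
                });

                if (allObjects == null)
                {
                    continue;
                }

                foreach (var obj in allObjects)
                {
                    var acl = GetMyInterestingACLOnObject(obj.DistinguishedName, principalSids);
                    if (acl != null)
                    {
                        ACLList.Add(acl);
                    }
                }
            }

            return(ACLList);
        }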