Esempio n. 1
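    /// <summary>
    /// Computes a principal's cumulative Active Directory rights on an object: the Allow rules
    /// granted to any of the principal's groups are OR-ed together, and every bit that also
    /// appears in a Deny rule for those same groups is then removed (deny wins).
    /// </summary>
    /// <param name="principal">Name of the principal to evaluate; resolved via <c>DirectoryServices.GetPrincipal</c>.</param>
    /// <param name="adObject">Identifier of the AD object whose access rules are inspected; resolved via <c>DirectoryServices.GetDirectoryEntry</c>.</param>
    /// <returns>
    /// The accumulated Allow rights minus any bit present in the accumulated Deny rights.
    /// Returns 0 when no group of the principal appears in the object's rules.
    /// </returns>
    /// <exception cref="AdException">
    /// Thrown with <c>AdStatusType.DoesNotExist</c> when the principal or the object cannot be resolved.
    /// </exception>
    /// <remarks>
    /// Only <c>ControlType</c>, <c>IdentityReference</c> and <c>Rights</c> of each rule are consulted; whether a rule
    /// is inherited, or scoped to a particular object type or property, is not taken into account here.
    /// Rules are matched by the SID of each entry returned from <c>GetGroupMembership(p, true)</c>; whether the
    /// principal's own SID is among those entries depends on that helper — confirm if self-granted rules must count.
    /// </remarks>
    private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject)
    {
        Principal p = DirectoryServices.GetPrincipal(principal);
        if (p == null)
        {
            throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist);
        }
        List<DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true);

        DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject);
        if (de == null)
        {
            throw new AdException($"Object [{adObject}]  Does Not Exist.", AdStatusType.DoesNotExist);
        }
        List<AccessRuleObject> rules = DirectoryServices.GetAccessRules(de);

        // Allow and Deny rights are accumulated separately, keyed by the rule's identity reference.
        Dictionary<string, ActiveDirectoryRights> allowRights = new Dictionary<string, ActiveDirectoryRights>();
        Dictionary<string, ActiveDirectoryRights> denyRights  = new Dictionary<string, ActiveDirectoryRights>();

        foreach (AccessRuleObject rule in rules)
        {
            // Anything that is not an explicit Allow is treated as a Deny (as before).
            Dictionary<string, ActiveDirectoryRights> target =
                rule.ControlType == System.Security.AccessControl.AccessControlType.Allow ? allowRights : denyRights;

            // Fix: the membership test must be made against the dictionary being updated.
            // The previous code checked the Allow map before writing to the Deny map, which threw
            // (KeyNotFoundException or duplicate-key ArgumentException) whenever an identity had a
            // Deny rule without a matching Allow rule, or a second Deny rule without one.
            ActiveDirectoryRights existing;
            if (target.TryGetValue(rule.IdentityReference, out existing))
            {
                target[rule.IdentityReference] = existing | rule.Rights;
            }
            else
            {
                target.Add(rule.IdentityReference, rule.Rights);
            }
        }

        ActiveDirectoryRights myRights     = 0;
        ActiveDirectoryRights myDenyRights = 0;

        foreach (DirectoryEntry entry in groups)
        {
            // Entries without an objectSid cannot be matched to a rule and are skipped.
            if (!entry.Properties.Contains("objectSid"))
            {
                continue;
            }

            string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value);

            ActiveDirectoryRights granted;
            if (allowRights.TryGetValue(sid, out granted))
            {
                myRights |= granted;
            }

            ActiveDirectoryRights denied;
            if (denyRights.TryGetValue(sid, out denied))
            {
                myDenyRights |= denied;
            }
        }

        // Deny wins: strip every accumulated Deny bit from the accumulated Allow bits.
        // Equivalent to the original "(myRights & myDenyRights) ^ myRights".
        return myRights & ~myDenyRights;
    }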