// Get A Principal's Cumulitive AD Rights On An Object
private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject)
{
ActiveDirectoryRights myRights = 0;
ActiveDirectoryRights myDenyRights = 0;
Principal p = DirectoryServices.GetPrincipal(principal);
if (p == null)
{
throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist);
}
List <DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true);
DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject);
if (de == null)
{
throw new AdException($"Object [{adObject}] Does Not Exist.", AdStatusType.DoesNotExist);
}
List <AccessRuleObject> rules = DirectoryServices.GetAccessRules(de);
Dictionary <string, ActiveDirectoryRights> rights = new Dictionary <string, ActiveDirectoryRights>();
Dictionary <string, ActiveDirectoryRights> denyRights = new Dictionary <string, ActiveDirectoryRights>();
// Accumulate Allow and Deny Rights By Identity Reference
foreach (AccessRuleObject rule in rules)
{
if (rule.ControlType == System.Security.AccessControl.AccessControlType.Allow)
{
if (rights.Keys.Contains(rule.IdentityReference))
{
rights[rule.IdentityReference] |= rule.Rights;
}
else
{
rights.Add(rule.IdentityReference, rule.Rights);
}
}
else
{
if (rights.Keys.Contains(rule.IdentityReference))
{
denyRights[rule.IdentityReference] |= rule.Rights;
}
else
{
denyRights.Add(rule.IdentityReference, rule.Rights);
}
}
}
foreach (DirectoryEntry entry in groups)
{
if (entry.Properties.Contains("objectSid"))
{
string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value);
if (rights.ContainsKey(sid))
{
myRights |= rights[sid];
}
if (denyRights.ContainsKey(sid))
{
myDenyRights |= denyRights[sid];
}
}
}
// Apply Deny Rights
myDenyRights = myRights & myDenyRights;
myRights = myRights ^ myDenyRights;
return(myRights);
}
public void Core_UserTestSuccess()
{
// Get User By Distinguished Name
Console.WriteLine($"Getting User By DisginguishedName : [{user.DistinguishedName}]");
UserPrincipalObject upo = DirectoryServices.GetUser(user.DistinguishedName, true, true, true);
Assert.That(upo.DistinguishedName, Is.EqualTo(user.DistinguishedName));
String userName = upo.Name;
String userPrincipalName = upo.UserPrincipalName;
String userSamAccountName = upo.SamAccountName;
Guid? userGuid = upo.Guid;
String userSid = upo.Sid;
// Get User By Name
Console.WriteLine($"Getting User By Name: [{userName}]");
upo = DirectoryServices.GetUser(userName, true, true, true);
Assert.That(upo.Name, Is.EqualTo(userName));
// Get User By UserPrincipalName
Console.WriteLine($"Getting User By UserPrincipalName: [{userPrincipalName}]");
upo = DirectoryServices.GetUser(userPrincipalName, true, true, true);
Assert.That(upo.UserPrincipalName, Is.EqualTo(userPrincipalName));
// Get User By SamAccountName
Console.WriteLine($"Getting User By SamAccountName : [{userSamAccountName}]");
upo = DirectoryServices.GetUser(userSamAccountName, true, true, true);
Assert.That(upo.SamAccountName, Is.EqualTo(userSamAccountName));
// Get User By Guid
Console.WriteLine($"Getting User By Guid : [{userGuid}]");
upo = DirectoryServices.GetUser(userGuid.ToString(), true, true, true);
Assert.That(upo.Guid, Is.EqualTo(userGuid));
// Get User By Sid
Console.WriteLine($"Getting User By Sid : [{userSid}]");
upo = DirectoryServices.GetUser(userSid, true, true, true);
Assert.That(upo.Sid, Is.EqualTo(userSid));
// Modify User
Console.WriteLine($"Modifying User : [{userName}]");
UserPrincipal up = DirectoryServices.GetUserPrincipal(userName);
up.DisplayName = "Guy Michael Waguespack";
up.GivenName = "Guy";
up.MiddleName = "Michael";
up.Surname = "Waguespack";
DirectoryServices.SaveUser(up);
upo = DirectoryServices.GetUser(userName, false, false, false);
Assert.That(upo.DisplayName, Is.EqualTo("Guy Michael Waguespack"));
Assert.That(upo.GivenName, Is.EqualTo("Guy"));
Assert.That(upo.MiddleName, Is.EqualTo("Michael"));
Assert.That(upo.Surname, Is.EqualTo("Waguespack"));
// Create AccessUser For AccessRule Tests (Below)
UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName);
int ruleCount = DirectoryServices.GetAccessRules(user).Count;
// Add Access Rule To User
Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To User [{user.Name}].");
DirectoryServices.AddAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
int newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Removing Access Rule From User
Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From User [{user.Name}].");
DirectoryServices.DeleteAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Seting Access Rule From User
Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On User [{user.Name}].");
DirectoryServices.SetAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Purge Access Rule From User
Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From User [{user.Name}].");
DirectoryServices.PurgeAccessRules(user, accessRuleUser);
newRuleCount = DirectoryServices.GetAccessRules(user).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Delete AccessRule User
Utility.DeleteUser(accessRuleUser.DistinguishedName);
}
public void Core_OrgUnitTestSuccess()
{
// Setup Test
String name = $"testou_{Utility.GenerateToken( 8 )}";
String distinguishedName = $"OU={name},{workspaceName}";
Dictionary <string, List <string> > properties = new Dictionary <string, List <string> >();
DirectoryServices.AddProperty(properties, "description", "Test OU");
// Create OrgUnit
Console.WriteLine($"Creating OrgUnit : [{distinguishedName}]");
DirectoryServices.CreateOrganizationUnit(distinguishedName, properties);
// Get OrgUnit By DistinguishedName
Console.WriteLine($"Getting OrgUnit By DisginguishedName : [{distinguishedName}]");
DirectoryEntryObject ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, true, true, false);
Assert.That(ouo, Is.Not.Null);
String guid = ouo.Guid.ToString();
// Get OrgUnit By Name
Console.WriteLine($"Getting OrgUnit By Name : [{name}]");
ouo = DirectoryServices.GetOrganizationalUnit(name, false, false, false);
Assert.That(ouo, Is.Not.Null);
// Get OrgUnit By Name
Console.WriteLine($"Getting OrgUnit By Guid : [{guid}]");
ouo = DirectoryServices.GetOrganizationalUnit(guid, false, true, false);
Assert.That(ouo, Is.Not.Null);
Assert.That(ouo.Properties.ContainsKey("description"), Is.True);
// Modify OrgUnit
DirectoryServices.AddProperty(properties, "description", "~null~", true);
DirectoryServices.ModifyOrganizationUnit(distinguishedName, properties);
ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, true, false);
Assert.That(ouo.Properties.ContainsKey("description"), Is.False);
// Create AccessUser For AccessRule Tests (Below)
DirectoryEntry orgUnit = DirectoryServices.GetDirectoryEntry(distinguishedName);
UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName);
int ruleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
// Add Access Rule To OrgUnit
Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To OrgUnit [{orgUnit.Name}].");
DirectoryServices.AddAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
int newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Removing Access Rule From OrgUnit
Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}].");
DirectoryServices.DeleteAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Seting Access Rule From OrgUnit
Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On OrgUnit [{orgUnit.Name}].");
DirectoryServices.SetAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Purge Access Rule From OrgUnit
Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}].");
DirectoryServices.PurgeAccessRules(orgUnit, accessRuleUser);
newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Delete AccessRule User
Utility.DeleteUser(accessRuleUser.DistinguishedName);
// Delete OrgUnit
Console.WriteLine($"Deleting OrgUnit : [{distinguishedName}]");
DirectoryServices.DeleteOrganizationUnit(distinguishedName);
ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, false, false);
Assert.That(ouo, Is.Null);
}
public void Core_GroupTestSuccess()
{
// Get Group By Distinguished Name
Console.WriteLine($"Getting Group By DisginguishedName : [{group.DistinguishedName}]");
GroupPrincipalObject gpo = DirectoryServices.GetGroup(group.DistinguishedName, true, true, true);
Assert.That(gpo.DistinguishedName, Is.EqualTo(group.DistinguishedName));
String groupName = gpo.Name;
String groupSamAccountName = gpo.SamAccountName;
Guid? groupGuid = gpo.Guid;
String groupSid = gpo.Sid;
// Get Group By Name
Console.WriteLine($"Getting Group By Name: [{groupName}]");
gpo = DirectoryServices.GetGroup(groupName, true, true, true);
Assert.That(gpo.Name, Is.EqualTo(groupName));
// Get Group By SamAccountName
Console.WriteLine($"Getting Group By SamAccountName : [{groupSamAccountName}]");
gpo = DirectoryServices.GetGroup(groupSamAccountName, true, true, true);
Assert.That(gpo.SamAccountName, Is.EqualTo(groupSamAccountName));
// Get Group By Guid
Console.WriteLine($"Getting Group By Guid : [{groupGuid}]");
gpo = DirectoryServices.GetGroup(groupGuid.ToString(), true, true, true);
Assert.That(gpo.Guid, Is.EqualTo(groupGuid));
// Get Group By Sid
Console.WriteLine($"Getting Group By Sid : [{groupSid}]");
gpo = DirectoryServices.GetGroup(groupSid, true, true, true);
Assert.That(gpo.Sid, Is.EqualTo(groupSid));
// Modify Group
Console.WriteLine($"Modifying Group : [{groupName}]");
GroupPrincipal gp = DirectoryServices.GetGroupPrincipal(groupName);
gp.DisplayName = "Unit Test Group";
gp.Description = "Unit Test Description";
DirectoryServices.SaveGroup(gp);
gpo = DirectoryServices.GetGroup(groupName, false, false, false);
Assert.That(gpo.DisplayName, Is.EqualTo("Unit Test Group"));
Assert.That(gpo.Description, Is.EqualTo("Unit Test Description"));
// Create AccessUser For AccessRule Tests (Below)
UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName);
int ruleCount = DirectoryServices.GetAccessRules(group).Count;
// Add Access Rule To Group
Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To Group [{group.Name}].");
DirectoryServices.AddAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
int newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Removing Access Rule From Group
Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From Group [{group.Name}].");
DirectoryServices.DeleteAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Seting Access Rule From Group
Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On Group [{group.Name}].");
DirectoryServices.SetAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.GreaterThan(ruleCount));
// Purge Access Rule From Group
Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From Group [{group.Name}].");
DirectoryServices.PurgeAccessRules(group, accessRuleUser);
newRuleCount = DirectoryServices.GetAccessRules(group).Count;
Assert.That(newRuleCount, Is.EqualTo(ruleCount));
// Delete AccessRule User
Utility.DeleteUser(accessRuleUser.DistinguishedName);
}
