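/// <summary>
/// Grants the JoinToComputer group the rights needed to join a machine to the given
/// computer object: 'Reset password', validated writes to dnsHostName and
/// servicePrincipalName, and read/write of the account-restrictions property set.
/// </summary>
/// <param name="compName">The computer object name (its <c>name</c> attribute) to set permissions on.</param>
/// <param name="ouContainer">The container where the computer object resides.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="compName"/> is null or blank.</exception>
/// <exception cref="InvalidOperationException">Thrown when no computer object named <paramref name="compName"/> is found under <paramref name="ouContainer"/>.</exception>
private void SetSecurityRights(string compName, string ouContainer)
{
    if (string.IsNullOrWhiteSpace(compName))
    {
        throw new ArgumentException("Computer name must not be empty.", "compName");
    }

    // Escape the name before splicing it into the filter (RFC 4515) so a value containing
    // "(", ")", "*" or "\" cannot change the meaning of the query. Valid computer names never
    // contain these characters, so this does not alter results for well-formed input.
    string qString = "(&(name=" + EscapeLdapFilterValue(compName) + ")(objectClass=computer))";
    ExecuteResult result = this.ExecuteSearch(qString, false, ouContainer);
    if (result == null || result.singleResult == null)
    {
        throw new InvalidOperationException("No computer object named '" + compName + "' was found in '" + ouContainer + "'.");
    }

    // Resolve the group to a SID up front: Translate throws IdentityNotMappedException when the
    // account does not exist, which is preferable to committing an ACL that refers to nothing.
    NTAccount account = new NTAccount("capstone", "JoinToComputer");
    SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

    // Well-known AD schema / control-access-right GUIDs.
    Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");          // user schema class
    Guid userForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529"); // 'Reset password'
    Guid dnsHostNameGuid = new Guid("72e39547-7b18-11d1-adef-00c04fd8d5cd");         // 'Validated write to DNS host name'
    Guid rwAccountRestrictions = new Guid("4c164200-20c0-11d0-a768-00aa006e0529");   // 'Read and write account restrictions'
    Guid wServicePrincipalName = new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1");   // 'Validated write to service principal name'

    // DirectoryEntry is IDisposable; 'using' releases it even when CommitChanges throws
    // (the original only closed it on the success path).
    using (DirectoryEntry computer = result.singleResult.GetDirectoryEntry())
    {
        ActiveDirectorySecurity sdc = computer.ObjectSecurity;

        // Read/write account restrictions (property set).
        sdc.AddAccessRule(new ActiveDirectoryAccessRule(sid,
            ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty,
            AccessControlType.Allow, rwAccountRestrictions, ActiveDirectorySecurityInheritance.None));

        // Validated writes use the Self right with the validated-write GUID as object type.
        sdc.AddAccessRule(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.Self,
            AccessControlType.Allow, dnsHostNameGuid, ActiveDirectorySecurityInheritance.None));
        sdc.AddAccessRule(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.Self,
            AccessControlType.Allow, wServicePrincipalName, ActiveDirectorySecurityInheritance.None));

        // NOTE(review): with inheritance None the inheritedObjectType argument (userSchemaGuid) does
        // not appear to be encoded into the ACE, so the right lands on this computer object only --
        // confirm against the resulting DACL.
        sdc.AddAccessRule(new ExtendedRightAccessRule(sid, AccessControlType.Allow,
            userForceChangePassword, ActiveDirectorySecurityInheritance.None, userSchemaGuid));

        // Some join scenarios also need read/write of userAccountControl
        // (schema GUID bf967a68-0de6-11d0-a285-00aa003049e2); it is deliberately not granted here.

        computer.CommitChanges();
    }
}

/// <summary>
/// Escapes the characters that carry meaning inside an LDAP search filter (RFC 4515)
/// so the value is matched literally.
/// </summary>
/// <param name="value">The raw attribute value.</param>
/// <returns>The value with '\', '*', '(', ')' and NUL replaced by their hex escapes.</returns>
private static string EscapeLdapFilterValue(string value)
{
    // Backslash must be replaced first so the escapes added below are not re-escaped.
    return value
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
}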
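/// <summary>
/// Delegates the 'Reset password' control access right on one user object to the
/// EDETOC1\ITGroup group, then blocks ACL inheritance on that object.
/// </summary>
/// <param name="args">Command-line arguments (unused).</param>
static void Main(string[] args)
{
    // DirectoryEntry is IDisposable; 'using' releases the underlying handle even if
    // ObjectSecurity or CommitChanges throws.
    using (DirectoryEntry user = new DirectoryEntry())
    {
        // Reading the SACL requires SeSecurityPrivilege on the DC; a caller without it gets an
        // access-denied error on ObjectSecurity even though it could still write the DACL.
        user.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl;
        // Plain LDAP on 389 with the default (Secure) authentication; add AuthenticationTypes.Signing
        // and Sealing if integrity/confidentiality of the modification on the wire is required -- verify
        // against the lab DC's LDAP signing policy.
        user.Path = "LDAP://edetoc589VM.edetoc1.lab:389/CN=user,CN=Users,DC=edetoc1,DC=lab";
        ActiveDirectorySecurity userSec = user.ObjectSecurity;

        // Resolve the group to a SID up front: Translate throws IdentityNotMappedException
        // when the group does not exist, before any ACL change is made.
        NTAccount ntaToDelegate = new NTAccount("EDETOC1", "ITGroup");
        SecurityIdentifier sidToDelegate = (SecurityIdentifier)ntaToDelegate.Translate(typeof(SecurityIdentifier));

        // Well-known GUIDs: the 'Reset password' control access right and the user schema class.
        Guid userForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529");
        Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");

        // Create the ACE. Read/write of pwdLastSet is intentionally not granted here.
        ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(sidToDelegate, AccessControlType.Allow,
            userForceChangePassword, ActiveDirectorySecurityInheritance.None, userSchemaGuid);

        // Add the ACE to the target object's security descriptor.
        userSec.AddAccessRule(erarResetPwd);

        // isProtected=true, preserveInheritance=false: inheritance is blocked AND every inherited ACE
        // is removed from the DACL, leaving only the explicit ACEs (including the one just added).
        // Principals whose access came only through inheritance lose it; pass preserveInheritance=true
        // to keep copies of the inherited ACEs instead.
        userSec.SetAccessRuleProtection(true, false);

        // Commit change
        user.CommitChanges();
    }
}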