public void SetAccess(System.Security.AccessControl.AccessControlType accessType, System.Security.Principal.SecurityIdentifier sid, System.Security.AccessControl.ObjectAccessRule rule)
accessType | System.Security.AccessControl.AccessControlType | Allow or Deny
sid | System.Security.Principal.SecurityIdentifier | principal the ACE applies to
rule | System.Security.AccessControl.ObjectAccessRule | access mask, inheritance/propagation flags and object-type GUIDs are taken from the rule
return | void | an existing ACE for the same SID, qualifier and flags is replaced rather than modified in place
/// <summary>
/// Adds a non-inheriting Allow ACE for Authenticated Users (S-1-5-11) to <paramref name="dacl"/>
/// that grants only SERVICE_START and SERVICE_STOP. Any authenticated principal can then start and
/// stop the service this DACL is applied to; keep the mask this small — adding change-config or
/// all-access rights here would let any user rewrite the service's binary path.
/// </summary>
private static void AuthUserStartStop(DiscretionaryAcl dacl)
{
    var startStop = ServiceAccess.ServiceStart | ServiceAccess.ServiceStop;
    var authenticatedUsers = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);

    dacl.SetAccess(
        AccessControlType.Allow,
        authenticatedUsers,
        (int) startStop,
        InheritanceFlags.None,
        PropagationFlags.None);
}
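/// <summary>
/// Provisions the IIS and FTP site service accounts in Active Directory. For each site type it
/// binds to the configured OU with the operator's credentials, looks the account up by name,
/// optionally deletes and re-creates it, sets the password and userAccountControl flags, adds the
/// account to the "WWWRoot-{folderGroup}" group and denies it the right to change its own password.
/// </summary>
/// <param name="overwrite">
/// When true an account that already exists is deleted and re-created (it gets a new SID and loses
/// every group membership except the one added here); when false an existing account is left alone
/// and a message is written instead.
/// </param>
/// <remarks>
/// Nothing is thrown to the caller: every failure is reported through <c>WriteOut</c> together with
/// the exception text. <c>Invoke("SetPassword")</c> requires a bind the DC accepts for password
/// operations (LDAPS or a Kerberos-secured bind); otherwise it fails and is reported like any other error.
/// </remarks>
public void ActiveDirectorySetup(bool overwrite)
{
    const string ftpDetails = "OU=Users,OU=";
    const string iisDetails = "OU=";
    String[] siteTypes = { iisDetails, ftpDetails };

    foreach (String type in siteTypes)
    {
        bool isIisSite = type == iisDetails;
        String siteUsername = isIisSite ? IISusername : FTPusername;
        String sitePassword = isIisSite ? IISpassword : FTPpassword;

        if (String.IsNullOrWhiteSpace(siteUsername))
        {
            // An empty name would yield the filter "(name=)" and the RDN "CN=", both rejected by the DC.
            WriteOut("No username configured for " + type + "; skipping.");
            continue;
        }

        ProvisionSiteUser(overwrite, type, siteUsername, sitePassword);
    }
}

/// <summary>
/// Creates (or, with <paramref name="overwrite"/>, deletes and re-creates) one site service account
/// under the OU given by <paramref name="siteConnection"/>, then adds it to the web-root group and
/// blocks it from changing its own password.
/// </summary>
private void ProvisionSiteUser(bool overwrite, String siteConnection, String siteUsername, String sitePassword)
{
    String domain = ShortDomainName();
    // NOTE(review): this bind path uses "DC= <domain>,DC=net" (the space after '=' is ignored by
    // RFC 2253 DN parsers) while the UPN and the second PrincipalContext below use ".com" — confirm
    // which suffix the target forest actually has; the two cannot both be right for one forest.
    String ouPath = getConfigSections("ADServer") + "/" + siteConnection + ",DC= " + domain + ",DC=net";

    using (var de = new DirectoryEntry(ouPath, loginUserName.Text, loginPassword.Text))
    {
        bool existing;
        try
        {
            // The name is interpolated into an LDAP filter; without escaping a value containing
            // '*', '(', ')' or '\' changes the query instead of being matched literally.
            String filter = "(&(objectClass=user)(name=" + EscapeLdapFilterValue(siteUsername) + "))";
            using (var dirSearch = new DirectorySearcher(de, filter, new[] { "cn" }))
            {
                de.RefreshCache();
                existing = dirSearch.FindOne() != null;
            }
        }
        catch (Exception e)
        {
            WriteOut("Failed because of: " + e);
            return;
        }

        if (existing && !overwrite)
        {
            WriteOut("User with that name already exists. Please enter a unique domain name. If you want to override the existing entries, select the Override checkbox.");
            return;
        }
        WriteOut(existing ? "Overwriting existing user." : "No user with that name.");

        try
        {
            String rdn = "CN=" + EscapeRdnValue(siteUsername);

            if (existing)
            {
                // Only remove what the search actually found: calling Find() whenever overwrite is
                // set throws "object not found" for a fresh name and aborted the whole provisioning.
                using (DirectoryEntry oldUser = de.Children.Find(rdn, "user"))
                {
                    de.Children.Remove(oldUser);
                }
                WriteOut("Removed existing user entry.");
            }

            using (DirectoryEntry user = de.Children.Add(rdn, "user"))
            {
                user.Properties["sAMAccountName"].Add(siteUsername);
                user.Properties["userPrincipalName"].Value = siteUsername + "@" + domain + ".com";
                user.CommitChanges();
                WriteOut("Added new user.");

                user.Invoke("SetPassword", new Object[] { sitePassword });
                // 0x10000 DONT_EXPIRE_PASSWD | 0x200 NORMAL_ACCOUNT | 0x40 PASSWD_CANT_CHANGE.
                // Per the userAccountControl documentation the 0x40 bit cannot be set through this
                // attribute — "cannot change password" is a permission on the object, applied by
                // DenyChangeOwnPassword below. The value is kept as the original wrote it.
                user.Properties["userAccountControl"].Value = 0x10240;
                user.CommitChanges();
                WriteOut("Set user password and password never expires flag.");

                AddToWebRootGroup(siteConnection, siteUsername, domain);
                DenyChangeOwnPassword(user);
            }
        }
        catch (Exception e)
        {
            WriteOut("Failed for reasons:" + e);
        }
    }
}

/// <summary>
/// Adds the account (by UPN) to the "WWWRoot-{folderGroup}" group. Throws
/// <see cref="InvalidOperationException"/> when the group cannot be found instead of dereferencing null.
/// </summary>
private void AddToWebRootGroup(String siteConnection, String siteUsername, String domain)
{
    String groupName = "WWWRoot-" + folderGroup;

    using (var pc = new PrincipalContext(ContextType.Domain, "servername." + domain + ".net", "OU=,DC=" + domain + ",DC=net", loginUserName.Text, loginPassword.Text))
    using (GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, groupName))
    {
        if (group == null)
        {
            throw new InvalidOperationException("Group " + groupName + " was not found.");
        }

        // Disposed on every path; the original only disposed it on success.
        using (var mainContext = new PrincipalContext(ContextType.Domain, "servername." + domain + ".com", siteConnection + ",DC=" + domain + ",DC=com", loginUserName.Text, loginPassword.Text))
        {
            group.Members.Add(mainContext, IdentityType.UserPrincipalName, siteUsername + "@" + domain + ".com");
            group.Save();
        }
    }
}

/// <summary>
/// Denies the account the "User-Change-Password" control access right on itself, which is how AD
/// implements "User cannot change password". Persists the change with <c>CommitChanges</c>.
/// </summary>
private static void DenyChangeOwnPassword(DirectoryEntry user)
{
    // rightsGuid of the User-Change-Password extended right.
    var changePasswordGuid = new Guid("{ab721a53-1e2f-11d0-9819-00aa0040529b}");
    var selfSid = new SecurityIdentifier(WellKnownSidType.SelfSid, null);

    // The original read the *OU's* descriptor, built a detached DiscretionaryAcl copy, added a deny
    // ACE with mask 0x10000000 (GENERIC_ALL, not ADS_RIGHT_DS_CONTROL_ACCESS = 0x100) and never wrote
    // the copy back, so no ACE was ever applied. AddAccessRule on the user's own ObjectSecurity,
    // followed by CommitChanges, is the supported path.
    ActiveDirectorySecurity userSec = user.ObjectSecurity;
    userSec.AddAccessRule(new ActiveDirectoryAccessRule(selfSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, changePasswordGuid));
    user.CommitChanges();
    // NOTE(review): the ADUC checkbox also adds the same deny for Everyone (S-1-1-0); add that ACE
    // too if the password must not be changeable through any non-reset path, not only by the user as Self.
}

/// <summary>First component of the typed login ("DOMAIN\user" gives "DOMAIN"; a name without '\' is returned whole).</summary>
private String ShortDomainName()
{
    return loginUserName.Text.Split('\\')[0];
}

/// <summary>RFC 4515 escaping for a value embedded in an LDAP search filter.</summary>
private static String EscapeLdapFilterValue(String value)
{
    // Backslash first so the escapes added afterwards are not re-escaped.
    return value
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");
}

/// <summary>RFC 4514 escaping for an attribute value used as an RDN (the part after "CN=").</summary>
private static String EscapeRdnValue(String value)
{
    String escaped = value.Replace("\\", "\\\\");
    foreach (char special in ",+\"<>;=")
    {
        escaped = escaped.Replace(special.ToString(), "\\" + special);
    }
    if (escaped.Length > 0 && escaped[escaped.Length - 1] == ' ')
    {
        escaped = escaped.Substring(0, escaped.Length - 1) + "\\ ";
    }
    if (escaped.Length > 0 && (escaped[0] == '#' || escaped[0] == ' '))
    {
        escaped = "\\" + escaped;
    }
    return escaped;
}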
/// <summary>
/// Pins DiscretionaryAcl.SetAccess merge semantics: distinct SIDs produce distinct ACEs; a second
/// Allow for the same SID and flags replaces the earlier ACE object rather than updating it (the
/// reference obtained before the call keeps the old mask); and a Deny for the same SID is a separate
/// ACE that is ordered ahead of the Allow.
/// </summary>
public void SetAccess ()
{
	var admins = new SecurityIdentifier ("BA"); // S-1-5-32-544, BUILTIN\Administrators
	var users = new SecurityIdentifier ("BU");  // S-1-5-32-545, BUILTIN\Users
	var dacl = new DiscretionaryAcl (true, false, 0);

	// Two different SIDs -> two ACEs.
	dacl.SetAccess (AccessControlType.Allow, admins, 1, InheritanceFlags.ObjectInherit, PropagationFlags.None);
	dacl.SetAccess (AccessControlType.Allow, users, 2, InheritanceFlags.None, PropagationFlags.None);
	Assert.AreEqual (2, dacl.Count);

	var adminAce = (CommonAce) dacl [0];
	Assert.AreEqual (admins, adminAce.SecurityIdentifier);
	Assert.AreEqual (1, adminAce.AccessMask);

	// Same SID, qualifier and flags with a new mask: the ACE is removed and re-added, not modified
	// in place, so the reference held from before still reports the old mask even though
	// CommonAce.AccessMask has a setter.
	dacl.SetAccess (AccessControlType.Allow, admins, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
	Assert.AreNotEqual (4, adminAce.AccessMask);
	adminAce = (CommonAce) dacl [0];
	Assert.AreEqual (4, adminAce.AccessMask);

	// A Deny for the same SID is an additional ACE and lands before the Allow (explicit denies
	// precede explicit allows in the DACL).
	dacl.SetAccess (AccessControlType.Deny, admins, 4, InheritanceFlags.ObjectInherit, PropagationFlags.None);
	Assert.AreEqual (3, dacl.Count);
	Assert.AreEqual (AceQualifier.AccessDenied, ((CommonAce) dacl [0]).AceQualifier);
	Assert.AreEqual (AceQualifier.AccessAllowed, ((CommonAce) dacl [1]).AceQualifier);
}