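/// <summary>
/// Computes a principal's cumulative <see cref="ActiveDirectoryRights"/> on an AD object:
/// the Allow ACEs naming any of the principal's groups are OR-ed together, and any right that
/// a Deny ACE on one of those groups also names is then removed.
/// </summary>
/// <param name="principal">Principal identifier resolved through <c>DirectoryServices.GetPrincipal</c>.</param>
/// <param name="adObject">AD object identifier resolved through <c>DirectoryServices.GetDirectoryEntry</c>.</param>
/// <returns>The accumulated Allow rights with every Deny-covered bit cleared.</returns>
/// <exception cref="AdException">
/// Thrown with <c>AdStatusType.DoesNotExist</c> when the principal or the object cannot be resolved.
/// </exception>
private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject)
{
    Principal p = DirectoryServices.GetPrincipal(principal);
    if (p == null)
    {
        throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist);
    }

    // NOTE(review): rights are matched only against the SIDs returned here; the principal's own SID
    // and well-known SIDs (Everyone, Authenticated Users) count only if GetGroupMembership emits
    // entries for them — confirm against its implementation.
    List<DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true);

    DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject);
    if (de == null)
    {
        throw new AdException($"Object [{adObject}] Does Not Exist.", AdStatusType.DoesNotExist);
    }

    List<AccessRuleObject> rules = DirectoryServices.GetAccessRules(de);

    // Allow and Deny rights, each accumulated per identity reference (SID string).
    Dictionary<string, ActiveDirectoryRights> rights = new Dictionary<string, ActiveDirectoryRights>();
    Dictionary<string, ActiveDirectoryRights> denyRights = new Dictionary<string, ActiveDirectoryRights>();

    // NOTE(review): only ControlType, IdentityReference and Rights are consulted. If AccessRuleObject
    // also carries an object-type GUID or inheritance flags, an ACE scoped to one property set or
    // child class is widened here to the whole object — confirm before using the result for
    // authorization decisions.
    foreach (AccessRuleObject rule in rules)
    {
        // Select the bucket by ACE type. The previous version tested the Allow map before writing
        // the Deny map, which threw (KeyNotFoundException or duplicate-key ArgumentException)
        // for some orderings of Deny ACEs.
        Dictionary<string, ActiveDirectoryRights> bucket =
            rule.ControlType == System.Security.AccessControl.AccessControlType.Allow ? rights : denyRights;
        bucket.TryGetValue(rule.IdentityReference, out ActiveDirectoryRights existing);
        bucket[rule.IdentityReference] = existing | rule.Rights;
    }

    ActiveDirectoryRights myRights = 0;
    ActiveDirectoryRights myDenyRights = 0;
    foreach (DirectoryEntry entry in groups)
    {
        if (!entry.Properties.Contains("objectSid"))
        {
            continue;
        }

        string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value);
        if (rights.TryGetValue(sid, out ActiveDirectoryRights allowed))
        {
            myRights |= allowed;
        }
        if (denyRights.TryGetValue(sid, out ActiveDirectoryRights denied))
        {
            myDenyRights |= denied;
        }
    }

    // A Deny on any matched group removes the right no matter which group granted it.
    return myRights & ~myDenyRights;
}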