// Get A Principal's Cumulitive AD Rights On An Object private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject) { ActiveDirectoryRights myRights = 0; ActiveDirectoryRights myDenyRights = 0; Principal p = DirectoryServices.GetPrincipal(principal); if (p == null) { throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist); } List <DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true); DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject); if (de == null) { throw new AdException($"Object [{adObject}] Does Not Exist.", AdStatusType.DoesNotExist); } List <AccessRuleObject> rules = DirectoryServices.GetAccessRules(de); Dictionary <string, ActiveDirectoryRights> rights = new Dictionary <string, ActiveDirectoryRights>(); Dictionary <string, ActiveDirectoryRights> denyRights = new Dictionary <string, ActiveDirectoryRights>(); // Accumulate Allow and Deny Rights By Identity Reference foreach (AccessRuleObject rule in rules) { if (rule.ControlType == System.Security.AccessControl.AccessControlType.Allow) { if (rights.Keys.Contains(rule.IdentityReference)) { rights[rule.IdentityReference] |= rule.Rights; } else { rights.Add(rule.IdentityReference, rule.Rights); } } else { if (rights.Keys.Contains(rule.IdentityReference)) { denyRights[rule.IdentityReference] |= rule.Rights; } else { denyRights.Add(rule.IdentityReference, rule.Rights); } } } foreach (DirectoryEntry entry in groups) { if (entry.Properties.Contains("objectSid")) { string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value); if (rights.ContainsKey(sid)) { myRights |= rights[sid]; } if (denyRights.ContainsKey(sid)) { myDenyRights |= denyRights[sid]; } } } // Apply Deny Rights myDenyRights = myRights & myDenyRights; myRights = myRights ^ myDenyRights; return(myRights); }
public void Core_UserTestSuccess() { // Get User By Distinguished Name Console.WriteLine($"Getting User By DisginguishedName : [{user.DistinguishedName}]"); UserPrincipalObject upo = DirectoryServices.GetUser(user.DistinguishedName, true, true, true); Assert.That(upo.DistinguishedName, Is.EqualTo(user.DistinguishedName)); String userName = upo.Name; String userPrincipalName = upo.UserPrincipalName; String userSamAccountName = upo.SamAccountName; Guid? userGuid = upo.Guid; String userSid = upo.Sid; // Get User By Name Console.WriteLine($"Getting User By Name: [{userName}]"); upo = DirectoryServices.GetUser(userName, true, true, true); Assert.That(upo.Name, Is.EqualTo(userName)); // Get User By UserPrincipalName Console.WriteLine($"Getting User By UserPrincipalName: [{userPrincipalName}]"); upo = DirectoryServices.GetUser(userPrincipalName, true, true, true); Assert.That(upo.UserPrincipalName, Is.EqualTo(userPrincipalName)); // Get User By SamAccountName Console.WriteLine($"Getting User By SamAccountName : [{userSamAccountName}]"); upo = DirectoryServices.GetUser(userSamAccountName, true, true, true); Assert.That(upo.SamAccountName, Is.EqualTo(userSamAccountName)); // Get User By Guid Console.WriteLine($"Getting User By Guid : [{userGuid}]"); upo = DirectoryServices.GetUser(userGuid.ToString(), true, true, true); Assert.That(upo.Guid, Is.EqualTo(userGuid)); // Get User By Sid Console.WriteLine($"Getting User By Sid : [{userSid}]"); upo = DirectoryServices.GetUser(userSid, true, true, true); Assert.That(upo.Sid, Is.EqualTo(userSid)); // Modify User Console.WriteLine($"Modifying User : [{userName}]"); UserPrincipal up = DirectoryServices.GetUserPrincipal(userName); up.DisplayName = "Guy Michael Waguespack"; up.GivenName = "Guy"; up.MiddleName = "Michael"; up.Surname = "Waguespack"; DirectoryServices.SaveUser(up); upo = DirectoryServices.GetUser(userName, false, false, false); Assert.That(upo.DisplayName, Is.EqualTo("Guy Michael Waguespack")); Assert.That(upo.GivenName, Is.EqualTo("Guy")); Assert.That(upo.MiddleName, Is.EqualTo("Michael")); Assert.That(upo.Surname, Is.EqualTo("Waguespack")); // Create AccessUser For AccessRule Tests (Below) UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName); int ruleCount = DirectoryServices.GetAccessRules(user).Count; // Add Access Rule To User Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To User [{user.Name}]."); DirectoryServices.AddAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); int newRuleCount = DirectoryServices.GetAccessRules(user).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Removing Access Rule From User Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From User [{user.Name}]."); DirectoryServices.DeleteAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(user).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Seting Access Rule From User Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On User [{user.Name}]."); DirectoryServices.SetAccessRule(user, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(user).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Purge Access Rule From User Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From User [{user.Name}]."); DirectoryServices.PurgeAccessRules(user, accessRuleUser); newRuleCount = DirectoryServices.GetAccessRules(user).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Delete AccessRule User Utility.DeleteUser(accessRuleUser.DistinguishedName); }
public void Core_OrgUnitTestSuccess() { // Setup Test String name = $"testou_{Utility.GenerateToken( 8 )}"; String distinguishedName = $"OU={name},{workspaceName}"; Dictionary <string, List <string> > properties = new Dictionary <string, List <string> >(); DirectoryServices.AddProperty(properties, "description", "Test OU"); // Create OrgUnit Console.WriteLine($"Creating OrgUnit : [{distinguishedName}]"); DirectoryServices.CreateOrganizationUnit(distinguishedName, properties); // Get OrgUnit By DistinguishedName Console.WriteLine($"Getting OrgUnit By DisginguishedName : [{distinguishedName}]"); DirectoryEntryObject ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, true, true, false); Assert.That(ouo, Is.Not.Null); String guid = ouo.Guid.ToString(); // Get OrgUnit By Name Console.WriteLine($"Getting OrgUnit By Name : [{name}]"); ouo = DirectoryServices.GetOrganizationalUnit(name, false, false, false); Assert.That(ouo, Is.Not.Null); // Get OrgUnit By Name Console.WriteLine($"Getting OrgUnit By Guid : [{guid}]"); ouo = DirectoryServices.GetOrganizationalUnit(guid, false, true, false); Assert.That(ouo, Is.Not.Null); Assert.That(ouo.Properties.ContainsKey("description"), Is.True); // Modify OrgUnit DirectoryServices.AddProperty(properties, "description", "~null~", true); DirectoryServices.ModifyOrganizationUnit(distinguishedName, properties); ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, true, false); Assert.That(ouo.Properties.ContainsKey("description"), Is.False); // Create AccessUser For AccessRule Tests (Below) DirectoryEntry orgUnit = DirectoryServices.GetDirectoryEntry(distinguishedName); UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName); int ruleCount = DirectoryServices.GetAccessRules(orgUnit).Count; // Add Access Rule To OrgUnit Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To OrgUnit [{orgUnit.Name}]."); DirectoryServices.AddAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); int newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Removing Access Rule From OrgUnit Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}]."); DirectoryServices.DeleteAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Seting Access Rule From OrgUnit Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On OrgUnit [{orgUnit.Name}]."); DirectoryServices.SetAccessRule(orgUnit, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Purge Access Rule From OrgUnit Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From OrgUnit [{orgUnit.Name}]."); DirectoryServices.PurgeAccessRules(orgUnit, accessRuleUser); newRuleCount = DirectoryServices.GetAccessRules(orgUnit).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Delete AccessRule User Utility.DeleteUser(accessRuleUser.DistinguishedName); // Delete OrgUnit Console.WriteLine($"Deleting OrgUnit : [{distinguishedName}]"); DirectoryServices.DeleteOrganizationUnit(distinguishedName); ouo = DirectoryServices.GetOrganizationalUnit(distinguishedName, false, false, false); Assert.That(ouo, Is.Null); }
public void Core_GroupTestSuccess() { // Get Group By Distinguished Name Console.WriteLine($"Getting Group By DisginguishedName : [{group.DistinguishedName}]"); GroupPrincipalObject gpo = DirectoryServices.GetGroup(group.DistinguishedName, true, true, true); Assert.That(gpo.DistinguishedName, Is.EqualTo(group.DistinguishedName)); String groupName = gpo.Name; String groupSamAccountName = gpo.SamAccountName; Guid? groupGuid = gpo.Guid; String groupSid = gpo.Sid; // Get Group By Name Console.WriteLine($"Getting Group By Name: [{groupName}]"); gpo = DirectoryServices.GetGroup(groupName, true, true, true); Assert.That(gpo.Name, Is.EqualTo(groupName)); // Get Group By SamAccountName Console.WriteLine($"Getting Group By SamAccountName : [{groupSamAccountName}]"); gpo = DirectoryServices.GetGroup(groupSamAccountName, true, true, true); Assert.That(gpo.SamAccountName, Is.EqualTo(groupSamAccountName)); // Get Group By Guid Console.WriteLine($"Getting Group By Guid : [{groupGuid}]"); gpo = DirectoryServices.GetGroup(groupGuid.ToString(), true, true, true); Assert.That(gpo.Guid, Is.EqualTo(groupGuid)); // Get Group By Sid Console.WriteLine($"Getting Group By Sid : [{groupSid}]"); gpo = DirectoryServices.GetGroup(groupSid, true, true, true); Assert.That(gpo.Sid, Is.EqualTo(groupSid)); // Modify Group Console.WriteLine($"Modifying Group : [{groupName}]"); GroupPrincipal gp = DirectoryServices.GetGroupPrincipal(groupName); gp.DisplayName = "Unit Test Group"; gp.Description = "Unit Test Description"; DirectoryServices.SaveGroup(gp); gpo = DirectoryServices.GetGroup(groupName, false, false, false); Assert.That(gpo.DisplayName, Is.EqualTo("Unit Test Group")); Assert.That(gpo.Description, Is.EqualTo("Unit Test Description")); // Create AccessUser For AccessRule Tests (Below) UserPrincipal accessRuleUser = Utility.CreateUser(workspaceName); int ruleCount = DirectoryServices.GetAccessRules(group).Count; // Add Access Rule To Group Console.WriteLine($"Adding AccessRule For User [{accessRuleUser.Name}] To Group [{group.Name}]."); DirectoryServices.AddAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); int newRuleCount = DirectoryServices.GetAccessRules(group).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Removing Access Rule From Group Console.WriteLine($"Removing AccessRule For User [{accessRuleUser.Name}] From Group [{group.Name}]."); DirectoryServices.DeleteAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(group).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Seting Access Rule From Group Console.WriteLine($"Setting AccessRule For User [{accessRuleUser.Name}] On Group [{group.Name}]."); DirectoryServices.SetAccessRule(group, accessRuleUser, ActiveDirectoryRights.GenericRead, System.Security.AccessControl.AccessControlType.Allow, ActiveDirectorySecurityInheritance.None); newRuleCount = DirectoryServices.GetAccessRules(group).Count; Assert.That(newRuleCount, Is.GreaterThan(ruleCount)); // Purge Access Rule From Group Console.WriteLine($"Purging AccessRules For User [{accessRuleUser.Name}] From Group [{group.Name}]."); DirectoryServices.PurgeAccessRules(group, accessRuleUser); newRuleCount = DirectoryServices.GetAccessRules(group).Count; Assert.That(newRuleCount, Is.EqualTo(ruleCount)); // Delete AccessRule User Utility.DeleteUser(accessRuleUser.DistinguishedName); }