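/// <summary>
/// Evaluates every authorization target that matches <paramref name="computer"/> for
/// <paramref name="user"/>, records per access kind (LAPS, LAPS history, JIT) which
/// targets grant it, and derives the user's effective access from the union of all
/// matched targets' DACLs.
/// </summary>
/// <param name="user">The principal being authorized.</param>
/// <param name="computer">The computer the user is requesting access to.</param>
/// <returns>
/// An <see cref="AuthorizationInformation"/> holding the matched targets, the per-access
/// successful/failed target lists, the merged security descriptor (only populated when at
/// least one target granted something) and the resulting <c>EffectiveAccess</c>.
/// </returns>
/// <exception cref="ArgumentOutOfRangeException">
/// A target's DACL contains an ACE kind that cannot be mirrored into the merged DACL
/// (anything other than a plain access-allowed / access-denied ACE). This is deliberately
/// fail-closed: the merged view must never be more permissive than the source ACLs.
/// </exception>
private AuthorizationInformation BuildAuthorizationInformation(IUser user, IComputer computer)
{
    AuthorizationInformation info = new AuthorizationInformation
    {
        MatchedComputerTargets = this.GetMatchingTargetsForComputer(computer),
        EffectiveAccess = 0,
        Computer = computer,
        User = user
    };

    if (info.MatchedComputerTargets.Count == 0)
    {
        return info;
    }

    // A single authorization context for this user (resolved against the computer's SID) is
    // reused for every access check below and disposed when the method returns.
    using AuthorizationContext c = authorizationContextProvider.GetAuthorizationContext(user, computer.Sid);

    // Union of the DACL ACEs of every evaluated target. AddAccess keeps the ACL canonical
    // (explicit denies ahead of allows), so a deny on any one target is evaluated before the
    // allows of the others when EffectiveAccess is computed from the merged descriptor.
    DiscretionaryAcl masterDacl = new DiscretionaryAcl(false, false, info.MatchedComputerTargets.Count);
    int grantedCount = 0;

    foreach (var target in info.MatchedComputerTargets)
    {
        CommonSecurityDescriptor sd;

        if (target.AuthorizationMode == AuthorizationMode.PowershellScript)
        {
            // The literal 30 is passed as a timeout — presumably seconds; verify against GenerateSecurityDescriptor.
            sd = this.powershell.GenerateSecurityDescriptor(user, computer, target.Script, 30);
        }
        else
        {
            if (string.IsNullOrWhiteSpace(target.SecurityDescriptor))
            {
                this.logger.LogTrace($"Ignoring target {target.Id} with empty security descriptor");
                continue;
            }

            RawSecurityDescriptor rawSd = new RawSecurityDescriptor(target.SecurityDescriptor);

            if (rawSd.DiscretionaryAcl == null)
            {
                // SDDL without a D: section (or with NO_ACCESS_CONTROL) yields a NULL DACL, which
                // Windows access checks treat as "everyone: full access". For an authorization
                // rule that is a misconfiguration, not a grant, so fail closed instead of letting
                // every principal through. An empty DACL ("D:") is different and still denies all.
                this.logger.LogWarning($"Ignoring target {target.Id}: its security descriptor has no DACL, which would grant access to everyone");
                continue;
            }

            sd = new CommonSecurityDescriptor(false, false, rawSd);
        }

        // Only the PowerShell path can produce a null descriptor; the SDDL path constructs one.
        if (sd == null)
        {
            this.logger.LogTrace($"Ignoring target {target.Id} with null security descriptor");
            continue;
        }

        foreach (var ace in sd.DiscretionaryAcl.OfType<CommonAce>())
        {
            // Map explicitly rather than casting AceType to AccessControlType: the numeric
            // values only line up for the two plain ACE kinds. Callback (conditional) and audit
            // ACEs have no AddAccess equivalent; refusing them keeps the merged DACL from being
            // looser than the source ACL (AddAccess would reject the cast value anyway, with a
            // less useful message).
            AccessControlType accessType = ace.AceType switch
            {
                AceType.AccessAllowed => AccessControlType.Allow,
                AceType.AccessDenied => AccessControlType.Deny,
                _ => throw new ArgumentOutOfRangeException(
                    nameof(ace),
                    ace.AceType,
                    $"ACE type {ace.AceType} in the DACL of target {target.Id} cannot be merged; only plain allow/deny ACEs are supported"),
            };

            masterDacl.AddAccess(
                accessType,
                ace.SecurityIdentifier,
                ace.AccessMask,
                ace.InheritanceFlags,
                ace.PropagationFlags);
        }

        int grantedBefore = grantedCount;

        if (c.AccessCheck(sd, (int)AccessMask.Laps))
        {
            info.SuccessfulLapsTargets.Add(target);
            grantedCount++;
        }

        if (c.AccessCheck(sd, (int)AccessMask.LapsHistory))
        {
            info.SuccessfulLapsHistoryTargets.Add(target);
            grantedCount++;
        }

        if (c.AccessCheck(sd, (int)AccessMask.Jit))
        {
            info.SuccessfulJitTargets.Add(target);
            grantedCount++;
        }

        // A target that granted none of the three access kinds is recorded as a failure.
        if (grantedBefore == grantedCount)
        {
            info.FailedTargets.Add(target);
        }
    }

    if (grantedCount > 0)
    {
        // Owner is set to LocalSystem only because CommonSecurityDescriptor needs one; it plays
        // no part in the access checks below.
        info.SecurityDescriptor = new CommonSecurityDescriptor(
            false,
            false,
            ControlFlags.DiscretionaryAclPresent,
            new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null),
            null,
            null,
            masterDacl);

        this.logger.LogTrace($"Resultant security descriptor for computer {computer.MsDsPrincipalName}: {info.SecurityDescriptor.GetSddlForm(AccessControlSections.All)}");

        // Effective access is evaluated against the merged DACL, not the per-target results,
        // so a deny carried by any matched target can remove access another target granted.
        info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Laps) ? AccessMask.Laps : 0;
        info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.Jit) ? AccessMask.Jit : 0;
        info.EffectiveAccess |= c.AccessCheck(info.SecurityDescriptor, (int)AccessMask.LapsHistory) ? AccessMask.LapsHistory : 0;
    }

    this.logger.LogTrace($"User {user.MsDsPrincipalName} has effective access of {info.EffectiveAccess} on computer {computer.MsDsPrincipalName}");

    return info;
}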