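/// <summary>
/// Collects the nested (effective) group membership of one account by reading the
/// constructed <c>tokenGroups</c> attribute of its directory entry, records the
/// SID-to-name map for the account in <c>UserSIDNameDictionary</c>, and returns the
/// resolved group names.
/// </summary>
/// <param name="searchstring">
/// Must be a <see cref="NestedGMSearchString"/>; its <c>SAMAccountName</c> selects the
/// account and its <c>Title</c> is copied to the result.
/// </param>
/// <returns>
/// A <see cref="ListResult"/> holding the group names, or <c>null</c> when no entry
/// matches the account name.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="searchstring"/> is <c>null</c>.</exception>
/// <exception cref="InvalidCastException"><paramref name="searchstring"/> is not a <see cref="NestedGMSearchString"/>.</exception>
public IResult Collect(SearchString searchstring)
{
    if (searchstring == null)
    {
        throw new ArgumentNullException(nameof(searchstring));
    }
    NestedGMSearchString searchString = (NestedGMSearchString)searchstring;

    _logger.Debug($"Collecting Nested Group Membership for {searchString.SAMAccountName}");

    var groupList = new List<string>();
    var groupMap = new Dictionary<string, string>();

    // Escape the filter value per RFC 4515 so that a name containing '(', ')', '*', '\'
    // or NUL cannot yield a malformed filter or one broader than the intended exact match.
    // Backslash must be replaced first, otherwise the escapes themselves get re-escaped.
    string escapedName = searchString.SAMAccountName
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");

    var ldapSearchString = new LDAPSearchString
    {
        DN = Searcher.LdapInfo.RootDN,
        Filter = $"(sAMAccountName={escapedName})",
        Scope = SearchScope.Subtree
    };
    var resultEntry = Searcher.GetResultEntry(ldapSearchString);
    if (resultEntry == null)
    {
        return null;
    }

    using (var userEntry = Searcher.GetDirectoryEntry(resultEntry.DistinguishedName))
    {
        // https://www.morgantechspace.com/2015/08/active-directory-tokengroups-vs-memberof.html
        // tokenGroups is a constructed attribute: it is only populated after an explicit
        // RefreshCache for that attribute.
        userEntry.RefreshCache(new string[] { "tokenGroups" });

        foreach (byte[] sid in userEntry.Properties["tokenGroups"])
        {
            string groupSID = new SecurityIdentifier(sid, 0).ToString();
            string groupName = Helper.SIDNameSID(groupSID);
            groupList.Add(groupName);
            // Indexer rather than Add: a repeated SID must not abort the whole collection.
            groupMap[groupSID] = groupName;
        }
    }

    // These well-known SIDs are not reported in tokenGroups, so add them explicitly.
    groupMap["S-1-5-11"] = @"NT AUTHORITY\Authenticated Users";
    groupMap["S-1-5-15"] = @"NT AUTHORITY\This Organization";

    // Indexer rather than Add so that collecting the same account twice replaces the
    // cached map instead of throwing. ToUpper() is kept to match the key form used by
    // the file's other lookups.
    UserSIDNameDictionary[searchString.SAMAccountName.ToUpper()] = groupMap;

    return new ListResult
    {
        Title = searchString.Title,
        Result = groupList
    };
}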
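/// <summary>
/// Locates <paramref name="user"/>, adds its object SID to <paramref name="groupSIDs"/>,
/// then walks every object under the configured search base (or all three naming
/// contexts when the search base is the domain root) and collects the ACLs that
/// <c>GetMyInterestingACLOnObject</c> reports for those principals.
/// </summary>
/// <param name="user">sAMAccountName of the account to scan for; <c>null</c> yields <c>null</c>.</param>
/// <param name="groupSIDs">
/// SIDs of the account's groups. NOTE: the account's own object SID is appended to this
/// list as a side effect, so the caller's list is mutated.
/// </param>
/// <returns>
/// The interesting ACLs found (possibly empty), or <c>null</c> when <paramref name="user"/>
/// is <c>null</c> or no matching entry exists.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="groupSIDs"/> is <c>null</c>.</exception>
public static List<DACL> ACLScan(string user, List<string> groupSIDs)
{
    if (user == null)
    {
        return null;
    }
    if (groupSIDs == null)
    {
        throw new ArgumentNullException(nameof(groupSIDs));
    }

    // 1. Locate the user. The filter value is escaped per RFC 4515 so that '(', ')',
    //    '*', '\' or NUL in the name cannot produce a malformed or wider filter.
    //    Backslash must be replaced first so the escapes are not re-escaped.
    string escapedUser = user
        .Replace("\\", "\\5c")
        .Replace("*", "\\2a")
        .Replace("(", "\\28")
        .Replace(")", "\\29")
        .Replace("\0", "\\00");

    var targetEntry = Searcher.GetResultEntry(new LDAPSearchString
    {
        DN = Searcher.LdapInfo.TargetSearchBase,
        Filter = $"(sAMAccountName={escapedUser})",
        Scope = SearchScope.Subtree
    });
    if (targetEntry == null)
    {
        return null;
    }

    // 2. The user's own SID is a principal to match as well, alongside its nested groups.
    var targetSid = new SecurityIdentifier((byte[])targetEntry.Attributes["objectsid"][0], 0).ToString();
    groupSIDs.Add(targetSid);

    // 3. Decide which naming contexts to walk: only the configured sub-tree when one was
    //    given, otherwise the domain, configuration and schema partitions.
    string[] partitions = Searcher.LdapInfo.TargetSearchBase != Searcher.LdapInfo.RootDN
        ? new string[] { Searcher.LdapInfo.TargetSearchBase }
        : new string[] { Searcher.LdapInfo.RootDN, Searcher.LdapInfo.ConfigDN, Searcher.LdapInfo.SchemaDN };

    var ACLList = new List<DACL>();
    foreach (var partition in partitions)
    {
        var allObjects = Searcher.GetResultEntries(new LDAPSearchString
        {
            DN = partition,
            Filter = "(ObjectCategory=*)",
            Scope = SearchScope.Subtree
        });
        foreach (var obj in allObjects)
        {
            var acl = GetMyInterestingACLOnObject(obj.DistinguishedName, groupSIDs);
            if (acl != null)
            {
                ACLList.Add(acl);
            }
        }
    }

    return ACLList;
}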