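/// <summary>
/// Delegates the "reset password" part of LAPS: every principal listed in
/// <c>AllowedPrincipals</c> is granted read and write access to the expiration
/// timestamp attribute (<c>Constants.TimestampAttributeName</c>) on computer
/// objects under the OU identified by <c>Identity</c>.
/// </summary>
/// <remarks>
/// <para>The OU may be given as a name or as a distinguished name. Only the DACL
/// part of the OU's security descriptor is fetched and written back; the
/// read-modify-write is not atomic, so a DACL change made elsewhere between the
/// two calls would be overwritten.</para>
/// <para>The rules are inheritable only (<c>ActiveDirectorySecurityInheritance.Descendents</c>,
/// restricted to the <c>computer</c> class), so they grant nothing on the OU itself
/// and also cover computer objects created later under it.</para>
/// <para>On success the matched OU is emitted with <c>Status</c> set to
/// <c>PermissionDelegationState.Delegated</c>.</para>
/// </remarks>
/// <exception cref="AmbiguousResultException">More than one OU matched; every
/// candidate is emitted to the pipeline before the exception is thrown.</exception>
/// <exception cref="NotFoundException">No OU matched <c>Identity</c>.</exception>
protected override void ProcessRecord()
{
    //OU can be passed as name or as dn
    List<ObjectInfo> OUs = DirectoryUtils.GetOU(Identity);
    if (OUs.Count > 1)
    {
        // Emit the candidates first so the caller can retry with an exact distinguishedName.
        foreach (ObjectInfo ou in OUs)
        {
            WriteObject(ou);
        }
        // Specific exception types instead of bare Exception, consistent with the other cmdlets in this file.
        throw new AmbiguousResultException("More than one object found, search using distinguishedName instead");
    }
    if (OUs.Count == 0)
    {
        throw new NotFoundException("Object not found");
    }

    // Only the DACL is requested, so owner/group/SACL are neither read nor rewritten.
    ActiveDirectorySecurity sec = DirectoryUtils.GetObjectSecurity(conn, OUs[0].DistinguishedName, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

    //apply permissions only to computer objects
    // NOTE(review): the other cmdlets on this page use forestRootDomain.SchemaNamingContext (PascalCase); confirm which member exists.
    Guid inheritedObjectGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, "computer", SchemaObjectType.Class);
    Guid timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute);

    foreach (string principalName in AllowedPrincipals)
    {
        // NTAccount only wraps the name; resolution to a SID presumably happens later
        // (in AddAccessRule or when the descriptor is serialized), before anything is written to AD.
        System.Security.Principal.NTAccount principal = new System.Security.Principal.NTAccount(principalName);

        // read ms-Mcs-AdmPwdExpirationTime on computer objects
        var readRule = new System.DirectoryServices.PropertyAccessRule(principal,
            System.Security.AccessControl.AccessControlType.Allow,
            PropertyAccess.Read,
            timestampGuid,
            ActiveDirectorySecurityInheritance.Descendents,
            inheritedObjectGuid);
        sec.AddAccessRule(readRule);

        // write ms-Mcs-AdmPwdExpirationTime on computer objects: setting the timestamp
        // into the past is what triggers the LAPS client to rotate the password.
        var writeRule = new System.DirectoryServices.PropertyAccessRule(principal,
            System.Security.AccessControl.AccessControlType.Allow,
            PropertyAccess.Write,
            timestampGuid,
            ActiveDirectorySecurityInheritance.Descendents,
            inheritedObjectGuid);
        sec.AddAccessRule(writeRule);
    }

    // All rules were accumulated in memory; this is the single write to the directory.
    DirectoryUtils.SetObjectSecurity(conn, OUs[0].DistinguishedName, sec, System.DirectoryServices.Protocols.SecurityMasks.Dacl);
    OUs[0].Status = PermissionDelegationState.Delegated;
    WriteObject(OUs[0]);
}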
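/// <summary>
/// Grants the computer account itself (well-known SID <c>PS</c>, "Principal Self")
/// the rights the LAPS client needs on its own object under the OU identified by
/// <c>Identity</c>: read and write of the expiration timestamp attribute and write
/// of the password attribute. The rules are inheritable only, restricted to the
/// <c>computer</c> class, and therefore also apply to computers created later.
/// </summary>
/// <remarks>
/// <para>The OU may be given as a name or as a distinguished name. Only the DACL
/// part of the OU's security descriptor is fetched and written back; the
/// read-modify-write is not atomic.</para>
/// <para>SELF is granted <i>write</i> on the password attribute but not <i>read</i>,
/// so this delegation does not let the machine account read the stored password
/// back; read access is delegated by a separate cmdlet.</para>
/// </remarks>
/// <exception cref="AmbiguousResultException">More than one OU matched; every
/// candidate is emitted to the pipeline before the exception is thrown.</exception>
/// <exception cref="NotFoundException">No OU matched <c>Identity</c>.</exception>
protected override void ProcessRecord()
{
    //OU can be passed as name or as dn
    var OUs = DirectoryUtils.GetOU(Identity);
    if (OUs.Count > 1)
    {
        // Emit the candidates first so the caller can retry with an exact distinguishedName.
        foreach (ObjectInfo ou in OUs)
        {
            WriteObject(ou);
        }
        throw new AmbiguousResultException("More than one object found, search using distinguishedName instead");
    }
    if (OUs.Count == 0)
    {
        throw new NotFoundException("Object not found");
    }

    // Only the DACL is requested, so owner/group/SACL are neither read nor rewritten.
    ActiveDirectorySecurity sec = DirectoryUtils.GetObjectSecurity(conn, OUs[0].DistinguishedName, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

    //SELF SID ("PS" is the SDDL abbreviation for Principal Self)
    System.Security.Principal.SecurityIdentifier selfSid = new System.Security.Principal.SecurityIdentifier("PS");

    //apply permissions only to computer objects
    Guid inheritedObjectGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, "computer", SchemaObjectType.Class);

    // Resolve each attribute GUID once (the timestamp attribute was previously looked up twice,
    // costing an extra directory round trip for an identical result).
    Guid timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute);
    Guid pwdGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.PasswordAttributeName, SchemaObjectType.Attribute);

    System.DirectoryServices.PropertyAccessRule rule;

    // read ms-Mcs-AdmPwdExpirationTime on computer objects
    rule = new System.DirectoryServices.PropertyAccessRule(selfSid,
        System.Security.AccessControl.AccessControlType.Allow,
        PropertyAccess.Read,
        timestampGuid,
        ActiveDirectorySecurityInheritance.Descendents,
        inheritedObjectGuid);
    sec.AddAccessRule(rule);

    // write ms-Mcs-AdmPwdExpirationTime on computer objects
    rule = new System.DirectoryServices.PropertyAccessRule(selfSid,
        System.Security.AccessControl.AccessControlType.Allow,
        PropertyAccess.Write,
        timestampGuid,
        ActiveDirectorySecurityInheritance.Descendents,
        inheritedObjectGuid);
    sec.AddAccessRule(rule);

    // write ms-Mcs-AdmPwd on computer objects (write only; no read is granted here)
    rule = new System.DirectoryServices.PropertyAccessRule(selfSid,
        System.Security.AccessControl.AccessControlType.Allow,
        PropertyAccess.Write,
        pwdGuid,
        ActiveDirectorySecurityInheritance.Descendents,
        inheritedObjectGuid);
    sec.AddAccessRule(rule);

    // All rules were accumulated in memory; this is the single write to the directory.
    DirectoryUtils.SetObjectSecurity(conn, OUs[0].DistinguishedName, sec, System.DirectoryServices.Protocols.SecurityMasks.Dacl);
    WriteObject(OUs[0]);
}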
/// <summary>
/// Delegates the "read password" part of LAPS: every principal listed in
/// <c>AllowedPrincipals</c> is granted, on computer objects under the OU
/// identified by <c>Identity</c>, read access to the expiration timestamp
/// attribute, read access to the password attribute, and the control-access
/// (extended) right scoped to the password attribute.
/// </summary>
/// <remarks>
/// <para>This is the high-value delegation: principals added here can read the
/// LAPS-managed password of every computer under the OU, including computers
/// created later, because the rules are inheritable (<c>Descendents</c>) and
/// restricted to the <c>computer</c> class. The list of principals should be
/// reviewed as carefully as membership of a privileged group.</para>
/// <para>The OU may be given as a name or as a distinguished name. Only the DACL
/// part of the security descriptor is fetched and written back; the
/// read-modify-write is not atomic.</para>
/// </remarks>
/// <exception cref="AmbiguousResultException">More than one OU matched; every
/// candidate is emitted to the pipeline before the exception is thrown.</exception>
/// <exception cref="NotFoundException">No OU matched <c>Identity</c>, or one of the
/// two schema attributes could not be resolved.</exception>
protected override void ProcessRecord()
{
    //OU can be passed as name or as dn
    var candidates = DirectoryUtils.GetOU(Identity);
    if (candidates.Count > 1)
    {
        // Emit the candidates first so the caller can retry with an exact distinguishedName.
        foreach (ObjectInfo candidate in candidates)
        {
            WriteObject(candidate);
        }
        throw new AmbiguousResultException("More than one object found, search using distinguishedName instead");
    }
    if (candidates.Count == 0)
    {
        throw new NotFoundException($"Object not found: {Identity}");
    }
    ObjectInfo targetOu = candidates[0];

    // Only the DACL is requested, so owner/group/SACL are neither read nor rewritten.
    ActiveDirectorySecurity dacl = DirectoryUtils.GetObjectSecurity(conn, targetOu.DistinguishedName, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

    //apply permissions only to computer objects
    Guid computerClassGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, "computer", SchemaObjectType.Class);

    // NOTE(review): catch (Exception) maps every failure of the schema lookup (including
    // connectivity errors) to "not found" and drops the original exception; narrow it once
    // the exception types thrown by GetSchemaGuid are known.
    Guid timestampGuid;
    try
    {
        timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute);
    }
    catch (Exception)
    {
        throw new NotFoundException($"Object not found: {Constants.TimestampAttributeName}");
    }

    Guid pwdGuid;
    try
    {
        pwdGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.PasswordAttributeName, SchemaObjectType.Attribute);
    }
    catch (Exception)
    {
        throw new NotFoundException($"Object not found: {Constants.PasswordAttributeName}");
    }

    // Builds an Allow property rule for one attribute, inherited by computer objects only.
    Func<System.Security.Principal.NTAccount, PropertyAccess, Guid, System.DirectoryServices.ActiveDirectoryAccessRule> propertyRule =
        (who, access, attributeGuid) => new System.DirectoryServices.PropertyAccessRule(who,
            System.Security.AccessControl.AccessControlType.Allow,
            access,
            attributeGuid,
            ActiveDirectorySecurityInheritance.Descendents,
            computerClassGuid);

    foreach (string principalName in AllowedPrincipals)
    {
        // NTAccount only wraps the name; SID resolution presumably happens later, before the write.
        var grantee = new System.Security.Principal.NTAccount(principalName);

        // read ms-Mcs-AdmPwdExpirationTime on computer objects
        dacl.AddAccessRule(propertyRule(grantee, PropertyAccess.Read, timestampGuid));

        // read ms-Mcs-AdmPwd on computer objects
        dacl.AddAccessRule(propertyRule(grantee, PropertyAccess.Read, pwdGuid));

        // control access on ms-Mcs-AdmPwd on computer objects (the extended right is
        // scoped to the password attribute's GUID, not an all-rights grant)
        var controlAccessRule = new System.DirectoryServices.ActiveDirectoryAccessRule(grantee,
            ActiveDirectoryRights.ExtendedRight,
            System.Security.AccessControl.AccessControlType.Allow,
            pwdGuid,
            ActiveDirectorySecurityInheritance.Descendents,
            computerClassGuid);
        dacl.AddAccessRule(controlAccessRule);
    }

    // All rules were accumulated in memory; this is the single write to the directory.
    DirectoryUtils.SetObjectSecurity(conn, targetOu.DistinguishedName, dacl, System.DirectoryServices.Protocols.SecurityMasks.Dacl);
    WriteObject(targetOu);
}