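        protected override void ProcessRecord()
        {
            // Delegates the "reset password" right: every principal in AllowedPrincipals
            // gets Read and Write on the ms-Mcs-AdmPwdExpirationTime attribute of the
            // computer objects beneath the target OU. A principal that can write the
            // expiration time can force a password rotation at the next client refresh
            // (and could push the timestamp out to delay one), so treat this as a
            // privileged delegation and keep AllowedPrincipals tight.
            //
            // Identity may be an OU name or a distinguishedName. A bare name can match
            // several OUs; every candidate is written to the pipeline and the call fails
            // so that nothing is delegated on a guessed target.
            List<ObjectInfo> matches = DirectoryUtils.GetOU(Identity);

            if (matches.Count > 1)
            {
                foreach (ObjectInfo candidate in matches)
                {
                    WriteObject(candidate);
                }
                throw new InvalidOperationException("More than one object found, search using distinguishedName instead");
            }

            if (matches.Count == 0)
            {
                throw new InvalidOperationException("Object not found");
            }

            string ouDn = matches[0].DistinguishedName;

            // Only the DACL is read and written back; owner and SACL are left untouched.
            ActiveDirectorySecurity sec = DirectoryUtils.GetObjectSecurity(conn, ouDn, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

            // Both ACEs are scoped to descendant objects of the "computer" class, so the
            // OU itself and non-computer children receive nothing.
            Guid computerClassGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, "computer", SchemaObjectType.Class);
            Guid timestampGuid     = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute);

            // NOTE(review): principals are taken as given; an account name that does not
            // resolve is expected to fail the operation rather than be written as an
            // unknown SID — confirm against DirectoryUtils.SetObjectSecurity behaviour.
            foreach (string principalName in AllowedPrincipals)
            {
                var principal = new System.Security.Principal.NTAccount(principalName);

                // read ms-Mcs-AdmPwdExpirationTime on computer objects
                sec.AddAccessRule(new System.DirectoryServices.PropertyAccessRule(
                    principal,
                    System.Security.AccessControl.AccessControlType.Allow,
                    PropertyAccess.Read,
                    timestampGuid,
                    ActiveDirectorySecurityInheritance.Descendents,
                    computerClassGuid));

                // write ms-Mcs-AdmPwdExpirationTime on computer objects
                sec.AddAccessRule(new System.DirectoryServices.PropertyAccessRule(
                    principal,
                    System.Security.AccessControl.AccessControlType.Allow,
                    PropertyAccess.Write,
                    timestampGuid,
                    ActiveDirectorySecurityInheritance.Descendents,
                    computerClassGuid));
            }

            // Writing the DACL requires WriteDacl on the OU; the directory enforces that,
            // this cmdlet does not pre-check it.
            DirectoryUtils.SetObjectSecurity(conn, ouDn, sec, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

            matches[0].Status = PermissionDelegationState.Delegated;
            WriteObject(matches[0]);
        }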
파일: Main.cs 프로젝트: vivektj/admpwd
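        protected override void ProcessRecord()
        {
            // Grants the computer objects beneath the target OU the rights their LAPS
            // client needs on themselves: Read+Write on ms-Mcs-AdmPwdExpirationTime and
            // Write (deliberately not Read) on ms-Mcs-AdmPwd. Because no read ACE is added
            // for the password attribute, a machine can publish a new password but cannot
            // read the stored one back over LDAP — keep it that way.
            //
            // Identity may be an OU name or a distinguishedName; a name matching several
            // OUs emits every candidate and fails rather than picking one.
            var matches = DirectoryUtils.GetOU(Identity);

            if (matches.Count > 1)
            {
                foreach (ObjectInfo candidate in matches)
                {
                    WriteObject(candidate);
                }
                throw new AmbiguousResultException("More than one object found, search using distinguishedName instead");
            }
            if (matches.Count == 0)
            {
                throw new NotFoundException("Object not found");
            }

            string ouDn = matches[0].DistinguishedName;

            // Only the DACL is read and written back; owner and SACL are untouched.
            ActiveDirectorySecurity sec = DirectoryUtils.GetObjectSecurity(conn, ouDn, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

            // NT AUTHORITY\SELF (S-1-5-10, SDDL "PS"): at access-check time the directory
            // substitutes the object's own SID, so each computer gets these rights on
            // itself only, never on sibling computers.
            var selfSid = new System.Security.Principal.SecurityIdentifier(
                System.Security.Principal.WellKnownSidType.SelfSid, null);

            // All ACEs are scoped to descendant objects of class "computer"; the OU itself
            // and non-computer children receive nothing.
            Guid computerClassGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, "computer", SchemaObjectType.Class);

            // Each attribute GUID is looked up once; the timestamp GUID is reused for the
            // read and the write ACE instead of querying the schema twice.
            Guid timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute);
            Guid pwdGuid       = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.PasswordAttributeName, SchemaObjectType.Attribute);

            // read ms-Mcs-AdmPwdExpirationTime on computer objects
            sec.AddAccessRule(new System.DirectoryServices.PropertyAccessRule(
                selfSid,
                System.Security.AccessControl.AccessControlType.Allow,
                PropertyAccess.Read,
                timestampGuid,
                ActiveDirectorySecurityInheritance.Descendents,
                computerClassGuid));

            // write ms-Mcs-AdmPwdExpirationTime on computer objects
            sec.AddAccessRule(new System.DirectoryServices.PropertyAccessRule(
                selfSid,
                System.Security.AccessControl.AccessControlType.Allow,
                PropertyAccess.Write,
                timestampGuid,
                ActiveDirectorySecurityInheritance.Descendents,
                computerClassGuid));

            // write ms-Mcs-AdmPwd on computer objects (write-only: no read ACE on purpose)
            sec.AddAccessRule(new System.DirectoryServices.PropertyAccessRule(
                selfSid,
                System.Security.AccessControl.AccessControlType.Allow,
                PropertyAccess.Write,
                pwdGuid,
                ActiveDirectorySecurityInheritance.Descendents,
                computerClassGuid));

            // Writing the DACL requires WriteDacl on the OU; the directory enforces that.
            DirectoryUtils.SetObjectSecurity(conn, ouDn, sec, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

            WriteObject(matches[0]);
        }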
파일: Main.cs 프로젝트: zhouzu/admpwd
        protected override void ProcessRecord()
        {
            // Delegates the "read password" right: every principal in AllowedPrincipals
            // gets Read on ms-Mcs-AdmPwdExpirationTime, Read on ms-Mcs-AdmPwd, and the
            // control-access (extended) right keyed by the ms-Mcs-AdmPwd GUID, all scoped
            // to computer objects beneath the target OU. The extended-right ACE is
            // presumably what makes the read effective on a confidential attribute, where
            // read-property alone is not sufficient — so the three ACEs belong together.
            // Whoever ends up in AllowedPrincipals can read every local admin password
            // under the OU; this is the most sensitive delegation in the module.
            //
            // Identity may be an OU name or a distinguishedName; a name matching several
            // OUs emits every candidate and fails rather than picking one.
            var matches = DirectoryUtils.GetOU(Identity);

            if (matches.Count == 0)
            {
                throw new NotFoundException($"Object not found: {Identity}");
            }

            if (matches.Count > 1)
            {
                foreach (ObjectInfo candidate in matches)
                {
                    WriteObject(candidate);
                }
                throw new AmbiguousResultException("More than one object found, search using distinguishedName instead");
            }

            string ouDn = matches[0].DistinguishedName;

            // Only the DACL is read and written back; owner and SACL are untouched.
            ActiveDirectorySecurity descriptor = DirectoryUtils.GetObjectSecurity(conn, ouDn, System.DirectoryServices.Protocols.SecurityMasks.Dacl);

            // ACEs are scoped to descendant objects of class "computer"; the OU itself and
            // non-computer children receive nothing.
            Guid computerClassGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, "computer", SchemaObjectType.Class);

            // NOTE(review): both lookups below turn any failure into "not found", which
            // also relabels connectivity or permission errors from the schema query and
            // drops the original exception; narrow the catch once GetSchemaGuid's failure
            // modes are known.
            Guid timestampGuid;
            try
            {
                timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute);
            }
            catch (Exception)
            {
                throw new NotFoundException($"Object not found: {Constants.TimestampAttributeName}");
            }

            Guid pwdGuid;
            try
            {
                pwdGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.PasswordAttributeName, SchemaObjectType.Attribute);
            }
            catch (Exception)
            {
                throw new NotFoundException($"Object not found: {Constants.PasswordAttributeName}");
            }

            foreach (string principalName in AllowedPrincipals)
            {
                var principal = new System.Security.Principal.NTAccount(principalName);

                // read ms-Mcs-AdmPwdExpirationTime on computer objects
                descriptor.AddAccessRule(new System.DirectoryServices.PropertyAccessRule(
                    principal,
                    System.Security.AccessControl.AccessControlType.Allow,
                    PropertyAccess.Read,
                    timestampGuid,
                    ActiveDirectorySecurityInheritance.Descendents,
                    computerClassGuid));

                // read ms-Mcs-AdmPwd on computer objects
                descriptor.AddAccessRule(new System.DirectoryServices.PropertyAccessRule(
                    principal,
                    System.Security.AccessControl.AccessControlType.Allow,
                    PropertyAccess.Read,
                    pwdGuid,
                    ActiveDirectorySecurityInheritance.Descendents,
                    computerClassGuid));

                // control access on ms-Mcs-AdmPwd on computer objects
                descriptor.AddAccessRule(new System.DirectoryServices.ActiveDirectoryAccessRule(
                    principal,
                    ActiveDirectoryRights.ExtendedRight,
                    System.Security.AccessControl.AccessControlType.Allow,
                    pwdGuid,
                    ActiveDirectorySecurityInheritance.Descendents,
                    computerClassGuid));
            }

            // Writing the DACL requires WriteDacl on the OU; the directory enforces that.
            DirectoryUtils.SetObjectSecurity(conn, ouDn, descriptor, System.DirectoryServices.Protocols.SecurityMasks.Dacl);
            WriteObject(matches[0]);
        }