// Constructors public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags) {}
public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, ActiveDirectorySecurityInheritance inheritanceType) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(System.Security.AccessControl.InheritanceFlags), default(System.Security.AccessControl.PropagationFlags), default(Guid), default(Guid), default(System.Security.AccessControl.AuditFlags)) { Contract.Requires(identity != null); }
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, type, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType) { }
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), auditFlags, objectType, false, 0, 0, Guid.Empty) { }
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type) : this(identity, (int)adRights, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty) { }
public ActiveDirectoryAccessRule( IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this( identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, Guid.Empty, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType) { }
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, 0, 0, Guid.Empty) { }
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags) : this(identity, (int)adRights, auditFlags, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty) { }
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, auditFlags, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType) { }
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights rights, AccessControlType aclType) { throw new NotImplementedException("ActiveDirectoryAccessRule()"); }
public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, ActiveDirectorySecurityInheritance inheritanceType) : base(default(System.Security.Principal.IdentityReference), default(int), default(bool), default(System.Security.AccessControl.InheritanceFlags), default(System.Security.AccessControl.PropagationFlags), default(Guid), default(Guid), default(System.Security.AccessControl.AuditFlags)) { Contract.Requires(identity != null); }
public static void AddPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission, ActiveDirectorySecurityInheritance inheritance = ActiveDirectorySecurityInheritance.All) { var obj = new DirectoryEntry(objectPath); var rule = new ActiveDirectoryAccessRule(identity, permission, AccessControlType.Allow, inheritance); obj.ObjectSecurity.AddAccessRule(rule); obj.CommitChanges(); }
public static bool HasPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission) { var obj = new DirectoryEntry(objectPath); return(GetRules(obj.ObjectSecurity, identity).Any(r => r.ActiveDirectoryRights == permission)); }
public static void RemoveOUSecurityfromSid(string ouPath, WellKnownSidType UserSid, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance) { DirectoryEntry ou = GetADObject(ouPath); SecurityIdentifier identity = null; identity = new SecurityIdentifier(UserSid, null); ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule( identity, rights, type, inheritance ); ou.ObjectSecurity.RemoveAccessRule(ruleRead); ou.CommitChanges(); ou.Close(); }
private static bool IsRightSetinAccessRule(ActiveDirectoryAccessRule accessrule, ActiveDirectoryRights right) { return((accessrule.ActiveDirectoryRights & right) == right); }
public ActiveDirectoryAccessRule( IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType) : this( identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty) { }
protected override void PopulateCalculatedProperties() { base.PopulateCalculatedProperties(); TaskLogger.Trace("Resolving InheritedObjectType", new object[0]); IConfigurationSession session = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 175, "PopulateCalculatedProperties", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\RecipientTasks\\permission\\ADAcePresentationObject.cs"); if (base.RealAce.InheritedObjectType != Guid.Empty) { ADSchemaObjectIdParameter adschemaObjectIdParameter = ADSchemaObjectIdParameter.Parse(base.RealAce.InheritedObjectType.ToString()); IEnumerable <ADSchemaClassObject> objects = adschemaObjectIdParameter.GetObjects <ADSchemaClassObject>(null, session); using (IEnumerator <ADSchemaClassObject> enumerator = objects.GetEnumerator()) { string text = null; if (enumerator.MoveNext()) { text = enumerator.Current.Name; } if (text == null || enumerator.MoveNext()) { this.InheritedObjectType = ADSchemaObjectIdParameter.Parse(base.RealAce.InheritedObjectType.ToString()); TaskLogger.Trace("Could not resolve the following InheritedObjectType: {0}", new object[] { base.RealAce.InheritedObjectType.ToString() }); } else { this.InheritedObjectType = ADSchemaObjectIdParameter.Parse(text); } } } if (base.RealAce.ObjectType != Guid.Empty) { ActiveDirectoryRights activeDirectoryRights = base.RealAce.ActiveDirectoryRights; string text2 = base.RealAce.ObjectType.ToString(); bool flag = false; if ((activeDirectoryRights & ActiveDirectoryRights.ExtendedRight) == ActiveDirectoryRights.ExtendedRight) { TaskLogger.Trace("Resolving ExtendedRight", new object[0]); ExtendedRightIdParameter[] extendedRights = null; ExtendedRightIdParameter extendedRightIdParameter = ExtendedRightIdParameter.Parse(text2); IEnumerable <ExtendedRight> objects2 = extendedRightIdParameter.GetObjects <ExtendedRight>(null, session); using (IEnumerator <ExtendedRight> enumerator2 = objects2.GetEnumerator()) { string text3 = null; if (enumerator2.MoveNext()) { text3 = enumerator2.Current.Name; } if (text3 != null && !enumerator2.MoveNext()) { extendedRights = new ExtendedRightIdParameter[] { ExtendedRightIdParameter.Parse(text3) }; flag = true; } } this.ExtendedRights = extendedRights; } if ((!flag && (activeDirectoryRights & ActiveDirectoryRights.CreateChild) == ActiveDirectoryRights.CreateChild) || (activeDirectoryRights & ActiveDirectoryRights.DeleteChild) == ActiveDirectoryRights.DeleteChild || (activeDirectoryRights & ActiveDirectoryRights.ReadProperty) == ActiveDirectoryRights.ReadProperty || (activeDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty) { TaskLogger.Trace("Resolving Child Object Type", new object[0]); ADSchemaObjectIdParameter[] childObjectTypes = null; ADSchemaObjectIdParameter adschemaObjectIdParameter2 = ADSchemaObjectIdParameter.Parse(text2); IEnumerable <ADSchemaClassObject> objects3 = adschemaObjectIdParameter2.GetObjects <ADSchemaClassObject>(null, session); using (IEnumerator <ADSchemaClassObject> enumerator3 = objects3.GetEnumerator()) { string text4 = null; if (enumerator3.MoveNext()) { text4 = enumerator3.Current.Name; } if (text4 != null && !enumerator3.MoveNext()) { childObjectTypes = new ADSchemaObjectIdParameter[] { ADSchemaObjectIdParameter.Parse(text4) }; flag = true; } } this.ChildObjectTypes = childObjectTypes; } if ((!flag && (activeDirectoryRights & ActiveDirectoryRights.ReadProperty) == ActiveDirectoryRights.ReadProperty) || (activeDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty || (activeDirectoryRights & ActiveDirectoryRights.Self) == ActiveDirectoryRights.Self) { TaskLogger.Trace("Resolving Property", new object[0]); ADSchemaObjectIdParameter[] properties = null; ADSchemaObjectIdParameter adschemaObjectIdParameter3 = ADSchemaObjectIdParameter.Parse(text2); IEnumerable <ADSchemaAttributeObject> objects4 = adschemaObjectIdParameter3.GetObjects <ADSchemaAttributeObject>(null, session); using (IEnumerator <ADSchemaAttributeObject> enumerator4 = objects4.GetEnumerator()) { string text5 = null; if (enumerator4.MoveNext()) { text5 = enumerator4.Current.Name; } if (text5 == null || enumerator4.MoveNext()) { ExtendedRightIdParameter extendedRightIdParameter2 = ExtendedRightIdParameter.Parse(text2); IEnumerable <ExtendedRight> objects5 = extendedRightIdParameter2.GetObjects <ExtendedRight>(null, session); using (IEnumerator <ExtendedRight> enumerator5 = objects5.GetEnumerator()) { string text6 = null; if (enumerator5.MoveNext()) { text6 = enumerator5.Current.Name; } TaskLogger.Trace("Could not resolve the following property: {0}", new object[] { text2 }); if (text6 != null && !enumerator5.MoveNext()) { properties = new ADSchemaObjectIdParameter[] { ADSchemaObjectIdParameter.Parse(text6) }; } goto IL_3A4; } } properties = new ADSchemaObjectIdParameter[] { ADSchemaObjectIdParameter.Parse(text5) }; IL_3A4 :; } this.Properties = properties; } } }
internal static int AccessMaskFromRights(ActiveDirectoryRights adRights) { return((int)adRights); }
Task StartConsumer(BlockingCollection <DBObject> input, BlockingCollection <ACLInfo> output, TaskFactory factory) { return(factory.StartNew(() => { foreach (DBObject obj in input.GetConsumingEnumerable()) { Interlocked.Increment(ref count); if (obj.NTSecurityDescriptor == null) { options.WriteVerbose($"DACL was null on ${obj.SAMAccountName}"); continue; } RawSecurityDescriptor desc = new RawSecurityDescriptor(obj.NTSecurityDescriptor, 0); RawAcl acls = desc.DiscretionaryAcl; //Figure out whose the owner string ownersid = desc.Owner.ToString(); if (!manager.FindBySID(ownersid, CurrentDomain, out DBObject owner)) { if (MappedPrincipal.GetCommon(ownersid, out MappedPrincipal mapped)) { owner = new DBObject { BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}", Type = "group", Domain = CurrentDomain, DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}", }; } else if (NullSIDS.TryGetValue(ownersid, out byte val)) { owner = null; continue; } else { try { DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={ownersid}>"); owner = entry.ConvertToDB(); manager.InsertRecord(owner); } catch { owner = null; NullSIDS.TryAdd(ownersid, new byte()); options.WriteVerbose($"Unable to resolve {ownersid} for object owner"); continue; } } } if (owner != null) { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, Inherited = false, RightName = "Owner", PrincipalName = owner.BloodHoundDisplayName, PrincipalType = owner.Type, AceType = "", Qualifier = "AccessAllowed" }); } foreach (QualifiedAce r in acls) { string PrincipalSID = r.SecurityIdentifier.ToString(); //Try to map our SID to the principal using a few different methods if (!manager.FindBySID(PrincipalSID, CurrentDomain, out DBObject principal)) { if (MappedPrincipal.GetCommon(PrincipalSID, out MappedPrincipal mapped)) { principal = new DBObject { BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}", Type = "group", Domain = CurrentDomain, DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}" }; } else if (NullSIDS.TryGetValue(ownersid, out byte val)) { continue; } else { try { DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={PrincipalSID}>"); principal = entry.ConvertToDB(); manager.InsertRecord(principal); } catch { NullSIDS.TryAdd(PrincipalSID, new byte()); options.WriteVerbose($"Unable to resolve {PrincipalSID} for ACL"); continue; } } } //If we're here, we have a principal. Yay! //Resolve the ActiveDirectoryRight ActiveDirectoryRights right = (ActiveDirectoryRights)Enum.ToObject(typeof(ActiveDirectoryRights), r.AccessMask); string rs = right.ToString(); string guid = r is ObjectAce ? ((ObjectAce)r).ObjectAceType.ToString() : ""; List <string> foundrights = new List <string>(); bool cont = false; //Figure out if we need more processing cont |= (rs.Contains("WriteDacl") || rs.Contains("WriteOwner")); if (rs.Contains("GenericWrite") || rs.Contains("GenericAll")) { cont |= ("00000000-0000-0000-0000-000000000000".Equals(guid) || guid.Equals("") || cont); } if (rs.Contains("ExtendedRight")) { cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("") || guid.Equals("00299570-246d-11d0-a768-00aa006e0529") || cont); //DCSync cont |= (guid.Equals("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") || guid.Equals("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") || cont); } if (rs.Contains("WriteProperty")) { cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2") || guid.Equals("bf9679a8-0de6-11d0-a285-00aa003049e2") || cont); } if (!cont) { continue; } string acetype = null; MatchCollection coll = GenericRegex.Matches(rs); if (rs.Contains("ExtendedRight")) { switch (guid) { case "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": acetype = "DS-Replication-Get-Changes"; break; case "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": acetype = "DS-Replication-Get-Changes-All"; break; default: acetype = "All"; break; } } if (acetype != null && (acetype.Equals("DS-Replication-Get-Changes-All") || acetype.Equals("DS-Replication-Get-Changes"))) { if (!syncers.TryGetValue(principal.DistinguishedName, out DCSync SyncObject)) { SyncObject = new DCSync { Domain = obj.BloodHoundDisplayName, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type }; } if (acetype.Contains("-All")) { SyncObject.GetChangesAll = true; } else { SyncObject.GetChanges = true; } syncers.AddOrUpdate(principal.DistinguishedName, SyncObject, (key, oldVar) => SyncObject); //We only care about these privs if we have both, so store that stuff and continue on continue; } if (rs.Contains("GenericAll")) { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "GenericAll" }); } if (rs.Contains("GenericWrite")) { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "GenericWrite" }); } if (rs.Contains("WriteOwner")) { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "WriteOwner" }); } if (rs.Contains("WriteDacl")) { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "WriteDacl" }); } if (rs.Contains("WriteProperty")) { if (guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2")) { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "Member", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "WriteProperty" }); } else { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "Script-Path", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "WriteProperty" }); } } if (rs.Contains("ExtendedRight")) { if (guid.Equals("00299570-246d-11d0-a768-00aa006e0529")) { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "User-Force-Change-Password", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "ExtendedRight" }); } else { output.Add(new ACLInfo { ObjectName = obj.BloodHoundDisplayName, ObjectType = obj.Type, AceType = "All", Inherited = r.IsInherited, PrincipalName = principal.BloodHoundDisplayName, PrincipalType = principal.Type, Qualifier = r.AceQualifier.ToString(), RightName = "ExtendedRight" }); } } } } })); }
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType) { }
internal static int AccessMaskFromRights(ActiveDirectoryRights adRights) => (int)adRights;
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), auditFlags, objectType, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType) { }
// Get A Principal's Cumulitive AD Rights On An Object private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject) { ActiveDirectoryRights myRights = 0; ActiveDirectoryRights myDenyRights = 0; Principal p = DirectoryServices.GetPrincipal(principal); if (p == null) { throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist); } List <DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true); DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject); if (de == null) { throw new AdException($"Object [{adObject}] Does Not Exist.", AdStatusType.DoesNotExist); } List <AccessRuleObject> rules = DirectoryServices.GetAccessRules(de); Dictionary <string, ActiveDirectoryRights> rights = new Dictionary <string, ActiveDirectoryRights>(); Dictionary <string, ActiveDirectoryRights> denyRights = new Dictionary <string, ActiveDirectoryRights>(); // Accumulate Allow and Deny Rights By Identity Reference foreach (AccessRuleObject rule in rules) { if (rule.ControlType == System.Security.AccessControl.AccessControlType.Allow) { if (rights.Keys.Contains(rule.IdentityReference)) { rights[rule.IdentityReference] |= rule.Rights; } else { rights.Add(rule.IdentityReference, rule.Rights); } } else { if (rights.Keys.Contains(rule.IdentityReference)) { denyRights[rule.IdentityReference] |= rule.Rights; } else { denyRights.Add(rule.IdentityReference, rule.Rights); } } } foreach (DirectoryEntry entry in groups) { if (entry.Properties.Contains("objectSid")) { string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value); if (rights.ContainsKey(sid)) { myRights |= rights[sid]; } if (denyRights.ContainsKey(sid)) { myDenyRights |= denyRights[sid]; } } } // Apply Deny Rights myDenyRights = myRights & myDenyRights; myRights = myRights ^ myDenyRights; return(myRights); }
void fromActiveDirectorySecurity() { ActiveDirectorySecurity dsSecurity; using (var entry = new DirectoryEntry("LDAP://" + _x500Name)) { dsSecurity = entry.ObjectSecurity; } try { SetOwner(dsSecurity.GetOwner(typeof(NTAccount))); } catch { SetOwner(dsSecurity.GetOwner(typeof(SecurityIdentifier))); } IEnumerable <IdentityReference> users = dsSecurity .GetAccessRules(true, true, typeof(NTAccount)) .Cast <ActiveDirectoryAccessRule>() .Select(x => x.IdentityReference) .Distinct(); foreach (IdentityReference user in users) { foreach (AccessControlType accessType in Enum.GetValues(typeof(AccessControlType))) { CertTemplateRights rights = 0; IEnumerable <ActiveDirectoryAccessRule> aceList = dsSecurity.GetAccessRules(true, true, typeof(NTAccount)) .Cast <ActiveDirectoryAccessRule>() .Where(x => x.IdentityReference == user && x.AccessControlType == accessType); foreach (ActiveDirectoryAccessRule ace in aceList) { ActiveDirectoryRights aceRights = ace.ActiveDirectoryRights; if (aceRights.HasFlag(ActiveDirectoryRights.GenericRead) || aceRights.HasFlag(ActiveDirectoryRights.GenericExecute)) { rights |= CertTemplateRights.Read; } if (aceRights.HasFlag(ActiveDirectoryRights.WriteDacl)) { rights |= CertTemplateRights.Write; } if (aceRights.HasFlag(ActiveDirectoryRights.GenericAll)) { rights |= CertTemplateRights.FullControl; } if (aceRights.HasFlag(ActiveDirectoryRights.ExtendedRight)) { switch (ace.ObjectType.ToString()) { case GUID_ENROLL: rights |= CertTemplateRights.Enroll; break; case GUID_AUTOENROLL: rights |= CertTemplateRights.Autoenroll; break; } } } if (rights > 0) { AddAccessRule(new CertTemplateAccessRule(user, rights, accessType)); } } } }
public ActiveDirectoryAuditRule( IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags) : this( identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), auditFlags, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty ) { }
public ActiveDirectoryAccessRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type, ActiveDirectorySecurityInheritance inheritanceType) {}
internal static int AccessMaskFromRights(ActiveDirectoryRights adRights) { return (int)adRights; }
public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, System.Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, System.Guid inheritedObjectType) {}
public static void RemoveOUSecurityfromUser(string ouPath, string domain, string Username, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance) { DirectoryEntry ou = GetADObject(ouPath); NTAccount ADUser = new NTAccount(domain, Username); ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule( ADUser, rights, type, inheritance ); ou.ObjectSecurity.RemoveAccessRule(ruleRead); ou.CommitChanges(); ou.Close(); }