// Constructors
public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags) {}
public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, ActiveDirectorySecurityInheritance inheritanceType) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(System.Security.AccessControl.InheritanceFlags), default(System.Security.AccessControl.PropagationFlags), default(Guid), default(Guid), default(System.Security.AccessControl.AuditFlags))
{
Contract.Requires(identity != null);
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, type, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
{
}
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), auditFlags, objectType, false, 0, 0, Guid.Empty)
{
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type) : this(identity, (int)adRights, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
{
}
public ActiveDirectoryAccessRule(
IdentityReference identity,
ActiveDirectoryRights adRights,
AccessControlType type,
ActiveDirectorySecurityInheritance inheritanceType,
Guid inheritedObjectType)
: this(
identity,
ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights),
type,
Guid.Empty,
false,
ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType),
ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType),
inheritedObjectType)
{
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, 0, 0, Guid.Empty)
{
}
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags) : this(identity, (int)adRights, auditFlags, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
{
}
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, auditFlags, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
{
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, 0, 0, Guid.Empty)
{
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights rights, AccessControlType aclType)
{
throw new NotImplementedException("ActiveDirectoryAccessRule()");
}
public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, ActiveDirectorySecurityInheritance inheritanceType) : base(default(System.Security.Principal.IdentityReference), default(int), default(bool), default(System.Security.AccessControl.InheritanceFlags), default(System.Security.AccessControl.PropagationFlags), default(Guid), default(Guid), default(System.Security.AccessControl.AuditFlags))
{
Contract.Requires(identity != null);
}
public static void AddPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission, ActiveDirectorySecurityInheritance inheritance = ActiveDirectorySecurityInheritance.All)
{
var obj = new DirectoryEntry(objectPath);
var rule = new ActiveDirectoryAccessRule(identity, permission, AccessControlType.Allow, inheritance);
obj.ObjectSecurity.AddAccessRule(rule);
obj.CommitChanges();
}
public static bool HasPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission)
{
var obj = new DirectoryEntry(objectPath);
return(GetRules(obj.ObjectSecurity, identity).Any(r => r.ActiveDirectoryRights == permission));
}
public static void RemoveOUSecurityfromSid(string ouPath, WellKnownSidType UserSid, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance)
{
DirectoryEntry ou = GetADObject(ouPath);
SecurityIdentifier identity = null;
identity = new SecurityIdentifier(UserSid, null);
ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule(
identity,
rights,
type,
inheritance
);
ou.ObjectSecurity.RemoveAccessRule(ruleRead);
ou.CommitChanges();
ou.Close();
}
private static bool IsRightSetinAccessRule(ActiveDirectoryAccessRule accessrule, ActiveDirectoryRights right)
{
return((accessrule.ActiveDirectoryRights & right) == right);
}
public ActiveDirectoryAccessRule(
IdentityReference identity,
ActiveDirectoryRights adRights,
AccessControlType type,
Guid objectType)
: this(
identity,
ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights),
type,
objectType,
false,
InheritanceFlags.None,
PropagationFlags.None,
Guid.Empty)
{
}
protected override void PopulateCalculatedProperties()
{
base.PopulateCalculatedProperties();
TaskLogger.Trace("Resolving InheritedObjectType", new object[0]);
IConfigurationSession session = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 175, "PopulateCalculatedProperties", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\RecipientTasks\\permission\\ADAcePresentationObject.cs");
if (base.RealAce.InheritedObjectType != Guid.Empty)
{
ADSchemaObjectIdParameter adschemaObjectIdParameter = ADSchemaObjectIdParameter.Parse(base.RealAce.InheritedObjectType.ToString());
IEnumerable <ADSchemaClassObject> objects = adschemaObjectIdParameter.GetObjects <ADSchemaClassObject>(null, session);
using (IEnumerator <ADSchemaClassObject> enumerator = objects.GetEnumerator())
{
string text = null;
if (enumerator.MoveNext())
{
text = enumerator.Current.Name;
}
if (text == null || enumerator.MoveNext())
{
this.InheritedObjectType = ADSchemaObjectIdParameter.Parse(base.RealAce.InheritedObjectType.ToString());
TaskLogger.Trace("Could not resolve the following InheritedObjectType: {0}", new object[]
{
base.RealAce.InheritedObjectType.ToString()
});
}
else
{
this.InheritedObjectType = ADSchemaObjectIdParameter.Parse(text);
}
}
}
if (base.RealAce.ObjectType != Guid.Empty)
{
ActiveDirectoryRights activeDirectoryRights = base.RealAce.ActiveDirectoryRights;
string text2 = base.RealAce.ObjectType.ToString();
bool flag = false;
if ((activeDirectoryRights & ActiveDirectoryRights.ExtendedRight) == ActiveDirectoryRights.ExtendedRight)
{
TaskLogger.Trace("Resolving ExtendedRight", new object[0]);
ExtendedRightIdParameter[] extendedRights = null;
ExtendedRightIdParameter extendedRightIdParameter = ExtendedRightIdParameter.Parse(text2);
IEnumerable <ExtendedRight> objects2 = extendedRightIdParameter.GetObjects <ExtendedRight>(null, session);
using (IEnumerator <ExtendedRight> enumerator2 = objects2.GetEnumerator())
{
string text3 = null;
if (enumerator2.MoveNext())
{
text3 = enumerator2.Current.Name;
}
if (text3 != null && !enumerator2.MoveNext())
{
extendedRights = new ExtendedRightIdParameter[]
{
ExtendedRightIdParameter.Parse(text3)
};
flag = true;
}
}
this.ExtendedRights = extendedRights;
}
if ((!flag && (activeDirectoryRights & ActiveDirectoryRights.CreateChild) == ActiveDirectoryRights.CreateChild) || (activeDirectoryRights & ActiveDirectoryRights.DeleteChild) == ActiveDirectoryRights.DeleteChild || (activeDirectoryRights & ActiveDirectoryRights.ReadProperty) == ActiveDirectoryRights.ReadProperty || (activeDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty)
{
TaskLogger.Trace("Resolving Child Object Type", new object[0]);
ADSchemaObjectIdParameter[] childObjectTypes = null;
ADSchemaObjectIdParameter adschemaObjectIdParameter2 = ADSchemaObjectIdParameter.Parse(text2);
IEnumerable <ADSchemaClassObject> objects3 = adschemaObjectIdParameter2.GetObjects <ADSchemaClassObject>(null, session);
using (IEnumerator <ADSchemaClassObject> enumerator3 = objects3.GetEnumerator())
{
string text4 = null;
if (enumerator3.MoveNext())
{
text4 = enumerator3.Current.Name;
}
if (text4 != null && !enumerator3.MoveNext())
{
childObjectTypes = new ADSchemaObjectIdParameter[]
{
ADSchemaObjectIdParameter.Parse(text4)
};
flag = true;
}
}
this.ChildObjectTypes = childObjectTypes;
}
if ((!flag && (activeDirectoryRights & ActiveDirectoryRights.ReadProperty) == ActiveDirectoryRights.ReadProperty) || (activeDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty || (activeDirectoryRights & ActiveDirectoryRights.Self) == ActiveDirectoryRights.Self)
{
TaskLogger.Trace("Resolving Property", new object[0]);
ADSchemaObjectIdParameter[] properties = null;
ADSchemaObjectIdParameter adschemaObjectIdParameter3 = ADSchemaObjectIdParameter.Parse(text2);
IEnumerable <ADSchemaAttributeObject> objects4 = adschemaObjectIdParameter3.GetObjects <ADSchemaAttributeObject>(null, session);
using (IEnumerator <ADSchemaAttributeObject> enumerator4 = objects4.GetEnumerator())
{
string text5 = null;
if (enumerator4.MoveNext())
{
text5 = enumerator4.Current.Name;
}
if (text5 == null || enumerator4.MoveNext())
{
ExtendedRightIdParameter extendedRightIdParameter2 = ExtendedRightIdParameter.Parse(text2);
IEnumerable <ExtendedRight> objects5 = extendedRightIdParameter2.GetObjects <ExtendedRight>(null, session);
using (IEnumerator <ExtendedRight> enumerator5 = objects5.GetEnumerator())
{
string text6 = null;
if (enumerator5.MoveNext())
{
text6 = enumerator5.Current.Name;
}
TaskLogger.Trace("Could not resolve the following property: {0}", new object[]
{
text2
});
if (text6 != null && !enumerator5.MoveNext())
{
properties = new ADSchemaObjectIdParameter[]
{
ADSchemaObjectIdParameter.Parse(text6)
};
}
goto IL_3A4;
}
}
properties = new ADSchemaObjectIdParameter[]
{
ADSchemaObjectIdParameter.Parse(text5)
};
IL_3A4 :;
}
this.Properties = properties;
}
}
}
internal static int AccessMaskFromRights(ActiveDirectoryRights adRights)
{
return((int)adRights);
}
Task StartConsumer(BlockingCollection <DBObject> input, BlockingCollection <ACLInfo> output, TaskFactory factory)
{
return(factory.StartNew(() =>
{
foreach (DBObject obj in input.GetConsumingEnumerable())
{
Interlocked.Increment(ref count);
if (obj.NTSecurityDescriptor == null)
{
options.WriteVerbose($"DACL was null on ${obj.SAMAccountName}");
continue;
}
RawSecurityDescriptor desc = new RawSecurityDescriptor(obj.NTSecurityDescriptor, 0);
RawAcl acls = desc.DiscretionaryAcl;
//Figure out whose the owner
string ownersid = desc.Owner.ToString();
if (!manager.FindBySID(ownersid, CurrentDomain, out DBObject owner))
{
if (MappedPrincipal.GetCommon(ownersid, out MappedPrincipal mapped))
{
owner = new DBObject
{
BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}",
Type = "group",
Domain = CurrentDomain,
DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}",
};
}
else if (NullSIDS.TryGetValue(ownersid, out byte val))
{
owner = null;
continue;
}
else
{
try
{
DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={ownersid}>");
owner = entry.ConvertToDB();
manager.InsertRecord(owner);
}
catch
{
owner = null;
NullSIDS.TryAdd(ownersid, new byte());
options.WriteVerbose($"Unable to resolve {ownersid} for object owner");
continue;
}
}
}
if (owner != null)
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
Inherited = false,
RightName = "Owner",
PrincipalName = owner.BloodHoundDisplayName,
PrincipalType = owner.Type,
AceType = "",
Qualifier = "AccessAllowed"
});
}
foreach (QualifiedAce r in acls)
{
string PrincipalSID = r.SecurityIdentifier.ToString();
//Try to map our SID to the principal using a few different methods
if (!manager.FindBySID(PrincipalSID, CurrentDomain, out DBObject principal))
{
if (MappedPrincipal.GetCommon(PrincipalSID, out MappedPrincipal mapped))
{
principal = new DBObject
{
BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}",
Type = "group",
Domain = CurrentDomain,
DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}"
};
}
else if (NullSIDS.TryGetValue(ownersid, out byte val))
{
continue;
}
else
{
try
{
DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={PrincipalSID}>");
principal = entry.ConvertToDB();
manager.InsertRecord(principal);
}
catch
{
NullSIDS.TryAdd(PrincipalSID, new byte());
options.WriteVerbose($"Unable to resolve {PrincipalSID} for ACL");
continue;
}
}
}
//If we're here, we have a principal. Yay!
//Resolve the ActiveDirectoryRight
ActiveDirectoryRights right = (ActiveDirectoryRights)Enum.ToObject(typeof(ActiveDirectoryRights), r.AccessMask);
string rs = right.ToString();
string guid = r is ObjectAce ? ((ObjectAce)r).ObjectAceType.ToString() : "";
List <string> foundrights = new List <string>();
bool cont = false;
//Figure out if we need more processing
cont |= (rs.Contains("WriteDacl") || rs.Contains("WriteOwner"));
if (rs.Contains("GenericWrite") || rs.Contains("GenericAll"))
{
cont |= ("00000000-0000-0000-0000-000000000000".Equals(guid) || guid.Equals("") || cont);
}
if (rs.Contains("ExtendedRight"))
{
cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("") || guid.Equals("00299570-246d-11d0-a768-00aa006e0529") || cont);
//DCSync
cont |= (guid.Equals("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") || guid.Equals("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") || cont);
}
if (rs.Contains("WriteProperty"))
{
cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2") || guid.Equals("bf9679a8-0de6-11d0-a285-00aa003049e2") || cont);
}
if (!cont)
{
continue;
}
string acetype = null;
MatchCollection coll = GenericRegex.Matches(rs);
if (rs.Contains("ExtendedRight"))
{
switch (guid)
{
case "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2":
acetype = "DS-Replication-Get-Changes";
break;
case "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2":
acetype = "DS-Replication-Get-Changes-All";
break;
default:
acetype = "All";
break;
}
}
if (acetype != null && (acetype.Equals("DS-Replication-Get-Changes-All") || acetype.Equals("DS-Replication-Get-Changes")))
{
if (!syncers.TryGetValue(principal.DistinguishedName, out DCSync SyncObject))
{
SyncObject = new DCSync
{
Domain = obj.BloodHoundDisplayName,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type
};
}
if (acetype.Contains("-All"))
{
SyncObject.GetChangesAll = true;
}
else
{
SyncObject.GetChanges = true;
}
syncers.AddOrUpdate(principal.DistinguishedName, SyncObject, (key, oldVar) => SyncObject);
//We only care about these privs if we have both, so store that stuff and continue on
continue;
}
if (rs.Contains("GenericAll"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "GenericAll"
});
}
if (rs.Contains("GenericWrite"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "GenericWrite"
});
}
if (rs.Contains("WriteOwner"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteOwner"
});
}
if (rs.Contains("WriteDacl"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteDacl"
});
}
if (rs.Contains("WriteProperty"))
{
if (guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "Member",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteProperty"
});
}
else
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "Script-Path",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteProperty"
});
}
}
if (rs.Contains("ExtendedRight"))
{
if (guid.Equals("00299570-246d-11d0-a768-00aa006e0529"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "User-Force-Change-Password",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "ExtendedRight"
});
}
else
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "All",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "ExtendedRight"
});
}
}
}
}
}));
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), type, objectType, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType)
{
}
internal static int AccessMaskFromRights(ActiveDirectoryRights adRights) => (int)adRights;
public ActiveDirectoryAuditRule(IdentityReference identity, ActiveDirectoryRights adRights, AuditFlags auditFlags, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights), auditFlags, objectType, false, ActiveDirectoryInheritanceTranslator.GetInheritanceFlags(inheritanceType), ActiveDirectoryInheritanceTranslator.GetPropagationFlags(inheritanceType), inheritedObjectType)
{
}
// Get A Principal's Cumulitive AD Rights On An Object
private ActiveDirectoryRights GetAdAccessRights(string principal, string adObject)
{
ActiveDirectoryRights myRights = 0;
ActiveDirectoryRights myDenyRights = 0;
Principal p = DirectoryServices.GetPrincipal(principal);
if (p == null)
{
throw new AdException($"Principal [{principal}] Does Not Exist.", AdStatusType.DoesNotExist);
}
List <DirectoryEntry> groups = DirectoryServices.GetGroupMembership(p, true);
DirectoryEntry de = DirectoryServices.GetDirectoryEntry(adObject);
if (de == null)
{
throw new AdException($"Object [{adObject}] Does Not Exist.", AdStatusType.DoesNotExist);
}
List <AccessRuleObject> rules = DirectoryServices.GetAccessRules(de);
Dictionary <string, ActiveDirectoryRights> rights = new Dictionary <string, ActiveDirectoryRights>();
Dictionary <string, ActiveDirectoryRights> denyRights = new Dictionary <string, ActiveDirectoryRights>();
// Accumulate Allow and Deny Rights By Identity Reference
foreach (AccessRuleObject rule in rules)
{
if (rule.ControlType == System.Security.AccessControl.AccessControlType.Allow)
{
if (rights.Keys.Contains(rule.IdentityReference))
{
rights[rule.IdentityReference] |= rule.Rights;
}
else
{
rights.Add(rule.IdentityReference, rule.Rights);
}
}
else
{
if (rights.Keys.Contains(rule.IdentityReference))
{
denyRights[rule.IdentityReference] |= rule.Rights;
}
else
{
denyRights.Add(rule.IdentityReference, rule.Rights);
}
}
}
foreach (DirectoryEntry entry in groups)
{
if (entry.Properties.Contains("objectSid"))
{
string sid = DirectoryServices.ConvertByteToStringSid((byte[])entry.Properties["objectSid"].Value);
if (rights.ContainsKey(sid))
{
myRights |= rights[sid];
}
if (denyRights.ContainsKey(sid))
{
myDenyRights |= denyRights[sid];
}
}
}
// Apply Deny Rights
myDenyRights = myRights & myDenyRights;
myRights = myRights ^ myDenyRights;
return(myRights);
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type, Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, Guid inheritedObjectType) : this(identity, (int)adRights, type, objectType, false, InheritanceFlags.None, PropagationFlags.None, inheritedObjectType)
{
}
void fromActiveDirectorySecurity()
{
ActiveDirectorySecurity dsSecurity;
using (var entry = new DirectoryEntry("LDAP://" + _x500Name)) {
dsSecurity = entry.ObjectSecurity;
}
try {
SetOwner(dsSecurity.GetOwner(typeof(NTAccount)));
} catch {
SetOwner(dsSecurity.GetOwner(typeof(SecurityIdentifier)));
}
IEnumerable <IdentityReference> users = dsSecurity
.GetAccessRules(true, true, typeof(NTAccount))
.Cast <ActiveDirectoryAccessRule>()
.Select(x => x.IdentityReference)
.Distinct();
foreach (IdentityReference user in users)
{
foreach (AccessControlType accessType in Enum.GetValues(typeof(AccessControlType)))
{
CertTemplateRights rights = 0;
IEnumerable <ActiveDirectoryAccessRule> aceList = dsSecurity.GetAccessRules(true, true, typeof(NTAccount))
.Cast <ActiveDirectoryAccessRule>()
.Where(x => x.IdentityReference == user && x.AccessControlType == accessType);
foreach (ActiveDirectoryAccessRule ace in aceList)
{
ActiveDirectoryRights aceRights = ace.ActiveDirectoryRights;
if (aceRights.HasFlag(ActiveDirectoryRights.GenericRead) || aceRights.HasFlag(ActiveDirectoryRights.GenericExecute))
{
rights |= CertTemplateRights.Read;
}
if (aceRights.HasFlag(ActiveDirectoryRights.WriteDacl))
{
rights |= CertTemplateRights.Write;
}
if (aceRights.HasFlag(ActiveDirectoryRights.GenericAll))
{
rights |= CertTemplateRights.FullControl;
}
if (aceRights.HasFlag(ActiveDirectoryRights.ExtendedRight))
{
switch (ace.ObjectType.ToString())
{
case GUID_ENROLL:
rights |= CertTemplateRights.Enroll;
break;
case GUID_AUTOENROLL:
rights |= CertTemplateRights.Autoenroll;
break;
}
}
}
if (rights > 0)
{
AddAccessRule(new CertTemplateAccessRule(user, rights, accessType));
}
}
}
}
public ActiveDirectoryAccessRule(IdentityReference identity, ActiveDirectoryRights adRights, AccessControlType type) : this(identity, (int)adRights, type, Guid.Empty, false, InheritanceFlags.None, PropagationFlags.None, Guid.Empty)
{
}
public ActiveDirectoryAuditRule(
IdentityReference identity,
ActiveDirectoryRights adRights,
AuditFlags auditFlags)
: this(
identity,
ActiveDirectoryRightsTranslator.AccessMaskFromRights(adRights),
auditFlags,
Guid.Empty,
false,
InheritanceFlags.None,
PropagationFlags.None,
Guid.Empty
)
{
}
public ActiveDirectoryAccessRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AccessControlType type, ActiveDirectorySecurityInheritance inheritanceType) {}
internal static int AccessMaskFromRights(ActiveDirectoryRights adRights)
{
return (int)adRights;
}
public ActiveDirectoryAuditRule(System.Security.Principal.IdentityReference identity, ActiveDirectoryRights adRights, System.Security.AccessControl.AuditFlags auditFlags, System.Guid objectType, ActiveDirectorySecurityInheritance inheritanceType, System.Guid inheritedObjectType) {}
public static void RemoveOUSecurityfromUser(string ouPath, string domain, string Username, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance)
{
DirectoryEntry ou = GetADObject(ouPath);
NTAccount ADUser = new NTAccount(domain, Username);
ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule(
ADUser,
rights,
type,
inheritance
);
ou.ObjectSecurity.RemoveAccessRule(ruleRead);
ou.CommitChanges();
ou.Close();
}
