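/// <summary>
/// Sets the group's <c>managedBy</c> attribute to the account at <paramref name="managerLDAPPath"/>
/// and, when requested, appends an allow ACE to the group's DACL that lets that account write the
/// <c>member</c> attribute (the "Manager can update membership list" behaviour).
/// </summary>
/// <param name="managerLDAPPath">LDAP path of the manager's account object.</param>
/// <param name="managerUpdateMembershipList">When true, the manager is also granted write access to the group's member attribute.</param>
/// <param name="group">The bound group entry to modify.</param>
/// <exception cref="InvalidOperationException">
/// The manager object has no distinguishedName, no userPrincipalName, or a userPrincipalName without an '@'.
/// </exception>
private void setManagedBy(string managerLDAPPath, bool managerUpdateMembershipList, DirectoryEntry group)
{
    // Bind with the configured service account. DirectoryEntry wraps a COM object, so dispose it.
    using (DirectoryEntry managedBy = new DirectoryEntry(managerLDAPPath, credentials.UserName + "@" + credentials.Domain, credentials.Password))
    {
        object dnValue = managedBy.Properties["distinguishedName"].Value;
        object upnValue = managedBy.Properties["userPrincipalName"].Value;
        if (dnValue == null || upnValue == null)
        {
            throw new InvalidOperationException("Manager object '" + managerLDAPPath + "' has no distinguishedName or userPrincipalName.");
        }

        string managerDistinguishedName = dnValue.ToString();
        string[] upnParts = upnValue.ToString().Split('@');
        if (upnParts.Length < 2)
        {
            throw new InvalidOperationException("userPrincipalName of '" + managerLDAPPath + "' does not contain an '@'.");
        }

        // The UPN prefix is not guaranteed to equal sAMAccountName, and the trustee string below
        // needs the real sAMAccountName; read it from the object and only fall back to the UPN prefix.
        object samValue = managedBy.Properties["sAMAccountName"].Value;
        string managerSamAccountName = samValue != null ? samValue.ToString() : upnParts[0];

        // NOTE: this derives the NetBIOS domain name by stripping ".com" from the UPN suffix, which is
        // only correct for single-label ".com" forests; a domain-name lookup would be more robust.
        string managerDomainName = upnParts[1].Replace(".com", "");

        setSinglePropertyValue(group, "managedBy", managerDistinguishedName);

        if (!managerUpdateMembershipList)
        {
            return;
        }

        IADsSecurityDescriptor sd = (IADsSecurityDescriptor)group.Properties["ntSecurityDescriptor"].Value;
        IADsAccessControlList dacl = (IADsAccessControlList)sd.DiscretionaryAcl;

        IADsAccessControlEntry ace = new AccessControlEntry();
        ace.Trustee = string.Format("{0}\\{1}", managerDomainName, managerSamAccountName);
        // Object-specific allow ACE: WRITE_PROP scoped by ObjectType to a single attribute.
        ace.AccessMask = (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DS_WRITE_PROP;
        // No CONTAINER/OBJECT inherit flag is set, so the ACE applies to the group object itself only.
        ace.AceFlags = (int)ADS_ACEFLAG_ENUM.ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE;
        ace.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
        ace.Flags = (int)ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
        // schemaIDGUID of the "member" attribute: the grant is limited to editing the membership list.
        ace.ObjectType = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}";

        dacl.AddAce(ace);
        sd.DiscretionaryAcl = dacl;

        // The descriptor is written through the native IADs interface (Put + SetInfo), not via
        // DirectoryEntry.CommitChanges(); any pending DirectoryEntry-level changes on 'group' are
        // presumably committed by setSinglePropertyValue — verify against that helper.
        ((IADsGroup)group.NativeObject).Put("ntSecurityDescriptor", sd);
        ((IADsGroup)group.NativeObject).SetInfo();
    }
}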
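/// <summary>
/// Replaces this computer object's discretionary ACL with the DACL of <paramref name="baseComputer"/>,
/// i.e. copies the base computer's permissions onto this one wholesale (existing ACEs are not kept).
/// The misspelled name is part of the public interface and is therefore kept.
/// </summary>
/// <param name="baseComputer">The computer whose DACL is copied.</param>
/// <exception cref="ArgumentNullException"><paramref name="baseComputer"/> is null.</exception>
public void ReplacePermisions(Computer baseComputer)
{
    if (baseComputer == null)
    {
        throw new ArgumentNullException("baseComputer");
    }

    // The current ACL is read but not used; the read is kept because the property getter may
    // lazily load the descriptor (not visible from here — confirm before removing).
    IADsAccessControlList currentAcl = AccessControlList;
    IADsAccessControlList baseAcl = baseComputer.AccessControlList;

    // Swap the DACL on a working copy of the descriptor and write it back through the setter.
    IADsSecurityDescriptor sd = SecurityDescriptor;
    sd.DiscretionaryAcl = baseAcl;
    SecurityDescriptor = sd;
}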
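/// <summary>
/// Wraps the DACL of a directory object. Reads the <c>ntSecurityDescriptor</c> of
/// <paramref name="user"/> into <c>_securityDescriptor</c> and <c>_accessControlList</c>
/// on a best-effort basis (a read failure leaves both null) and then calls <c>Fill()</c>.
/// </summary>
/// <param name="user">Bound directory entry whose security descriptor is read.</param>
/// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
public AccessControlList(DirectoryEntry user)
{
    if (user == null)
    {
        throw new ArgumentNullException("user");
    }

    _user = user;
    if (_securityDescriptor == null)
    {
        try
        {
            // 'as' yields null instead of throwing when the property is absent or of another type.
            _securityDescriptor = _user.Properties["ntSecurityDescriptor"].Value as IADsSecurityDescriptor;
            if (_securityDescriptor != null)
            {
                _accessControlList = _securityDescriptor.DiscretionaryAcl as IADsAccessControlList;
            }
        }
        catch (Exception)
        {
            // Best-effort read, as before: a COM/directory failure leaves the fields null.
            // TODO: trace the error so silent failures are visible to the operator.
        }
    }

    // Fill() must cope with _accessControlList being null after a failed read — confirm in Fill.
    Fill();
}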
/// <summary>
/// Diagnostic: walks the DACL of the default naming context through the ADSI interop
/// interfaces and prints trustee, access mask, ACE type and ACE flags of every entry.
/// </summary>
public void GetSecurityDescriptorViaInterop()
{
    DirectoryEntry partition = TestUtils.GetDefaultPartition();
    // NOTE(review): the entry is not disposed here; whether TestUtils hands out a shared or a
    // fresh instance is not visible from this method.

    object rawDescriptor = partition.Properties["ntSecurityDescriptor"].Value;
    IADsSecurityDescriptor descriptor = (IADsSecurityDescriptor)rawDescriptor;
    IADsAccessControlList discretionaryAcl = (IADsAccessControlList)descriptor.DiscretionaryAcl;

    // The ACL is enumerated through the non-generic IEnumerable it exposes.
    IEnumerable entries = (IEnumerable)discretionaryAcl;
    foreach (IADsAccessControlEntry entry in entries)
    {
        Console.WriteLine("Trustee: {0}", entry.Trustee);
        Console.WriteLine("AccessMask: {0}", entry.AccessMask);
        Console.WriteLine("Access Type: {0}", entry.AceType);
        Console.WriteLine("Access Flags: {0}", entry.AceFlags);
    }
}
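/// <summary>
/// Grants <paramref name="Trustee"/> the rights needed to join this computer object to the domain.
/// The ACEs are built by <c>Tools.ADACEComputerJoinPermissions</c>, appended to the current DACL,
/// and the descriptor is written back through the <c>SecurityDescriptor</c> setter.
/// </summary>
/// <param name="Trustee">Account or group to grant the rights to, e.g. <c>domain\user</c> or <c>Authenticated Users</c>.</param>
/// <exception cref="ArgumentException"><paramref name="Trustee"/> is null or empty.</exception>
public void SetJoinPermissions(string Trustee)
{
    if (string.IsNullOrEmpty(Trustee))
    {
        throw new ArgumentException("A trustee is required.", "Trustee");
    }

    // Work on the current ACL; AddAce appends, so repeated calls for the same trustee are
    // likely to leave duplicate ACEs behind — callers should check before re-granting.
    IADsAccessControlList acl = AccessControlList;

    // Only the write-account-restrictions ACE set of the helper is applied here.
    Tools.ADACEComputerJoinPermissions joinPermissions = new Tools.ADACEComputerJoinPermissions(Trustee);
    foreach (IADsAccessControlEntry ace in joinPermissions.ace_writeaccountrestrictions)
    {
        acl.AddAce(ace);
    }

    // Update the security descriptor with the new ACL.
    IADsSecurityDescriptor sd = SecurityDescriptor;
    sd.DiscretionaryAcl = acl;
    SecurityDescriptor = sd;
}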
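/// <summary>
/// Sample: appends an access-allowed ACE for a hard-coded trustee to a user object's DACL via the
/// ADSI interop interfaces and commits it with <c>DirectoryEntry.CommitChanges()</c>.
/// </summary>
public void UpdateSecurityDescriptorViaInterop()
{
    // Point this at any object (a user is used here). CreateDirectoryEntry appears to return a
    // fresh entry, so it is disposed when done — confirm against TestUtils.
    using (DirectoryEntry entry = TestUtils.CreateDirectoryEntry("CN=User1,OU=Users," + TestUtils.Settings.DefaultPartition))
    {
        IADsSecurityDescriptor sd = (IADsSecurityDescriptor)entry.Properties["ntSecurityDescriptor"].Value;
        IADsAccessControlList dacl = (IADsAccessControlList)sd.DiscretionaryAcl;

        IADsAccessControlEntry newAce = new AccessControlEntryClass();
        newAce.Trustee = @"mydomain\some user"; // update this to your needs
        // -1 sets every bit of the access mask, i.e. full control over the object. Production code
        // should grant only the specific ADS_RIGHTS_ENUM rights the trustee actually needs.
        newAce.AccessMask = -1;
        newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;

        dacl.AddAce(newAce);
        sd.DiscretionaryAcl = dacl;
        entry.Properties["ntSecurityDescriptor"].Value = sd;
        entry.CommitChanges();
    }
}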