public IResult Collect(SearchString searchstring)
            NestedGMSearchString searchString = (NestedGMSearchString)searchstring;

            _logger.Debug($"Collecting Nested Group Membership for {searchString.SAMAccountName}");
            List <string> groupList = new List <string>();
            Dictionary <string, string> groupMap = new Dictionary <string, string>();

            string nameFilter = $"(sAMAccountName={searchString.SAMAccountName})";

            var ldapSearchString = new LDAPSearchString {
                DN = Searcher.LdapInfo.RootDN, Filter = nameFilter, Scope = SearchScope.Subtree
            var resultEntry = Searcher.GetResultEntry(ldapSearchString);

            if (resultEntry == null)

            using (var userEntry = (Searcher.GetDirectoryEntry(resultEntry.DistinguishedName)))
                //Use RefreshCach to get the constructed attribute tokenGroups.
                userEntry.RefreshCache(new string[] { "tokenGroups" });

                foreach (byte[] sid in userEntry.Properties["tokenGroups"])
                    string groupSID  = new SecurityIdentifier(sid, 0).ToString();
                    string groupName = Helper.SIDNameSID(groupSID);
                    groupMap.Add(groupSID, groupName);

            //Somehow these groups are missing
            groupMap.Add("S-1-5-11", @"NT AUTHORITY\Authenticated Users");
            groupMap.Add("S-1-5-15", @"NT AUTHORITY\This Organization");
            UserSIDNameDictionary.Add(searchString.SAMAccountName.ToUpper(), groupMap);

            return(new ListResult {
                Title = searchString.Title, Result = groupList
 public static AuthorizationRuleCollection GetAuthorizationRules(string targetDn, out string ownerSID)
     logger.Debug($"Getting Authorization Rules for {targetDn}");
         using (var aclEntry = Searcher.GetDirectoryEntry(targetDn))
             ActiveDirectorySecurity sec = aclEntry.ObjectSecurity;
             ownerSID = sec.GetOwner(typeof(SecurityIdentifier)).ToString();
             AuthorizationRuleCollection rules = sec.GetAccessRules(true, true, typeof(SecurityIdentifier));
         logger.Error($"Cannot get authorization data on {targetDn}");
         ownerSID = null;
        //1. Iterate each OU/Domain/Site: "gplink" & "gpoptions"
        //2. Find GPOs that are linked to each OU/Domain/Site
        //3. Iterate each GPO to find out if they have WMI filters: "gPCWQLFilter"
        //4. Find the WMI policy and check if the policy is filtered out: "msWMI-Parm2"
        public IResult Collect(SearchString searchstring)
            AppliedGPOSearchString searchString = (AppliedGPOSearchString)searchstring;

            var ouList = CollectMyOUs(searchString.SAMAccountName);

            if (ouList == null)

            AppliedGPOs = new Dictionary <string, Dictionary <string, string> >();
            Regex gpoRx      = new Regex(@"=(\{.+?\}),", RegexOptions.Compiled);
            Regex gpoptionRx = new Regex(@";(\d)", RegexOptions.Compiled);

            foreach (string ouDN in ouList)
                bool isBlocking = false;
                bool isEnforced = false;
                bool isDenied   = false;
                var  linkedGPOs = new Dictionary <string, string>();

                using (var ouEntry = Searcher.GetDirectoryEntry(ouDN))
                    //Linked GPOs & Enforcement
                    if (ouEntry.Properties.Contains("gplink"))
                        string[] gplinkArrary = Regex.Split(ouEntry.Properties["gplink"][0].ToString(), @"\]\[");
                        if (gplinkArrary == null)

                        foreach (var gplinkString in gplinkArrary)
                            if (gplinkString.Replace(" ", "") == string.Empty)

                            Match matchGPO = gpoRx.Match(gplinkString);

                            Match matchGpoption = gpoptionRx.Match(gplinkString);

                            string gpoID = matchGPO.Groups[1].ToString().ToUpper();

                            //0: Default: The GPO Link is not ignored and is not an enforced GPO.
                            //1: The GPO Link MUST be ignored.
                            //2: The GPO Link is an enforced GPO.
                            isEnforced = (int.Parse(matchGpoption.Groups[1].ToString()) == 2);

                            string gpoDn = "CN=" + gpoID + ",CN=Policies,CN=System," + Searcher.LdapInfo.RootDN;

                            try//in case the gpo was deleted
                                string gpoName = GPO.GroupPolicies[gpoID];
                                //SecurityFiltering: Check if the target GPO applied to the current user
                                isDenied = IsDeniedPolicy(searchString.SAMAccountName, gpoDn);
                                gpoName  = isDenied ? (gpoName + "  [X Denied]") : gpoName;
                                gpoName  = isEnforced ? (gpoName + " [Enforced]") : gpoName;

                                linkedGPOs.Add(gpoID, gpoName);
                            catch { _logger.Warn($"GPO {gpoID} was probably deleted."); }
                    //If a OU blocks inheritance
                    if (ouEntry.Properties.Contains("gpOptions"))
                        //OUs that block inheritance will only ignore non-enforecd GPO
                        //OU Attribute: gPOptions=1  Block Inheritance
                        isBlocking = (int)ouEntry.Properties["gpOptions"][0] == 1;

                string ou = isBlocking ? (ouDN + " [Blocking Inheritance]") : ouDN;

                AppliedGPOs.Add(ou, linkedGPOs);
            return(new DDResult {
                Title = searchString.Title, Result = AppliedGPOs