
I want to test if an arbitrary user has write-access to attributes of a particular Active Directory object. I think one part of the solution appears to be this:

using System.Security.Principal;

// Translate a down-level account name into its SID
NTAccount Account = new NTAccount("Domain\\XYZ");
SecurityIdentifier Sid =
    (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier));

That seems to allow me to get a concrete representation from a string representation of the user. Another piece of the puzzle I think is this:

using System.DirectoryServices;

string strMemberString = "LDAP://OU=Test,DC=Domain,DC=local";
DirectoryEntry computers = new DirectoryEntry();
computers.Path = strMemberString;
// Request all four parts of the security descriptor when it is read
computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
    | SecurityMasks.Dacl | SecurityMasks.Sacl;

foreach (DirectoryEntry computer in computers.Children)
{
   if (computer.Name == "CN=Test")
   {
      ActiveDirectorySecurity sdc = computer.ObjectSecurity;
      //...
   }
}

Not sure where to go from there. How do I finish this? Is there an entirely different way I should be pursuing? I'm using .net 4.0.

I'd prefer that the solution be entirely BCL code, rather than PInvoke or WMI.

Brent Arias
  • Are you aware of the fact that "having write access to attributes of a particular Active Directory object" can result from membership of a group, or of a group which belongs to a group, and so on? – JPBlanc Jul 22 '11 at 12:06
  • @JPBlanc: Yes, I am aware. That "work" should be handled for me by the BCL. I just need to understand the usage story. – Brent Arias Jul 22 '11 at 21:03
  • I edited my answer; you'll find there the way to retrieve the security groups a user belongs to. – JPBlanc Jul 23 '11 at 05:33

2 Answers


I think that the best way is to look for a class that gives the "Effective Rights" as represented in a tab of the advanced dialog box in the security tab of an AD object:

[screenshot omitted]

There is also a command-line tool called ACLDiag.exe that does what you want.


(Edited) To find the groups a user belongs to, you can:

  • Write a recursive query program; it gives bad performance in big organizations.

  • Use a special matching rule called "LDAP_MATCHING_RULE_IN_CHAIN" (see Search Filter Syntax for more information). I give an example in this other question. It's a bit long too, but as far as I know, it's the only way to retrieve security AND distribution groups.

  • Use the 'tokenGroups' attribute. It is a computed attribute which holds the IDs of every security group the user is a member of, including the indirect groups. I think this is the one you can use, and it is provided by the UserPrincipal.GetAuthorizationGroups method (in the System.DirectoryServices.AccountManagement namespace, introduced in .NET 3.5).

JPBlanc
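Putting the question's ActiveDirectorySecurity snippet together with the tokenGroups / GetAuthorizationGroups route from this answer, here is an added example (not code from the question or either answer) that collects the SIDs an access check would consider for a user and lists the DACL entries on a target object that allow or deny a write right to any of them. The domain name, account name and object path are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;
// Added example, not code from the question or the answers. Domain, account
// and object path are constructed placeholders.
static class WritePropertyAudit
{
    // SIDs an access check considers for this user: the user's own SID plus every
    // security group from tokenGroups (nested groups included).
    public static HashSet<SecurityIdentifier> TokenSids(string domain, string samAccountName)
    {
        var sids = new HashSet<SecurityIdentifier>();
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) throw new ArgumentException("user not found: " + samAccountName);
            sids.Add(user.Sid);
            foreach (Principal g in user.GetAuthorizationGroups())
                if (g.Sid != null) sids.Add(g.Sid);
        }
        return sids;
    }
    // Every explicit or inherited ACE on the object that allows or denies a write right
    // to one of the token SIDs. ObjectType is the schema GUID of the attribute or
    // property set the ACE is scoped to; Guid.Empty means all attributes.
    public static List<ActiveDirectoryAccessRule> WriteAces(string objectPath, HashSet<SecurityIdentifier> tokenSids)
    {
        const ActiveDirectoryRights writeMask = ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.GenericWrite | ActiveDirectoryRights.GenericAll;
        var hits = new List<ActiveDirectoryAccessRule>();
        using (var entry = new DirectoryEntry(objectPath))
        {
            entry.Options.SecurityMasks = SecurityMasks.Dacl; // only the DACL is needed here
            foreach (ActiveDirectoryAccessRule rule in entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                if (!tokenSids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
                if ((rule.ActiveDirectoryRights & writeMask) != 0) hits.Add(rule);
            }
        }
        return hits;
    }
    static void Main()
    {
        var sids = TokenSids("Domain.local", "XYZ"); // constructed placeholder values
        foreach (var r in WriteAces("LDAP://CN=Test,OU=Test,DC=Domain,DC=local", sids))
            Console.WriteLine("{0} {1} ObjectType={2} Inherited={3}",
                r.AccessControlType, r.IdentityReference, r.ObjectType, r.IsInherited);
    }
}
```

This reports the ACEs that mention the user or its groups rather than a final effective-rights verdict: deny ordering, the ObjectType scoping (attribute versus property-set GUID) and rights such as Self or ExtendedRight still have to be interpreted. The allowedAttributesEffective attribute mentioned in the other answer gives the server's own answer, but only for the identity making the LDAP call.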

You need to inspect the allowedAttributesEffective attribute.

Brian Desmond
  • [Allowed-Attributes-Effective](http://msdn.microsoft.com/en-us/library/ms675218(v=VS.85).aspx) is the list of attributes that can be modified on the object – JPBlanc Jul 24 '11 at 10:25
  • I was thinking that he was looking for ACLs on attributes. – JPBlanc Jul 24 '11 at 18:08