【问题标题】:Reading / Writing security properties to objects in Active Directory (the same way Delegation of rights work) C#向 Active Directory 中的对象读取/写入安全属性(与权限委派的工作方式相同)C#
【发布时间】:2011-06-06 11:09:15
【问题描述】:

我正在寻找一种在 Windows Server 2008+ 上的 Active Directory 中读取和设置对象(OU 或用户/计算机)的安全权限的方法。与使用 Active Directory 向导进行委派的方式相同吗?我希望能够选择 OU 并使用重置密码权限或创建/管理用户的能力为其分配组?

我怎样才能做到这一点?

【问题讨论】:

    标签: c# active-directory windows-server-2008 windows-server-2008-r2 windows-security


    【解决方案1】:

    下面是一个简单的例子,它允许域用户“user1”为 OU 中的用户“ForUser1”重置密码

    /* Connection to Active Directory
     */
    DirectoryEntry workingOU = new DirectoryEntry();
    workingOU.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl;
    workingOU.Path = "LDAP://WM2008R2ENT:389/ou=ForUser1,dc=dom,dc=fr";
    
    /* Retreive Obect security
     */
    ActiveDirectorySecurity adsOUSec = workingOU.ObjectSecurity;
    
    /* Ellaborate the user to delegate
     */
    NTAccount ntaToDelegate = new NTAccount("dom", "user1");
    SecurityIdentifier sidToDelegate = (SecurityIdentifier)ntaToDelegate.Translate (typeof(SecurityIdentifier));
    
    /* Specils Guids
     */
    Guid UserForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529");
    Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");
    Guid pwdLastSetSchemaGuid = new Guid("bf967a0a-0de6-11d0-a285-00aa003049e2");
    
    /* Ellaborate ACEs
     */
    ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(ntaToDelegate, AccessControlType.Allow, UserForceChangePassword, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
    PropertyAccessRule parPwdLastSetW = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Write, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
    PropertyAccessRule parPwdLastSetR = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Read, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
    adsOUSec.AddAccessRule(erarResetPwd);
    adsOUSec.AddAccessRule(parPwdLastSetW);
    adsOUSec.AddAccessRule(parPwdLastSetR);
    
    workingOU.CommitChanges();
    

    之后你需要:

    place to find ExtendedRightAccessRule.

    查找 Active-Directory 架构 attributesclasses 信息的地方。

    【讨论】:

    • 我会检查它的进展情况,但它似乎正是我所需要的。我想我可以在阅读信息时扩展 ObjectSecurity 吗?所以我可以找出哪些组以及分配给该 OU 的“权利”?
    猜你喜欢
    • 1970-01-01
    • 2012-09-09
    • 1970-01-01
    • 2021-11-22
    • 1970-01-01
    • 2019-05-07
    • 1970-01-01
    • 1970-01-01
    • 2017-11-26
    相关资源
    最近更新 更多