How do I find all groups in Active Directory on which the current user has WriteProperty access?

Currently I want to find all groups in Active Directory on which the current user has the WriteProperty right.

The problem is that I can find all groups the user is inserted into directly, but when the user is inside a group and that group has write access, it will not show up. I thought setting the boolean values of GetAccessRules() would help, but it did not.

So this is the code I already have:

    using System.Diagnostics;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;
    using System.Linq;
    using System.Security.Principal;

    var identity = WindowsIdentity.GetCurrent().User;
    var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
    var allSearcher = allDomains.Select(domain =>
    {
        var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
        // Apply some filter to focus on only some specific objects
        searcher.Filter = "(&(objectClass=group)(name=*part_of_group_name*))";
        return searcher;
    });
    var itemsFound = allSearcher
        .SelectMany(searcher => searcher.FindAll()
            .Cast<SearchResult>()
            .Select(result => result.GetDirectoryEntry()));
    var itemsWithWriteAccess = itemsFound
        .Where(entry => entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
            .Cast<ActiveDirectoryAccessRule>()
            // Only ACEs whose trustee is the user's own SID match here; ACEs granted to groups the user belongs to do not
            .Where(rule => rule.IdentityReference == identity)
            .Where(rule => (rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty)
            .Count() > 0);
    foreach (var item in itemsWithWriteAccess)
    {
        Debug.Print(item.Name);
    }

After a long time and with Harvey's help, I finally found a nice solution.

As Harvey already explained, it may be a bit difficult to really understand further what you will get in entry.Properties["allowedAttributesEffective"].Value. But for normal purposes, to check for write access you have to check whether that field is not null.

Here is the sample code:

    using System;
    using System.Diagnostics;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;
    using System.Linq;
    using System.Security.Principal;

    // (replace "part_of_group_name" with some partial group name existing in your AD)
    var groupNameContains = "part_of_group_name";
    var identity = WindowsIdentity.GetCurrent().User;
    var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
    var allSearcher = allDomains.Select(domain =>
    {
        var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
        // Apply some filter to focus on only some specific objects
        searcher.Filter = String.Format("(&(objectClass=group)(name=*{0}*))", groupNameContains);
        return searcher;
    });
    var directoryEntriesFound = allSearcher
        .SelectMany(searcher => searcher.FindAll()
            .Cast<SearchResult>()
            .Select(result => result.GetDirectoryEntry()));
    var allowedTo = directoryEntriesFound.Select(entry =>
    {
        using (entry)
        {
            // Ask the server for the attributes the caller is effectively allowed to write on this object
            entry.RefreshCache(new string[] { "allowedAttributesEffective" });
            var rights = entry.Properties["allowedAttributesEffective"].Value == null ? "read only" : "write";
            return new { Name = entry.Name, AllowedTo = rights };
        }
    });
    foreach (var item in allowedTo)
    {
        var message = String.Format("Name = {0}, AllowedTo = {1}", item.Name, item.AllowedTo);
        Debug.Print(message);
    }
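As an added example (not code from either post), this is how the question's ACE-based approach can be made to account for nested group membership for an audit of who can modify a group: each ACE's trustee is compared against every SID in the caller's token instead of only identity.User. It assumes the DirectoryEntry sequence produced by the posts' DirectorySearcher code as input; the class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupWriteAudit
{
    // Rights that let a trustee modify properties, directly or through a generic right.
    const ActiveDirectoryRights WriteMask = ActiveDirectoryRights.WriteProperty
        | ActiveDirectoryRights.GenericWrite | ActiveDirectoryRights.GenericAll;

    // Every SID in the caller's token: the user and all groups, nested ones included.
    // Comparing ACEs against only identity.User (as in the question) misses the group ACEs.
    public static HashSet<SecurityIdentifier> TokenSids(WindowsIdentity id)
    {
        var sids = new HashSet<SecurityIdentifier> { id.User };
        foreach (var g in id.Groups)
            if (g is SecurityIdentifier) sids.Add((SecurityIdentifier)g);
        return sids;
    }

    // Client-side approximation of the ACL check (the server's authoritative answer is
    // allowedAttributesEffective, as in the accepted answer). A Deny ACE for any token SID
    // wins; a per-attribute ACE (ObjectType != Guid.Empty) is reported as a partial write.
    public static string WriteAccessFor(DirectoryEntry entry, HashSet<SecurityIdentifier> sids)
    {
        var rules = entry.ObjectSecurity
            .GetAccessRules(true, true, typeof(SecurityIdentifier))
            .Cast<ActiveDirectoryAccessRule>()
            .Where(r => sids.Contains((SecurityIdentifier)r.IdentityReference))
            .Where(r => (r.ActiveDirectoryRights & WriteMask) != 0)
            .ToList();
        if (rules.Any(r => r.AccessControlType == AccessControlType.Deny)) return "denied";
        var allow = rules.FirstOrDefault(r => r.AccessControlType == AccessControlType.Allow);
        if (allow == null) return "none";
        return allow.ObjectType == Guid.Empty ? "write (all properties)" : "write (only " + allow.ObjectType + ")";
    }

    // Usage: feed in the DirectoryEntry sequence produced by the posts' DirectorySearcher code.
    public static void Report(IEnumerable<DirectoryEntry> groups)
    {
        var sids = TokenSids(WindowsIdentity.GetCurrent());
        foreach (var entry in groups)
            using (entry) Console.WriteLine(entry.Name + ": " + WriteAccessFor(entry, sids));
    }
}
```

Because WindowsIdentity.Groups reflects the logon token, a group membership added after logon only appears after the user logs on again, which is one more reason the server-side allowedAttributesEffective check is the more reliable of the two.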