How do I find all groups in Active Directory on which the current user has WriteProperty access?
Currently I want to find all groups in Active Directory on which the current user has the WriteProperty right.
The problem is that I can find all groups the user is inserted into directly, but when the user is inside a group and that group has the write access, it does not show up. I thought that setting the boolean values of GetAccessRules() would help, but it does not.
So here is the code I already have:
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Security.Principal;

var identity = WindowsIdentity.GetCurrent().User;
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
var allSearcher = allDomains.Select(domain =>
{
    var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
    // Apply some filter to focus on only some specific objects
    searcher.Filter = "(&(objectClass=group)(name=*part_of_group_name*))";
    return searcher;
});
var itemsFound = allSearcher
    .SelectMany(searcher => searcher.FindAll()
        .Cast<SearchResult>()
        .Select(result => result.GetDirectoryEntry()));
// Only ACEs whose trustee is the user's own SID are matched here, so rights
// granted through a group the user belongs to are not seen.
var itemsWithWriteAccess = itemsFound
    .Where(entry => entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
        .Cast<ActiveDirectoryAccessRule>()
        .Where(rule => rule.IdentityReference == identity)
        .Where(rule => (rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty)
        .Count() > 0);
foreach (var item in itemsWithWriteAccess)
{
    Debug.Print(item.Name);
}
After a long time and Harvey's help, I finally found a good solution.
As Harvey already explained, it might be a bit difficult to understand further what you get in entry.Properties["allowedAttributesEffective"].Value. But for normal purposes, to check for the write permission you have to check whether that field is not empty.
Here is the sample code:
using System;
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Security.Principal;

// (replace "part_of_group_name" with some partial group name existing in your AD)
var groupNameContains = "part_of_group_name";
var identity = WindowsIdentity.GetCurrent().User;
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
var allSearcher = allDomains.Select(domain =>
{
    var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
    // Apply some filter to focus on only some specific objects
    searcher.Filter = String.Format("(&(objectClass=group)(name=*{0}*))", groupNameContains);
    return searcher;
});
var directoryEntriesFound = allSearcher
    .SelectMany(searcher => searcher.FindAll()
        .Cast<SearchResult>()
        .Select(result => result.GetDirectoryEntry()));
var allowedTo = directoryEntriesFound.Select(entry =>
{
    using (entry)
    {
        // allowedAttributesEffective is a constructed attribute computed by the DC
        // for the connected caller, so it has to be requested explicitly.
        entry.RefreshCache(new string[] { "allowedAttributesEffective" });
        var rights = entry.Properties["allowedAttributesEffective"].Value == null
            ? "read only"
            : "write";
        return new { Name = entry.Name, AllowedTo = rights };
    }
});
foreach (var item in allowedTo)
{
    var message = String.Format("Name = {0}, AllowedTo = {1}", item.Name, item.AllowedTo);
    Debug.Print(message);
}
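An added example, not part of the question or the answer, showing the ACL-side alternative for auditing the same groups: instead of matching each ACE against the user's own SID only, it matches against every SID in the current logon token (where nested group membership is already expanded) and lets Deny entries win. It assumes the same DirectorySearcher as the code above; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupWriteAudit
{
    // The SIDs the current logon token carries: the user itself plus every group
    // it belongs to, with nested memberships already expanded by the domain controller.
    public static HashSet<SecurityIdentifier> CurrentTokenSids()
    {
        var id = WindowsIdentity.GetCurrent();
        var sids = new HashSet<SecurityIdentifier> { id.User };
        foreach (var g in id.Groups)
            sids.Add((SecurityIdentifier)g.Translate(typeof(SecurityIdentifier)));
        return sids;
    }

    // Approximates the DACL check for WriteProperty on one object: an ACE counts if it
    // names a SID in the token and applies to the object itself (not inherit-only);
    // any matching Deny wins over Allow. Property-specific ACEs (ObjectType set) are
    // not distinguished from object-wide ones; allowedAttributesEffective remains
    // the authoritative per-attribute answer.
    public static bool HasWriteProperty(ActiveDirectorySecurity dacl, ISet<SecurityIdentifier> tokenSids)
    {
        var matching = dacl.GetAccessRules(true, true, typeof(SecurityIdentifier))
            .Cast<ActiveDirectoryAccessRule>()
            .Where(r => (r.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) != 0)
            .Where(r => !r.PropagationFlags.HasFlag(PropagationFlags.InheritOnly))
            .Where(r => tokenSids.Contains((SecurityIdentifier)r.IdentityReference))
            .ToList();
        if (matching.Any(r => r.AccessControlType == AccessControlType.Deny)) return false;
        return matching.Any(r => r.AccessControlType == AccessControlType.Allow);
    }

    // Audits every group returned by a searcher (e.g. one from the allSearcher pipeline).
    public static IEnumerable<string> GroupsWritableByCurrentUser(DirectorySearcher searcher)
    {
        var tokenSids = CurrentTokenSids();
        foreach (SearchResult result in searcher.FindAll())
        {
            using (var entry = result.GetDirectoryEntry())
            {
                if (HasWriteProperty(entry.ObjectSecurity, tokenSids))
                    yield return entry.Path;
            }
        }
    }
}
```

Because the token is evaluated on the client, the result can differ from the DC's own decision (for example after a group change that the current logon has not picked up yet), which is why the answer's allowedAttributesEffective check is the more reliable source.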