beari7

Reputation: 105

Get Group Permissions from LDAP with C# (READ ACL)

I would like to get the permissions of a group, e.g. users in this group can read, or write...

I work with Microsoft ActiveDirectory.

With the DirectorySearcher I search like this:

DirectorySearcher searcher = new DirectorySearcher(rootDSE)
{
    Filter = searchString,
    // SecurityMasks tells the DC which parts of the security descriptor to return in ntSecurityDescriptor
    //SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Sacl
    SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Group
    //SecurityMasks = SecurityMasks.Dacl
    //SecurityMasks = SecurityMasks.Group
};

The ntSecurityDescriptor is a byte array in my code:

group["ntSecurityDescriptor"][0] as byte[]

So far so good.

And now I try to list the permissions:

using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static void ReadAccess(byte[] sec)
{
    ActiveDirectorySecurity retVal = new ActiveDirectorySecurity();
    retVal.SetSecurityDescriptorBinaryForm(sec);

    // includeExplicit = true, includeInherited = false
    //AuthorizationRuleCollection arc = retVal.GetAccessRules(true, false, typeof(NTAccount));
    AuthorizationRuleCollection arc = retVal.GetAccessRules(true, false, typeof(SecurityIdentifier));

    Console.WriteLine("\n\n");
    //AuthorizationRule || ActiveDirectoryAccessRule
    foreach (ActiveDirectoryAccessRule acr in arc)
    {
        // Resolve the SID to DOMAIN\name; stays null for SIDs that no longer map to an account
        string account = null;
        try
        {
            account = acr.IdentityReference.Translate(typeof(NTAccount)).Value;
        }
        catch (IdentityNotMappedException) { }

        // ActiveDirectoryRights is a [Flags] enum, so test the bits instead of comparing for equality;
        // an ACE that carries GenericRead together with other bits would otherwise report false everywhere
        ActiveDirectoryRights rights = acr.ActiveDirectoryRights;
        bool all = (rights & ActiveDirectoryRights.GenericAll) == ActiveDirectoryRights.GenericAll;
        bool read = (rights & ActiveDirectoryRights.GenericRead) == ActiveDirectoryRights.GenericRead;
        bool write = (rights & ActiveDirectoryRights.GenericWrite) == ActiveDirectoryRights.GenericWrite;
        bool execute = (rights & ActiveDirectoryRights.GenericExecute) == ActiveDirectoryRights.GenericExecute;
        bool extended = (rights & ActiveDirectoryRights.ExtendedRight) != 0;

        Console.WriteLine("{0}\t{1}\t{2}\t{3}\t{4}", all, read, write, execute, extended);
        Console.WriteLine("{0}\t{1}\t{2}", rights, acr.AccessControlType, account);
        Console.WriteLine("\n");
    }
}

I don't understand the result.

I think I'm on the wrong track; I hope someone can help me.

Upvotes: 1

Views: 1474

Answers (1)

Gabriel Luci

Reputation: 41008

If I am understanding correctly, you are seeing permissions for "ADM_Group" on your group, but you don't see that permission when you look at the permissions in your code.

You are excluding inherited permissions by passing false in the second parameter of GetAccessRules():

retVal.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier))

So if it is an inherited permission that is giving "ADM_Group" the permissions, then maybe that is why you are not seeing it.

In AD Users and Computers, you can click on 'Advanced' (or in your case 'Erweitert') to see each individual ACL in the permissions. The view in your screenshot combines ACLs to provide a simplified view of the permissions.

Upvotes: 2
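As an added example (not code from either post), the approach the answer suggests worked through end to end: the same kind of binary security descriptor the question reads from `group["ntSecurityDescriptor"][0]` is built here from a constructed SDDL string so the program runs without a domain, every ACE is listed with inherited entries included, and the `[Flags]` rights are tested with bitwise AND rather than equality. The SID shorthands BA, AU and WD are the well-known BUILTIN\Administrators, Authenticated Users and Everyone; the GUID is the User-Change-Password control-access right from the AD schema. `SummarizeByTrustee` is an assumption about how the basic Security tab collapses several ACEs into one line (it just ORs the allow and deny masks per trustee) and is not Microsoft's display logic.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupAclExample
{
    // List every ACE in the DACL, inherited ones included, with the rights bits tested properly.
    // Input is the same byte[] that group["ntSecurityDescriptor"][0] gives you.
    static void ListAccessRules(byte[] ntSecurityDescriptor)
    {
        var sd = new ActiveDirectorySecurity();
        sd.SetSecurityDescriptorBinaryForm(ntSecurityDescriptor);

        // includeExplicit = true, includeInherited = true. Passing false for the second
        // argument hides every permission that reaches the object through inheritance.
        foreach (ActiveDirectoryAccessRule rule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            var sid = (SecurityIdentifier)rule.IdentityReference;
            string trustee;
            try { trustee = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { trustee = sid.Value; } // orphaned/foreign SID: keep S-1-...

            // ActiveDirectoryRights is a [Flags] enum: test bits, do not compare for equality.
            ActiveDirectoryRights r = rule.ActiveDirectoryRights;
            bool all      = (r & ActiveDirectoryRights.GenericAll)   == ActiveDirectoryRights.GenericAll;
            bool read     = (r & ActiveDirectoryRights.GenericRead)  == ActiveDirectoryRights.GenericRead;
            bool write    = (r & ActiveDirectoryRights.GenericWrite) == ActiveDirectoryRights.GenericWrite;
            bool extended = (r & ActiveDirectoryRights.ExtendedRight) != 0;

            // For object ACEs, ObjectType names the property, property set or extended right the ACE
            // applies to; Guid.Empty means the ACE covers the whole object.
            string scope = rule.ObjectType == Guid.Empty ? "(whole object)" : rule.ObjectType.ToString();

            Console.WriteLine("{0,-5} {1,-30} inherited={2,-5} all={3,-5} read={4,-5} write={5,-5} extended={6,-5} {7}",
                rule.AccessControlType, trustee, rule.IsInherited, all, read, write, extended, scope);
            Console.WriteLine("      raw rights: {0}", r);
        }
    }

    // Rough equivalent of the basic "Security" tab in AD Users and Computers: OR the allow bits and
    // the deny bits per trustee so that explicit and inherited ACEs collapse into one line.
    // (Assumption for illustration; it is not Microsoft's exact display logic.)
    static Dictionary<string, (ActiveDirectoryRights allow, ActiveDirectoryRights deny)>
        SummarizeByTrustee(byte[] ntSecurityDescriptor)
    {
        var sd = new ActiveDirectorySecurity();
        sd.SetSecurityDescriptorBinaryForm(ntSecurityDescriptor);

        var summary = new Dictionary<string, (ActiveDirectoryRights allow, ActiveDirectoryRights deny)>();
        foreach (ActiveDirectoryAccessRule rule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            string key = rule.IdentityReference.Value;
            summary.TryGetValue(key, out var acc);      // default (0, 0) when the trustee is new
            if (rule.AccessControlType == AccessControlType.Allow) acc.allow |= rule.ActiveDirectoryRights;
            else                                                   acc.deny  |= rule.ActiveDirectoryRights;
            summary[key] = acc;
        }
        return summary;
    }

    static void Main()
    {
        // Constructed sample descriptor (not from a real domain), built from SDDL so the example
        // runs without LDAP. BA/AU/WD are the well-known BUILTIN\Administrators, Authenticated Users
        // and Everyone SIDs. The second ACE carries the ID (inherited) flag, so it is exactly the kind
        // of entry that GetAccessRules(true, false, ...) drops. 0x000F01FF is the bit pattern of
        // ActiveDirectoryRights.GenericAll as AD stores it (the SDDL shorthand GA would store the raw
        // GENERIC_ALL bit instead, which the enum does not define). The GUID is the
        // User-Change-Password control-access right from the AD schema.
        const string sddl =
            "O:BAG:BAD:" +
            "(A;;RPWP;;;AU)" +                                   // explicit: read/write property
            "(A;CIID;0x000F01FF;;;BA)" +                         // inherited: GenericAll
            "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"; // object ACE: one extended right

        var sd = new ActiveDirectorySecurity();
        sd.SetSecurityDescriptorSddlForm(sddl);
        byte[] bytes = sd.GetSecurityDescriptorBinaryForm(); // same shape as the LDAP attribute value

        ListAccessRules(bytes);

        Console.WriteLine();
        foreach (var kv in SummarizeByTrustee(bytes))
            Console.WriteLine("{0}: allow={1} deny={2}", kv.Key, kv.Value.allow, kv.Value.deny);
    }
}
```

System.DirectoryServices is Windows-only (on .NET Core/5+ it comes from the System.DirectoryServices NuGet package). In the real program, replace the SDDL-built bytes with `group["ntSecurityDescriptor"][0] as byte[]` from the DirectorySearcher; the search must still request `SecurityMasks.Dacl`, otherwise the attribute comes back without the DACL and no access rules are returned. In the output, BUILTIN\Administrators shows up only through the inherited ACE, which is the situation the answer describes.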
