Get Group Permissions from LDAP with C# (READ ACL)
I would like to get the permissions from a group.
e.g. User in this Group can Read, or Write...
I work with Microsoft Active Directory.
With the DirectorySearcher I search like this:

    DirectorySearcher searcher = new DirectorySearcher(rootDSE)
    {
        Filter = searchString,
        //SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Sacl
        SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Group
        //SecurityMasks = SecurityMasks.Dacl
        //SecurityMasks = SecurityMasks.Group
    };

The ntSecurityDescriptor is a byte array in my code:

    group["ntSecurityDescriptor"][0] as byte[]

So far so good.
And now I will try to list the permissions:

    static void ReadAccess(byte[] sec)
    {
        // Load the raw ntSecurityDescriptor bytes into a security object
        System.DirectoryServices.ActiveDirectorySecurity retVal = new System.DirectoryServices.ActiveDirectorySecurity();
        retVal.SetSecurityDescriptorBinaryForm(sec);
        //AuthorizationRuleCollection arc = retVal.GetAccessRules(true, false, typeof(System.Security.Principal.NTAccount));
        AuthorizationRuleCollection arc = retVal.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier));
        Console.WriteLine("\n\n");
        //AuthorizationRule || ActiveDirectoryAccessRule
        foreach (ActiveDirectoryAccessRule acr in arc)
        {
            // Resolve the SID to an account name; sid stays null if it cannot be translated
            string sid = null;
            try
            {
                sid = (acr.IdentityReference).Translate(typeof(NTAccount)).Value;
            }
            catch { }
            bool all = acr.ActiveDirectoryRights == ActiveDirectoryRights.GenericAll;
            bool read = acr.ActiveDirectoryRights == ActiveDirectoryRights.GenericRead;
            bool write = acr.ActiveDirectoryRights == ActiveDirectoryRights.GenericWrite;
            bool execute = acr.ActiveDirectoryRights == ActiveDirectoryRights.GenericExecute;
            bool extended = acr.ActiveDirectoryRights == ActiveDirectoryRights.ExtendedRight;
            Console.WriteLine("{0}\t{1}\t{2}\t{3}\t{4}", all, read, write, execute, extended);
            Console.WriteLine("{0}\t{1}\t{2}", acr.ActiveDirectoryRights, acr.AccessControlType, sid);
            Console.WriteLine("\n");
        }
    }

I don't understand the result.
I think I'm on the wrong track.
=> I hope someone can help me.
c# permissions active-directory ldap
edited Nov 21 '18 at 9:04
beari7
asked Nov 21 '18 at 8:47
beari7
What part do you not understand? I can help explain, but I don't know what part to explain :)
– Gabriel Luci
Nov 21 '18 at 20:19
Thank you. It's a basic communication problem. I want to find out what rights the group "ADM_Group" has on group "Group". The goal is to find out if the user "XY", which is in the "ADM_Group", is allowed to add users to the "Group" or not, and the other direction with which group "Group" can be edited. Probably my approach is not right, because I can only filter folder permissions here!?
– beari7
Nov 22 '18 at 6:37
1 Answer
If I am understanding correctly, you are seeing permissions for "ADM_Group" on your group, but you don't see that permission when you look at the permissions in your code.
You are excluding inherited permissions by passing false in the second parameter of GetAccessRules():

    retVal.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier))

So if it is an inherited permission that is giving "ADM_Group" the permissions, then maybe that is why you are not seeing it.
In AD Users and Computers, you can click on 'Advanced' (or in your case 'Erweitert') to see each individual ACL in the permissions. The view in your screenshot combines ACLs to provide a simplified view of the permissions.
answered Nov 22 '18 at 15:01
Gabriel Luci
Is it possible to see which access rights the group "ADM_Group" has in "Group"? e.g. Can he change Users...
– beari7
Nov 23 '18 at 6:41
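An added example, not code from the question or the answer: one way to audit which ACEs on a group let a given trustee change its membership, reading inherited ACEs as the answer suggests and testing the rights as bit flags. The class and method names, the sample SID and the SDDL string are constructed for illustration; the result is a list of matching Allow and Deny ACEs, not a full effective-access evaluation.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupAclAudit
{
    // schemaIDGUID of the "member" attribute. An ACE with an empty ObjectType covers all attributes.
    static readonly Guid MemberAttribute = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");

    // Returns the ACEs (explicit and inherited) that apply to the object itself and
    // carry WriteProperty on "member" for any SID in trustees.
    public static List<ActiveDirectoryAccessRule> MemberWriteRules(byte[] sd, ISet<SecurityIdentifier> trustees)
    {
        var security = new ActiveDirectorySecurity();
        security.SetSecurityDescriptorBinaryForm(sd);
        var hits = new List<ActiveDirectoryAccessRule>();

        // Second argument true: include inherited ACEs as well as explicit ones.
        foreach (ActiveDirectoryAccessRule ace in
                 security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!trustees.Contains((SecurityIdentifier)ace.IdentityReference)) continue;

            // ActiveDirectoryRights is a flags enum: test the bit instead of comparing with ==.
            // GenericAll and GenericWrite both contain the WriteProperty bit.
            if ((ace.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == 0) continue;

            // InheritOnly ACEs are passed on to child objects and do not apply here.
            if ((ace.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;

            if (ace.ObjectType == Guid.Empty || ace.ObjectType == MemberAttribute)
                hits.Add(ace);
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample data: this SID stands in for "ADM_Group"; the second ACE
        // is inherited (ID flag) and grants WriteProperty (WP) on the member attribute.
        var admGroup = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");
        string sddl = "D:(A;;RPRC;;;AU)(OA;ID;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;"
                      + admGroup.Value + ")";
        var sample = new ActiveDirectorySecurity();
        sample.SetSecurityDescriptorSddlForm(sddl);
        byte[] sd = sample.GetSecurityDescriptorBinaryForm();

        var trustees = new HashSet<SecurityIdentifier> { admGroup };
        foreach (var ace in MemberWriteRules(sd, trustees))
            Console.WriteLine("{0}\t{1}\tinherited={2}\t{3}",
                ace.AccessControlType, ace.ActiveDirectoryRights, ace.IsInherited, ace.ObjectType);
    }
}
```

To answer the question for a user rather than a single group, pass the user's own SID together with the SIDs of every group the user belongs to, and feed in the `ntSecurityDescriptor` bytes returned by the DirectorySearcher instead of the sample.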