Get Group Permissions from LDAP with C# (READ ACL)












I would like to get the permissions of a group,
e.g. users in this group can read, or write...

I work with Microsoft Active Directory.

With the DirectorySearcher I search like this:

using System.DirectoryServices;

// rootDSE is the DirectoryEntry to search under and searchString is the LDAP filter
DirectorySearcher searcher = new DirectorySearcher(rootDSE)
{
    Filter = searchString,
    // SecurityMasks tells the server which parts of ntSecurityDescriptor to return
    //SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Sacl
    SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Group
    //SecurityMasks = SecurityMasks.Dacl
    //SecurityMasks = SecurityMasks.Group
};

The ntSecurityDescriptor is a byte array in my code:

byte[] sec = group["ntSecurityDescriptor"][0] as byte[];

So far so good.

And now I try to list the permissions:

using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static void ReadAccess(byte[] sec)
{
    // Rebuild the security descriptor object from the binary ntSecurityDescriptor value
    System.DirectoryServices.ActiveDirectorySecurity retVal = new System.DirectoryServices.ActiveDirectorySecurity();
    retVal.SetSecurityDescriptorBinaryForm(sec);

    // includeExplicit = true, includeInherited = false
    //AuthorizationRuleCollection arc = retVal.GetAccessRules(true, false, typeof(System.Security.Principal.NTAccount));
    AuthorizationRuleCollection arc = retVal.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier));

    Console.WriteLine("\n\n");
    //AuthorizationRule || ActiveDirectoryAccessRule
    foreach (ActiveDirectoryAccessRule acr in arc)
    {
        string sid = null;
        try
        {
            // Resolve the SID to DOMAIN\Name; unresolvable (orphaned) SIDs throw here
            sid = (acr.IdentityReference).Translate(typeof(NTAccount)).Value;
        }
        catch { }

        // ActiveDirectoryRights is a [Flags] enum, so test bits with HasFlag rather than ==
        bool all = acr.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericAll);
        bool read = acr.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericRead);
        bool write = acr.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericWrite);
        bool execute = acr.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericExecute);
        bool extended = acr.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.ExtendedRight);

        Console.WriteLine("{0}\t{1}\t{2}\t{3}\t{4}", all, read, write, execute, extended);
        Console.WriteLine("{0}\t{1}\t{2}", acr.ActiveDirectoryRights, acr.AccessControlType, sid);
        Console.WriteLine("\n");
    }
}

I don't understand the result.
Wrong way?

I think I'm on the wrong track
=> I hope someone can help me










  • What part do you not understand? I can help explain, but I don't know what part to explain :)

    – Gabriel Luci
    Nov 21 '18 at 20:19











  • Thank you. It's a basic communication problem. I want to find out what rights the group "ADM_Group" has on group "Group". The goal is to find out if the user "XY", who is in the "ADM_Group", is allowed to add users to the "Group" or not, and the other direction: with which group "Group" can be edited. Probably my approach is not right, because I can only filter folder permissions here!?

    – beari7
    Nov 22 '18 at 6:37
















c# permissions active-directory ldap






asked Nov 21 '18 at 8:47 by beari7 (edited Nov 21 '18 at 9:04)













1 Answer
If I am understanding correctly, you are seeing permissions for "ADM_Group" on your group, but you don't see that permission when you look at the permissions in your code.



You are excluding inherited permissions by passing false in the second parameter of GetAccessRules():



retVal.GetAccessRules(true, false, typeof(System.Security.Principal.SecurityIdentifier))


So if it is an inherited permission that is giving "ADM_Group" the permissions, then maybe that is why you are not seeing it.



In AD Users and Computers, you can click on 'Advanced' (or in your case 'Erweitert') to see each individual ACL in the permissions. The view in your screenshot combines ACLs to provide a simplified view of the permissions.
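Added example, not code from the question or the answer: it follows the answer's advice offline by parsing a constructed SDDL security descriptor in place of a live ntSecurityDescriptor, lists the rules once without and once with inherited ACEs, and then checks whether a placeholder SID standing in for "ADM_Group" holds WriteProperty on the member attribute, which is what "allowed to add users to the group" means at the ACL level. The SIDs are made up, and the member attribute GUID is assumed to be the schemaIDGUID of member from the default AD schema.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupAclCheck
{
    // Constructed placeholder SID standing in for the "ADM_Group" trustee (not a real domain SID).
    static readonly SecurityIdentifier AdmGroupSid = new SecurityIdentifier("S-1-5-21-111-222-333-1104");
    // Assumed schemaIDGUID of the "member" attribute; WriteProperty on it is what "can add users" means.
    // Verify it against your own schema partition before relying on it.
    static readonly Guid MemberAttribute = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
    // Constructed SDDL standing in for group["ntSecurityDescriptor"][0]: an explicit ACE that grants
    // ADM_Group WriteProperty on "member" only, and an ACE flagged ID (inherited) that grants it
    // the bits making up GenericRead (RC|LO|RP|LC). Owner and group are BUILTIN\Administrators.
    const string SampleSddl =
        "O:BAG:BAD:AI" +
        "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-111-222-333-1104)" +
        "(A;ID;RCLORPLC;;;S-1-5-21-111-222-333-1104)";

    static void Main()
    {
        var sd = new ActiveDirectorySecurity();
        // With a live object this would be sd.SetSecurityDescriptorBinaryForm(bytes)
        sd.SetSecurityDescriptorSddlForm(SampleSddl);

        Console.WriteLine("Explicit ACEs only (second argument false, as in the question):");
        Dump(sd.GetAccessRules(true, false, typeof(SecurityIdentifier)));
        Console.WriteLine("Explicit and inherited ACEs (second argument true):");
        Dump(sd.GetAccessRules(true, true, typeof(SecurityIdentifier)));

        Console.WriteLine("ADM_Group may add members: " + CanWriteMember(sd, AdmGroupSid));
    }

    static void Dump(AuthorizationRuleCollection rules)
    {
        foreach (ActiveDirectoryAccessRule r in rules)
        {
            // ActiveDirectoryRights is a [Flags] enum: test bits with HasFlag, not ==
            bool read = r.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericRead);
            bool writeProp = r.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.WriteProperty);
            string scope = r.ObjectType == Guid.Empty ? "all properties" : "property " + r.ObjectType;
            Console.WriteLine("  {0} {1} on {2}; inherited={3} read={4} writeProperty={5}",
                r.AccessControlType, r.IdentityReference, scope, r.IsInherited, read, writeProp);
        }
    }

    // True when an Allow ACE (explicit or inherited) gives the trustee WriteProperty on "member" or on
    // every property and no Deny ACE covering the same right exists. Treating any matching Deny as final
    // is a conservative simplification of the canonical-order check; nested group membership is not expanded.
    static bool CanWriteMember(ActiveDirectorySecurity sd, SecurityIdentifier trustee)
    {
        bool allowed = false;
        foreach (ActiveDirectoryAccessRule r in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!trustee.Equals(r.IdentityReference)) continue;
            bool coversMember = r.ObjectType == Guid.Empty || r.ObjectType == MemberAttribute;
            if (!coversMember || !r.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.WriteProperty)) continue;
            if (r.AccessControlType == AccessControlType.Deny) return false;
            allowed = true;
        }
        return allowed;
    }
}
```

Compile it as a console app referencing System.DirectoryServices on Windows; no domain connection is needed because nothing is read from the directory.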






  • Is it possible to see which access rights the group "ADM_Group" has in "Group"? E.g. can it change users...

    – beari7
    Nov 23 '18 at 6:41













answered Nov 22 '18 at 15:01 by Gabriel Luci












