Re: How to set Extended Rights in Active Directory ACL
- From: "Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx>
- Date: Wed, 6 Sep 2006 11:33:58 +0200
Peter,
The V2 FCL has built-in support for this, no need to use ADSI (ActiveDs) any
longer.
Here is a sample that sets SENDAS on an existing computer account object for
'Everyone'.
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

bool modified = false;
using (DirectoryEntry computers = new DirectoryEntry(
    "LDAP://testdomain/ou=TestOU,dc=testdomain,dc=net"))
{
    // Ask for every part of the security descriptor when it is read.
    computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
        | SecurityMasks.Dacl | SecurityMasks.Sacl;
    foreach (DirectoryEntry computer in computers.Children)
    {
        if (computer.Name == "CN=Testcomputer")
        {
            ActiveDirectorySecurity sdc = computer.ObjectSecurity;
            NTAccount Account = new NTAccount("Everyone");
            // The GUID identifies the Send-As extended right.
            ExtendedRightAccessRule erar = new ExtendedRightAccessRule(Account,
                AccessControlType.Allow,
                new Guid("{0xab721a54,0x1e2f,0x11d0,{0x98,0x19,0x00,0xaa,0x00,0x40,0x52,0x9b}}"));
                // or, in place of the Guid above: Guid.Empty);
            sdc.ModifyAccessRule(AccessControlModification.Add, erar, out modified);
            sdc.SetAccessRule(erar);
            // Write the modified descriptor back to the directory.
            computer.CommitChanges();
            Console.WriteLine("Success? {0}", modified);
        }
    }
}
If you set the Guid argument to Guid.Empty, all extended rights are set, and
I guess this is what the OP is after.
Willy.
""Peter Huang" [MSFT]" <v-phuang@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:cKmUipX0GHA.4280@xxxxxxxxxxxxxxxxxxxxxxxx
| Hi Martin,
|
| Based on my research, here is the code snippet for your reference.
|
| NOTE: You need to add reference to DirectoryService and Active Directory
| Type Library(COM Lib)
|
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| const string SENDAS = "{ab721a54-1e2f-11d0-9819-00aa0040529b}";
| string strTrustee = @"testdomain\testaccount";
|
| string ldapString = "LDAP://testdomain/ou=TestOU,dc=testdomain,dc=net";
|
| DirectoryEntry objRoot = new DirectoryEntry(ldapString);
| DirectoryEntry objComputer =
| objRoot.Children.Add("cn=TestComputer","computer");
| objComputer.CommitChanges();
|
| ActiveDs.SecurityDescriptor sd =
| (ActiveDs.SecurityDescriptor)objComputer.Properties["ntSecurityDescriptor"].Value;
| ActiveDs.AccessControlList dacl =
| (ActiveDs.AccessControlList)sd.DiscretionaryAcl;
| ActiveDs.AccessControlEntry ace = new ActiveDs.AccessControlEntryClass();
| ace.Trustee = strTrustee;
| ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_GENERIC_ALL;
| ace.AceType =
| (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
| ace.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
| ace.ObjectType = SENDAS;
| ace.Flags = 0x1;
| dacl.AddAce(ace);
| sd.DiscretionaryAcl = dacl;
| objComputer.Properties["ntSecurityDescriptor"].Value = sd;
| objComputer.CommitChanges();
|
| +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
| The code above will add a computer account into TestOU, and set the account
| "testdomain\testaccount" with the Send As Permission for the TestComputer.
|
| For the other GUID for the permission you may check the link in your last
| post.
|
| http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_send_as.asp
|
|
| Best regards,
|
| Peter Huang
|
| Microsoft Online Community Support
| ==================================================
| When responding to posts, please "Reply to Group" via your newsreader so
| that others may learn and benefit from your issue.
| ==================================================
| This posting is provided "AS IS" with no warranties, and confers no rights.
|
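
Added example (not part of the original thread, and not code from either poster): a review-side check that walks an ActiveDirectorySecurity DACL and reports allow ACEs that grant an extended right to Everyone or Authenticated Users, or that carry an empty object type and therefore grant all extended rights. The names ExtendedRightAudit and Audit and the two account SIDs are constructed for illustration; the descriptor is built in memory, so no directory is contacted.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class ExtendedRightAudit // hypothetical name, not from the thread
{
    // Send-As control access right, GUID as quoted in the thread.
    static readonly Guid SendAs = new Guid("ab721a54-1e2f-11d0-9819-00aa0040529b");

    // Broad trustees: Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
    static readonly SecurityIdentifier[] Broad = {
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null)
    };

    // One finding per allow ACE that grants an extended right to a broad
    // trustee, or grants all extended rights (empty object type).
    public static List<string> Audit(ActiveDirectorySecurity sd)
    {
        var findings = new List<string>();
        foreach (ActiveDirectoryAccessRule rule in
                 sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            if ((rule.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) == 0) continue;
            var sid = (SecurityIdentifier)rule.IdentityReference;
            bool broad = Array.Exists(Broad, b => b.Equals(sid));
            bool all = rule.ObjectType == Guid.Empty;
            if (broad || all)
                findings.Add(string.Format("{0} right={1} inherited={2}", sid.Value,
                    all ? "ALL extended rights" : rule.ObjectType.ToString(), rule.IsInherited));
        }
        return findings;
    }

    static void Main()
    {
        // Constructed sample descriptor and SIDs, built in memory.
        var sd = new ActiveDirectorySecurity();
        var userA = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1104");
        var userB = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");
        sd.AddAccessRule(new ExtendedRightAccessRule(Broad[0], AccessControlType.Allow, SendAs)); // broad trustee
        sd.AddAccessRule(new ExtendedRightAccessRule(userA, AccessControlType.Allow, Guid.Empty)); // all extended rights
        sd.AddAccessRule(new ExtendedRightAccessRule(userB, AccessControlType.Allow, SendAs));     // scoped grant
        foreach (string f in Audit(sd)) Console.WriteLine(f);
    }
}
```

To run the same check against a live object, pass the ObjectSecurity property of a DirectoryEntry to Audit instead of the in-memory descriptor.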