I am a co-owner of several Outlook distribution lists (DLs). I can edit them in Outlook, adding and removing members right there. However, I cannot edit them with a simple .NET program:
    using System;
    using System.DirectoryServices.AccountManagement;

    namespace DL_Remove_User
    {
        class Program
        {
            static void Main(string[] args)
            {
                try
                {
                    RemoveUser("My Distribution List", "jimtut");
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Error: " + ex.ToString());
                }
            }

            private static void RemoveUser(string dl, string username)
            {
                // Bind to the CORP domain as the currently logged-on user
                using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "CORP"))
                using (GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, dl))
                {
                    if (group == null)
                    {
                        Console.WriteLine("DL not found: " + dl);
                        return;
                    }
                    // Remove returns false if the user was not a member; the directory
                    // write only happens on Save()
                    bool result = group.Members.Remove(pc, IdentityType.SamAccountName, username);
                    Console.WriteLine(result.ToString());
                    group.Save();
                }
            }
        }
    }
This code works for many other DLs, but for a couple of them I get the message "Access is Denied". Full stack trace:
at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
at System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p)
at System.DirectoryServices.AccountManagement.Principal.Save()
at Department_Distribution_Lists.Program.RemoveUser(String dl, String username) in Program.cs:line 483
Of course, "Access is Denied" does indicate a permissions problem, but I can edit these DLs directly in Outlook. I can even query the DL "owners" in AD / LDAP, and I am in the "msExchCoManagedByLink" collection.
Any ideas why I can edit in Outlook but not through .NET?
Answer 0: (score: 0)
I finally figured it out. This permissions problem confused me because I could edit the DLs in Outlook but not through .NET.
I started looking for the difference between the DLs I could edit through .NET and the ones I could not, and found that the difference is expressed in an AD attribute that this GUI shows as "Manager can update membership list":
Even though I am a "manager" (list owner), if the DL does not have that attribute set, I can only edit it in Outlook.
I did not want to inspect every DL visually, so I wrote the following code to detect the "real" owners/editors of a DL:
    using System;
    using System.Collections.Generic;
    using System.DirectoryServices;
    using System.DirectoryServices.AccountManagement;
    using System.Security.AccessControl;
    using System.Security.Principal;

    static List<string> GetGroupOwners(GroupPrincipal group)
    {
        List<string> owners = new List<string>();
        DirectoryEntry deGroup = group.GetUnderlyingObject() as DirectoryEntry;
        ActiveDirectorySecurity ads = deGroup.ObjectSecurity;
        // Include inherited ACEs and report trustees as SIDs
        AuthorizationRuleCollection rules = ads.GetAccessRules(true, true, typeof(SecurityIdentifier));
        // schemaIDGUID of the AD "member" attribute
        Guid exRight_Member = new Guid("{bf9679c0-0de6-11d0-a285-00aa003049e2}");
        foreach (ActiveDirectoryAccessRule ar in rules)
        {
            // Either a blanket GenericWrite, or WriteProperty scoped to "member"
            if (ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericWrite) ||
                (ar.ObjectType.Equals(exRight_Member) && ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.WriteProperty)))
            {
                string friendlyName;
                try
                {
                    friendlyName = ar.IdentityReference.Translate(typeof(NTAccount)).Value;
                }
                catch (IdentityNotMappedException)
                {
                    // Orphaned or foreign SID: keep the raw SID instead of an empty entry
                    friendlyName = ar.IdentityReference.Value;
                }
                owners.Add(friendlyName);
            }
        }
        return owners;
    }
If you want to know who has Outlook-based edit rights, that is a different check:
    using System.Collections.Generic;
    using System.DirectoryServices;
    using System.DirectoryServices.AccountManagement;

    static List<string> GetGroupOwnersOutlook(GroupPrincipal group)
    {
        List<string> owners = new List<string>();
        DirectoryEntry deGroup = group.GetUnderlyingObject() as DirectoryEntry;
        System.DirectoryServices.PropertyCollection r = deGroup.Properties;
        // managedBy: the single primary owner (distinguished name)
        foreach (string a in r["managedBy"])
        {
            owners.Add(a);
        }
        // msExchCoManagedByLink: additional Exchange co-owners (distinguished names)
        foreach (string a in r["msExchCoManagedByLink"])
        {
            owners.Add(a);
        }
        return owners;
    }
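The answer lists every trustee holding a write ACE on the group, but it does not tell you whether a particular account is actually covered by one of those ACEs (directly, or through one of its group SIDs), nor does it honour Deny entries. The following is an added example, not code from the original question or answer, that checks this before calling Members.Remove, so the "Access is Denied" case can be predicted and reported instead of thrown. It goes slightly beyond the answer's check by also treating a WriteProperty ACE with an empty ObjectType (an ACE covering all attributes) as granting write on "member". It assumes the program runs under the account being checked, that the domain is "CORP" and the DL is "My Distribution List" as in the question, and that a matching Deny ACE should be treated conservatively as a refusal.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;

static class DlMembershipCheck
{
    // schemaIDGUID of the AD "member" attribute (same GUID as in the answer)
    static readonly Guid MemberAttributeGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");

    // True if the ACE grants the right to modify the group's "member" attribute.
    static bool GrantsMemberWrite(ActiveDirectoryAccessRule ar)
    {
        if (ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericWrite))
            return true;
        if (!ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.WriteProperty))
            return false;
        // Guid.Empty means the ACE is not scoped to one attribute, so it covers "member" too
        return ar.ObjectType == Guid.Empty || ar.ObjectType == MemberAttributeGuid;
    }

    // Conservative approximation of the DACL evaluation the DC will perform for this
    // identity: any matching Deny refuses, otherwise at least one matching Allow is needed.
    public static bool CanEditMembers(GroupPrincipal group, WindowsIdentity identity)
    {
        // The caller's SID plus every group SID in the token, since ACEs may name either
        var sids = new HashSet<SecurityIdentifier>();
        if (identity.User != null)
            sids.Add(identity.User);
        if (identity.Groups != null)
            foreach (IdentityReference g in identity.Groups)
                sids.Add((SecurityIdentifier)g);

        DirectoryEntry de = (DirectoryEntry)group.GetUnderlyingObject();
        AuthorizationRuleCollection rules =
            de.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));

        bool allowed = false;
        foreach (ActiveDirectoryAccessRule ar in rules)
        {
            if (!sids.Contains((SecurityIdentifier)ar.IdentityReference))
                continue;
            if (!GrantsMemberWrite(ar))
                continue;
            if (ar.AccessControlType == AccessControlType.Deny)
                return false; // an explicit Deny wins over any Allow
            allowed = true;
        }
        return allowed;
    }

    static void Main(string[] args)
    {
        // Domain and DL name taken from the question; adjust for your environment
        using (var pc = new PrincipalContext(ContextType.Domain, "CORP"))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, "My Distribution List"))
        {
            if (group == null)
            {
                Console.WriteLine("DL not found");
                return;
            }
            bool ok = CanEditMembers(group, WindowsIdentity.GetCurrent());
            Console.WriteLine(ok
                ? "Members.Add/Remove + Save() should succeed for this account"
                : "Expect 'Access is Denied': 'Manager can update membership list' is not set for this account");
        }
    }
}
```

Running this before the Save() in the question's RemoveUser gives a clear answer without a round trip that ends in an exception. It deliberately does not require WriteDacl or WriteOwner, which would let an account grant itself the right; if those show up for a DL owner in the ACE listing, that is worth a closer look rather than a silent pass.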