检查OU是否受到保护,以防意外删除

时间:2012-08-08 09:20:07

标签: c# active-directory ldap ou

我正在与OU合作,只是想找出

有什么方法可以检查OU是否受到保护,以防止意外删除?

我用Google搜索但无法找到任何解决方案。

我正在寻找C#中没有脚本的解决方案。

提前致谢

5 个答案:

答案 0 :(得分:2)

您需要在对象上打开ACL(ntSecurityDescriptor属性)并查找“拒绝所有人删除”。 ActiveDirectorySecurity类为您提供了一个托管包装器 - http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurity.aspx

答案 1 :(得分:1)

要保护AD对象,必须有两个ACE。一个是"否认删除+删除树"必须在要保护的对象上设置,第二个"拒绝DeleteChild"必须在父对象上设置。 如果应删除保护,则只能删除对象上的ACE。父对象上的ACE必须保留,否则同一OU中的其他对象将不再受到保护!

这是我的代码完美运作:

    //using System.Security.Principal
    //using System.DirectoryServices;


    public static void SetProtectADObject(DirectoryEntry ent, bool Protect = true)
    {
        //get parent object
        var parentEnt = new DirectoryEntry(ent.Parent.Path);

        //refresh objects
        ent.RefreshCache();
        parentEnt.RefreshCache();

        if (Protect)
        {
            #region Protect
            try
            {
                IdentityReference everyOneAccount = new NTAccount("Everyone").Translate(typeof(SecurityIdentifier)); //S-1-1-0
                var objAce = new ActiveDirectoryAccessRule(everyOneAccount, ActiveDirectoryRights.Delete | ActiveDirectoryRights.DeleteTree, AccessControlType.Deny);
                var parentAce = new ActiveDirectoryAccessRule(everyOneAccount, ActiveDirectoryRights.DeleteChild, AccessControlType.Deny);

                //check if ace present on object
                var objACL = ent.ObjectSecurity;
                bool acePresent = false;
                foreach (ActiveDirectoryAccessRule ace in objACL.GetAccessRules(true, false, typeof(NTAccount)))
                {
                    if (ace.IdentityReference.Value == "Everyone")
                    {
                        if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { acePresent = true; break; }
                        else if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { acePresent = true; break; }
                    }
                }

                if (!acePresent)
                {
                    //set ace to object
                    objACL.AddAccessRule(objAce);

                    //commit changes
                    ent.CommitChanges();
                }

                //check if ace present on parent object
                var parentACL = parentEnt.ObjectSecurity;
                bool parentAcePresent = false;
                foreach (ActiveDirectoryAccessRule ace in parentACL.GetAccessRules(true, false, typeof(NTAccount)))
                {
                    if (ace.IdentityReference.Value == "Everyone")
                    {
                        if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild)) { parentAcePresent = true; break; }
                        else if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { parentAcePresent = true; break; }
                    }
                }

                if (!parentAcePresent)
                {
                    //set ace to parent object
                    parentACL.AddAccessRule(parentAce);

                    //commit changes
                    parentEnt.CommitChanges();
                }
            }
            catch (Exception ex)
            {
                throw new Exception(string.Format("Error protecting object {0}", ent.Path), ex);
            }
            #endregion
        }
        else
        {
            #region Unprotect
            //to remove the protection we remove only the ACE from the object, not from the parent. 
            //The ACE on the parent must be in place because otherwise other objects on the same level will not protected anymore!

            try
            {
                IdentityReference everyOneAccount = new NTAccount("Everyone").Translate(typeof(SecurityIdentifier)); //S - 1 - 1 - 0
                var objAce = new ActiveDirectoryAccessRule(everyOneAccount, ActiveDirectoryRights.Delete | ActiveDirectoryRights.DeleteTree, AccessControlType.Deny);

                //check if ace present on object
                var objACL = ent.ObjectSecurity;
                bool acePresent = false;
                foreach (ActiveDirectoryAccessRule ace in objACL.GetAccessRules(true, false, typeof(NTAccount)))
                {
                    if (ace.IdentityReference.Value == "Everyone")
                    {
                        if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { acePresent = true; break; }
                        else if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { acePresent = true; break; }
                    }
                }

                //set ace to object
                if (acePresent)
                {
                    ent.ObjectSecurity.RemoveAccessRule(objAce);
                    ent.CommitChanges();
                }
            }
            catch (Exception ex)
            {
                throw new Exception(string.Format("Error unprotecting object {0}", ent.Path), ex);
            }
            #endregion 
        }
    }

    public static bool IsADObjectProtected(DirectoryEntry ent)
    {
        //get parent object
        var parentEnt = new DirectoryEntry(ent.Parent.Path);

        //refresh objects
        ent.RefreshCache();
        parentEnt.RefreshCache();

        //get current ACLs
        ActiveDirectorySecurity acl = ent.ObjectSecurity;
        ActiveDirectorySecurity parentAcl = ent.Parent.ObjectSecurity;
        AuthorizationRuleCollection rules = acl.GetAccessRules(true, true, typeof(NTAccount));
        AuthorizationRuleCollection parentRules = parentAcl.GetAccessRules(true, false, typeof(NTAccount));

        //check object acl
        bool acePresent = false;
        foreach (ActiveDirectoryAccessRule ace in rules)
        {
            Console.WriteLine(ace.AccessControlType.ToString());
            if (ace.AccessControlType == AccessControlType.Deny)
            {
                if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { acePresent = true; break; }
                else if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { acePresent = true; break; }
            }
        }

        //check parent acl
        bool parentAcePresent = false;
        foreach (ActiveDirectoryAccessRule ace in parentRules)
        {
            if (ace.AccessControlType == AccessControlType.Deny)
            {
                if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild)) { parentAcePresent = true; break; }
                else if (ace.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete)) { parentAcePresent = true; break; }
            }
        }

        return parentAcePresent && acePresent;
    }

答案 2 :(得分:0)

检查systemFlags属性。 ADS_SYSTEMFLAG_ENUM上的MS页面有C ++示例,它应该很容易适应C#。

答案 3 :(得分:0)

您可以在PowerShell中使用活动目录cmdlet执行简单的操作 Get-ADObject -Filter * -Properties ProtectedFromAccidentalDeletion |其中{$ _.ProtectedFromAccidentalDeletion -eq $ true}

以后如果你想改变它 - 把它管道给| Set-ADObject -ProtectedFromAccidentalDeletion:$ false

答案 4 :(得分:0)

这是一个代码片段,用于获取OU并查找确定其是否受到保护以防意外删除的ACL。
这是使用[System.DirectoryServices],[System.Security.AccessControl]和[System.Security.Principal]命名空间

bool? protected = null;
DirectoryEntry de = new DirectoryEntry("LDAP://OU=TestOu,DC=Test,DC=Local", "Username", "Password");
ActiveDirectorySecurity ads = de.ObjectSecurity;
AuthorizationRuleCollection rules = ads.GetAccessRules(true, true, typeof(NTAccount);
foreach (ActiveDirectoryAccessRule rule in rules)
    if (rule.AccessControlType == AccessControlType.Deny)
        if (rule.ActiveDirectoryRights == (ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.Delete))
            protected = true;
        else
            protected = false;

我在我的一个根OU上运行了这个,并且应用了超过150个ACL,它在一两秒内返回了答案。