How do I find all groups in Active Directory for which the current user has write property access?

Time: 2010-05-11 12:26:26

Tags: c# linq active-directory

Currently I want to find all groups in Active Directory for which the current user has WriteProperty rights.

The problem is that I can find all groups the user is a direct member of, but when the user is inside a group and that group has write access, it does not show up. I thought setting the boolean parameters of GetAccessRules() would help, but it did not.

So here is the code I already have:

using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Diagnostics;
using System.Linq;
using System.Security.Principal;

var identity = WindowsIdentity.GetCurrent().User;
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();

var allSearcher = allDomains.Select(domain =>
    {
        var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
        // Apply some filter to focus on only some specific objects
        searcher.Filter = "(&(objectClass=group)(name=*part_of_group_name*))";
        return searcher;
    });

var itemsFound = allSearcher
    .SelectMany(searcher => searcher.FindAll()
        .Cast<SearchResult>()
        .Select(result => result.GetDirectoryEntry()));

// Only ACEs granted directly to the user's own SID are matched here;
// rights granted to a group the user belongs to are not seen.
var itemsWithWriteAccess = itemsFound
    .Where(entry => entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
        .Cast<ActiveDirectoryAccessRule>()
        .Where(rule => rule.IdentityReference == identity)
        .Any(rule => (rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty));

foreach (var item in itemsWithWriteAccess)
{
    Debug.Print(item.Name);
}

1 answer:

Answer 0: (score: 1)

After a long time, and with the help of Harvey in this question, I finally found a good working solution.

As Harvey already explained, it is a bit difficult to know in detail what you will get in entry.Properties["allowedAttributesEffective"].Value. But for normal purposes, to check for write permission you only have to check whether that field is not null.

Here is the sample code:

using System;
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Security.Principal;

// (replace "part_of_group_name" with some partial group name existing in your AD)
var groupNameContains = "part_of_group_name";

var identity = WindowsIdentity.GetCurrent().User;
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();

var allSearcher = allDomains.Select(domain =>
{
    var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));

    // Apply some filter to focus on only some specific objects
    searcher.Filter = String.Format("(&(objectClass=group)(name=*{0}*))", groupNameContains);
    return searcher;
});

var directoryEntriesFound = allSearcher
    .SelectMany(searcher => searcher.FindAll()
        .Cast<SearchResult>()
        .Select(result => result.GetDirectoryEntry()));

var allowedTo = directoryEntriesFound.Select(entry =>
{
    using (entry)
    {
        // allowedAttributesEffective is a constructed attribute computed by the DC
        // for the calling user, so it must be requested explicitly.
        entry.RefreshCache(new string[] { "allowedAttributesEffective" });
        var rights = entry.Properties["allowedAttributesEffective"].Value == null ? "read only" : "write";
        return new { Name = entry.Name, AllowedTo = rights };
    }
});

foreach (var item in allowedTo)
{
    var message = String.Format("Name = {0}, AllowedTo = {1}", item.Name, item.AllowedTo);
    Debug.Print(message);
}
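As an added example (not code from the question or the answer), the following combines both approaches: it expands the caller's token to every nested group SID before matching ACEs, which is why the original GetAccessRules() check missed rights granted through group membership, and it lists the attribute names returned in allowedAttributesEffective instead of only testing for null. It assumes a domain-joined Windows machine running as the user being audited, with a reference to System.DirectoryServices; the class name GroupWriteAudit and the filter over all groups are my choices.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupWriteAudit
{
    // User SID plus every (nested) group SID in the token, so an ACE granted to a parent group matches too.
    static HashSet<SecurityIdentifier> TokenSids(WindowsIdentity id)
    {
        var sids = new HashSet<SecurityIdentifier> { id.User };
        foreach (var g in id.Groups) sids.Add((SecurityIdentifier)g); // token groups are already SIDs
        return sids;
    }

    // Client-side view: an Allow ACE (explicit or inherited) for one of our SIDs that carries a write right.
    // Deny ACEs and per-attribute object types are not evaluated here, so treat a hit as a hint, not a verdict.
    static bool HasWriteAce(DirectoryEntry entry, HashSet<SecurityIdentifier> sids)
    {
        return entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)).Cast<ActiveDirectoryAccessRule>()
            .Any(r => r.AccessControlType == AccessControlType.Allow
                   && sids.Contains((SecurityIdentifier)r.IdentityReference)
                   && (r.ActiveDirectoryRights & (ActiveDirectoryRights.WriteProperty
                        | ActiveDirectoryRights.GenericWrite | ActiveDirectoryRights.GenericAll)) != 0);
    }

    // Server-side view: the DC computes allowedAttributesEffective for the caller (nested groups included),
    // so this lists exactly which attributes of the group the caller may write; empty means none.
    static string[] WritableAttributes(DirectoryEntry entry)
    {
        entry.RefreshCache(new[] { "allowedAttributesEffective" });
        return entry.Properties["allowedAttributesEffective"].Cast<object>().Select(v => v.ToString()).OrderBy(s => s).ToArray();
    }

    static void Main()
    {
        var sids = TokenSids(WindowsIdentity.GetCurrent());
        foreach (var domain in Forest.GetCurrentForest().Domains.Cast<Domain>())
        using (var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name), "(objectClass=group)"))
        using (var results = searcher.FindAll())
        foreach (SearchResult result in results)
        using (var entry = result.GetDirectoryEntry())
        {
            var attrs = WritableAttributes(entry);
            if (attrs.Length == 0 && !HasWriteAce(entry, sids)) continue; // nothing writable, skip
            Console.WriteLine("{0}: aceMatch={1} writable=[{2}]", entry.Name, HasWriteAce(entry, sids), string.Join(",", attrs));
        }
    }
}
```

A group that reports an ACE match but an empty writable list is worth a second look: the DC's effective-rights computation is authoritative, and the discrepancy usually means a deny ACE or an ACE scoped to a specific attribute that the simple client-side match does not model.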