Question

我是多个Outlook分发列表（DL）的共同所有者。我可以在Outlook中编辑它们，直接在那里添加和删除成员。但是，我无法通过简单的.NET程序编辑它们：

using System;
using System.DirectoryServices.AccountManagement;

namespace DL_Remove_User
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                RemoveUser("My Distribution List", "jimtut");
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error: " + ex.ToString());
            }
        }

        private static void RemoveUser(string dl, string username)
        {
            using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "CORP"))
            {
                GroupPrincipal group = GroupPrincipal.FindByIdentity(pc, dl);
                bool result = group.Members.Remove(pc, IdentityType.SamAccountName, username);
                Console.WriteLine(result.ToString());
                group.Save();
            }
        }
    }
}

这个代码适用于许多其他DL，但对于一对，我收到消息“Access is Denied”。完整堆栈跟踪：

at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()

at System.DirectoryServices.DirectoryEntry.CommitChanges()

at System.DirectoryServices.AccountManagement.ADStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)

at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)

at System.DirectoryServices.AccountManagement.ADStoreCtx.Update(Principal p)

at System.DirectoryServices.AccountManagement.Principal.Save()

at Department_Distribution_Lists.Program.RemoveUser(String dl, String username) in Program.cs:line 483

当然，“拒绝访问”确实表示权限问题，但我可以直接在Outlook中编辑这些DL。我甚至可以在AD / LDAP中查询DL“所有者”，并且我在“msExchCoManagedByLink”集合中。

有关为什么我可以在Outlook中编辑而不是通过.NET编辑的任何想法？

Answer 1

我终于想通了。这个权限问题使我感到困惑，因为我可以在Outlook中编辑DL，但不能通过.NET编辑该。

我开始寻找可以通过.NET编辑的DL与无法编辑的DL之间的差异，并发现该差异在此GUI中显示的AD属性中表示为“经理可以更新成员列表”：

即使我是“经理”（列表所有者），但如果DL没有设置该属性，我只能在Outlook中进行编辑。

我不想目视检查所有DL，因此我编写了以下代码来检测DL的“真实”所有者/编辑者：

    static List<string> GetGroupOwners(GroupPrincipal group)
    {
        List<string> owners = new List<string>();
        DirectoryEntry deGroup = group.GetUnderlyingObject() as DirectoryEntry;
        ActiveDirectorySecurity ads = deGroup.ObjectSecurity;
        AuthorizationRuleCollection rules = ads.GetAccessRules(true, true, typeof(SecurityIdentifier));
        Guid exRight_Member = new Guid("{bf9679c0-0de6-11d0-a285-00aa003049e2}");

        foreach (ActiveDirectoryAccessRule ar in rules)
        {
            if (ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.GenericWrite) || (ar.ObjectType.Equals(exRight_Member) && ar.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.WriteProperty)))
            {
                string friendlyName = "";
                try
                {
                    friendlyName = ar.IdentityReference.Translate(typeof(NTAccount)).Value;
                }
                catch
                {
                }
                owners.Add(friendlyName);
            }
        }
        return owners;
    }

如果您想知道谁具有基于Outlook的编辑权限，那就不一样了

    static List<string> GetGroupOwnersOutlook(GroupPrincipal group)
    {
        List<string> owners = new List<string>();
        DirectoryEntry deGroup = group.GetUnderlyingObject() as DirectoryEntry;
        System.DirectoryServices.PropertyCollection r = deGroup.Properties;
        foreach (string a in r["managedBy"])
        {
            owners.Add(a);
        }
        foreach (string a in r["msExchCoManagedByLink"])
        {
            owners.Add(a);
        }

        return owners;
    }

通过.NET添加/删除Outlook分发列表用户时出错

1 个答案: