Getting user identities from an Active Directory ACL

Time: 2018-04-11 14:30:22

Tags: c# active-directory exchange-server

I am trying to associate accounts with a group that has the "send-to" extended right.

using System;
using System.DirectoryServices;
using System.Security.Principal;

// Walk the group's DACL and print every trustee that holds the Send-To extended right
ActiveDirectorySecurity ads = myGroup.ObjectSecurity;
Guid sendTo = new Guid("ab721a55-1e2f-11d0-9819-00aa0040529b");
foreach (ActiveDirectoryAccessRule ar in ads.GetAccessRules(true, false, typeof(NTAccount)))
{
  // ObjectType is already a Guid, so compare it as one rather than through ToString()
  if (ar.ObjectType == sendTo)
  {
    Console.WriteLine(ar.IdentityReference);
  }
}

The problem is that IdentityReference holds "NT AUTHORITY\Authenticated Users" rather than the account I am looking for.

How do I get it back?

I know it should be possible, because PowerShell can do it.

Get-ADPermission -identity myGroup | where {($_.ExtendedRights -like "*Send*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-List *

1 answer:

Answer 0: (score: 0)

You are getting the list of permissions, but that does not determine effective/actual access (if there is a deny somewhere). Just want to make sure you know this.

According to MSDN, when retrieving access rules the target type must be a type that can be cast to a SecurityIdentifier object. (I recommend using that, in case a SID can no longer be resolved; you will always be left with a SID rather than an error.)

For more information: DirectoryObjectSecurity.GetAccessRules Method

I prefer to use "Format-Table -AutoSize" rather than "| Format-List *".

Get-ADPermission -identity myGroup | where {($_.ExtendedRights -like "*Send*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-Table -AutoSize

Here is some helper code:

 //REFERENCES
 using System;
 using System.Collections.Generic;
 using System.DirectoryServices;
 using System.DirectoryServices.AccountManagement;
 using System.Security.Principal;
 using System.Security.AccessControl;
 //END OF REFERENCES

 //Exchange Shell Command:
 //Get-ADPermission -identity "<AD Distinguished Name>" | where {($_.ExtendedRights -like "*Send*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-Table -AutoSize

 string groupSAMAccountName = "YOUR_GROUP_NAME";
 GroupPrincipal pGroup = GroupPrincipal.FindByIdentity(new PrincipalContext(ContextType.Domain), IdentityType.SamAccountName, groupSAMAccountName);
 DirectoryEntry deGroup = pGroup.GetUnderlyingObject() as DirectoryEntry;

 //Extended Rights Reference - https://technet.microsoft.com/en-us/library/ff405676.aspx
 //Exchange right: allows sending mail as the mailbox.
 Guid exRight_SendAs = new Guid("{ab721a54-1e2f-11d0-9819-00aa0040529b}"); //GUID ends in ...a54
 //Exchange right: allows sending to a mailbox.
 Guid exRight_SendTo = new Guid("{ab721a55-1e2f-11d0-9819-00aa0040529b}"); //GUID ends in ...a55

 ActiveDirectorySecurity ads = deGroup.ObjectSecurity;
 //Include inherited rules, and ask for raw SIDs so an unresolvable trustee does not throw
 AuthorizationRuleCollection rules = ads.GetAccessRules(true, true, typeof(SecurityIdentifier));

 List<ActiveDirectoryAccessRule> exRight_SendTo_Rules = new List<ActiveDirectoryAccessRule>();

 foreach (ActiveDirectoryAccessRule ar in rules)
 {
    //Goal - collect every entry whose ObjectType is exRight_SendTo
    if (ar.ObjectType.Equals(exRight_SendTo))
    {
        exRight_SendTo_Rules.Add(ar);
    }
 }

 //This is where you would need to get all the SIDs of the account (every group it is a member of) to filter down which rules apply to your account.
 //You would probably want to include the Everyone SID and the Authenticated Users SID as well.
 //From there you would bitwise-combine each rule to determine whether access is actually granted to the account.
 //Just because an entry has ALLOW Send-As doesn't mean that's your EFFECTIVE ACCESS... another entry for another group you belong to may have DENY.
 foreach (ActiveDirectoryAccessRule ar in exRight_SendTo_Rules)
 {
    string friendlyName = "";
    try
    {
        //Translate the SID to DOMAIN\name; this fails for orphaned SIDs, so fall back to the raw SID
        friendlyName = ar.IdentityReference.Translate(typeof(NTAccount)).Value;
    }
    catch
    {
        friendlyName = "[Unable to resolve] SID " + ar.IdentityReference.Value;
    }

    string ar_Result = string.Format(@"Identity={0}, User={1}, Deny={2}, Inherited={3}",
                pGroup.DistinguishedName,
                friendlyName,
                (ar.AccessControlType == AccessControlType.Deny).ToString(),
                ar.IsInherited);

    Console.WriteLine(ar_Result);
    System.Diagnostics.Debug.WriteLine(ar_Result);
 }

Remember to upvote if this helps!

Edit:

"When using an extended right ACE, the ADS_RIGHT_DS_CONTROL_ACCESS right must be assigned to the AccessMask."

That is 0x100... which means it is ActiveDirectoryRights.ExtendedRight

ActiveDirectoryRights test = (ActiveDirectoryRights)0x100;

I don't know whether it is enforced if you don't give it:

ar.ActiveDirectoryRights = ActiveDirectoryRights.ExtendedRight;

So if you look at it as an entry, I don't know whether you would find any extended-right ACEs without this value. I think if it doesn't have the extended flag, it should be ignored.

Edit #2: The correct logical approach is to get all permissions that have "EXTENDEDRIGHT", then compare the ObjectType GUID; you must also include the empty GUID {00000000-0000-0000-0000-000000000000} entries, because they apply to all extended rights.... Then you filter which entries apply to the specific account by matching all the SIDs the account belongs to, then you merge whatever applies and see whether the account ends up allowed or denied.
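The evaluation that Edit #2 describes, carried through as an added example (this is not code from the question or the answer): keep only ACEs whose mask carries the ExtendedRight bit, match the Send-To GUID or the empty "all extended rights" GUID, keep those whose trustee is in the account's SID set, and then let a deny on any of those SIDs outrank an allow for Authenticated Users, in the order a canonical DACL places ACEs. The SIDs and the DACL in Main are constructed so the sample runs without a domain; the S-1-5-21 values are placeholders. CanSendTo is the live path and assumes a domain-joined machine; the helper names (TokenSids, IsAllowed, CanSendTo) are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class SendToEffectiveAccess
{
    public static readonly Guid SendTo = new Guid("ab721a55-1e2f-11d0-9819-00aa0040529b");
    public static readonly Guid SendAs = new Guid("ab721a54-1e2f-11d0-9819-00aa0040529b");

    // SIDs a logon token for `user` carries: its own SID, every group it is in
    // (nested), plus Everyone and Authenticated Users, which never appear in the
    // group list but still match ACEs. Live path: needs a domain.
    public static HashSet<SecurityIdentifier> TokenSids(UserPrincipal user)
    {
        var sids = new HashSet<SecurityIdentifier> { user.Sid };
        foreach (Principal g in user.GetAuthorizationGroups())
            if (g.Sid != null) sids.Add(g.Sid);
        sids.Add(new SecurityIdentifier(WellKnownSidType.WorldSid, null));
        sids.Add(new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null));
        return sids;
    }

    // True when the token ends up allowed `right`; false when denied or when no
    // ACE grants it at all. Matching ACEs are ordered as a canonical DACL orders
    // them (explicit before inherited, deny before allow within each tier) and
    // the first match decides, which is how Windows itself evaluates a DACL.
    public static bool IsAllowed(IEnumerable<ActiveDirectoryAccessRule> rules,
                                 HashSet<SecurityIdentifier> tokenSids, Guid right)
    {
        var matches = new List<ActiveDirectoryAccessRule>();
        foreach (ActiveDirectoryAccessRule r in rules)
        {
            // Access mask must carry ADS_RIGHT_DS_CONTROL_ACCESS (0x100);
            // GenericAll includes that bit, so "Full Control" ACEs qualify too.
            if ((r.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) == 0) continue;
            // An inherit-only ACE exists for child objects and grants nothing here.
            if ((r.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            // Guid.Empty means the ACE covers every extended right, not just this one.
            if (r.ObjectType != right && r.ObjectType != Guid.Empty) continue;
            // Rules fetched with typeof(NTAccount) must be translated back to a SID;
            // rules fetched with typeof(SecurityIdentifier) pass straight through.
            var sid = r.IdentityReference as SecurityIdentifier
                      ?? (SecurityIdentifier)r.IdentityReference.Translate(typeof(SecurityIdentifier));
            if (tokenSids.Contains(sid)) matches.Add(r);
        }
        matches.Sort((a, b) =>
        {
            int tier = a.IsInherited.CompareTo(b.IsInherited);
            return tier != 0 ? tier : Rank(a).CompareTo(Rank(b));
        });
        return matches.Count > 0 && matches[0].AccessControlType == AccessControlType.Allow;
    }

    static int Rank(ActiveDirectoryAccessRule r) => r.AccessControlType == AccessControlType.Deny ? 0 : 1;

    // Live path: read the group's DACL (inherited ACEs included, trustees as raw
    // SIDs so an orphaned SID does not throw) and evaluate it for the user.
    public static bool CanSendTo(string groupSam, string userSam)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSam))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userSam))
        {
            var entry = (DirectoryEntry)group.GetUnderlyingObject();
            var rules = entry.ObjectSecurity
                             .GetAccessRules(true, true, typeof(SecurityIdentifier))
                             .Cast<ActiveDirectoryAccessRule>();
            return IsAllowed(rules, TokenSids(user), SendTo);
        }
    }

    static void Main()
    {
        // Constructed sample DACL; the S-1-5-21 SIDs are placeholders, not real accounts.
        var alice     = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");
        var bob       = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1106");
        var helpdesk  = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1200");
        var authUsers = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);

        var dacl = new List<ActiveDirectoryAccessRule>
        {
            // The ACE the asker saw: Authenticated Users may send to the group.
            new ActiveDirectoryAccessRule(authUsers, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, SendTo),
            // A deny on a group Alice belongs to; it outranks the allow above for her.
            new ActiveDirectoryAccessRule(helpdesk, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, SendTo),
            // Alice holds Send-As, a different extended right that must not count as Send-To.
            new ActiveDirectoryAccessRule(alice, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, SendAs),
        };

        var aliceToken = new HashSet<SecurityIdentifier> { alice, helpdesk, authUsers };
        var bobToken   = new HashSet<SecurityIdentifier> { bob, authUsers };
        Console.WriteLine("alice Send-To: " + IsAllowed(dacl, aliceToken, SendTo));
        Console.WriteLine("bob   Send-To: " + IsAllowed(dacl, bobToken, SendTo));
    }
}
```

Alice is refused because the explicit deny on her helpdesk group sorts ahead of the Authenticated Users allow, while Bob, who is only in the token through Authenticated Users, is allowed. The sort also reproduces the canonical-order rule that an explicit allow beats an inherited deny; rules built with the public constructor are never inherited, so that tier only comes into play on the live path. Note that this mirrors the DACL alone: owner rights and privileges such as SeTakeOwnership are outside what an ACE walk can tell you.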