I am trying to link accounts to a group with the "send-to" extended right.
ActiveDirectorySecurity ads = myGroup.ObjectSecurity;
// Explicit (non-inherited) rules only, trustees resolved to NTAccount names
foreach (ActiveDirectoryAccessRule ar in ads.GetAccessRules(true, false, typeof(NTAccount)))
{
    // ab721a55-... is the GUID of the Exchange "Send To" extended right
    if (ar.ObjectType.ToString() == "ab721a55-1e2f-11d0-9819-00aa0040529b")
    {
        Console.WriteLine(ar.IdentityReference);
    }
}
The problem is that IdentityReference holds "NT AUTHORITY\Authenticated Users" rather than the account I am looking for.
How do I get it?
I know it should be possible, because PowerShell can do it.
Get-ADPermission -identity myGroup | where {($_.ExtendedRights -like "*Send*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-List *
Answer 0: (score: 0)
You are getting the list of permissions, but that does not determine effective access / actual access (if there is a deny somewhere). Just want to make sure you know that.
According to MSDN, when retrieving access rules the target type must be one that can be cast to a SecurityIdentifier object. (I recommend using that, in case it can no longer be resolved; you will always be left with a SID instead of an error.)
For more information: DirectoryObjectSecurity.GetAccessRules Method
I prefer using "Format-Table -AutoSize" instead of "| Format-List *".
Get-ADPermission -identity myGroup | where {($_.ExtendedRights -like "*Send*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-Table -AutoSize
Here is some helper code:
//REFERENCES
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Security.AccessControl;
//END OF REFERENCES
//Exchange Shell Command:
//Get-ADPermission -identity "<AD Distinguished Name>" | where {($_.ExtendedRights -like "*Send*") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Format-Table -AutoSize
string groupSAMAccountName = "YOUR_GROUP_NAME";
GroupPrincipal pGroup = GroupPrincipal.FindByIdentity(new PrincipalContext(ContextType.Domain), IdentityType.SamAccountName, groupSAMAccountName);
if (pGroup == null)
{
    throw new InvalidOperationException("Group not found: " + groupSAMAccountName);
}
DirectoryEntry deGroup = pGroup.GetUnderlyingObject() as DirectoryEntry;
//Extended Rights Reference - https://technet.microsoft.com/en-us/library/ff405676.aspx
//Exchange right: allows sending mail as the mailbox.
Guid exRight_SendAs = new Guid("{ab721a54-1e2f-11d0-9819-00aa0040529b}"); //GUID has 54
//Exchange right: allows sending to a mailbox.
Guid exRight_SendTo = new Guid("{ab721a55-1e2f-11d0-9819-00aa0040529b}"); //GUID has 55
ActiveDirectorySecurity ads = deGroup.ObjectSecurity;
//Explicit and inherited rules; trustees are returned as raw SIDs so an unresolvable SID does not throw
AuthorizationRuleCollection rules = ads.GetAccessRules(true, true, typeof(SecurityIdentifier));
List<ActiveDirectoryAccessRule> exRight_SendTo_Rules = new List<ActiveDirectoryAccessRule>();
foreach (ActiveDirectoryAccessRule ar in rules)
{
    //Goal - get all entries that are classified as exRight_SendTo
    if (ar.ObjectType.Equals(exRight_SendTo))
    {
        exRight_SendTo_Rules.Add(ar);
    }
}
//This is where you would need to get all the SIDs of the groups an account is a member of to filter down which rules apply to your account.
//You would probably want to include the Everyone SID and the Authenticated Users SID as well.
//From there you would bitwise operate each rule all over the place to determine if you actually have access granted on an account.
//Just because an entry has ALLOW Send-As doesn't mean that's your EFFECTIVE ACCESS... you don't know if another entry for another group you belong to has DENY.
foreach (ActiveDirectoryAccessRule ar in exRight_SendTo_Rules)
{
    string friendlyName = "";
    try
    {
        //Resolve the SID to DOMAIN\name; fall back to the raw SID if it no longer resolves
        friendlyName = ar.IdentityReference.Translate(typeof(NTAccount)).Value;
    }
    catch (IdentityNotMappedException)
    {
        friendlyName = "[Unable to resolve] SID " + ar.IdentityReference.Value;
    }
    string ar_Result = string.Format(@"Identity={0}, User={1}, Deny={2}, Inherited={3}",
        pGroup.DistinguishedName,
        friendlyName,
        (ar.AccessControlType == AccessControlType.Deny).ToString(),
        ar.IsInherited);
    Console.WriteLine(ar_Result);
    System.Diagnostics.Debug.WriteLine(ar_Result);
}
If this helped, remember to upvote!
Edit:
"When using an extended right ACE, the ADS_RIGHT_DS_CONTROL_ACCESS right must be assigned to the AccessMask."
That is 0x100... which means it is ActiveDirectoryRights.ExtendedRight
ActiveDirectoryRights test = (ActiveDirectoryRights)0x100;
I don't know whether it is enforced if you don't set it:
ar.ActiveDirectoryRights = ActiveDirectoryRights.ExtendedRight;
So if you look at the entries, I don't know whether you will find any extended-right ACEs without this value. I think that if it doesn't have the extended-right flag, it should be ignored.
Edit #2: The correct logical approach is to get all permissions with "EXTENDEDRIGHT", then compare the ObjectType GUID; you also have to include the entries with the empty GUID {00000000-0000-0000-0000-000000000000}, because they apply to all extended rights.... Then you filter which entries apply to the specific account by matching all the SIDs the account belongs to, then you merge the applicable ones and see whether the account ends up allowed or denied.
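The procedure sketched in Edit #2 (keep only ACEs with the 0x100 ADS_RIGHT_DS_CONTROL_ACCESS bit, match the right's GUID or the empty GUID, keep the ACEs whose trustee is one of the account's SIDs including Everyone and Authenticated Users, then let a Deny win over an Allow) can be tried offline without a domain. The block below is an added example, not code from the question or the answer; it models an ACE as a small record, uses a constructed DACL and constructed domain SIDs (only RID 513, Domain Users, is a real well-known RID), and assumes the DACL is evaluated in canonical order (explicit deny, explicit allow, inherited deny, inherited allow). It ignores the inheritance flags and InheritedObjectType that a real ACE also carries, and only answers single-right questions such as "does this account have Send As on this group". `grantees` answers the original question (who has an ACE for Send To), `effective_extended_right` answers the effective-access question the answer raises.

```python
"""Offline evaluation of Exchange extended-right ACEs on an AD object (added example)."""
from dataclasses import dataclass
from uuid import UUID

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # ActiveDirectoryRights.ExtendedRight
NULL_GUID = UUID("00000000-0000-0000-0000-000000000000")  # covers every extended right
SEND_AS = UUID("ab721a54-1e2f-11d0-9819-00aa0040529b")    # Exchange "Send As"
SEND_TO = UUID("ab721a55-1e2f-11d0-9819-00aa0040529b")    # Exchange "Send To"

# Well-known SIDs present in every authenticated principal's token
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"

# Constructed domain SID and RIDs; only RID 513 (Domain Users) is a real well-known RID
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = DOMAIN + "-513"
SVC_MAILER = DOMAIN + "-1105"      # constructed service account
ALICE = DOMAIN + "-1106"           # constructed user
NO_RELAY_GROUP = DOMAIN + "-1200"  # constructed group that is denied all extended rights


@dataclass(frozen=True)
class Ace:
    trustee_sid: str
    access_mask: int
    object_type: UUID   # NULL_GUID means "all extended rights"
    deny: bool
    inherited: bool


# Constructed DACL of the group, deliberately listed out of canonical order
SAMPLE_DACL = [
    Ace(AUTHENTICATED_USERS, 0x100, SEND_TO, deny=False, inherited=False),
    Ace(SVC_MAILER, 0x100, SEND_AS, deny=False, inherited=False),
    Ace(DOMAIN_USERS, 0x100, SEND_AS, deny=False, inherited=True),
    Ace(NO_RELAY_GROUP, 0x100, NULL_GUID, deny=True, inherited=False),
    # Same GUID but without the 0x100 bit: not an extended-right ACE, must be ignored
    Ace(ALICE, 0x20, SEND_AS, deny=False, inherited=False),
]


def token(user_sid, *group_sids):
    """SIDs an access check compares against: the user, its groups, Everyone, Authenticated Users."""
    return frozenset((user_sid, EVERYONE, AUTHENTICATED_USERS) + group_sids)


def grantees(aces, right_guid):
    """What the question asked for: every trustee with an ACE for this extended right.
    Returns (sid, 'Allow'|'Deny') pairs in DACL order; NULL_GUID ACEs count because they cover all rights."""
    return [(a.trustee_sid, "Deny" if a.deny else "Allow")
            for a in aces
            if a.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS
            and a.object_type in (NULL_GUID, right_guid)]


def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow: the order a canonical
    DACL is stored in, and therefore the order Windows walks it. The sort is stable, so
    ACEs within one group keep their relative position."""
    return sorted(aces, key=lambda a: (a.inherited, not a.deny))


def effective_extended_right(aces, principal_sids, right_guid):
    """'Allow', 'Deny', or 'NoAce' (nothing matched, so the right is implicitly denied).
    For a single requested right the first applicable ACE in evaluation order decides."""
    for ace in canonical_order(aces):
        if not ace.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            continue                       # not an extended-right ACE (the 0x100 check from the Edit)
        if ace.object_type not in (NULL_GUID, right_guid):
            continue                       # some other extended right
        if ace.trustee_sid not in principal_sids:
            continue                       # trustee is not the account or one of its groups
        return "Deny" if ace.deny else "Allow"
    return "NoAce"


if __name__ == "__main__":
    print("Send To grantees:", grantees(SAMPLE_DACL, SEND_TO))
    print("alice Send As:", effective_extended_right(
        SAMPLE_DACL, token(ALICE, DOMAIN_USERS, NO_RELAY_GROUP), SEND_AS))
    print("svc-mailer Send As:", effective_extended_right(
        SAMPLE_DACL, token(SVC_MAILER, DOMAIN_USERS), SEND_AS))
```

Two things the sample makes visible: the Send To grantee really is "Authenticated Users", which is exactly what the question's loop printed, so listing ACEs tells you which group was granted the right, not which individual accounts end up with it; and alice, who would be allowed Send As through the inherited Domain Users ACE, is denied as soon as the explicit NULL_GUID Deny on one of her groups is considered, which is why the canonical ordering matters before the first match is taken.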