Bytes | Software Development & Data Engineering Community

How to set Extended Rights in Active Directory ACL

Hello!

Thanks to the help in this newsgroup I am now able to set basic rights on a
computer account in Active Directory.

The following C# code works fine:
-----------------------------------------------------

using System;
using System.DirectoryServices;
using System.Security.AccessControl;   // AccessControlType
using System.Security.Principal;

string strMemberString = "LDAP://OU=Test,DC=Domainname,DC=local";
using (DirectoryEntry computers = new DirectoryEntry(strMemberString))
{
    // Parts of the security descriptor to fetch and write back. Sacl needs
    // SeSecurityPrivilege on the caller; drop it if only the DACL is edited.
    computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
        | SecurityMasks.Dacl | SecurityMasks.Sacl;

    foreach (DirectoryEntry computer in computers.Children)
    {
        if (computer.Name != "CN=TestComp")
            continue;

        ActiveDirectorySecurity sdc = computer.ObjectSecurity;
        NTAccount account = new NTAccount("Domainname\\XYZ");
        SecurityIdentifier sid =
            (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

        // ExtendedRight without an object GUID is "All Extended Rights";
        // GenericRead covers List Contents, Read All Properties and Read Permissions.
        ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(sid,
            ActiveDirectoryRights.ExtendedRight | ActiveDirectoryRights.GenericRead,
            AccessControlType.Allow);
        sdc.SetAccessRule(rule);
        computer.CommitChanges();
    }
}

-------------------------------------------------------

My job is to create a managed computer account so the computer can be
installed with RIS.
The final ACL of the computer account should be exactly the same as when
creating the account via the "AD Users and Computers" tool.

If I set up a managed computer account via AD Users and Computers, the ACL
shows the following rights for the designated user:
- Allow "List Contents"
- Allow "Read All Properties"
- Allow "Delete"
- Allow "Delete Subtree"
- Allow "Read Permissions"
- Allow "All Extended Rights"
- Allow "Allowed to Authenticate"
- Allow "Change Password"
- Allow "Receive As"
- Allow "Reset Password"
- Allow "Send As"
- Allow "Write Account Restrictions"
- Allow "Validated write to DNS host name"
- Allow "Validated write to service principal name"
- Allow "Write Computer name (pre-Windows 2000)"

Most of these rights are listed in the extended rights list in the
MSDN documentation
(http://msdn.microsoft.com/library/de...ed_rights.asp).

How can I set these extended rights? Is it possible to extend the code above
to do this job?

Thanks for help!
Sep 3 '06 #1
Hi Martin,

Currently I am researching the issue and I will reply to you ASAP.
Best regards,

Peter Huang

Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Sep 5 '06 #2
Hallo Peter,

that's fine. Thanks for your efforts.
I'll wait for your answer.


Sep 5 '06 #3

Well, to set Extended Rights you will have to call native ADSI functions
through the ADSI COM library. But the question is why you want to set
these on machine account objects (most only apply to regular user, group
and OU objects) and which one(s) you are thinking about.
If you could give some more details on this, I could try to post a sample.

Willy.

Sep 5 '06 #4
Hello Willy,

thanks for your answer. The problem is that (due to security issues) the
result has to be exactly the same as it is when the computer account is
generated via "AD Users and Computers".
I wrote them down in detail in this request.

Is it possible to send files here? (I am using the web interface).
I would like to send you a screenshot with the original settings, generated
by AD-User & Computers.

Thanks in advance

Sep 5 '06 #5
Hi Martin,

Based on my research, here is the code snippet for your reference.

NOTE: You need to add references to System.DirectoryServices and the Active
Directory Type Library (COM).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
using System.DirectoryServices;

const string SENDAS = "{ab721a54-1e2f-11d0-9819-00aa0040529b}";   // rightsGuid of Send-As
string strTrustee = @"testdomain\testaccount";

string ldapString = "LDAP://testdomain/ou=TestOU,dc=testdomain,dc=net";

DirectoryEntry objRoot = new DirectoryEntry(ldapString);
DirectoryEntry objComputer =
    objRoot.Children.Add("cn=TestComputer", "computer");
objComputer.CommitChanges();

ActiveDs.SecurityDescriptor sd =
    (ActiveDs.SecurityDescriptor)objComputer.Properties["ntSecurityDescriptor"].Value;
ActiveDs.AccessControlList dacl =
    (ActiveDs.AccessControlList)sd.DiscretionaryAcl;
ActiveDs.AccessControlEntry ace = new ActiveDs.AccessControlEntryClass();
ace.Trustee = strTrustee;
// An extended right is granted with the CONTROL_ACCESS bit scoped by the
// right's GUID; that is the entry ADUC writes for "Send As". GENERIC_ALL in
// this mask would grant far more than Send As.
ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
ace.AceType =
    (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
ace.AceFlags = 0;   // no inheritance flags: "This object only", as ADUC sets it on a computer
// Flags = 0x1 tells the DC that ObjectType carries a valid GUID.
ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
ace.ObjectType = SENDAS;
dacl.AddAce(ace);
sd.DiscretionaryAcl = dacl;
objComputer.Properties["ntSecurityDescriptor"].Value = sd;
objComputer.CommitChanges();
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The code above will add a computer account into TestOU and grant the account
"testdomain\testaccount" the Send As permission on TestComputer.

For the GUIDs of the other permissions you may check the link in your last
post.
http://msdn.microsoft.com/library/de...us/adschema/adschema/r_send_as.asp
Best regards,

Peter Huang


Sep 6 '06 #6
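An added example (my code, not Peter's and not Microsoft's) that builds the same kind of object ACE as the ADSI snippet above, but with System.Security.AccessControl so it runs on any machine without a domain. It round-trips the ACE through the binary form that is stored in ntSecurityDescriptor and then checks whether the entry has the shape ADUC writes for a single extended right: the object type GUID present and an access mask of exactly CONTROL_ACCESS. The Send-As GUID is the one from the post above; the trustee (Everyone) and the class name are placeholders chosen for the demonstration.

```csharp
// Added example: object ACE construction and shape check, offline.
// Assumption: the trustee is "Everyone" purely for the demonstration.
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class ExtendedRightAceCheck
{
    // ADS_RIGHTS_ENUM values used below (same numbers as the ActiveDs enum).
    const int AdsRightDsControlAccess = 0x100;       // ADS_RIGHT_DS_CONTROL_ACCESS
    const int AdsRightGenericAll      = 0x10000000;  // ADS_RIGHT_GENERIC_ALL

    // rightsGuid of the Send-As control access right, from the post above.
    static readonly Guid SendAs = new Guid("ab721a54-1e2f-11d0-9819-00aa0040529b");

    // ACCESS_ALLOWED_OBJECT_ACE for one trustee: the ObjectType GUID is
    // present and no inheritance flags are set ("This object only").
    public static ObjectAce BuildAce(SecurityIdentifier sid, int accessMask, Guid objectType)
    {
        return new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, accessMask, sid,
                             ObjectAceFlags.ObjectAceTypePresent, objectType, Guid.Empty,
                             false, null);
    }

    // Serialises the ACE into a DS-revision ACL (the form stored in
    // ntSecurityDescriptor) and parses it back, as a DC would read it.
    public static ObjectAce RoundTrip(ObjectAce ace)
    {
        RawAcl acl = new RawAcl(GenericAcl.AclRevisionDS, 1);
        acl.InsertAce(0, ace);
        byte[] binary = new byte[acl.BinaryLength];
        acl.GetBinaryForm(binary, 0);
        return (ObjectAce)new RawAcl(binary, 0)[0];
    }

    // True when the ACE looks like what ADUC writes for one extended right:
    // allow ACE, object type present and equal to the right, mask == CONTROL_ACCESS.
    public static bool IsSingleExtendedRightGrant(ObjectAce ace, Guid right)
    {
        return ace.AceQualifier == AceQualifier.AccessAllowed
            && (ace.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) != 0
            && ace.ObjectAceType == right
            && ace.AccessMask == AdsRightDsControlAccess;
    }

    static void Main()
    {
        SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);

        // The mask the ADSI snippet used (GENERIC_ALL) versus the mask ADUC
        // writes for "Send As" (CONTROL_ACCESS), both scoped by the same GUID.
        ObjectAce genericAll = RoundTrip(BuildAce(everyone, AdsRightGenericAll, SendAs));
        ObjectAce controlAccess = RoundTrip(BuildAce(everyone, AdsRightDsControlAccess, SendAs));

        Console.WriteLine("GENERIC_ALL + Send-As GUID is a plain Send As grant: {0}",
                          IsSingleExtendedRightGrant(genericAll, SendAs));
        Console.WriteLine("CONTROL_ACCESS + Send-As GUID is a plain Send As grant: {0}",
                          IsSingleExtendedRightGrant(controlAccess, SendAs));
    }
}
```

The same check can be run over the DACL read back from a real object (RawAcl accepts the ntSecurityDescriptor bytes via CommonSecurityDescriptor), which is the quickest way to confirm that a programmatically created entry matches the one ADUC produces.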
Peter,

The v2 FCL has built-in support for this, no need to use ADSI (ActiveDs) any
longer.

Here is a sample that sets SENDAS on an existing computer account object for
'Everyone'.

using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

bool modified = false;
using (DirectoryEntry computers = new
    DirectoryEntry("LDAP://testdomain/ou=TestOU,dc=testdomain,dc=net"))
{
    computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
        | SecurityMasks.Dacl | SecurityMasks.Sacl;   // Sacl needs SeSecurityPrivilege

    foreach (DirectoryEntry computer in computers.Children)
    {
        if (computer.Name == "CN=Testcomputer")
        {
            ActiveDirectorySecurity sdc = computer.ObjectSecurity;
            // Sample trustee only; grant to the real account in production.
            NTAccount account = new NTAccount("Everyone");
            // Send-As rightsGuid; pass Guid.Empty instead for "All Extended Rights".
            ExtendedRightAccessRule erar = new ExtendedRightAccessRule(account,
                AccessControlType.Allow,
                new Guid("ab721a54-1e2f-11d0-9819-00aa0040529b"));

            // Add only; SetAccessRule would first drop the other Allow entries
            // this trustee already has on the object.
            sdc.ModifyAccessRule(AccessControlModification.Add, erar, out modified);
            computer.CommitChanges();
            Console.WriteLine("Success? {0}", modified);
        }
    }
}

If you set the Guid argument to Guid.Empty, all extended rights are set, and
I guess this is what the OP is after.

Willy.

Sep 6 '06 #7
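An added example (my code, not Willy's, not the OP's and not Microsoft's) that builds the complete ADUC "managed computer" entry list from the original question for one trustee with the .NET 2.0 System.DirectoryServices API Willy describes, and then dumps the explicit DACL entries for that trustee so the result can be compared with an account created in ADUC. Instead of hard-coding rights GUIDs it resolves them from the forest's own Extended-Rights container and schema; "All Extended Rights" is expressed as an ExtendedRightAccessRule with Guid.Empty, exactly as Willy suggests. The LDAP path, trustee and computer name are the placeholders from the question, and the ADUC display names passed to RuleFor are assumed to match the controlAccessRight displayName values of a default schema.

```csharp
// Added example: replicate the ADUC "managed computer" ACL for one trustee
// and read the DACL back. Placeholders (assumed): the LDAP path, trustee and
// computer name below come from the question, not from a real forest.
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class ManagedComputerAcl
{
    // Runs one search under a naming context named by a RootDSE attribute and
    // returns the single hit, so GUIDs come from this forest, not a constant.
    static SearchResult FindOne(string rootDseAttr, string prefix, string filter, string[] attrs)
    {
        string nc;
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
            nc = (string)rootDse.Properties[rootDseAttr].Value;
        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + prefix + nc))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter, attrs))
        {
            SearchResult result = searcher.FindOne();
            if (result == null) throw new ArgumentException("no object matches " + filter);
            return result;
        }
    }

    // Resolves an ADUC display name to its controlAccessRight and builds the
    // matching rule. validAccesses says which access-mask bit the GUID goes
    // with: 0x100 extended right, 0x8 validated write, 0x20 property-set write.
    // displayName is assumed to contain no LDAP filter metacharacters.
    static ActiveDirectoryAccessRule RuleFor(SecurityIdentifier sid, string displayName)
    {
        SearchResult r = FindOne("configurationNamingContext", "CN=Extended-Rights,",
            "(&(objectClass=controlAccessRight)(displayName=" + displayName + "))",
            new string[] { "rightsGuid", "validAccesses" });
        Guid rightsGuid = new Guid((string)r.Properties["rightsguid"][0]);
        int validAccesses = (int)r.Properties["validaccesses"][0];

        if ((validAccesses & 0x100) != 0)
            return new ExtendedRightAccessRule(sid, AccessControlType.Allow, rightsGuid);
        if ((validAccesses & 0x8) != 0)
            return new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.Self,
                                                 AccessControlType.Allow, rightsGuid);
        if ((validAccesses & 0x20) != 0)
            return new PropertyAccessRule(sid, AccessControlType.Allow, PropertyAccess.Write, rightsGuid);
        throw new ArgumentException(displayName + ": unexpected validAccesses " + validAccesses);
    }

    // schemaIDGUID of an attribute, for a write-property entry such as
    // "Write Computer name (pre-Windows 2000)" (the sAMAccountName attribute).
    static Guid AttributeGuid(string ldapDisplayName)
    {
        SearchResult r = FindOne("schemaNamingContext", "",
            "(&(objectClass=attributeSchema)(lDAPDisplayName=" + ldapDisplayName + "))",
            new string[] { "schemaIDGUID" });
        return new Guid((byte[])r.Properties["schemaidguid"][0]);
    }

    public static void GrantManagedComputerRights(string computerPath, string trustee)
    {
        SecurityIdentifier sid =
            (SecurityIdentifier)new NTAccount(trustee).Translate(typeof(SecurityIdentifier));
        using (DirectoryEntry computer = new DirectoryEntry(computerPath))
        {
            computer.Options.SecurityMasks = SecurityMasks.Dacl;   // no SACL, no SeSecurityPrivilege needed
            ActiveDirectorySecurity sd = computer.ObjectSecurity;

            // List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions.
            sd.AddAccessRule(new ActiveDirectoryAccessRule(sid,
                ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty |
                ActiveDirectoryRights.Delete | ActiveDirectoryRights.DeleteTree |
                ActiveDirectoryRights.ReadControl, AccessControlType.Allow));

            // All Extended Rights: CONTROL_ACCESS with an empty GUID, which also
            // covers Change/Reset Password, Send As, Receive As, Allowed to Authenticate.
            sd.AddAccessRule(new ExtendedRightAccessRule(sid, AccessControlType.Allow, Guid.Empty));

            // GUID-scoped entries, resolved by their ADUC display names.
            sd.AddAccessRule(RuleFor(sid, "Account Restrictions"));
            sd.AddAccessRule(RuleFor(sid, "Validated write to DNS host name"));
            sd.AddAccessRule(RuleFor(sid, "Validated write to service principal name"));
            sd.AddAccessRule(new PropertyAccessRule(sid, AccessControlType.Allow,
                PropertyAccess.Write, AttributeGuid("sAMAccountName")));

            computer.CommitChanges();
        }
    }

    // Explicit (non-inherited) DACL entries for one trustee, the same view as
    // the ADUC Security tab, to diff against a hand-made managed account.
    public static void DumpExplicitRules(string computerPath, string trustee)
    {
        using (DirectoryEntry computer = new DirectoryEntry(computerPath))
        {
            computer.Options.SecurityMasks = SecurityMasks.Dacl;
            foreach (ActiveDirectoryAccessRule r in
                     computer.ObjectSecurity.GetAccessRules(true, false, typeof(NTAccount)))
            {
                if (!string.Equals(r.IdentityReference.Value, trustee, StringComparison.OrdinalIgnoreCase))
                    continue;
                Console.WriteLine("{0} {1} objectType={2} inheritance={3}",
                    r.AccessControlType, r.ActiveDirectoryRights, r.ObjectType, r.InheritanceType);
            }
        }
    }

    static void Main()
    {
        string computerPath = "LDAP://CN=TestComp,OU=Test,DC=Domainname,DC=local";  // placeholder
        string trustee = "Domainname\\XYZ";                                         // placeholder
        GrantManagedComputerRights(computerPath, trustee);
        DumpExplicitRules(computerPath, trustee);
    }
}
```

Run DumpExplicitRules against both the scripted account and one created in ADUC for the same trustee; the two listings should agree entry for entry (rights, object type GUID and inheritance), which is the comparison the original question asks for.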
See my reply to Peter's last posting.
But still I don't understand what you are trying to achieve; computer
account objects have several ACEs. Which entry are you looking at, and which
one do you want to have extended rights?
Normally, when you create a computer account using .NET, the account is
created with the same defaults (same entries) as done by the AD tool.

Willy.

Sep 6 '06 #8
Hi Willy,

Yes, you are right, the .NET Framework 2.0 provides more support for AD.
Thanks for your knowledge sharing.

For Martin, I am sorry I did not mention in my last post that this is a
.NET 1.1 solution.
Anyway, if you still have any concern on this issue, please feel free to
post here.
I think the community and I will be glad to be of assistance.

Best regards,

Peter Huang


Sep 7 '06 #9
Willy,

Thank you very much for your answer.
I'll test it and will rate your answer afterwards.

Sep 7 '06 #10
Peter,

Thank you very much for your efforts. I'm sure your answer will be helpful
for someone.
I'm going to test Willy's solution.


Sep 7 '06 #11
