当前位置：文江博客话题详情

HOWTO - 设置委派的 Active Directory 权限

发布于 2024-07-08 17:28:22 字数 292 浏览 7 评论 0原文

我创建了 ac# webservice，它允许我们的前端支持团队使用 system.directoryservices 查看和更新一些选定的 Active Directory 值。

我要更新的字段是 [职位] 职称、部门、电话和员工 ID。

我可以使用具有“代表权限”的服务帐户来更新[职位]职称、部门、电话等。但是当我尝试更新员工 ID 时，我收到一条“未经授权”的错误消息。

如果我使用域管理员帐户，那么相同的代码可以正常工作。

我不想为此网络服务使用域管理员帐户，那么我需要什么权限？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

被你宠の有点坏 2024-07-15 17:28:22

答案

ADS_SCHEMA_ID_GUID_USER GUID 允许您更新基本用户类详细信息，包括员工 ID

基于 MSDN 文章

用于向服务帐户用户授予所选委派权限的 vbscript：

REM #
REM # Delegate AD property set admin rights to named account
REM # Based on: http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx
REM #

Const TRUSTEE_ACCOUNT_SAM           = "ad\ADStaffUpdates"

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT     = &H5
Const ADS_RIGHT_DS_READ_PROP            = &H10
Const ADS_RIGHT_DS_WRITE_PROP           = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT      = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT    = &H2
Const ADS_ACEFLAG_INHERIT_ACE           = &H2

Const ADS_SCHEMA_ID_GUID_USER           = "{bf967aba-0de6-11d0-a285-00aa003049e2}"
Const ADS_SCHEMA_ID_GUID_PS_PERSONAL        = "{77b5b886-944a-11d1-aebd-0000f80367c1}"
Const ADS_SCHEMA_ID_GUID_PS_PUBLIC      = "{e48d0154-bcf8-11d1-8702-00c04fb96050}"

ad_setUserDelegation    "OU=USERS, DC=AD, DC=COM", TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_USER
ad_setUserDelegation    "OU=USERS, DC=AD, DC=COM", TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_PERSONAL
ad_setUserDelegation    "OU=USERS, DC=AD, DC=COM", TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_PUBLIC

Function ad_setUserDelegation(          _
        ByVal   strOU           _
        ,ByVal  strTrusteeAccount   _
        ,ByVal  strSchema_GUID      _
        )

    Set objSdUtil           = GetObject( "LDAP://" & strOU )

    Set objSD           = objSdUtil.Get( "ntSecurityDescriptor" )
    Set objDACL             = objSD.DiscretionaryACL

    Set objAce          = CreateObject( "AccessControlEntry" )

    objAce.Trustee          = strTrusteeAccount
    objAce.AceFlags         = ADS_ACEFLAG_INHERIT_ACE
    objAce.AceType          = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.Flags            = ADS_FLAG_OBJECT_TYPE_PRESENT OR ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

    objAce.ObjectType       = strSchema_GUID

    objACE.InheritedObjectType  = ADS_SCHEMA_ID_GUID_USER
    objAce.AccessMask       = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_WRITE_PROP
    objDacl.AddAce          objAce

    objSD.DiscretionaryAcl      = objDacl

    objSDUtil.Put           "ntSecurityDescriptor", Array( objSD )
    objSDUtil.SetInfo

End Function


Function ad_revokeUserDelegation(       _
        ByVal   strOU           _
        ,ByVal  strTrusteeAccount   _
        )

    Set objSdUtil           = GetObject( "LDAP://" & strOU )

    Set objSD           = objSdUtil.Get( "ntSecurityDescriptor" )
    Set objDACL             = objSD.DiscretionaryACL

    For Each objACE in objDACL
        If UCase(objACE.Trustee) = UCase(strTrusteeAccount) Then
                objDACL.RemoveAce objACE
        End If
    Next

    objSDUtil.Put           "ntSecurityDescriptor", Array(objSD)
    objSDUtil.SetInfo

End Function

ANSWER

The ADS_SCHEMA_ID_GUID_USER GUID allows you to update the base user class details, including the employee id

Based on MSDN article

The vbscript used to grant to the service account user the selected delegated rights:

REM #
REM # Delegate AD property set admin rights to named account
REM # Based on: http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx
REM #

Const TRUSTEE_ACCOUNT_SAM           = "ad\ADStaffUpdates"

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT     = &H5
Const ADS_RIGHT_DS_READ_PROP            = &H10
Const ADS_RIGHT_DS_WRITE_PROP           = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT      = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT    = &H2
Const ADS_ACEFLAG_INHERIT_ACE           = &H2

Const ADS_SCHEMA_ID_GUID_USER           = "{bf967aba-0de6-11d0-a285-00aa003049e2}"
Const ADS_SCHEMA_ID_GUID_PS_PERSONAL        = "{77b5b886-944a-11d1-aebd-0000f80367c1}"
Const ADS_SCHEMA_ID_GUID_PS_PUBLIC      = "{e48d0154-bcf8-11d1-8702-00c04fb96050}"

ad_setUserDelegation    "OU=USERS, DC=AD, DC=COM", TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_USER
ad_setUserDelegation    "OU=USERS, DC=AD, DC=COM", TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_PERSONAL
ad_setUserDelegation    "OU=USERS, DC=AD, DC=COM", TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_PUBLIC

Function ad_setUserDelegation(          _
        ByVal   strOU           _
        ,ByVal  strTrusteeAccount   _
        ,ByVal  strSchema_GUID      _
        )

    Set objSdUtil           = GetObject( "LDAP://" & strOU )

    Set objSD           = objSdUtil.Get( "ntSecurityDescriptor" )
    Set objDACL             = objSD.DiscretionaryACL

    Set objAce          = CreateObject( "AccessControlEntry" )

    objAce.Trustee          = strTrusteeAccount
    objAce.AceFlags         = ADS_ACEFLAG_INHERIT_ACE
    objAce.AceType          = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.Flags            = ADS_FLAG_OBJECT_TYPE_PRESENT OR ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

    objAce.ObjectType       = strSchema_GUID

    objACE.InheritedObjectType  = ADS_SCHEMA_ID_GUID_USER
    objAce.AccessMask       = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_WRITE_PROP
    objDacl.AddAce          objAce

    objSD.DiscretionaryAcl      = objDacl

    objSDUtil.Put           "ntSecurityDescriptor", Array( objSD )
    objSDUtil.SetInfo

End Function


Function ad_revokeUserDelegation(       _
        ByVal   strOU           _
        ,ByVal  strTrusteeAccount   _
        )

    Set objSdUtil           = GetObject( "LDAP://" & strOU )

    Set objSD           = objSdUtil.Get( "ntSecurityDescriptor" )
    Set objDACL             = objSD.DiscretionaryACL

    For Each objACE in objDACL
        If UCase(objACE.Trustee) = UCase(strTrusteeAccount) Then
                objDACL.RemoveAce objACE
        End If
    Next

    objSDUtil.Put           "ntSecurityDescriptor", Array(objSD)
    objSDUtil.SetInfo

End Function

回复收藏 0 原文

作死小能手 2024-07-15 17:28:22

代码示例（至少是移动部分）

string distinguishedname = "CN=Wicks\, Guy,OU=Users,DC=ad,DC=com"
using (DirectoryEntry myDirectoryEntry = new DirectoryEntry(string.Format("LDAP://{0}", distinguishedname), null, null, AuthenticationTypes.Secure))
{
    try
    {
        myDirectoryEntry.Username   = "serviceaccount";
        myDirectoryEntry.Password   = "pa55word";

        myDirectoryEntry.Properties["employeeid"][0]    = employeeID;
        myDirectoryEntry.CommitChanges();
        setresult.result        = myDirectoryEntry.Properties["employeeid"][0].ToString();
    }
    catch   ( Exception ex )
    {
        setresult.result        = ex.Message;
    }
} // end using

（我为我的 C# 表示歉意）

A sample of the code (the moving parts at least)

string distinguishedname = "CN=Wicks\, Guy,OU=Users,DC=ad,DC=com"
using (DirectoryEntry myDirectoryEntry = new DirectoryEntry(string.Format("LDAP://{0}", distinguishedname), null, null, AuthenticationTypes.Secure))
{
    try
    {
        myDirectoryEntry.Username   = "serviceaccount";
        myDirectoryEntry.Password   = "pa55word";

        myDirectoryEntry.Properties["employeeid"][0]    = employeeID;
        myDirectoryEntry.CommitChanges();
        setresult.result        = myDirectoryEntry.Properties["employeeid"][0].ToString();
    }
    catch   ( Exception ex )
    {
        setresult.result        = ex.Message;
    }
} // end using

(I do apologise for my c#)

回复收藏 0 原文