如何使用 C# 检查用户是否在 Active Directory 中具有写入权限?

发布于 2024-10-16 16:27:42 字数 137 浏览 7 评论 0原文

在我的 .NET 2.0 C# 应用程序中,我需要确定用户(使用密码)是否能够修改(写入)Active Directory 中的选项。我希望有一种方法可以使用 DirectoryEntry,而无需在 AD 中创建然后删除新对象。

感谢您的帮助。

In my .NET 2.0 C# applcation I need to determine if a user (with password) has ability to modify (write) option in Active Directory. I hope there is a way using DirectoryEntry without creating and then deleting new object in AD.

Thank you for your help.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

青巷忧颜 2024-10-23 16:27:43

就像奥利弗说的那样,自己很难做好这件事。由于权限可以通过 Active Directory 组传递到您的用户帐户,因此很难做到正确。因此,为了找出特定用户帐户的有效权限,您必须找出该用户所属的所有组。

幸运的是,Active Directory 有一种特殊类型的属性,称为构造属性。默认情况下,如果您使用 AD Explorer 或 ADSI Edit 来浏览对象,则不会显示这些类型的属性。在 ADSI Edit 中,您可以设置过滤器以包含这些构造的属性。这里有用的构造属性之一是allowedAttributesEffective。它是一个多值属性,包含当前用户有权写入的所有属性。它由 Active Directory 动态计算。它负责所有继承、拒绝覆盖和组权限。如果您有权写入 cn 属性,您将看到 cn 作为其中的值之一。

以下示例用于检查特定用户对 Active Directory 上特定对象的特定属性集是否具有写入权限。

static bool CheckWritePermission(string path, string username, string password, string[] properties)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        de.RefreshCache(new string[] {"allowedAttributesEffective"});
        return properties.All( property => de.Properties["allowedAttributesEffective"].Contains(property));
    }
}

是的,这不完全是你想要的。您要求检查用户是否具有 WriteAllProperties 权限。实际上,WriteAllProperties权限是对不同属性的写属性权限的集合。您可能需要做一些功课来找出您的应用程序真正关心的属性。然后,只需传入这些属性即可。

如果你真的不知道要检查哪些属性,这个应该足够了。

static bool CheckWritePermission(string path, string username, string password)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        de.RefreshCache(new string[] { "allowedAttributesEffective" });
        return de.Properties["allowedAttributesEffective"].Value != null;
    }            
}

在这里,我检查返回的 allowedAttributesEffective 是否为空。如果为 null,则意味着它没有任何权限写入任何属性。我假设您的管理员会授予所有写入属性权限或拒绝所有写入属性。我认为在大多数情况下这是一个有效的假设。

Like Olive said, it's difficult to do it right yourself. It's difficult to do right because the permissions can be passed onto your user account via Active Directory groups. So, in order to find out the effective permission for a particular user account, you have to find out all the groups the user belongs to.

Fortunately, Active Directory has a special type of attributes called constructed attributes. By default, if you are using AD Explorer or ADSI Edit to browse your object's, these kinds of attributes are not shown. In ADSI Edit, you can set the Filter to include these constructed attributes. One of the useful constructed attributes here is allowedAttributesEffective. It's a multi-value attribute and it contains all attributes that your current user has permission to write to. It's calculated by Active Directory on the fly. It takes care all the inheritance, deny override and group permissions. If you have permission to write to cn attribute, you will see cn as one of the values in it.

Here is a sample for checking a particular user has write permissions on a particular sets of attributes on a specific object on Active Directory.

static bool CheckWritePermission(string path, string username, string password, string[] properties)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        de.RefreshCache(new string[] {"allowedAttributesEffective"});
        return properties.All( property => de.Properties["allowedAttributesEffective"].Contains(property));
    }
}

Yes, it's not exactly what you want. You are asking to check if a user has WriteAllProperties permission. Actually, WriteAllProperties permission is a collection of write property permissions on different attributes. You may need to do some homework to find out what attributes your application really cares. Then, just pass in those attributes.

If you really have no idea what attributes to check, this one should be good enough

static bool CheckWritePermission(string path, string username, string password)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        de.RefreshCache(new string[] { "allowedAttributesEffective" });
        return de.Properties["allowedAttributesEffective"].Value != null;
    }            
}

Here, I am checking if the returned allowedAttributesEffective is null or not. If null, it means it doesn't have any permissions to write to any attributes. I am assuming your administrator would either grant all write properties permission or deny all write properties. I think this is a valid assumption in most cases.

许一世地老天荒 2024-10-23 16:27:43

正如您在 我的问题,似乎不可能简单地找出随机用户对 AD 中特定对象的权限。

如果有人知道简单的方法,请告诉我。

As you can see in my question, there seems no possibility to simply find out the rights of a random user to a specfic object within the AD.

If anyone knows for a simple way, please let me know.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文