向 Active Directory 中的对象读取/写入安全属性（与权利委派的工作方式相同）C#

发布于 2024-11-14 10:59:40 字数 176 浏览 3 评论 0原文

我正在寻找一种方法来读取和设置 Windows Server 2008+ 上 Active Directory 中的对象（OU 或用户/计算机）的安全权限。与使用 Active Directory 向导进行委派的方式相同吗？我希望能够选择 OU 并为其分配组并具有重置密码权限或能够创建/管理用户？

我怎样才能做到这一点？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

过潦 2024-11-21 10:59:40

因此，这里是一个简单的示例，允许域用户 'user1' 为 OU 'ForUser1' 中存在的用户重置密码，

/* Connection to Active Directory
 */
DirectoryEntry workingOU = new DirectoryEntry();
workingOU.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl;
workingOU.Path = "LDAP://WM2008R2ENT:389/ou=ForUser1,dc=dom,dc=fr";

/* Retreive Obect security
 */
ActiveDirectorySecurity adsOUSec = workingOU.ObjectSecurity;

/* Ellaborate the user to delegate
 */
NTAccount ntaToDelegate = new NTAccount("dom", "user1");
SecurityIdentifier sidToDelegate = (SecurityIdentifier)ntaToDelegate.Translate (typeof(SecurityIdentifier));

/* Specils Guids
 */
Guid UserForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529");
Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");
Guid pwdLastSetSchemaGuid = new Guid("bf967a0a-0de6-11d0-a285-00aa003049e2");

/* Ellaborate ACEs
 */
ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(ntaToDelegate, AccessControlType.Allow, UserForceChangePassword, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
PropertyAccessRule parPwdLastSetW = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Write, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
PropertyAccessRule parPwdLastSetR = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Read, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
adsOUSec.AddAccessRule(erarResetPwd);
adsOUSec.AddAccessRule(parPwdLastSetW);
adsOUSec.AddAccessRule(parPwdLastSetR);

workingOU.CommitChanges();

之后您需要：

a 查找 ExtendedRightAccessRule 的位置。

查找 Active-Directory 架构属性和类信息。

So here is a simple example that allow the domain user 'user1' to reset password for users presents in OU 'ForUser1'

/* Connection to Active Directory
 */
DirectoryEntry workingOU = new DirectoryEntry();
workingOU.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl;
workingOU.Path = "LDAP://WM2008R2ENT:389/ou=ForUser1,dc=dom,dc=fr";

/* Retreive Obect security
 */
ActiveDirectorySecurity adsOUSec = workingOU.ObjectSecurity;

/* Ellaborate the user to delegate
 */
NTAccount ntaToDelegate = new NTAccount("dom", "user1");
SecurityIdentifier sidToDelegate = (SecurityIdentifier)ntaToDelegate.Translate (typeof(SecurityIdentifier));

/* Specils Guids
 */
Guid UserForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529");
Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");
Guid pwdLastSetSchemaGuid = new Guid("bf967a0a-0de6-11d0-a285-00aa003049e2");

/* Ellaborate ACEs
 */
ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(ntaToDelegate, AccessControlType.Allow, UserForceChangePassword, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
PropertyAccessRule parPwdLastSetW = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Write, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
PropertyAccessRule parPwdLastSetR = new PropertyAccessRule(ntaToDelegate, AccessControlType.Allow, PropertyAccess.Read, pwdLastSetSchemaGuid, ActiveDirectorySecurityInheritance.Descendents, userSchemaGuid);
adsOUSec.AddAccessRule(erarResetPwd);
adsOUSec.AddAccessRule(parPwdLastSetW);
adsOUSec.AddAccessRule(parPwdLastSetR);

workingOU.CommitChanges();

After that you need :

a place to find ExtendedRightAccessRule.

a place to find Active-Directory schema attributes and classes informations.

回复收藏 0 原文

~没有更多了~