
Access Control List in C# 2.0

5 Oct 2006, CPOL
A tool to enumerate all access control list entries
Sample Image - ADPermissions.jpg

Introduction

I have created an ACL Viewer utility which does the following:

  1. Resolves SIDs in the current domain and trusted domains only. Currently it does not resolve SIDs from elsewhere in the forest, nor a few well-known SIDs
  2. Shows all the permissions assigned to a trustee
  3. Shows inheritance information
  4. Resolves every object GUID ==> to the property, property set or object type it names

Microsoft has developed a very good architecture for getting data out of Active Directory in .NET. However, I did not find a good document on the same. I did some R&D and created an ACL viewer, which I required to test my effective permission algorithm.

I will talk about effective permissions in my next article. This is just the beginning for permissions in Active Directory.

Algorithm

Input

  1. LDAP path of the Object
  2. Credentials => UserName and Password

Output

  • List all the permissions assigned on the given object

Algorithm

  1. Bind to the object using the credentials ==> use the DirectoryEntry class for this
  2. Get the security information from the object ==> this is an ActiveDirectorySecurity object
  3. Get the security descriptor from the security information ==> in SDDL format (basically a string representation)
  4. Get all the access rules, i.e. the access control entries ==> returned as an AuthorizationRuleCollection
  5. For each rule, resolve the SID and the object type
  6. Display all the entries to the user

Code

using System.DirectoryServices;      // DirectoryEntry, ActiveDirectorySecurity
using System.Security.AccessControl; // AccessControlSections, AuthorizationRuleCollection
using System.Security.Principal;     // NTAccount
// Bind with explicit credentials, then read the object's security descriptor
DirectoryEntry objDE = new DirectoryEntry(adPath, credUser, credPassword);
ActiveDirectorySecurity adSecurity = objDE.ObjectSecurity;
string sd = adSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
// Explicit and inherited rules, with each trustee translated to DOMAIN\name
AuthorizationRuleCollection rules =
    adSecurity.GetAccessRules(true, true, typeof(NTAccount));

The NTAccount class resolves SIDs in the current domain only. I have used the Win32 ::LookupAccountSid API to resolve SIDs in trusted domains and to resolve well-known SIDs.

To resolve object types, I read all the object-type GUIDs from Active Directory once and cache them. The code is really simple and you can figure it out very easily.
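The whole procedure, written out for this page as an added example (it is not the article's ACL Viewer source; the class and method names are mine, and the LDAP path, user name and password are whatever you pass on the command line). It asks for the rules as SecurityIdentifier rather than NTAccount so that one untranslatable trustee does not abort the enumeration, resolves each SID through NTAccount first and then the Win32 LookupAccountSid API, prints the inheritance information of each entry, and maps object-type GUIDs through a cache built from the schema partition's schemaIDGUID values and the rightsGuid values under CN=Extended-Rights in the configuration partition.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Added example, not the article's own ACL Viewer code. Class and method names are assumed.
class AclDump
{
    // Object-type GUID -> display name, filled once from the schema and Extended-Rights containers.
    static readonly Dictionary<Guid, string> guidNames = new Dictionary<Guid, string>();

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupAccountSid(string systemName, byte[] sid,
        StringBuilder name, ref uint cchName,
        StringBuilder domain, ref uint cchDomain, out int sidUse);

    static void Main(string[] args)
    {
        // Usage (constructed sample): AclDump "LDAP://CN=Users,DC=example,DC=com" DOMAIN\user password
        string adPath = args[0], credUser = args[1], credPassword = args[2];
        LoadGuidCache(credUser, credPassword);

        using (DirectoryEntry objDE = new DirectoryEntry(adPath, credUser, credPassword))
        {
            ActiveDirectorySecurity adSecurity = objDE.ObjectSecurity;
            Console.WriteLine("SDDL: " + adSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All));

            // Ask for raw SIDs: requesting NTAccount throws IdentityNotMappedException as soon as
            // one trustee (deleted account, unreachable foreign domain) cannot be translated.
            AuthorizationRuleCollection rules = adSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                Console.WriteLine("{0,-5} {1,-35} {2}", rule.AccessControlType,
                    ResolveSid((SecurityIdentifier)rule.IdentityReference), rule.ActiveDirectoryRights);
                Console.WriteLine("      object-type: {0}; applies-to: {1}; inheritance: {2}; inherited: {3}",
                    GuidName(rule.ObjectType), GuidName(rule.InheritedObjectType),
                    rule.InheritanceType, rule.IsInherited);
            }
        }
    }

    // NTAccount covers the current domain; LookupAccountSid also reaches trusted domains
    // and well-known SIDs. Anything still unresolved is shown as the raw S-1-... string.
    static string ResolveSid(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { }

        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        StringBuilder name = new StringBuilder(256), domain = new StringBuilder(256);
        uint cchName = (uint)name.Capacity, cchDomain = (uint)domain.Capacity;
        int use;
        if (LookupAccountSid(null, raw, name, ref cchName, domain, ref cchDomain, out use))
            return domain.Length > 0 ? domain + "\\" + name : name.ToString();
        return sid.Value;
    }

    // Guid.Empty means the ACE is not restricted to one property, property set or class.
    static string GuidName(Guid g)
    {
        string n;
        if (g == Guid.Empty) return "(all)";
        return guidNames.TryGetValue(g, out n) ? n : g.ToString();
    }

    // Attribute and class GUIDs come from schemaIDGUID in the schema partition;
    // property sets and extended rights from rightsGuid under CN=Extended-Rights.
    static void LoadGuidCache(string user, string password)
    {
        string schemaNc, configNc;
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE", user, password))
        {
            schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
            configNc = (string)rootDse.Properties["configurationNamingContext"].Value;
        }
        CacheGuids("LDAP://" + schemaNc, "(schemaIDGUID=*)", "schemaIDGUID", "lDAPDisplayName", user, password);
        CacheGuids("LDAP://CN=Extended-Rights," + configNc, "(rightsGuid=*)", "rightsGuid", "displayName", user, password);
    }

    static void CacheGuids(string path, string filter, string guidAttr, string nameAttr, string user, string password)
    {
        using (DirectoryEntry root = new DirectoryEntry(path, user, password))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter, new string[] { guidAttr, nameAttr }))
        {
            searcher.PageSize = 1000; // paged search: the schema holds thousands of entries
            using (SearchResultCollection results = searcher.FindAll()) // FindAll results must be disposed
            {
                foreach (SearchResult r in results)
                {
                    object v = r.Properties[guidAttr][0];
                    // schemaIDGUID is stored as an octet string (byte[]), rightsGuid as text
                    Guid g = v is byte[] ? new Guid((byte[])v) : new Guid((string)v);
                    guidNames[g] = (string)r.Properties[nameAttr][0];
                }
            }
        }
    }
}
```

The cache is built before the ACL is read because a single user object's DACL typically references dozens of property and property-set GUIDs, and resolving each one with its own LDAP query is far slower than one paged search per container. Entries whose SID still cannot be resolved after LookupAccountSid are worth a second look when auditing: they are usually orphaned ACEs for deleted accounts, but the same appearance is produced by a trust that is currently unreachable.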

If you still have problems, please contact me at SumitKJain@hotmail.com.

History

  • 6th October, 2006: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Sumit Jain

India
Sumit Jain, Software Professional.

Comments and Discussions

Question: How can I get the Owner property of a user in Active Directory? - Member 3691628, 8-Feb-12 23:48

Question: Permissions - Jonathan Mercer, 28-Mar-07 5:37
I was wondering if it is possible to use this app to grab the AD properties for a user and display which ones that user has permission to change. For example: user 'test' has the ability to change the 'homepage' attribute in AD but doesn't have permission to.

So far this is the closest article that I have read that contains something similar to this.

Article Copyright 2006 by Sumit Jain