I have created an ACL Viewer utility which does the following:
- Resolve Sid in current domain and trusted domains only. Currently it does not resolve in the forest and few well-know sids
- Show all the permissions assigned to a Trustee
- Show inheritance information
- Resolve all the object-guids ==> property, property-set and object types
Microsoft has developed a very good architecture to get the data from Active Directory in .NET. However I did not find a good document on the same. I did some R&D and created an ACL viewer which I required to test my effective permission algorithm.
I will talk about effective permission in my next article. This is just the beginning for permission in active directory.
- LDAP path of the Object
- Credentials => UserName and Password
- List all the permissions assigned on the given object
- Bind to the object using the credentials ==> Use
DirectoryEntry class for this
- Get the security information from the object ==> Use
ActiveDirectorySecurity class for this
- Get the Security Descriptor from the security information ==> In SDDL format (basically it's a
- Get all the access rules, access control entries ==> Use
AuthorizationRuleCollection class for this
- For each rule, resolve the SID and object-Type
- Display all the entries to the user
DirectoryEntry objDE = new DirectoryEntry(adPath, credUser, credPassword);
ActiveDirectorySecurity adSecurity = objDE.ObjectSecurity;
string sd = adSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
AuthorizationRuleCollection rules =
adSecurity.GetAccessRules(true, true, typeof(NTAccount);
NTAccount class resolves SIDs in the current domain. I have used
::LookupAccountSid to resolve SIDs in trusted domains and to resolve well-known SIDs.
To resolve Object-Types, I get all the object-types from the active directory and cache them. The code is really simple and you can figure it out very easily.
If you still have problems, please contact me at SumitKJain@hotmail.com.
- 6th October, 2006: Initial post