Setting Permissions (ACL) in AD with LDAP & ADSI in C# doesn't work?!

Post by sebastian. » Thu, 04 Sep 2003 19:28:01


Hello All!

In my routine I set permissions on objects with a trustee; this works
very well! So after a while I inserted into the same routine two more ACL
properties:
ObjectType and InheritedObjectType, to set permissions on special
attributes like "lockout time" to read/write, with the GUIDs as
values. Everything works fine, but the permissions on "lockout time"
are not set. So the properties ObjectType & InheritedObjectType don't
really affect a thing!
Why?! What am I doing wrong?

Here's my code:
DirectoryEntry src......

AccessControlEntry newAce = new AccessControlEntryClass();
SecurityDescriptor usrSD =
    (SecurityDescriptor)src.Properties["ntSecurityDescriptor"].Value;
AccessControlList usrAcl = (AccessControlList)usrSD.DiscretionaryAcl;
ADsSecurityUtilityClass asu = new ADsSecurityUtilityClass();
asu.SecurityMask = (int)ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_DACL;

// This I inserted, and it doesn't really do anything. Should set "lockout
// time" to read/write (checked):
newAce.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
newAce.ObjectType = "{28630ebf-41d5-11d1-a9c1-0000f80367c1}";
newAce.InheritedObjectType = "{bf967aba-0de6-11d0-a285-00aa003049e2}";
// End of "doesn't do anything"

newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
newAce.AccessMask = (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DS_READ_PROP
                  | (int)ADS_RIGHTS_ENUM.ADS_RIGHT_DS_WRITE_PROP;
newAce.AceFlags = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
newAce.Trustee = GetTextualSID(de);
usrAcl.AddAce(newAce);
usrSD.DiscretionaryAcl = usrAcl;
src.Properties["ntSecurityDescriptor"].Value = usrSD;
src.CommitChanges();



I have found a VB script that does the same thing; after I fired it, the
trustee was inserted with the rights set (lockout time).
I'm using C# and the latest SDK. Any suggestions?
Thanks for the advice!

Regards
Sebastian

Setting Permissions (ACL) in AD with LDAP & ADSI in C# doesn't work?!

Post by sebastian. » Fri, 05 Sep 2003 18:55:39

Hello, if anybody is interested, here is the code to set read/write
permissions
on the attribute "lockout time"; just change the GUID and you can set
permissions on other attributes:

using System;
using ActiveDs;
using System.DirectoryServices;

namespace DoRightsTest
{
    /// <summary>
    /// Grants read/write on the lockoutTime attribute of user objects
    /// below the Users container to Builtin\Guests.
    /// </summary>
    class Class1
    {
        // Set lockout time read/write:
        // schema GUID of the lockoutTime attribute (ObjectType of the ACE)
        public const string ObjectGuid = "{28630ebf-41d5-11d1-a9c1-0000f80367c1}";
        // schema GUID of the user class (InheritedObjectType of the ACE)
        public const string InhObjectGuid = "{bf967aba-0de6-11d0-a285-00aa003049e2}";

        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        static void Main(string[] args)
        {
            try
            {
                DirectoryEntry root = new DirectoryEntry("LDAP://servername", "Username", "Password");

                // Modifies only the Users container, with Trustee = Guests.
                // Bind to the container first: the security descriptor has to be
                // read from the same object it is written back to, otherwise the
                // container's DACL is replaced by the domain root's DACL.
                DirectoryEntry usr = root.Children.Find("CN=Users");

                SecurityDescriptor usrSD =
                    (SecurityDescriptor)usr.Properties["ntSecurityDescriptor"].Value;
                AccessControlList usrAcl = (AccessControlList)usrSD.DiscretionaryAcl;

                AccessControlEntry newAce = new AccessControlEntryClass();
                newAce.AceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
                newAce.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_READ_PROP
                                  | (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_WRITE_PROP;
                newAce.ObjectType = ObjectGuid;
                newAce.InheritedObjectType = InhObjectGuid;

                // Inherit the ACE to child objects ...
                newAce.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
                // ... and mark both GUID fields as present; without these bits
                // ObjectType and InheritedObjectType are not part of the ACE.
                newAce.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT
                             | (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;

                newAce.Trustee = @"Builtin\Guests";

                usrAcl.AddAce(newAce);
                usrSD.DiscretionaryAcl = usrAcl;
                usr.Properties["ntSecurityDescriptor"].Value = usrSD;
                usr.CommitChanges();

                // Raw numeric values of the fields above, kept for debugging.
                int aceType = (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
                int accessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_READ_PROP
                               | (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_WRITE_PROP;
                int aceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
                int Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT
                          | (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;

                /*
                Console.WriteLine(aceType);
                Console.WriteLine(accessMask);
                Console.WriteLine(aceFlags);
                Console.WriteLine(Flags);
                Console.ReadLine();
                */
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.Message);
            }
        }
    }
}


Setting Permissions (ACL) in AD with LDAP & ADSI in C# doesn't work?!

Post by MVP - AD » Sat, 06 Sep 2003 02:38:02

I can't tell what you are doing wrong. The GUIDs that you are using look
correct (lockout-time attribute and user object).

If you make the change in the UI, does the ACE you create that way look
exactly the same and do what you want?

Also, are you sure you are setting the DACL on the correct object?

Joe K.
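The same object-specific ACE written with the managed System.DirectoryServices API (ActiveDirectorySecurity / ActiveDirectoryAccessRule, available since .NET 2.0) instead of the ActiveDs COM interop, followed by the read-back check Joe K. asks for. This is an added example, not code from any of the posts; the server name, credentials, container path and the method names GrantLockoutTimeReadWrite / ReportLockoutTimeAces are placeholders chosen here, and the trustee Builtin\Guests is simply the thread's own test choice.

```csharp
// Added example (not from the thread). Requires a reference to System.DirectoryServices.
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

class LockoutTimeAcl
{
    // Schema GUIDs quoted in the thread: lockoutTime attribute and user class.
    static readonly Guid LockoutTimeAttr = new Guid("28630ebf-41d5-11d1-a9c1-0000f80367c1");
    static readonly Guid UserClass       = new Guid("bf967aba-0de6-11d0-a285-00aa003049e2");

    // Grant read/write on lockoutTime to 'trustee' for user objects below 'container'.
    // The rule carries both GUIDs, so the managed API sets the OBJECT_TYPE_PRESENT and
    // INHERITED_OBJECT_TYPE_PRESENT bits itself.
    static void GrantLockoutTimeReadWrite(DirectoryEntry container, NTAccount trustee)
    {
        var rule = new ActiveDirectoryAccessRule(
            trustee,
            ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty,
            AccessControlType.Allow,
            LockoutTimeAttr,                                 // ObjectType: the attribute
            ActiveDirectorySecurityInheritance.Descendents,  // inherit-only, child objects
            UserClass);                                      // InheritedObjectType: user
        container.ObjectSecurity.AddAccessRule(rule);
        container.CommitChanges();
    }

    // Re-read the DACL from the directory and list every ACE that names lockoutTime,
    // so the result can be compared with an ACE created through the UI.
    static int ReportLockoutTimeAces(DirectoryEntry entry)
    {
        entry.RefreshCache();
        int count = 0;
        foreach (ActiveDirectoryAccessRule r in
                 entry.ObjectSecurity.GetAccessRules(true, true, typeof(NTAccount)))
        {
            if (r.ObjectType != LockoutTimeAttr) continue;
            count++;
            Console.WriteLine("{0} {1} {2} inheritance={3} inheritedObjectType={4} inherited={5}",
                r.AccessControlType, r.IdentityReference, r.ActiveDirectoryRights,
                r.InheritanceType, r.InheritedObjectType, r.IsInherited);
        }
        return count;
    }

    static void Main()
    {
        // Placeholder path and credentials.
        using (var container = new DirectoryEntry(
            "LDAP://servername/CN=Users,DC=example,DC=com", "Username", "Password"))
        {
            GrantLockoutTimeReadWrite(container, new NTAccount("BUILTIN", "Guests"));
            int n = ReportLockoutTimeAces(container);
            Console.WriteLine("{0} ACE(s) on lockoutTime after the change", n);
        }
    }
}
```

Descendents (container-inherit plus inherit-only) is used here rather than the bare INHERIT_ACE of the ADSI code: the Users container has no lockoutTime attribute itself, so an ACE that also applies to the container grants nothing there and only clutters its DACL. ReportLockoutTimeAces is also the function to run on its own when auditing who can write lockoutTime, since writing that attribute unlocks an account.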