How to find all groups in ActiveDirectory where the current user has access to WriteProperty?

Currently, I would like to find all groups in Active Directory where the current user has WriteProperty.

The problem is that I can find all the groups in which the user is directly inserted, but when the user is in a group and that group has write access, it is not displayed. I thought setting the boolean in GetAccessRules() would help here, but it does not.

So, here is the code that I already have:

using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Security.Principal;

var identity = WindowsIdentity.GetCurrent().User;
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
var allSearcher = allDomains.Select(domain =>
{
    var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
    // Apply some filter to focus on only some specific objects
    searcher.Filter = "(&(objectClass=group)(name=*part_of_group_name*))";
    return searcher;
});
var itemsFound = allSearcher
    .SelectMany(searcher => searcher.FindAll()
        .Cast<SearchResult>()
        .Select(result => result.GetDirectoryEntry()));
var itemsWithWriteAccess = itemsFound
    .Where(entry => entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
        .Cast<ActiveDirectoryAccessRule>()
        // IdentityReference is the base type, so == would compare references; use Equals
        .Where(rule => rule.IdentityReference.Equals(identity))
        .Where(rule => (rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty)
        .Any());
foreach (var item in itemsWithWriteAccess)
{
    Debug.Print(item.Name);
}
+2
1 answer

After a long time, and with Harvey's help on this question, I finally found a good working solution.

As Harvey has already explained, it can be a little tricky to understand what entry.Properties["allowedAttributesEffective"].Value returns. But for normal purposes, all you need to check for write permission is that this field is simply not empty.

Here is a sample code:

using System;
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;

// (replace "part_of_group_name" with some partial group name existing in your AD)
var groupNameContains = "part_of_group_name";
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
var allSearcher = allDomains.Select(domain =>
{
    var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
    // Apply some filter to focus on only some specific objects
    searcher.Filter = String.Format("(&(objectClass=group)(name=*{0}*))", groupNameContains);
    return searcher;
});
var directoryEntriesFound = allSearcher
    .SelectMany(searcher => searcher.FindAll()
        .Cast<SearchResult>()
        .Select(result => result.GetDirectoryEntry()));
var allowedTo = directoryEntriesFound.Select(entry =>
{
    using (entry)
    {
        // allowedAttributesEffective is computed by the DC for the caller's own
        // effective rights, so nested group membership is already accounted for
        entry.RefreshCache(new string[] { "allowedAttributesEffective" });
        var rights = entry.Properties["allowedAttributesEffective"].Value == null
            ? "read only"
            : "write";
        return new { Name = entry.Name, AllowedTo = rights };
    }
});
foreach (var item in allowedTo)
{
    var message = String.Format("Name = {0}, AllowedTo = {1}", item.Name, item.AllowedTo);
    Debug.Print(message);
}
+1
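The question's original approach failed because it compared ACEs against the user's own SID only, while a DACL grants rights to nested groups that the user holds through the token. The following is an added example, not code from the question or the answer, that audits which groups the current principal can write to by matching ACEs against every SID in the current Windows token (user plus all group SIDs, which the LSA has already flattened through nesting), honouring Deny entries and the GenericWrite/GenericAll rights that also imply WriteProperty. It assumes a domain-joined machine, .NET Framework with System.DirectoryServices, and that the process runs as the user being audited; the class and method names are the example's own. Because a WriteProperty ACE may be scoped to a single attribute through ObjectType, treat this as a client-side triage pass and confirm with the server-computed allowedAttributesEffective attribute shown in the accepted answer.

```csharp
// Added example (not from the original question or answer): evaluate each group's
// DACL against all SIDs in the caller's token instead of the user SID alone.
// Assumptions: domain-joined host, .NET Framework, System.DirectoryServices referenced.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupWriteAudit
{
    // Rights that grant property writes outright, in addition to WriteProperty itself.
    const ActiveDirectoryRights WriteLike =
        ActiveDirectoryRights.WriteProperty |
        ActiveDirectoryRights.GenericWrite |
        ActiveDirectoryRights.GenericAll;

    // SIDs an access check on the current token would match: the user SID plus
    // every group SID in the token (nested membership is already expanded there).
    static HashSet<SecurityIdentifier> CurrentPrincipalSids()
    {
        var id = WindowsIdentity.GetCurrent();
        var sids = new HashSet<SecurityIdentifier> { id.User };
        foreach (var g in id.Groups.OfType<SecurityIdentifier>())
            sids.Add(g);
        return sids;
    }

    // Simplified DACL evaluation: a matching Deny on a write-like right wins over any
    // Allow. Real evaluation is ACE-ordered and scoped per attribute via ObjectType,
    // so use this as triage and confirm with allowedAttributesEffective.
    static bool HasWriteProperty(DirectoryEntry entry, HashSet<SecurityIdentifier> principals)
    {
        var rules = entry.ObjectSecurity
            .GetAccessRules(true, true, typeof(SecurityIdentifier))
            .Cast<ActiveDirectoryAccessRule>()
            .Where(r => principals.Contains((SecurityIdentifier)r.IdentityReference))
            .Where(r => (r.ActiveDirectoryRights & WriteLike) != 0)
            .ToList();

        if (rules.Any(r => r.AccessControlType == AccessControlType.Deny))
            return false;
        return rules.Any(r => r.AccessControlType == AccessControlType.Allow);
    }

    // Enumerates groups across the forest whose name contains the given fragment and
    // whose DACL grants the current token a write-like right.
    static IEnumerable<string> GroupsWritableByCurrentUser(string groupNameContains)
    {
        var principals = CurrentPrincipalSids();
        foreach (var domain in Forest.GetCurrentForest().Domains.Cast<Domain>())
        {
            using (var root = new DirectoryEntry("LDAP://" + domain.Name))
            using (var searcher = new DirectorySearcher(root))
            {
                searcher.Filter = String.Format("(&(objectClass=group)(name=*{0}*))", groupNameContains);
                using (var results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        using (var entry = result.GetDirectoryEntry())
                        {
                            if (HasWriteProperty(entry, principals))
                                yield return entry.Path;
                        }
                    }
                }
            }
        }
    }

    static void Main()
    {
        // "part_of_group_name" is a placeholder, as in the answer's sample code.
        foreach (var path in GroupsWritableByCurrentUser("part_of_group_name"))
            Console.WriteLine(path);
    }
}
```

Reading the token's group SIDs rather than walking memberOf is what makes nested membership visible: the LSA expands transitive group membership when the logon token is built, so a group reached only through another group still appears in WindowsIdentity.Groups. The Equals-based matching also avoids the pitfall in the question's code, where == on the IdentityReference base type compares object references rather than SID values.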

Source: https://habr.com/ru/post/1332779/
