How to check if a user has write permissions in Active Directory using C#?

In my .NET 2.0 C# application, I need to determine if the user (with password) has the ability to change (write) in Active Directory. I hope that there is a way that uses DirectoryEntry without creating and subsequently deleting a new object in AD.

Thank you for your help.

+2
2 answers

As Olive said, this is hard to do right, because permissions can be granted to your user account through Active Directory groups. So, to find out the effective permissions of a specific user account, you need to know all the groups the user belongs to.

Fortunately, Active Directory has a special type of attribute called a constructed attribute. By default, if you use AD Explorer or ADSI Edit to view your object, these attributes are not displayed. In ADSI Edit, you can set a filter to include these constructed attributes. One of the useful constructed attributes here is allowedAttributesEffective. This is a multi-valued attribute and contains all the attributes that your current user has write permission on. It is calculated by Active Directory on the fly. It takes care of all inheritance, deny overrides and group permissions. If you have permission to write to the cn attribute, you will see cn as one of the values in it.

Here is an example of verifying that a particular user has write permission for a specific set of attributes on a specific object in Active Directory.

// Requires System.DirectoryServices (and System.Linq for All()).
static bool CheckWritePermission(string path, string username, string password, string[] properties)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        // allowedAttributesEffective is a constructed attribute: it is not loaded
        // by default and must be requested explicitly.
        de.RefreshCache(new string[] { "allowedAttributesEffective" });
        // Writable only if every requested attribute is listed.
        return properties.All(
            property => de.Properties["allowedAttributesEffective"].Contains(property));
    }
}

Yes, that's not exactly what you want. You are asking to check whether the user has the WriteAllProperties permission. In fact, the WriteAllProperties permission is a set of write-property permissions for different attributes. You may need to do your homework to find out which attributes you really care about. Then just pass those attributes.

If you really don't know which attributes to check, this should be good enough.

// Requires System.DirectoryServices.
static bool CheckWritePermission(string path, string username, string password)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        // Load the constructed attribute explicitly.
        de.RefreshCache(new string[] { "allowedAttributesEffective" });
        // Null means the bound account can write no attribute at all.
        return de.Properties["allowedAttributesEffective"].Value != null;
    }
}

Here I check whether the returned allowedAttributesEffective is null or not. If it is null, it means the user does not have write permission on any attribute. I assume that your administrator will either grant all write-property permissions or deny all write-property permissions. I think this is a valid assumption in most cases.

+8
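As an added example (not code from the answer above), here is an audit helper built on the same constructed attribute: instead of a single yes/no it reports, for each requested attribute, whether the bound account can write it, which is useful when checking that a service account holds only the write rights it was meant to have. The LDAP path, account name and attribute list are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class AdWriteAudit
{
    // For each requested attribute, reports whether the account used to bind to
    // 'path' has effective write permission on it. allowedAttributesEffective is a
    // constructed attribute, so it must be requested explicitly via RefreshCache;
    // an account with no write rights simply gets an empty collection back.
    public static Dictionary<string, bool> AuditWritable(
        string path, string username, string password, string[] attributes)
    {
        // LDAP attribute names are case-insensitive, so compare them that way.
        Dictionary<string, bool> writable =
            new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        Dictionary<string, bool> report =
            new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);

        using (DirectoryEntry de = new DirectoryEntry(path, username, password))
        {
            de.RefreshCache(new string[] { "allowedAttributesEffective" });
            foreach (object value in de.Properties["allowedAttributesEffective"])
                writable[value.ToString()] = true;
        }

        foreach (string attr in attributes)
            report[attr] = writable.ContainsKey(attr);
        return report;
    }

    static void Main()
    {
        // Placeholder path and credentials: replace with a real DN and account.
        Dictionary<string, bool> report = AuditWritable(
            "LDAP://dc01.example.test/CN=svc-app,OU=Service Accounts,DC=example,DC=test",
            @"EXAMPLE\audit-user", "<password>",
            new string[] { "description", "userAccountControl", "member" });

        // A "not writable" line for an attribute the account must manage, or a
        // "writable" line for one it should never touch, is a finding to follow up.
        foreach (KeyValuePair<string, bool> entry in report)
            Console.WriteLine("{0,-20} {1}", entry.Key,
                              entry.Value ? "writable" : "not writable");
    }
}
```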

As you can see in my question, there is no way to simply find out the rights of an arbitrary user on a specific object in AD.

If anyone knows the easiest way, please let me know.

0

Source: https://habr.com/ru/post/1332780/
