ALogvin
asked on
Add a manager to an Active Directory Distribution Group using C# *with permissions*
I've been searching and have not found an answer to this. I am writing an application to automate the creation of Distribution Groups at my company. I can create the list with relative ease, but I am having problems assigning security to it. I can set the manager easily enough with the "managedBy" attribute, but making it so the manager can do something (in ADUC I would just check the little box that says 'Manager can update membership list') to the list rather than just be a contact name... I'm lost. I realize it has to do with DACLs and ACEs, but I just couldn't find a good source for this.
You need to use the managed ObjectSecurity to do that:
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

using (DirectoryEntry entry = new DirectoryEntry("LDAP://... "))
{
    foreach (DirectoryEntry child in entry.Children)
    {
        // Get the object's ObjectSecurity (the managed view of its security descriptor)
        ActiveDirectorySecurity compSecurity = child.ObjectSecurity;
        // Set up the access rule for user1
        ActiveDirectoryAccessRule accessRule = new ActiveDirectoryAccessRule(
            new NTAccount("user1"),
            ActiveDirectoryRights.AccessSystemSecurity,
            AccessControlType.Allow);
        compSecurity.AddAccessRule(accessRule);
        child.CommitChanges();
    }
}
You can add more permissions to the entry by bitwise OR-ing values of the Rights enum:
ActiveDirectoryRights.AccessSystemSecurity | ActiveDirectoryRights.ListObject
HTH
ASKER
I attempted to do that, Kate, but it never really worked. Here is my code:
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

try
{
    // Bind to the group using secure (Kerberos/NTLM) authentication under the current credentials
    DirectoryEntry entry = new DirectoryEntry(
        "LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA",
        null, null, AuthenticationTypes.Secure);
    ActiveDirectorySecurity sec = entry.ObjectSecurity;
    // Allow NACORP\NAUSERID to write properties on the group; with no attribute GUID this
    // covers every attribute, not just the membership list
    ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(
        new NTAccount("NACORP", "NAUSERID"),
        ActiveDirectoryRights.WriteProperty,
        AccessControlType.Allow,
        ActiveDirectorySecurityInheritance.None);
    sec.AddAccessRule(rule);
    entry.CommitChanges();
}
catch (Exception myExp)
{
    Console.WriteLine(myExp.Message);
}
And every time I run it, I get an exception:
A constraint violation occurred. (Exception from HRESULT: 0x8007202F)
with the extended error message:
0000051B: AtrErr: DSID-031508EC, #1:
0: 0000051B: DSID-031508EC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
At least I know I am on the right path. All of your continued help is appreciated!
ASKER
I rule. I found what I was missing here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=386e54af-2b4d-4280-b7b2-882c9ebaee60&p=1
Good ol' Joe Kaplan (who writes an awesome Directory Services programming book) had the missing line of code:
de.Options.SecurityMasks = SecurityMasks.Dacl;
I had to tell the directory entry I was talking about a DACL so it knew what I was sending at it. Once I added this line in, it was smooooth sailing.
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

DirectoryEntry de = new DirectoryEntry(
    "LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA",
    null, null, AuthenticationTypes.Secure);
// Tell the entry that we read and write the DACL portion of nTSecurityDescriptor
de.Options.SecurityMasks = SecurityMasks.Dacl;
ActiveDirectorySecurity sd = de.ObjectSecurity;
// Schema GUID of the "member" attribute: the ACE is scoped to the membership list only
Guid myGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
// Resolve the manager account to a SID, which is what the ACE stores
NTAccount accountName = new NTAccount("NACORP", "NAUSERID");
IdentityReference acctSID = accountName.Translate(typeof(SecurityIdentifier));
ActiveDirectoryAccessRule myRule = new ActiveDirectoryAccessRule(
    new SecurityIdentifier(acctSID.Value),
    ActiveDirectoryRights.WriteProperty,
    AccessControlType.Allow,
    myGuid);
sd.AddAccessRule(myRule);
de.CommitChanges();
This is now resolved. I would recommend saving this ticket around, as it would be useful to have the reference.
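Pulling the thread together, here is an added example (editor's code, not from the thread or from Joe Kaplan's post) that does what the ADUC checkbox does end to end: it sets managedBy, sets SecurityMasks.Dacl before touching ObjectSecurity, grants WriteProperty scoped to the "member" attribute GUID rather than to every attribute, and then re-reads the DACL to confirm the ACE is actually there. The parameter names (groupPath, managerDn, managerDomain, managerSam) and the HasMemberWriteAce helper are this example's own; the member attribute GUID is the real schema GUID. It assumes the calling account may write managedBy and nTSecurityDescriptor on the group.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupManagerSetup
{
    // Schema GUID of the "member" attribute. Scoping the ACE to this GUID grants write
    // access to the membership list only, not to every attribute on the group.
    static readonly Guid MemberAttributeGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");

    // groupPath:     ADsPath of the group, e.g. "LDAP://CN=...,OU=...,DC=..." (assumed value)
    // managerDn:     distinguished name of the manager's user object (assumed value)
    // managerDomain: NetBIOS domain of the manager account (assumed value)
    // managerSam:    sAMAccountName of the manager (assumed value)
    public static void GrantManagerMembershipWrite(string groupPath, string managerDn,
                                                   string managerDomain, string managerSam)
    {
        using (DirectoryEntry group = new DirectoryEntry(groupPath, null, null, AuthenticationTypes.Secure))
        {
            // 1. managedBy is only a pointer; it grants nothing by itself.
            group.Properties["managedBy"].Value = managerDn;
            group.CommitChanges();

            // 2. Declare that we read/write the DACL part of nTSecurityDescriptor.
            //    This must be set BEFORE ObjectSecurity is first read; without it the
            //    commit fails with "A constraint violation occurred" (0x8007202F).
            group.Options.SecurityMasks = SecurityMasks.Dacl;

            // 3. ACEs store SIDs, so resolve the account name first.
            SecurityIdentifier managerSid = (SecurityIdentifier)new NTAccount(managerDomain, managerSam)
                .Translate(typeof(SecurityIdentifier));

            ActiveDirectorySecurity sd = group.ObjectSecurity;
            ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(
                managerSid,
                ActiveDirectoryRights.WriteProperty,
                AccessControlType.Allow,
                MemberAttributeGuid,                         // restrict to the member attribute
                ActiveDirectorySecurityInheritance.None);    // this object only, nothing below it
            sd.AddAccessRule(rule);
            group.CommitChanges();

            // 4. Re-read the descriptor from the server and verify the ACE landed.
            group.RefreshCache(new[] { "nTSecurityDescriptor" });
            if (!HasMemberWriteAce(group.ObjectSecurity, managerSid))
                throw new InvalidOperationException("member-write ACE not present after commit");
        }
    }

    // Returns true if an explicit Allow ACE grants WriteProperty on the member attribute to sid.
    public static bool HasMemberWriteAce(ActiveDirectorySecurity sd, SecurityIdentifier sid)
    {
        AuthorizationRuleCollection rules = sd.GetAccessRules(true, false, typeof(SecurityIdentifier));
        foreach (ActiveDirectoryAccessRule r in rules)
        {
            if (r.AccessControlType == AccessControlType.Allow
                && r.IdentityReference.Equals(sid)
                && (r.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) != 0
                && r.ObjectType == MemberAttributeGuid)
            {
                return true;
            }
        }
        return false;
    }
}
```

Call it as GroupManagerSetup.GrantManagerMembershipWrite("LDAP://CN=...,DC=...", "CN=...,DC=...", "DOMAIN", "user") with your own values. The attribute-scoped ACE is the difference between "manager can update membership list" and "manager can rewrite any attribute on the group", which is what the earlier WriteProperty-without-GUID rule would have granted. After the run, dsacls on the group DN should list the new ACE as a WriteProperty right on member for that account.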
Well done... i'll keep that one under my hat! :-)