Solved

Add a manager to an Active Directory Distribution Group using C# *with permissions*

Posted on 2007-03-19
7
3,124 Views
Last Modified: 2012-05-05
I've been searching and have not found an answer to this. I am writing an application to automate the create of Distribution Groups at my company. I can create the list with realative easy, but I am having problems assigning security to it. I can set the manager easily enough with the "managedBy" attribute, but making it so the manager can do something (in ADUC I would just check the little box that says 'Manager can update membership list') to the list rather than just be a contact name... I'm lost. I realize it has to do with DACL and ACE's, but I just couldnt find a good source for this.
0
Comment
Question by:ALogvin
7 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 18752880
0
 
LVL 3

Expert Comment

by:Kate12
ID: 18752955
You need to use the managed ObjectSecurity to do that:

using (DirectoryEntry entry = new DirectoryEntry("LDAP://..."))
            {
                foreach (DirectoryEntry child in entry.Children)
                {
                    // Get the objects ObjectSecurity
                    ActiveDirectorySecurity compSecurity = child.ObjectSecurity;
                    // Setup accessRule
                    ActiveDirectoryAccessRule accesRule = new ActiveDirectoryAccessRule(new NTAccount("user1"), ActiveDirectoryRights.AccessSystemSecurity, System.Security.AccessControl.AccessControlType.Allow);
                    compSecurity.AddAccessRule(acceRule);
                    child.CommitChanges();
                }
            }
You can add more permission to the Entry by adding a bitwise to the Rights enum:

ActiveDirectoryRights.AccessSystemSecurity | ActiveDirectoryRights.ListObject.

HTH
0
 
LVL 11

Author Comment

by:ALogvin
ID: 18756088
I attempted to do that Kate, but it never really worked. Here is my code:

try
{
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA",null,null,AuthenticationTypes.Secure);
           
ActiveDirectorySecurity sec = entry.ObjectSecurity;
ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(new NTAccount("NACORP", "NAUSERID"), ActiveDirectoryRights.WriteProperty,  AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
sec.AddAccessRule(rule);
entry.CommitChanges();
}
catch (Exception myExp)
{
       Console.WriteLine(myExp.Message.ToString());
}


And every time I run it, i get an exeption:
A constraint violation occurred. (Exception from HRESULT: 0x8007202F)

with the extended error message:
0000051B: AtrErr: DSID-031508EC, #1:
      0: 0000051B: DSID-031508EC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)


At least I know I am on the right path. All of your continued help is appreciated!
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 11

Author Comment

by:ALogvin
ID: 18760348
I rule. I found what I was missing here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=386e54af-2b4d-4280-b7b2-882c9ebaee60&p=1

Good ol Joe Kaplan (who writes an awesome Directory Services programming book) had the missing line of code..

de.Options.SecurityMasks = SecurityMasks.Dacl;

I had the tell the directory entry I was talking about a DACL so it knew what I was sending at it. Once I added this line in, It was smooooth sailing.

            DirectoryEntry de = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA", null, null, AuthenticationTypes.Secure);
            de.Options.SecurityMasks = SecurityMasks.Dacl;
            ActiveDirectorySecurity sd = de.ObjectSecurity;
            Guid myGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
            NTAccount accountName = new NTAccount("NACORP", "NAUSERID");
            IdentityReference acctSID = accountName.Translate(typeof(SecurityIdentifier));
            ActiveDirectoryAccessRule myRule = new ActiveDirectoryAccessRule(new SecurityIdentifier(acctSID.Value), ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, myGuid);
            sd.AddAccessRule(myRule);
            de.CommitChanges();


This is now resolved. I would recommend saving this ticket around, as it would be usefull to have the reference.
0
 
LVL 3

Expert Comment

by:Kate12
ID: 18762342
Well done... i'll keep that one under my hat! :-)
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19090287
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question