Solved

Add a manager to an Active Directory Distribution Group using C# *with permissions*

Posted on 2007-03-19
7
3,143 Views
Last Modified: 2012-05-05
I've been searching and have not found an answer to this. I am writing an application to automate the create of Distribution Groups at my company. I can create the list with realative easy, but I am having problems assigning security to it. I can set the manager easily enough with the "managedBy" attribute, but making it so the manager can do something (in ADUC I would just check the little box that says 'Manager can update membership list') to the list rather than just be a contact name... I'm lost. I realize it has to do with DACL and ACE's, but I just couldnt find a good source for this.
0
Comment
Question by:ALogvin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 18752880
0
 
LVL 3

Expert Comment

by:Kate12
ID: 18752955
You need to use the managed ObjectSecurity to do that:

using (DirectoryEntry entry = new DirectoryEntry("LDAP://..."))
            {
                foreach (DirectoryEntry child in entry.Children)
                {
                    // Get the objects ObjectSecurity
                    ActiveDirectorySecurity compSecurity = child.ObjectSecurity;
                    // Setup accessRule
                    ActiveDirectoryAccessRule accesRule = new ActiveDirectoryAccessRule(new NTAccount("user1"), ActiveDirectoryRights.AccessSystemSecurity, System.Security.AccessControl.AccessControlType.Allow);
                    compSecurity.AddAccessRule(acceRule);
                    child.CommitChanges();
                }
            }
You can add more permission to the Entry by adding a bitwise to the Rights enum:

ActiveDirectoryRights.AccessSystemSecurity | ActiveDirectoryRights.ListObject.

HTH
0
 
LVL 11

Author Comment

by:ALogvin
ID: 18756088
I attempted to do that Kate, but it never really worked. Here is my code:

try
{
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA",null,null,AuthenticationTypes.Secure);
           
ActiveDirectorySecurity sec = entry.ObjectSecurity;
ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(new NTAccount("NACORP", "NAUSERID"), ActiveDirectoryRights.WriteProperty,  AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
sec.AddAccessRule(rule);
entry.CommitChanges();
}
catch (Exception myExp)
{
       Console.WriteLine(myExp.Message.ToString());
}


And every time I run it, i get an exeption:
A constraint violation occurred. (Exception from HRESULT: 0x8007202F)

with the extended error message:
0000051B: AtrErr: DSID-031508EC, #1:
      0: 0000051B: DSID-031508EC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)


At least I know I am on the right path. All of your continued help is appreciated!
0
Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

 
LVL 11

Author Comment

by:ALogvin
ID: 18760348
I rule. I found what I was missing here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=386e54af-2b4d-4280-b7b2-882c9ebaee60&p=1

Good ol Joe Kaplan (who writes an awesome Directory Services programming book) had the missing line of code..

de.Options.SecurityMasks = SecurityMasks.Dacl;

I had the tell the directory entry I was talking about a DACL so it knew what I was sending at it. Once I added this line in, It was smooooth sailing.

            DirectoryEntry de = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA", null, null, AuthenticationTypes.Secure);
            de.Options.SecurityMasks = SecurityMasks.Dacl;
            ActiveDirectorySecurity sd = de.ObjectSecurity;
            Guid myGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
            NTAccount accountName = new NTAccount("NACORP", "NAUSERID");
            IdentityReference acctSID = accountName.Translate(typeof(SecurityIdentifier));
            ActiveDirectoryAccessRule myRule = new ActiveDirectoryAccessRule(new SecurityIdentifier(acctSID.Value), ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, myGuid);
            sd.AddAccessRule(myRule);
            de.CommitChanges();


This is now resolved. I would recommend saving this ticket around, as it would be usefull to have the reference.
0
 
LVL 3

Expert Comment

by:Kate12
ID: 18762342
Well done... i'll keep that one under my hat! :-)
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19090287
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question