Add a manager to an Active Directory Distribution Group using C# *with permissions*

I've been searching and have not found an answer to this. I am writing an application to automate the create of Distribution Groups at my company. I can create the list with realative easy, but I am having problems assigning security to it. I can set the manager easily enough with the "managedBy" attribute, but making it so the manager can do something (in ADUC I would just check the little box that says 'Manager can update membership list') to the list rather than just be a contact name... I'm lost. I realize it has to do with DACL and ACE's, but I just couldnt find a good source for this.
LVL 11
ALogvinAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sirbountyCommented:
0
Kate12Commented:
You need to use the managed ObjectSecurity to do that:

using (DirectoryEntry entry = new DirectoryEntry("LDAP://..."))
            {
                foreach (DirectoryEntry child in entry.Children)
                {
                    // Get the objects ObjectSecurity
                    ActiveDirectorySecurity compSecurity = child.ObjectSecurity;
                    // Setup accessRule
                    ActiveDirectoryAccessRule accesRule = new ActiveDirectoryAccessRule(new NTAccount("user1"), ActiveDirectoryRights.AccessSystemSecurity, System.Security.AccessControl.AccessControlType.Allow);
                    compSecurity.AddAccessRule(acceRule);
                    child.CommitChanges();
                }
            }
You can add more permission to the Entry by adding a bitwise to the Rights enum:

ActiveDirectoryRights.AccessSystemSecurity | ActiveDirectoryRights.ListObject.

HTH
0
ALogvinAuthor Commented:
I attempted to do that Kate, but it never really worked. Here is my code:

try
{
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA",null,null,AuthenticationTypes.Secure);
           
ActiveDirectorySecurity sec = entry.ObjectSecurity;
ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(new NTAccount("NACORP", "NAUSERID"), ActiveDirectoryRights.WriteProperty,  AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
sec.AddAccessRule(rule);
entry.CommitChanges();
}
catch (Exception myExp)
{
       Console.WriteLine(myExp.Message.ToString());
}


And every time I run it, i get an exeption:
A constraint violation occurred. (Exception from HRESULT: 0x8007202F)

with the extended error message:
0000051B: AtrErr: DSID-031508EC, #1:
      0: 0000051B: DSID-031508EC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)


At least I know I am on the right path. All of your continued help is appreciated!
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

ALogvinAuthor Commented:
I rule. I found what I was missing here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=386e54af-2b4d-4280-b7b2-882c9ebaee60&p=1

Good ol Joe Kaplan (who writes an awesome Directory Services programming book) had the missing line of code..

de.Options.SecurityMasks = SecurityMasks.Dacl;

I had the tell the directory entry I was talking about a DACL so it knew what I was sending at it. Once I added this line in, It was smooooth sailing.

            DirectoryEntry de = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA", null, null, AuthenticationTypes.Secure);
            de.Options.SecurityMasks = SecurityMasks.Dacl;
            ActiveDirectorySecurity sd = de.ObjectSecurity;
            Guid myGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
            NTAccount accountName = new NTAccount("NACORP", "NAUSERID");
            IdentityReference acctSID = accountName.Translate(typeof(SecurityIdentifier));
            ActiveDirectoryAccessRule myRule = new ActiveDirectoryAccessRule(new SecurityIdentifier(acctSID.Value), ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, myGuid);
            sd.AddAccessRule(myRule);
            de.CommitChanges();


This is now resolved. I would recommend saving this ticket around, as it would be usefull to have the reference.
0
Kate12Commented:
Well done... i'll keep that one under my hat! :-)
0
Computer101Commented:
PAQed with points refunded (500)

Computer101
EE Admin
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
C#

From novice to tech pro — start learning today.