Solved

Add a manager to an Active Directory Distribution Group using C# *with permissions*

Posted on 2007-03-19
7
3,130 Views
Last Modified: 2012-05-05
I've been searching and have not found an answer to this. I am writing an application to automate the create of Distribution Groups at my company. I can create the list with realative easy, but I am having problems assigning security to it. I can set the manager easily enough with the "managedBy" attribute, but making it so the manager can do something (in ADUC I would just check the little box that says 'Manager can update membership list') to the list rather than just be a contact name... I'm lost. I realize it has to do with DACL and ACE's, but I just couldnt find a good source for this.
0
Comment
Question by:ALogvin
7 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 18752880
0
 
LVL 3

Expert Comment

by:Kate12
ID: 18752955
You need to use the managed ObjectSecurity to do that:

using (DirectoryEntry entry = new DirectoryEntry("LDAP://..."))
            {
                foreach (DirectoryEntry child in entry.Children)
                {
                    // Get the objects ObjectSecurity
                    ActiveDirectorySecurity compSecurity = child.ObjectSecurity;
                    // Setup accessRule
                    ActiveDirectoryAccessRule accesRule = new ActiveDirectoryAccessRule(new NTAccount("user1"), ActiveDirectoryRights.AccessSystemSecurity, System.Security.AccessControl.AccessControlType.Allow);
                    compSecurity.AddAccessRule(acceRule);
                    child.CommitChanges();
                }
            }
You can add more permission to the Entry by adding a bitwise to the Rights enum:

ActiveDirectoryRights.AccessSystemSecurity | ActiveDirectoryRights.ListObject.

HTH
0
 
LVL 11

Author Comment

by:ALogvin
ID: 18756088
I attempted to do that Kate, but it never really worked. Here is my code:

try
{
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA",null,null,AuthenticationTypes.Secure);
           
ActiveDirectorySecurity sec = entry.ObjectSecurity;
ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(new NTAccount("NACORP", "NAUSERID"), ActiveDirectoryRights.WriteProperty,  AccessControlType.Allow, ActiveDirectorySecurityInheritance.None);
sec.AddAccessRule(rule);
entry.CommitChanges();
}
catch (Exception myExp)
{
       Console.WriteLine(myExp.Message.ToString());
}


And every time I run it, i get an exeption:
A constraint violation occurred. (Exception from HRESULT: 0x8007202F)

with the extended error message:
0000051B: AtrErr: DSID-031508EC, #1:
      0: 0000051B: DSID-031508EC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)


At least I know I am on the right path. All of your continued help is appreciated!
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 11

Author Comment

by:ALogvin
ID: 18760348
I rule. I found what I was missing here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=386e54af-2b4d-4280-b7b2-882c9ebaee60&p=1

Good ol Joe Kaplan (who writes an awesome Directory Services programming book) had the missing line of code..

de.Options.SecurityMasks = SecurityMasks.Dacl;

I had the tell the directory entry I was talking about a DACL so it knew what I was sending at it. Once I added this line in, It was smooooth sailing.

            DirectoryEntry de = new DirectoryEntry("LDAP://CN=$TEST,OU=DistributionLists,OU=Outlook,OU=NA,DC=NA,DC=NA", null, null, AuthenticationTypes.Secure);
            de.Options.SecurityMasks = SecurityMasks.Dacl;
            ActiveDirectorySecurity sd = de.ObjectSecurity;
            Guid myGuid = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");
            NTAccount accountName = new NTAccount("NACORP", "NAUSERID");
            IdentityReference acctSID = accountName.Translate(typeof(SecurityIdentifier));
            ActiveDirectoryAccessRule myRule = new ActiveDirectoryAccessRule(new SecurityIdentifier(acctSID.Value), ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, myGuid);
            sd.AddAccessRule(myRule);
            de.CommitChanges();


This is now resolved. I would recommend saving this ticket around, as it would be usefull to have the reference.
0
 
LVL 3

Expert Comment

by:Kate12
ID: 18762342
Well done... i'll keep that one under my hat! :-)
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19090287
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Performance in games development is paramount: every microsecond counts to be able to do everything in less than 33ms (aiming at 16ms). C# foreach statement is one of the worst performance killers, and here I explain why.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question