Introduction
I have created an ACL Viewer utility which does the following:
- Resolves SIDs in the current domain and in trusted domains only. Currently it does not resolve SIDs from other domains in the forest, and a few well-known SIDs are not resolved either
- Shows all the permissions assigned to a trustee
- Shows inheritance information
- Resolves all the object GUIDs found in the ACEs ==> property, property-set and object types
Microsoft has built a very good architecture for reading data from Active Directory in .NET, but I did not find a good document on it. I did some R&D and created an ACL viewer, which I needed in order to test my effective-permission algorithm.
I will talk about effective permissions in my next article. This is just the beginning for permissions in Active Directory.
Algorithm
Input
- LDAP path of the Object
- Credentials => UserName and Password
Output
- List all the permissions assigned on the given object
Algorithm
- Bind to the object using the credentials ==> use the DirectoryEntry class for this
- Get the security information from the object ==> use the ActiveDirectorySecurity class for this
- Get the security descriptor from the security information ==> in SDDL format (basically a string representation). Note that a DirectoryEntry reads only the owner, group and DACL by default (Options.SecurityMasks), so the SACL part of the SDDL is empty unless the mask includes Sacl and the caller holds the SeSecurityPrivilege
- Get all the access rules (the access control entries) ==> use the AuthorizationRuleCollection class for this
- For each rule, resolve the SID and the object type
- Display all the entries to the user
Code
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;
// Bind to the object with the supplied credentials
DirectoryEntry objDE = new DirectoryEntry(adPath, credUser, credPassword);
ActiveDirectorySecurity adSecurity = objDE.ObjectSecurity;
// Security descriptor in SDDL (string) form
string sd = adSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
// Explicit and inherited ACEs, trustees translated to NTAccount
AuthorizationRuleCollection rules = adSecurity.GetAccessRules(true, true, typeof(NTAccount));
The NTAccount class resolves SIDs in the current domain. I have used LookupAccountSid (Win32) to resolve SIDs in trusted domains and to resolve well-known SIDs. One caveat: GetAccessRules(..., typeof(NTAccount)) translates all trustee SIDs of the descriptor in one batch and throws IdentityNotMappedException if any single one of them cannot be mapped (a deleted account, a SID from an untrusted forest). Requesting typeof(SecurityIdentifier) instead and translating each trustee individually lets the viewer display the raw SID for an unresolvable entry rather than fail for the whole object.
To resolve object types, I read all the object types from Active Directory once and cache them: the schemaIDGUID of every attribute and class from the schema partition, and the rightsGuid of every controlAccessRight (property sets and extended rights) from the Extended-Rights container in the configuration partition. The code is really simple and you can figure it out very easily.
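The following is an added example, not the article's own code, that carries the Algorithm steps and the Code fragment above through in one runnable class: it binds with the supplied credentials, prints the owner and the SDDL, enumerates explicit and inherited ACEs, resolves each trustee SID individually (falling back to the raw SID instead of failing), and resolves object-type GUIDs through a cache built from the schema and the Extended-Rights container. The LDAP path, user name and password are placeholders supplied on the command line; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not the article's code). Runs the algorithm end to end:
// bind, read the security descriptor, enumerate the DACL, resolve each SID
// and each object-type GUID. adPath/user/password are supplied by the caller.
public static class AclViewer
{
    // Cache: schemaIDGUID of attributes and classes plus rightsGuid of property
    // sets and extended rights, keyed by GUID -> display name. Filled once per run.
    static readonly Dictionary<Guid, string> GuidNames = new Dictionary<Guid, string>();

    static void LoadGuidCache(string user, string password)
    {
        string schemaNc, configNc;
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE", user, password))
        {
            schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
            configNc = (string)rootDse.Properties["configurationNamingContext"].Value;
        }

        // Attributes and classes: schemaIDGUID is stored as an octet string.
        using (var schema = new DirectoryEntry("LDAP://" + schemaNc, user, password))
        using (var s = new DirectorySearcher(schema, "(schemaIDGUID=*)",
                   new[] { "lDAPDisplayName", "schemaIDGUID" }))
        {
            s.PageSize = 1000;
            using (SearchResultCollection results = s.FindAll())
                foreach (SearchResult r in results)
                    GuidNames[new Guid((byte[])r.Properties["schemaIDGUID"][0])] =
                        (string)r.Properties["lDAPDisplayName"][0];
        }

        // Property sets and extended rights: rightsGuid is stored as a string.
        using (var rights = new DirectoryEntry("LDAP://CN=Extended-Rights," + configNc, user, password))
        using (var s = new DirectorySearcher(rights, "(objectClass=controlAccessRight)",
                   new[] { "displayName", "rightsGuid" }))
        {
            s.PageSize = 1000;
            using (SearchResultCollection results = s.FindAll())
                foreach (SearchResult r in results)
                    GuidNames[new Guid((string)r.Properties["rightsGuid"][0])] =
                        (string)r.Properties["displayName"][0];
        }
    }

    // Guid.Empty in an ACE means "the whole object" / "all object classes".
    static string NameForGuid(Guid g)
    {
        if (g == Guid.Empty) return "All";
        string name;
        return GuidNames.TryGetValue(g, out name) ? name : g.ToString();
    }

    // DOMAIN\name when the SID can be looked up; otherwise keep the raw SID rather
    // than fail (deleted accounts, SIDs from an untrusted forest, some well-known SIDs).
    static string ResolveSid(IdentityReference id)
    {
        try { return id.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return id.Value; }
    }

    public static void Show(string adPath, string user, string password)
    {
        LoadGuidCache(user, password);
        using (var objDE = new DirectoryEntry(adPath, user, password))
        {
            ActiveDirectorySecurity sec = objDE.ObjectSecurity;
            Console.WriteLine("Owner: " + ResolveSid(sec.GetOwner(typeof(SecurityIdentifier))));
            Console.WriteLine("SDDL:  " + sec.GetSecurityDescriptorSddlForm(AccessControlSections.Access));

            // Ask for SecurityIdentifier, not NTAccount: with typeof(NTAccount) a single
            // SID that cannot be mapped makes GetAccessRules throw IdentityNotMappedException.
            foreach (ActiveDirectoryAccessRule rule in
                     sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                Console.WriteLine("{0,-5} {1,-45} {2}", rule.AccessControlType,
                    ResolveSid(rule.IdentityReference), rule.ActiveDirectoryRights);
                Console.WriteLine("      object: {0}; inherited object: {1}; inherited: {2}; applies to: {3}",
                    NameForGuid(rule.ObjectType), NameForGuid(rule.InheritedObjectType),
                    rule.IsInherited, rule.InheritanceType);
            }
        }
    }

    static void Main(string[] args)
    {
        // Usage: AclViewer.exe "LDAP://CN=Users,DC=example,DC=com" "EXAMPLE\viewer" "password"
        Show(args[0], args[1], args[2]);
    }
}
```

The GUID cache is built from two places because an ACE's ObjectType can name three different things: an attribute or class (schemaIDGUID in the schema partition) or a property set or extended right (rightsGuid on a controlAccessRight under CN=Extended-Rights in the configuration partition). Only the DACL is requested in the SDDL call, matching what the viewer displays; reading the SACL needs SecurityMasks to include Sacl and the SeSecurityPrivilege.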
If you still have problems, please contact me at SumitKJain@hotmail.com.
History
- 6th October, 2006: Initial post