Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles
(untagged)

Access Control List in C# 2.0

0.00/5 (No votes)
5 Oct 2006 2  
A tool to enumerate all access control list entries
Sample Image - ADPermissions.jpg

Introduction

I have created an ACL Viewer utility which does the following:

  1. Resolve Sid in current domain and trusted domains only. Currently it does not resolve in the forest and few well-know sids
  2. Show all the permissions assigned to a Trustee
  3. Show inheritance information
  4. Resolve all the object-guids ==> property, property-set and object types

Microsoft has developed a very good architecture to get the data from Active Directory in .NET. However I did not find a good document on the same. I did some R&D and created an ACL viewer which I required to test my effective permission algorithm.

I will talk about effective permission in my next article. This is just the beginning for permission in active directory.

Algorithm

Input

  1. LDAP path of the Object
  2. Credentials => UserName and Password

Output

  • List all the permissions assigned on the given object

Algorithm

  1. Bind to the object using the credentials ==> Use DirectoryEntry class for this
  2. Get the security information from the object ==> Use ActiveDirectorySecurity class for this
  3. Get the Security Descriptor from the security information ==> In SDDL format (basically it's a string format)
  4. Get all the access rules, access control entries ==> Use AuthorizationRuleCollection class for this
  5. For each rule, resolve the SID and object-Type
  6. Display all the entries to the user

Code

DirectoryEntry objDE = new DirectoryEntry(adPath, credUser, credPassword);
ActiveDirectorySecurity adSecurity = objDE.ObjectSecurity;
string sd = adSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
AuthorizationRuleCollection rules = 
    adSecurity.GetAccessRules(true, true, typeof(NTAccount);

NTAccount class resolves SIDs in the current domain. I have used ::LookupAccountSid to resolve SIDs in trusted domains and to resolve well-known SIDs.

To resolve Object-Types, I get all the object-types from the active directory and cache them. The code is really simple and you can figure it out very easily.

If you still have problems, please contact me at SumitKJain@hotmail.com.

History

  • 6th October, 2006: Initial post

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here