Writing ACL doesn't work

  • Thread starter Sebastian Sosna

Sebastian Sosna

Hello NG!

I am trying to write Access Control Settings for Users in Active Dir.
First, what I do is delegate a Trustee in a Container, with
permissions. This works fine. Let's take Guests as Trustee. Setting
rights like "Full Control" or "Read" or "Write" is not the issue; my
problem is the Subrights like "Read logon time" or "Write logon time";
I cannot achieve this. OK, here's some code:

using ActiveDs;

AccessControlEntry newAce = new AccessControlEntryClass();
SecurityDescriptor usrSD =
(SecurityDescriptor)src.Properties["ntSecurityDescriptor"].Value;
AccessControlList usrAcl= (AccessControlList) usrSD.DiscretionaryAcl;
ADsSecurityUtilityClass asu = new ADsSecurityUtilityClass();
asu.SecurityMask=(int)(ADS_SECURITY_INFO_ENUM.ADS_SECURITY_INFO_DACL);


newAce.Flags=(int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
| (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;


newAce.AceType=aceType;
newAce.AccessMask=accessMask;
newAce.AceFlags=aceFlags;

//Problems must be here! Or the newAce.Flags attribute!
newAce.ObjectType="{28630ebf-41d5-11d1-a9c1-0000f80367c1}";
newAce.InheritedObjectType="{bf967aba-0de6-11d0-a285-00aa003049e2}";
//Here we go with the SubRights like "Lockout Time"
//Here I set "Lockout time", which doesn't work, no error, no exception!


newAce.Trustee=GetTextualSID(de);
usrAcl.AddAce(newAce);
usrSD.DiscretionaryAcl=usrAcl;
src.Properties["ntSecurityDescriptor"].Value=usrSD;
src.CommitChanges();




OK, everything works except those lines:
1. newAce.Flags....
2. newAce.ObjectType...
3. newAce.InheritedObjectType...

I have tried the same stuff in VB, which worked without a problem!!!!! ( ??? )
Here is the VB code which works fine:

(Note: the declarations of the ADS variables are not posted!)

' ADS_FLAG_OBJECTS
Public Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Public Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
' Delegation of the admin OU
Set ou = GetObject("LDAP://ou=123,ou=agis,dc=adtsfbbd3,dc=adtsfbb,dc=net")
Set sec = ou.Get("ntSecurityDescriptor")
Set acl = sec.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
' You can also use Set ace = new ADsAccessControlEntry.

' Grant access to the object.
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

' Read and write the property named by ObjectType.
ace.AccessMask = ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP

' Attribute LockOutTime
ace.ObjectType = "{28630ebf-41d5-11d1-a9c1-0000f80367c1}"

' schemaIDGUID of the user object class.
ace.InheritedObjectType = "{bf967aba-0de6-11d0-a285-00aa003049e2}"

' Propagate the ACE down.
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE

' Provide an option that notifies that the objectType is filled.
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT or ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

' Show the beneficiary of this ACE.
ace.Trustee = "adtsfbbd3\test123"
acl.AddAce ace

sec.DiscretionaryAcl = acl
ou.Put "ntSecurityDescriptor", Array(sec)
' Use SetInfo to commit the data to Active Directory.
ou.SetInfo
If Err.number<>0 Then
MsgBox "Delegation nicht eingerichtet.",48
Wscript.Quit
End If

' Release the objects.
Set ace = Nothing
Set acl = Nothing
Set sec = Nothing
MsgBox "Delegation von LockOutTime der Gruppe " & strGroup & " durchgefuehrt."


So why does this work under VB but not under C#? What am I doing
wrong??
Thank you all very much!

Regards Sebastian
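
Added example, not part of either post: a decoder for the binary ACCESS_ALLOWED_OBJECT_ACE layout, usable to check whether the ACE that actually reached the DACL carries the Flags bits and the two GUIDs from the post. The helper names, the builder and the sample ACE for S-1-5-32-546 (Guests) are constructed for illustration.

```python
import struct
import uuid

# Documented Windows constants; the two GUIDs are the ones quoted in the post.
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2
READ_PROP, WRITE_PROP, INHERIT_ACE = 0x10, 0x20, 0x02
LOCKOUT_TIME = uuid.UUID("28630ebf-41d5-11d1-a9c1-0000f80367c1")
USER_CLASS = uuid.UUID("bf967aba-0de6-11d0-a285-00aa003049e2")


def parse_sid(raw):
    """Binary SID -> 'S-1-5-...' string."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def parse_object_ace(raw):
    """Decode one ACCESS_ALLOWED_OBJECT_ACE; a GUID is read only if Flags announces it."""
    ace_type, ace_flags, size, mask, flags = struct.unpack_from("<BBHII", raw, 0)
    if ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE or size != len(raw):
        raise ValueError("not a well-formed ACCESS_ALLOWED_OBJECT_ACE")
    offset, ace = 12, {"ace_flags": ace_flags, "mask": mask, "flags": flags}
    for bit, name in ((ACE_OBJECT_TYPE_PRESENT, "object_type"),
                      (ACE_INHERITED_OBJECT_TYPE_PRESENT, "inherited_object_type")):
        ace[name] = None
        if flags & bit:
            ace[name] = uuid.UUID(bytes_le=raw[offset:offset + 16])
            offset += 16
    ace["trustee"] = parse_sid(raw[offset:])
    return ace


def build_object_ace(mask, ace_flags, flags, sid, object_type=None, inherited=None):
    """Hypothetical helper: serialize a constructed sample ACE in the stored layout."""
    body = struct.pack("<II", mask, flags)
    if flags & ACE_OBJECT_TYPE_PRESENT:
        body += object_type.bytes_le
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        body += inherited.bytes_le
    body += sid
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, ace_flags, 4 + len(body)) + body


# Constructed sample: S-1-5-32-546 (BUILTIN\Guests) with the post's rights and GUIDs.
GUESTS_SID = bytes([1, 2]) + (5).to_bytes(6, "big") + struct.pack("<2I", 32, 546)
SAMPLE = build_object_ace(READ_PROP | WRITE_PROP, INHERIT_ACE, 0x3, GUESTS_SID, LOCKOUT_TIME, USER_CLASS)
```

An ACE whose Flags value is 0 decodes with object_type set to None; in that case the read/write-property rights cover every property of the object rather than only lockoutTime.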
 

NULL

' Show the beneficiary of this ACE.
ace.Trustee = "adtsfbbd3\test123"
acl.AddAce ace

try to alter the Trustee to @"adtsfddb3\test123"; <=Place a '@' before
the string
C# uses \ for escape characters in strings...:
\t = tab
\n = newline
...
Usage of @ in front of the string (like this: @"my\nstring") will
disable escape chars for that string (the result here will be
'my\nstring' instead of - for vb: "my" & vbCrLf & "string")

that might be it...
 
