how to capture error on Translate(typeof(NTAccount)

Guest

I have a sample set I'm working through. It is presenting ACE rights on
Exchange containers. The problem is that as it tries to translate a user it
fails because it is not a valid SID any more.

When I try to use "try and catch" I will exit the program. However, MSDN does
not show that there is only "The converted identity". But what if, like in my
case, there is no translation? How can I just present the ID without translation?

Here is the sample code...

public static void ADSReadACEsExp(AuthorizationRuleCollection aCL)
{
    int iCounter = 1;
    if (aCL.Count == 0)
    {
        Console.WriteLine("There are no ACEs associated with this ACL.");
    }
    else
    {
        // try
        // {

        // Determine the type of ACL by calling the first ACE in the index
        // and returning its type name.
        // aCL[0].GetType().Name returns ActiveDirectoryAccessRule if it's
        // a DACL (called by GetAccessRule)
        // and it returns ActiveDirectoryAuditRule if it's a SACL (called by GetAuditRule)
        string aCEType =
            (aCL[0].GetType().Name == "ActiveDirectoryAccessRule") ? "DACL" : "SACL";

        Console.WriteLine("\r\nRead ACEs in {0}\n", aCEType);

        #region // if the aCEType is a DACL iterate an ActiveDirectoryAccessRule collection
        if (aCEType == "DACL")
        {
            foreach (ActiveDirectoryAccessRule aCE in aCL) // For reading ACEs in a DACL
            {
                Console.WriteLine("\t\t\tCounter = " + iCounter);
                iCounter++;
                // An ACE is an allow or deny type. Use the AuditFlags property
                // to get a success or failure value of an ACE in a SACL
                Console.WriteLine("ACE Type:\t\t{0}", aCE.AccessControlType);

                /* You can get the SID from the next commented line,
                 * but it's more intuitive to get the account name
                 * as shown after the commented code.
                 * Console.WriteLine("Identity Reference (SID):\t{0}",
                 *     aCE.IdentityReference.Value);
                 */

                /* An efficient way to get to the username is to use the Translate
                 * method to convert the IdentityReference (SID) to an
                 * IdentityReference NTAccount, then call
                 * the Value property of the NTAccount class to retrieve
                 * the account name. */
                NTAccount nTAcctInfo =
                    (NTAccount)aCE.IdentityReference.Translate(typeof(NTAccount)); // <--- where the error can appear.
                Console.WriteLine("Trustee:\t\t{0}", nTAcctInfo.Value);
            }
        }
        #endregion
        // ... (the rest of the method was cut off in the post)
    }
}
 
Willy Denoyette [MVP]

Please include the error message (the Exception message) when posting; also,
remove the comments from your sample, it'll make it more readable.
I'm also not clear on this - "because it is not a valid SID any more", do you
mean that you have SIDs that no longer correspond to anything valid?

That said, you'd better make sure that the target type is an NTAccount before
calling Translate.

if (aCE.IdentityReference.IsValidTargetType(typeof(NTAccount)))
{
    try
    {
        NTAccount nTAcctInfo =
            (NTAccount)aCE.IdentityReference.Translate(.....
        Console.WriteLine(....);
    }
    catch (...)
    {
        // handle cases where the name look-up fails
    }
}


Willy.
 
Guest

Hello Willy,
you are correct, the SID no longer corresponds to anything valid.
{S-1-23-45-96} for example. I'm not able to trap on messages to print to the
console, so I can only see when I step through the code. It seems that it is
an orphan SID.

I will try your recommendations and let you know.

Thanks very much.


 
Guest

Hello Willy,
I tried what you asked. It seems that the SID is a valid type, or at least
"IsValidTargetType" thinks so:

System.Security.Principal.IdentityNotMappedException was unhandled
  Message="Some or all identity references could not be translated."
  Source="mscorlib"
  StackTrace:
       at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
       at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
       at msdnDS2.ADSecurity.ADSReadACEsExp(AuthorizationRuleCollection aCL) in E:\project\DirectoryServices\ADSecurity.cs:line 137
       at msdnDS2.Program.Main(String[] args) in E:\project\DirectoryServices\Program.cs:line 103
       at System.AppDomain.nExecuteAssembly(Assembly assembly, String[] args)
       at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
       at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
       at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Threading.ThreadHelper.ThreadStart()

The value returns "{S-1-5-32-554}". This is the reason I'm learning to build
this tool: to identify problems.

I just don't know how to trap this error and move on.

Thanks for your help.
herb

 
Willy Denoyette [MVP]

Did you try this?

....
try
{
    NTAccount nTAcctInfo =
        (NTAccount)aCE.IdentityReference.Translate(.....
    Console.WriteLine(....);
}
catch (IdentityNotMappedException ex)
{
    Console.WriteLine("No account mapped to the SID");
}
....

Willy.
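Putting Willy's two suggestions together (the IsValidTargetType check and catching IdentityNotMappedException) into a routine that keeps enumerating the DACL and reports the raw SID of every ACE whose trustee no longer maps to an account, which is exactly what the tool is meant to find. This is an added example, not code from the thread; the class, struct and method names are mine, and the LDAP path in the usage comment is a placeholder.

```csharp
using System;
using System.DirectoryServices;          // reference System.DirectoryServices.dll
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the thread): resolve each ACE's trustee and, when the
// SID has no account behind it, keep the SID text instead of aborting the run.
public static class AceReport
{
    // Result of one trustee lookup: the text to print plus whether it was orphaned.
    public struct Trustee
    {
        public string Display;   // "DOMAIN\name" when resolved, otherwise the raw SID
        public bool Unresolved;  // true when Translate threw IdentityNotMappedException
    }

    // Try to map an IdentityReference (normally a SecurityIdentifier) to an NTAccount.
    public static Trustee ResolveTrustee(IdentityReference id)
    {
        var result = new Trustee { Display = id.Value, Unresolved = false };
        if (!id.IsValidTargetType(typeof(NTAccount)))
            return result;              // nothing to translate; keep the raw value
        try
        {
            result.Display = ((NTAccount)id.Translate(typeof(NTAccount))).Value;
        }
        catch (IdentityNotMappedException)
        {
            // Orphaned SID: the account was deleted, or it belongs to a domain this
            // machine cannot resolve. Keeping the SID string leaves the ACE visible
            // so it can be reviewed and cleaned up rather than silently skipped.
            result.Unresolved = true;
        }
        return result;
    }

    // Walk a DACL and print one line per ACE. Orphaned trustees are flagged, and the
    // count of them is returned so a caller can fail a check or write a report.
    public static int ReadDacl(AuthorizationRuleCollection acl)
    {
        int orphaned = 0;
        int counter = 1;
        foreach (ActiveDirectoryAccessRule ace in acl)
        {
            Trustee t = ResolveTrustee(ace.IdentityReference);
            Console.WriteLine("{0,3}. {1,-5} {2,-40} {3}{4}",
                counter++, ace.AccessControlType, t.Display, ace.ActiveDirectoryRights,
                t.Unresolved ? "   <-- orphaned SID, no account mapped" : "");
            if (t.Unresolved) orphaned++;
        }
        return orphaned;
    }

    // Usage (assumes a reachable directory; the DN below is a placeholder):
    //   var entry = new DirectoryEntry("LDAP://CN=Users,DC=example,DC=com");
    //   var acl = entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
    //   int orphans = ReadDacl(acl);
}
```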

 
Guest

I guess I did not.
That, my friend, is very impressive!

Great job, thanks. Maybe one day I can figure this out.

