How to set Extended Rights in Active Directory ACL


Guest

Hallo!

Thanks to the help in this newsgroup I am now able to set basic rights on a
computer account in Active Directory.

The following C# code works fine
-----------------------------------------------------

using System.Security.Principal;
using System.DirectoryServices;

string strMemberString = "LDAP://OU=Test,DC=Domainname,DC=local";
DirectoryEntry computers = new DirectoryEntry();
computers.Path = strMemberString;
// Request owner, group, DACL and SACL so ObjectSecurity is fully populated
// (reading the SACL needs the SeSecurityPrivilege)
computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
    | SecurityMasks.Dacl | SecurityMasks.Sacl;

foreach (DirectoryEntry computer in computers.Children)
{
    if (computer.Name == "CN=TestComp")
    {
        ActiveDirectorySecurity sdc = computer.ObjectSecurity;
        NTAccount Account = new NTAccount("Domainname\\XYZ");
        SecurityIdentifier Sid =
            (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier));
        // ExtendedRight without an object GUID is an ACE for all extended rights
        ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(Sid,
            ActiveDirectoryRights.ExtendedRight | ActiveDirectoryRights.GenericRead,
            AccessControlType.Allow);
        // SetAccessRule replaces the existing Allow rules for this SID, then adds this one
        sdc.SetAccessRule(rule);
        computer.CommitChanges();
    }
}

-------------------------------------------------------

My job is to create a managed computer account for installing the computer
with RIS.
The final ACL of the computer account should be exactly the same as when
creating the account via the "AD Users and Computers" tool.

If I set up a managed computer account via AD Users and Computers, the ACL
shows the following rights for the designated user:
- Allow "List Contents"
- Allow "Read All Property"
- Allow "Delete"
- Allow "Delete Subtree"
- Allow "Read Permissions"
- Allow "All Extended Rights"
- Allow "Allow to authenticate"
- Allow "Change Password"
- Allow "Receive as"
- Allow "Reset Password"
- Allow "Send as"
- Allow "Write Account Restrictions"
- Allow "Validate write to DNS-Hostname"
- Allow "Validate Write to service principal name"
- Allow "Write Computer name (pre Windows 2000)"

Most of these rights are listed in the extended rights list in the
MSDN documentation
(http://msdn.microsoft.com/library/d...y/en-us/adschema/adschema/extended_rights.asp).

How can I set these extended rights? Is it possible to extend the code above
to do this job?

Thanks for help!
 

Peter Huang [MSFT]

Hi Martin,

Currently I am researching the issue and I will reply to you ASAP.


Best regards,

Peter Huang

Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 

Willy Denoyette [MVP]


Well, to set Extended Rights you will have to call native ADSI functions
through the ADSI COM library. But the question is why do you want to set
these on machine account objects (most only apply to regular user, group
and OU objects), and which one(s) are you thinking about?
If you could give some more details on this, I could try to post a sample.

Willy.
 

Guest

Hallo Willy,

thanks for your answer. The problem is that (due to security issues) the
result has to be exactly the same as it is when the computer account is
generated via "AD Users and Computers".
I wrote them down in detail in this request.

Is it possible to send files here? (I am using the web interface).
I would like to send you a screenshot with the original settings, generated
by AD-User & Computers.

Thanks in advance
 

Peter Huang [MSFT]

Hi Martin,

Based on my research, here is the code snippet for your reference.

NOTE: You need to add a reference to System.DirectoryServices and to the
Active Directory Type Library (ActiveDs COM library).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
using System.DirectoryServices;

// rightsGuid of the Send-As control access right
const string SENDAS = "{ab721a54-1e2f-11d0-9819-00aa0040529b}";
string strTrustee = @"testdomain\testaccount";

string ldapString = "LDAP://testdomain/ou=TestOU,dc=testdomain,dc=net";

DirectoryEntry objRoot = new DirectoryEntry(ldapString);
DirectoryEntry objComputer =
    objRoot.Children.Add("cn=TestComputer", "computer");
objComputer.CommitChanges();

ActiveDs.SecurityDescriptor sd =
    (ActiveDs.SecurityDescriptor)objComputer.Properties["ntSecurityDescriptor"].Value;
ActiveDs.AccessControlList dacl =
    (ActiveDs.AccessControlList)sd.DiscretionaryAcl;
ActiveDs.AccessControlEntry ace = new ActiveDs.AccessControlEntryClass();
ace.Trustee = strTrustee;
// A control access right such as Send As is granted with
// ADS_RIGHT_DS_CONTROL_ACCESS; ADS_RIGHT_GENERIC_ALL would grant every
// right on the object, far more than "Send As"
ace.AccessMask = (int)ActiveDs.ADS_RIGHTS_ENUM.ADS_RIGHT_DS_CONTROL_ACCESS;
ace.AceType =
    (int)ActiveDs.ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED_OBJECT;
// INHERIT_ACE lets child objects inherit the ACE; drop it for a leaf object
ace.AceFlags = (int)ActiveDs.ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
ace.ObjectType = SENDAS;
// Tells the DS that ObjectType carries the rights GUID (value 0x1)
ace.Flags = (int)ActiveDs.ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT;
dacl.AddAce(ace);
sd.DiscretionaryAcl = dacl;
objComputer.Properties["ntSecurityDescriptor"].Value = sd;
objComputer.CommitChanges();
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The code above will add a computer account into TestOU, and set the account
"testdomain\testaccount" with the Send As Permission for the TestComputer.

For the GUIDs of the other permissions you may check the link in your last
post.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_send_as.asp


Best regards,

Peter Huang

Microsoft Online Community Support
 

Willy Denoyette [MVP]

Peter,

The V2 FCL has built-in support for this, no need to use ADSI (ActiveDs) any
longer.

Here is a sample that sets SENDAS on an existing computer account object for
'Everyone'.

bool modified = false;
using (DirectoryEntry computers = new
    DirectoryEntry("LDAP://testdomain/ou=TestOU,dc=testdomain,dc=net"))
{
    computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
        | SecurityMasks.Dacl | SecurityMasks.Sacl;

    foreach (DirectoryEntry computer in computers.Children)
    {
        if (computer.Name == "CN=Testcomputer")
        {
            ActiveDirectorySecurity sdc = computer.ObjectSecurity;
            NTAccount Account = new NTAccount("Everyone");
            // rightsGuid of Send-As; pass Guid.Empty instead to grant all extended rights
            ExtendedRightAccessRule erar = new
                ExtendedRightAccessRule(Account,
                    AccessControlType.Allow,
                    new Guid("ab721a54-1e2f-11d0-9819-00aa0040529b"));

            // ModifyAccessRule(Add) appends the ACE; a SetAccessRule afterwards
            // would replace every other Allow rule for the same trustee
            sdc.ModifyAccessRule(AccessControlModification.Add, erar, out modified);
            computer.CommitChanges();
            Console.WriteLine("Success? {0}", modified);
        }
    }
}

If you set the Guid argument to Guid.Empty, all extended rights are set, and
I guess this is what the OP is after.

Willy.
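
The list in the original post mixes several ACE kinds: plain object rights, control access rights (the true "extended rights"), validated writes, a property set and a single attribute write. As an added example (not code from Willy, Peter or the original poster), the block below grants that whole list to the designated account with the V2 FCL, resolving each rights GUID by name from the forest's Extended-Rights container and the schema instead of hardcoding it, and lets the caller choose between one "All Extended Rights" ACE (Willy's Guid.Empty) and one ACE per right. The cn values of the rights (Send-As, Receive-As, User-Change-Password, User-Force-Change-Password, Allowed-To-Authenticate, Validated-DNS-Host-Name, Validated-SPN, User-Account-Restrictions), the LDAP paths and the account names are assumptions to verify in your own forest.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class ManagedComputerAcl
{
    // Assumed cn values under CN=Extended-Rights,CN=Configuration,...;
    // verify them in your forest before relying on them.
    static readonly string[] ControlAccessRights = { "Send-As", "Receive-As",
        "User-Change-Password", "User-Force-Change-Password", "Allowed-To-Authenticate" };
    static readonly string[] ValidatedWrites = { "Validated-DNS-Host-Name", "Validated-SPN" };
    static readonly string[] PropertySets = { "User-Account-Restrictions" };

    // Resolves the rightsGuid of a control access right, validated write or
    // property set by its cn, so no GUID has to be hardcoded.
    static Guid LookupRightsGuid(string cn)
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string configNc = (string)rootDse.Properties["configurationNamingContext"].Value;
            using (DirectoryEntry container = new DirectoryEntry("LDAP://CN=Extended-Rights," + configNc))
            using (DirectorySearcher searcher = new DirectorySearcher(container,
                "(&(objectClass=controlAccessRight)(cn=" + cn + "))", new string[] { "rightsGuid" }))
            {
                SearchResult result = searcher.FindOne();
                if (result == null) throw new InvalidOperationException("Right not found: " + cn);
                return new Guid((string)result.Properties["rightsGuid"][0]); // stored as a string
            }
        }
    }

    // Resolves the schemaIDGUID of an attribute (sAMAccountName is the
    // "Computer name (pre-Windows 2000)" shown by AD Users and Computers).
    static Guid LookupAttributeGuid(string ldapDisplayName)
    {
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string schemaNc = (string)rootDse.Properties["schemaNamingContext"].Value;
            using (DirectoryEntry schema = new DirectoryEntry("LDAP://" + schemaNc))
            using (DirectorySearcher searcher = new DirectorySearcher(schema,
                "(&(objectClass=attributeSchema)(lDAPDisplayName=" + ldapDisplayName + "))",
                new string[] { "schemaIDGUID" }))
            {
                SearchResult result = searcher.FindOne();
                if (result == null) throw new InvalidOperationException("Attribute not found: " + ldapDisplayName);
                return new Guid((byte[])result.Properties["schemaIDGUID"][0]); // stored as an octet string
            }
        }
    }

    // Grants the designated account the rights from the original post, one ACE per right kind.
    public static void Apply(string computerPath, NTAccount trustee, bool grantAllExtendedRights)
    {
        using (DirectoryEntry computer = new DirectoryEntry(computerPath))
        {
            // Only the DACL is read and written back; owner, group and SACL stay untouched
            computer.Options.SecurityMasks = SecurityMasks.Dacl;
            ActiveDirectorySecurity acl = computer.ObjectSecurity;

            // List Contents, Read All Properties, Delete, Delete Subtree, Read Permissions
            acl.AddAccessRule(new ActiveDirectoryAccessRule(trustee,
                ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty |
                ActiveDirectoryRights.Delete | ActiveDirectoryRights.DeleteTree |
                ActiveDirectoryRights.ReadControl, AccessControlType.Allow));

            if (grantAllExtendedRights)
                // One ACE without an object GUID: shown by ADUC as "All Extended Rights"
                acl.AddAccessRule(new ExtendedRightAccessRule(trustee, AccessControlType.Allow, Guid.Empty));
            else
                foreach (string cn in ControlAccessRights)
                    acl.AddAccessRule(new ExtendedRightAccessRule(trustee, AccessControlType.Allow, LookupRightsGuid(cn)));

            // Validated writes are the Self right scoped to the right's GUID
            foreach (string cn in ValidatedWrites)
                acl.AddAccessRule(new ActiveDirectoryAccessRule(trustee, ActiveDirectoryRights.Self,
                    AccessControlType.Allow, LookupRightsGuid(cn)));

            // "Write Account Restrictions" is WriteProperty on a property set
            foreach (string cn in PropertySets)
                acl.AddAccessRule(new PropertySetAccessRule(trustee, AccessControlType.Allow,
                    PropertyAccess.Write, LookupRightsGuid(cn)));

            // "Write Computer name (pre-Windows 2000)" is WriteProperty on sAMAccountName
            acl.AddAccessRule(new PropertyAccessRule(trustee, AccessControlType.Allow,
                PropertyAccess.Write, LookupAttributeGuid("sAMAccountName")));

            computer.CommitChanges();
        }
    }

    static void Main()
    {
        // Constructed sample values taken from the thread; replace with your own
        Apply("LDAP://testdomain/CN=TestComputer,OU=TestOU,DC=testdomain,DC=net",
              new NTAccount(@"testdomain\testaccount"), false);
    }
}
```

Guid.Empty produces a single CONTROL_ACCESS ACE that covers every extended right the forest defines now or later, including ones not in the list above, so per-right ACEs are the least-privilege choice; which of the two the reference account actually carries is best decided by reading the DACL of a computer created with AD Users and Computers rather than by its checkbox view, which ticks every sub-right when "All Extended Rights" is set.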



 

Willy Denoyette [MVP]

See my reply to Peter's last posting.
But still I don't understand what you are trying to achieve; computer
account objects have several ACEs, which entry are you looking at and which
one do you want to have extended rights?
Normally when you create a computer account using .NET, the account is
created with the same defaults (same entries) as done by the AD tool.

Willy.
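
Whether a programmatically created account really ends up with the same entries as the AD tool's is something to check rather than assume, and the original poster's requirement is exactly that the two DACLs match. As an added example (not code from this thread), the block below reads the explicit ACEs of a reference computer created with AD Users and Computers and of a computer created by code, renders each ACE canonically with the designated user replaced by a placeholder, and reports what the candidate is missing and what it carries in addition. The LDAP paths and account names are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

static class DaclDiff
{
    // Renders every explicit (non-inherited) ACE of an object's DACL as one canonical
    // line. The designated user differs between the two objects, so its account name
    // is replaced by a placeholder before the lines are compared.
    public static List<string> ExplicitAces(string ldapPath, NTAccount designated)
    {
        List<string> lines = new List<string>();
        using (DirectoryEntry entry = new DirectoryEntry(ldapPath))
        {
            entry.Options.SecurityMasks = SecurityMasks.Dacl; // read only the DACL
            foreach (ActiveDirectoryAccessRule rule in
                     entry.ObjectSecurity.GetAccessRules(true, false, typeof(NTAccount)))
            {
                string who = rule.IdentityReference.Value.Equals(designated.Value,
                    StringComparison.OrdinalIgnoreCase) ? "<DESIGNATED-USER>" : rule.IdentityReference.Value;
                // An empty ObjectType means the ACE applies to all extended rights / properties
                lines.Add(string.Format("{0};{1};{2};{3};{4};{5}", rule.AccessControlType, who,
                    rule.ActiveDirectoryRights, rule.ObjectType, rule.InheritedObjectType,
                    rule.InheritanceType));
            }
        }
        lines.Sort(StringComparer.OrdinalIgnoreCase);
        return lines;
    }

    // True when both DACLs carry exactly the same explicit ACEs; otherwise reports what
    // the candidate lacks and what it carries in addition to the reference.
    public static bool SameDacl(List<string> reference, List<string> candidate,
                                out List<string> missing, out List<string> extra)
    {
        missing = new List<string>();
        extra = new List<string>();
        foreach (string ace in reference) if (!candidate.Contains(ace)) missing.Add(ace);
        foreach (string ace in candidate) if (!reference.Contains(ace)) extra.Add(ace);
        return missing.Count == 0 && extra.Count == 0;
    }

    static void Main()
    {
        // Constructed sample paths: one computer created with AD Users and Computers,
        // one created by code, each with its own designated user
        List<string> reference = ExplicitAces(
            "LDAP://testdomain/CN=RefComputer,OU=TestOU,DC=testdomain,DC=net",
            new NTAccount(@"testdomain\refuser"));
        List<string> candidate = ExplicitAces(
            "LDAP://testdomain/CN=TestComputer,OU=TestOU,DC=testdomain,DC=net",
            new NTAccount(@"testdomain\testaccount"));

        List<string> missing, extra;
        bool same = SameDacl(reference, candidate, out missing, out extra);
        Console.WriteLine("Identical DACL: {0}", same);
        foreach (string ace in missing) Console.WriteLine("MISSING: " + ace);
        foreach (string ace in extra)   Console.WriteLine("EXTRA:   " + ace);
    }
}
```

The comparison deliberately ignores inherited ACEs, because those come from the OU and are identical for both objects anyway; an ACE that shows up as EXTRA on the candidate with a GUID-less ExtendedRight entry is the "All Extended Rights" grant and is the first thing to question when the reference object only carries specific rights.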

 

Peter Huang [MSFT]

Hi Willy,

Yes, you are right, the .NET Framework 2.0 provides more support for AD.
Thanks for sharing your knowledge.

For Martin, I am sorry I did not mention in my last post that this is a
.NET 1.1 solution.
Anyway, if you still have any concern on this issue, please feel free to
post here.
I think the community and I will be glad to be of assistance.

Best regards,

Peter Huang

Microsoft Online Community Support
 

Guest

Willy,

Thank you very much for your answer.
I'll test it and will rate your answer afterwards.

 

Guest

Peter,

Thank you very much for your efforts. I'm sure your answer will be helpful
for someone.
I'm going to test Willy's solution.
 
