问题描述
在我的 .NET 2.0 C# 应用程序中,我需要确定用户(使用密码)是否能够修改(写入)Active Directory 中的选项.我希望有一种方法可以使用 DirectoryEntry,而无需在 AD 中创建然后删除新对象.
In my .NET 2.0 C# applcation I need to determine if a user (with password) has ability to modify (write) option in Active Directory. I hope there is a way using DirectoryEntry without creating and then deleting new object in AD.
感谢您的帮助.
推荐答案
就像 Olive 所说的那样,自己很难做好.很难做到正确,因为权限可以通过 Active Directory 组传递到您的用户帐户.因此,为了找出特定用户帐户的有效权限,您必须找出该用户所属的所有组.
Like Olive said, it's difficult to do it right yourself. It's difficult to do right because the permissions can be passed onto your user account via Active Directory groups. So, in order to find out the effective permission for a particular user account, you have to find out all the groups the user belongs to.
幸运的是,Active Directory 有一种特殊类型的属性,称为构造属性.默认情况下,如果您使用 AD Explorer 或 ADSI Edit 浏览您的对象,则不会显示这些类型的属性.在 ADSI Edit 中,您可以设置 Filter 以包含这些构造的属性.此处有用的构造属性之一是 allowedAttributesEffective.它是一个多值属性,它包含您当前用户有权写入的所有属性.它由 Active Directory 动态计算.它负责所有的继承、拒绝覆盖和组权限.如果您有权写入 cn 属性,您将看到 cn 作为其中的值之一.
Fortunately, Active Directory has a special type of attributes called constructed attributes. By default, if you are using AD Explorer or ADSI Edit to browse your object's, these kinds of attributes are not shown. In ADSI Edit, you can set the Filter to include these constructed attributes. One of the useful constructed attributes here is allowedAttributesEffective. It's a multi-value attribute and it contains all attributes that your current user has permission to write to. It's calculated by Active Directory on the fly. It takes care all the inheritance, deny override and group permissions. If you have permission to write to cn attribute, you will see cn as one of the values in it.
以下示例用于检查特定用户对 Active Directory 上特定对象的特定属性集具有写入权限.
Here is a sample for checking a particular user has write permissions on a particular sets of attributes on a specific object on Active Directory.
static bool CheckWritePermission(string path, string username, string password, string[] properties)
{
using (DirectoryEntry de = new DirectoryEntry(path, username, password))
{
de.RefreshCache(new string[] {"allowedAttributesEffective"});
return properties.All( property => de.Properties["allowedAttributesEffective"].Contains(property));
}
}
是的,这不是您想要的.您要求检查用户是否具有 WriteAllProperties 权限.实际上,WriteAllProperties 权限是对不同属性的写属性权限的集合.您可能需要做一些功课来找出您的应用程序真正关心的属性.然后,只需传入这些属性即可.
Yes, it's not exactly what you want. You are asking to check if a user has WriteAllProperties permission. Actually, WriteAllProperties permission is a collection of write property permissions on different attributes. You may need to do some homework to find out what attributes your application really cares. Then, just pass in those attributes.
如果你真的不知道要检查什么属性,这个应该足够了
If you really have no idea what attributes to check, this one should be good enough
static bool CheckWritePermission(string path, string username, string password)
{
using (DirectoryEntry de = new DirectoryEntry(path, username, password))
{
de.RefreshCache(new string[] { "allowedAttributesEffective" });
return de.Properties["allowedAttributesEffective"].Value != null;
}
}
在这里,我正在检查返回的 allowedAttributesEffective 是否为空.如果为 null,则表示它没有写入任何属性的任何权限.我假设您的管理员要么授予所有写入属性权限,要么拒绝所有写入属性.我认为在大多数情况下这是一个有效的假设.
Here, I am checking if the returned allowedAttributesEffective is null or not. If null, it means it doesn't have any permissions to write to any attributes. I am assuming your administrator would either grant all write properties permission or deny all write properties. I think this is a valid assumption in most cases.
这篇关于如何使用 C# 检查用户是否在 Active Directory 中具有写权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!