How can I check if a user has write rights in Active Directory using C#?

Problem description

In my .NET 2.0 C# application I need to determine if a user (with password) has the ability to modify (write) an option in Active Directory. I hope there is a way using DirectoryEntry without creating and then deleting a new object in AD.

Thanks for your help.

Recommended answer

Like Olive said, it's difficult to do it right yourself. It's difficult to do right because the permissions can be passed on to your user account via Active Directory groups. So, in order to find out the effective permission for a particular user account, you have to find out all the groups the user belongs to.

Fortunately, Active Directory has a special type of attribute called constructed attributes. By default, if you are using AD Explorer or ADSI Edit to browse your objects, these kinds of attributes are not shown. In ADSI Edit, you can set the Filter to include these constructed attributes. One of the useful constructed attributes here is allowedAttributesEffective. It's a multi-valued attribute and it contains all attributes that your current user has permission to write to. It's calculated by Active Directory on the fly. It takes care of all the inheritance, deny overrides and group permissions. If you have permission to write to the cn attribute, you will see cn as one of the values in it.

Here is a sample for checking whether a particular user has write permission on a particular set of attributes of a specific object in Active Directory.

using System.DirectoryServices;   // DirectoryEntry (System.DirectoryServices.dll)
using System.Linq;                // Enumerable.All (needs .NET 3.5 or later, not 2.0)

// True only if the bound user may write every attribute in 'properties' on the object
// at 'path'. AD computes allowedAttributesEffective for the bound identity itself.
static bool CheckWritePermission(string path, string username, string password, string[] properties)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        // Constructed attributes are not in the default cache; request this one by name.
        de.RefreshCache(new string[] { "allowedAttributesEffective" });
        // Values are lDAPDisplayNames (e.g. "cn"); Contains compares them case-sensitively.
        return properties.All(property => de.Properties["allowedAttributesEffective"].Contains(property));
    }
}

Yes, it's not exactly what you want. You are asking to check if a user has the WriteAllProperties permission. Actually, the WriteAllProperties permission is a collection of write-property permissions on different attributes. You may need to do some homework to find out what attributes your application really cares about. Then, just pass in those attributes.

If you really have no idea what attributes to check, this one should be good enough:

using System.DirectoryServices;   // DirectoryEntry (System.DirectoryServices.dll)

// Coarse check: true if the bound user may write at least one attribute on the object.
// For a multi-valued property, .Value is null when the collection is empty.
static bool CheckWritePermission(string path, string username, string password)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        // Constructed attributes are not in the default cache; request this one by name.
        de.RefreshCache(new string[] { "allowedAttributesEffective" });
        return de.Properties["allowedAttributesEffective"].Value != null;
    }
}

Here, I am checking if the returned allowedAttributesEffective is null or not. If null, it means the user doesn't have permission to write to any attribute. I am assuming your administrator would either grant all write-property permissions or deny all of them. I think this is a valid assumption in most cases.
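As an added example that is not part of the original answer, the same constructed-attribute technique extended in two ways: it reports which of the requested attributes the bound user cannot write (rather than a single bool), and it also reads allowedChildClassesEffective, the companion constructed attribute listing the object classes the bound user may create directly under the object, which answers the "could I create here?" question without a create-then-delete probe. The LDAP path, account, password and attribute list are placeholder assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Reports the effective rights AD computes for the bound identity on one object.
// allowedChildClassesEffective lists the object classes the bound user may create
// directly under it, so "could I create here?" needs no create-then-delete probe.
static class EffectiveRights
{
    public sealed class Report
    {
        public readonly List<string> WritableAttributes = new List<string>();
        public readonly List<string> MissingAttributes = new List<string>();
        public readonly List<string> CreatableChildClasses = new List<string>();
        public bool CanWriteAll { get { return MissingAttributes.Count == 0; } }
    }

    // 'wanted' holds lDAPDisplayNames, e.g. "description", "telephoneNumber".
    public static Report Check(string path, string username, string password, string[] wanted)
    {
        Report r = new Report();
        using (DirectoryEntry de = new DirectoryEntry(path, username, password))
        {
            // Constructed attributes are never in the default cache; request them by name.
            // A bad path or bad credentials throws DirectoryServicesCOMException here.
            de.RefreshCache(new string[] { "allowedAttributesEffective", "allowedChildClassesEffective" });

            HashSet<string> writable = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            foreach (object v in de.Properties["allowedAttributesEffective"])
                writable.Add((string)v);
            foreach (object v in de.Properties["allowedChildClassesEffective"])
                r.CreatableChildClasses.Add((string)v);
            foreach (string attr in wanted)
                (writable.Contains(attr) ? r.WritableAttributes : r.MissingAttributes).Add(attr);
        }
        return r;
    }

    static void Main()
    {
        // Placeholder DN and credentials (assumptions); replace with a real object and account.
        Report rep = Check("LDAP://CN=Some User,OU=Staff,DC=example,DC=local", "EXAMPLE\\someuser", "password",
                           new string[] { "description", "telephoneNumber", "userAccountControl" });
        Console.WriteLine("Can write all requested: " + rep.CanWriteAll);
        Console.WriteLine("Missing write right on: " + string.Join(", ", rep.MissingAttributes.ToArray()));
        Console.WriteLine("May create child classes: " + string.Join(", ", rep.CreatableChildClasses.ToArray()));
    }
}
```

Both constructed attributes are evaluated server-side for the bound identity, so group membership, inheritance and deny ACEs are already folded in; an empty CreatableChildClasses list means the account cannot create anything under that object.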
