I'd like to set below options for an AD (Active Directory, Windows Server 2008 R2) OU for a particular user group using C# (.NET 4.0).

1. List contents
2. Read all properties
3. Write all properties
4. Read permissions
5. Modify permissions
6. Change Password
7. Reset Password
8. Validated write to DNS host name
9. Validated write to Service Principal Name

The code below works, but it grants all properties; I want only the options above.

What I have tried:

C#
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

// GrpAccpath, LDAPUser, LDAPPassword, ComputerAccountID, strArry, Enable and Logger
// are fields defined elsewhere in the poster's class.
using (DirectoryEntry computers = new DirectoryEntry(GrpAccpath, LDAPUser, LDAPPassword))
{
    computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group |
                                      SecurityMasks.Dacl | SecurityMasks.Sacl;

    foreach (DirectoryEntry computer in computers.Children)
    {
        if (computer.Name == "CN=" + ComputerAccountID)
        {
            for (int i = 0; i < strArry.Length; i++)
            {
                ActiveDirectorySecurity sdc = computer.ObjectSecurity;
                try
                {
                    // The account name is fixed here; strArry[i] is only used in the log line below.
                    NTAccount Account = new NTAccount("Domain Admins");
                    SecurityIdentifier Sid = (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier));

                    // One ACE carrying every right on the object (GenericAll alone already
                    // covers the rest), which is why the result is "all properties".
                    ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(Sid,
                        ActiveDirectoryRights.ExtendedRight | ActiveDirectoryRights.GenericRead |
                        ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.GenericWrite |
                        ActiveDirectoryRights.AccessSystemSecurity | ActiveDirectoryRights.Delete |
                        ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree |
                        ActiveDirectoryRights.GenericAll | ActiveDirectoryRights.GenericExecute |
                        ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ListObject |
                        ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.ReadProperty |
                        ActiveDirectoryRights.Self | ActiveDirectoryRights.Synchronize |
                        ActiveDirectoryRights.WriteDacl | ActiveDirectoryRights.WriteOwner |
                        ActiveDirectoryRights.WriteProperty,
                        AccessControlType.Allow);

                    if (Enable)
                        sdc.AddAccessRule(rule);
                    else
                        sdc.RemoveAccessRule(rule);

                    computer.CommitChanges();
                }
                catch (Exception Ex)
                {
                    Logger.LogInfo(" Group Not Found  : " + Ex.ToString() + strArry[i]);
                }
            }
            break;
        }
    }
}
Posted
Updated 29-Aug-19 21:44pm
v2
Comments
phil.o 30-Aug-19 4:44am    
Why don't you just strip off the permissions which you do not want from the list this piece of code is providing?
Nethaji chennai 30-Aug-19 5:20am    
Can you explain? I am new to ActiveDirectoryAccessRule.
DaveAuld 30-Aug-19 5:35am    
He means, if the code you have shown above does ALL properties, then delete the parts of it that relate to the properties you don't want.
phil.o 30-Aug-19 6:29am    
ActiveDirectoryRights.ExtendedRight | ActiveDirectoryRights.GenericRead | ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.GenericWrite | ActiveDirectoryRights.AccessSystemSecurity | ActiveDirectoryRights.Delete | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.GenericAll | ActiveDirectoryRights.GenericExecute | ActiveDirectoryRights.GenericRead | ActiveDirectoryRights.GenericWrite | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ListObject | ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.Self | ActiveDirectoryRights.Synchronize | ActiveDirectoryRights.WriteDacl | ActiveDirectoryRights.WriteDacl | ActiveDirectoryRights.WriteOwner | ActiveDirectoryRights.WriteProperty
I mean, among all those rights above, just strip off those you do not want. Mathematically, once you have done that, only those you want will remain.
Nethaji chennai 3-Sep-19 0:31am    
Yes, but if I add any access rule, multiple permissions (needed and not needed options) get added in AD. I want exactly the 9 above; the others are not needed.

Ex: adding ActiveDirectoryRights.ExtendedRight

The permissions below get added in AD:

1. Change Password
2. Reset Password
3. Allowed to authenticate
4. Receive etc.

but I want only

1. Change Password
2. Reset Password
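A way to grant exactly the nine rights from the question, written here as an added example and not code from the post or from any of the commenters: the last comment shows that a bare ExtendedRight grants every extended right, so each extended or validated-write right is instead scoped to one control access right by passing its GUID as the rule's objectType, and the GUIDs are looked up from CN=Extended-Rights by displayName rather than hard-coded. The OU path, group name and credentials are assumed parameters.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;
static class OuPermissions
{
    // Resolves a control-access right's rightsGuid from CN=Extended-Rights by its
    // displayName, so no GUIDs are hard-coded in the caller.
    static Guid RightGuid(string displayName, string user, string pwd)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE", user, pwd))
        using (var rights = new DirectoryEntry("LDAP://CN=Extended-Rights," +
               rootDse.Properties["configurationNamingContext"].Value, user, pwd))
        using (var search = new DirectorySearcher(rights,
               "(&(objectClass=controlAccessRight)(displayName=" + displayName + "))",
               new[] { "rightsGuid" }))
        {
            SearchResult r = search.FindOne();
            if (r == null) throw new InvalidOperationException("Right not found: " + displayName);
            return new Guid((string)r.Properties["rightsGuid"][0]);
        }
    }
    // ouPath, groupName, user and pwd are caller-supplied (assumed, not from the post).
    public static void GrantNineRights(string ouPath, string groupName, string user, string pwd)
    {
        var sid = (SecurityIdentifier)new NTAccount(groupName).Translate(typeof(SecurityIdentifier));
        using (var ou = new DirectoryEntry(ouPath, user, pwd))
        {
            ou.Options.SecurityMasks = SecurityMasks.Dacl;          // touch only the DACL
            ActiveDirectorySecurity sd = ou.ObjectSecurity;
            var inherit = ActiveDirectorySecurityInheritance.All;  // this OU and all descendants
            // Items 1-5: generic rights; no objectType GUID means "all properties".
            var generic = ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty  // list, read all
                        | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ReadControl  // write all, read perms
                        | ActiveDirectoryRights.WriteDacl;                                         // modify perms
            sd.AddAccessRule(new ActiveDirectoryAccessRule(sid, generic, AccessControlType.Allow, inherit));
            // Items 6-7: ExtendedRight scoped by GUID; unscoped it grants every extended right.
            foreach (var name in new[] { "Change Password", "Reset Password" })
                sd.AddAccessRule(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight,
                    AccessControlType.Allow, RightGuid(name, user, pwd), inherit));
            // Items 8-9: validated writes are the Self right, again scoped by GUID.
            foreach (var name in new[] { "Validated write to DNS host name", "Validated write to service principal name" })
                sd.AddAccessRule(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.Self,
                    AccessControlType.Allow, RightGuid(name, user, pwd), inherit));
            ou.CommitChanges();
        }
    }
}
```

The ACEs above inherit to every descendant of the OU; to limit them to user objects only, use the ActiveDirectoryAccessRule overload that also takes an inheritedObjectType GUID (the user class schemaIDGUID). Verify the result afterwards by reading ou.ObjectSecurity.GetAccessRules and checking that each rule for the group carries the expected ObjectType rather than an empty GUID.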

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)