Problem description
Hello!
Due to the help in this newsgroup I am now able to set basic rights on a
computer account in Active Directory.
The following C# code works fine:
-----------------------------------------------------
using System.DirectoryServices;
using System.Security.AccessControl;   // AccessControlType
using System.Security.Principal;

string strMemberString = "LDAP://OU=Test,DC=Domainname,DC=local";
DirectoryEntry computers = new DirectoryEntry();
computers.Path = strMemberString;
computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
    | SecurityMasks.Dacl | SecurityMasks.Sacl;
foreach (DirectoryEntry computer in computers.Children)
{
    if (computer.Name == "CN=TestComp")
    {
        ActiveDirectorySecurity sdc = computer.ObjectSecurity;
        // Resolve the account name to its SID
        NTAccount Account = new NTAccount("Domainname\\XYZ");
        SecurityIdentifier Sid =
            (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier));
        // No object-type GUID is given, so ExtendedRight covers all extended rights
        ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(Sid,
            ActiveDirectoryRights.ExtendedRight | ActiveDirectoryRights.GenericRead,
            AccessControlType.Allow);
        // SetAccessRule replaces existing Allow rules for this SID
        sdc.SetAccessRule(rule);
        computer.CommitChanges();
    }
}
-------------------------------------------------------
My job is to create a computer account for a managed Computer account for
installing the computer with RIS.
The final ACL of the computer account should be exactly the same as when
creating the account via "AD-Users and Computers" tool.
If I setup a managed Computer account via AD-Users and Computers the ACL
shows the following rights for the destinated User:
- Allow "List Contents"
- Allow "Read All Property"
- Allow "Delete"
- Allow "Delete Subtree"
- Allow "Read Permissions"
- Allow "All Extended Rights"
- Allow "Allow to authenticate"
- Allow "Change Password"
- Allow "Receive as"
- Allow "Reset Password"
- Allow "Send as"
- Allow "Write Account Restrictions"
- Allow "Validate write to DNS-Hostname"
- Allow "Validate Write to service principal name"
- Allow "Write Computer name (pre Windows 2000)"
Most of these rights are listed in the extended rights list in
MSDN-documentation
(http://msdn.microsoft.com/library/de...ed_rights.asp).
How can I set these extended rights? Is it possible to extend the code above
to do this job?
Thanks for help!
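
One way to grant the individual entries from the list above instead of a blanket "All Extended Rights" ACE, as an added example that is not part of the original post: each control access right, validated write or property is selected by passing its GUID as the object type of the rule. The class and method names are hypothetical; the GUIDs are the schema's well-known values and should be checked against your own forest.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class ManagedComputerAcl   // hypothetical helper, not from the original post
{
    // rightsGuid / schemaIDGUID values; verify against CN=Extended-Rights and the schema.
    static readonly Guid[] ControlAccess = {
        new Guid("68b1d179-0d15-4d4f-ab71-46152e79a7bc"), // Allowed to authenticate
        new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b"), // Change password
        new Guid("00299570-246d-11d0-a768-00aa006e0529"), // Reset password
        new Guid("ab721a56-1e2f-11d0-9819-00aa0040529b"), // Receive as
        new Guid("ab721a54-1e2f-11d0-9819-00aa0040529b"), // Send as
    };
    static readonly Guid[] ValidatedWrites = {
        new Guid("72e39547-7b18-11d1-adef-00c04fd8d5cd"), // DNS host name
        new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1"), // Service principal name
    };
    static readonly Guid[] WritableProperties = {
        new Guid("4c164200-20c0-11d0-a768-00aa006e0529"), // Account restrictions (property set)
        new Guid("3e0abfd0-126a-11d0-a060-00aa006c33ed"), // sAMAccountName (pre-Windows 2000 name)
    };

    public static void Grant(string computerPath, string account)
    {
        var sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        using (var computer = new DirectoryEntry(computerPath))
        {
            computer.Options.SecurityMasks = SecurityMasks.Dacl; // read and write the DACL only
            ActiveDirectorySecurity sd = computer.ObjectSecurity;
            // Standard rights: list contents, read all properties, delete, delete subtree, read permissions
            sd.AddAccessRule(new ActiveDirectoryAccessRule(sid,
                ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty |
                ActiveDirectoryRights.Delete | ActiveDirectoryRights.DeleteTree |
                ActiveDirectoryRights.ReadControl, AccessControlType.Allow));
            // Object-specific ACEs: the GUID narrows the rule to one right, validated write or property
            AddEach(sd, sid, ActiveDirectoryRights.ExtendedRight, ControlAccess);
            AddEach(sd, sid, ActiveDirectoryRights.Self, ValidatedWrites);
            AddEach(sd, sid, ActiveDirectoryRights.WriteProperty, WritableProperties);
            computer.CommitChanges();
        }
    }

    static void AddEach(ActiveDirectorySecurity sd, SecurityIdentifier sid, ActiveDirectoryRights right, Guid[] objectTypes)
    {
        foreach (Guid g in objectTypes)
            sd.AddAccessRule(new ActiveDirectoryAccessRule(sid, right, AccessControlType.Allow, g));
    }
}
```

Called as `ManagedComputerAcl.Grant("LDAP://CN=TestComp,OU=Test,DC=Domainname,DC=local", "Domainname\\XYZ")`, this uses `AddAccessRule`, so ACEs already held by the account are kept rather than replaced.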