This page covers how to set extended rights in an Active Directory ACL; the question below may serve as a reference for anyone facing the same problem.

Problem description


Hello!

Due to the help in this Newsgroup I am now able to set basic rights on a
Computer account in Active Directory.

The following C# code works fine
-----------------------------------------------------

using System.Security.Principal;
using System.DirectoryServices;

// Bind to the OU that holds the computer accounts and request all four
// security descriptor parts so ObjectSecurity can be read and written.
string strMemberString = "LDAP://OU=Test,DC=Domainname,DC=local";
DirectoryEntry computers = new DirectoryEntry();
computers.Path = strMemberString;
computers.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
    | SecurityMasks.Dacl | SecurityMasks.Sacl;

foreach (DirectoryEntry computer in computers.Children)
{
    if (computer.Name == "CN=TestComp")
    {
        ActiveDirectorySecurity sdc = computer.ObjectSecurity;
        // Resolve the account name to its SID for use as the ACE trustee.
        NTAccount Account = new NTAccount("Domainname\\XYZ");
        SecurityIdentifier Sid =
            (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier));
        // ExtendedRight with no objectType GUID grants all extended rights.
        ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(Sid,
            ActiveDirectoryRights.ExtendedRight | ActiveDirectoryRights.GenericRead,
            AccessControlType.Allow);
        sdc.SetAccessRule(rule);
        computer.CommitChanges();
    }
}

-------------------------------------------------------

My job is to create a managed computer account for installing the computer
with RIS.
The final ACL of the computer account should be exactly the same as when
creating the account via the "AD Users and Computers" tool.

If I set up a managed Computer account via AD Users and Computers, the ACL
shows the following rights for the designated user:
- Allow "List Contents"
- Allow "Read All Properties"
- Allow "Delete"
- Allow "Delete Subtree"
- Allow "Read Permissions"
- Allow "All Extended Rights"
- Allow "Allowed to authenticate"
- Allow "Change Password"
- Allow "Receive as"
- Allow "Reset Password"
- Allow "Send as"
- Allow "Write Account Restrictions"
- Allow "Validated write to DNS host name"
- Allow "Validated write to service principal name"
- Allow "Write Computer name (pre-Windows 2000)"

Most of these rights are listed in the extended rights list in the
MSDN documentation
(http://msdn.microsoft.com/library/de...ed_rights.asp).

How can I set these extended rights? Is it possible to extend the code above
to do this job?

Thanks for help!
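An added example, not from the original post, any reply, or Microsoft's own samples: instead of the blanket ExtendedRight grant (which equals "All Extended Rights", including Reset Password), it resolves each right's rightsGuid from the forest's Extended-Rights container by the display name ADUC shows and passes it as the rule's objectType, so each ACE is scoped to exactly one right. The distinguished names, the account Domainname\XYZ, and the display names used in the lookup are assumptions to be checked against your own forest.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;
class ScopedExtendedRights
{
    // Resolve a right's GUID from the Extended-Rights container by the display
    // name ADUC shows, rather than hard-coding GUIDs copied from documentation.
    static Guid LookupRightsGuid(string displayName)
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string configNc = (string)rootDse.Properties["configurationNamingContext"].Value;
            using (var container = new DirectoryEntry("LDAP://CN=Extended-Rights," + configNc))
            using (var searcher = new DirectorySearcher(container))
            {
                searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=" + displayName + "))";
                searcher.PropertiesToLoad.Add("rightsGuid");
                SearchResult hit = searcher.FindOne();
                if (hit == null)
                    throw new InvalidOperationException("No right named '" + displayName + "' found");
                return new Guid((string)hit.Properties["rightsGuid"][0]);
            }
        }
    }
    static void Main()
    {
        // Assumed (hypothetical) object path and account; replace for your domain.
        using (var computer = new DirectoryEntry("LDAP://CN=TestComp,OU=Test,DC=Domainname,DC=local"))
        {
            computer.Options.SecurityMasks = SecurityMasks.Dacl; // only the DACL is changed
            var sid = (SecurityIdentifier)new NTAccount("Domainname\\XYZ").Translate(typeof(SecurityIdentifier));
            ActiveDirectorySecurity sd = computer.ObjectSecurity;
            // Display name paired with the access bit that kind of right uses: control
            // access right -> ExtendedRight, validated write -> Self, property set ->
            // WriteProperty. The looked-up GUID becomes the ACE's objectType.
            var wanted = new[]
            {
                Tuple.Create("Reset Password", ActiveDirectoryRights.ExtendedRight),
                Tuple.Create("Validated write to DNS host name", ActiveDirectoryRights.Self),
                Tuple.Create("Account Restrictions", ActiveDirectoryRights.WriteProperty),
            };
            foreach (var w in wanted)
            {
                sd.AddAccessRule(new ActiveDirectoryAccessRule(sid, w.Item2, AccessControlType.Allow, LookupRightsGuid(w.Item1)));
            }
            computer.CommitChanges();
        }
    }
}
```

AddAccessRule is used deliberately: SetAccessRule, as in the post's code, would replace the existing Allow ACEs for that SID with the new one. After committing, compare the resulting ACL in ADUC (Advanced view) against the list in the post to confirm each right landed as a separate, GUID-scoped entry.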

Recommended answer

07-23 19:30