Problem description
How can I programmatically set "List Content" and "List Object" permissions on AD OU entries?
I'd like to set List Content and List Object options for an AD (Active Directory, Windows Server 2008 R2) OU for a particular user group using C# (.NET 4.0).

I managed to set the gPOptions and gPLink properties according to Microsoft, but I did not find an example of how to set List Content and List Object. Setting the other two properties works as shown below:
```csharp
[...]
// Build a SecurityIdentifier for the group from its binary SID
byte[] binaryForm = new byte[ groupPrincipal.Sid.BinaryLength ];
groupPrincipal.Sid.GetBinaryForm( binaryForm, 0 );
IdentityReference identityReference =
    new SecurityIdentifier( binaryForm, 0 );

// Allow read access to one property, identified by its schema GUID
PropertyAccessRule propertyAccessRule =
    new PropertyAccessRule(
        identityReference,
        AccessControlType.Allow,
        PropertyAccess.Read,
        new Guid( "...value provided by MSDN link..." ) );
...
// ouEntry is of type DirectoryEntry
ouEntry.ObjectSecurity.AddAccessRule( propertyAccessRule );
ouEntry.CommitChanges();
...
// Same for gPLink with the corresponding GUID
```
Please ask if you need any more information.
‑‑‑‑‑
Reference solution
Method 1:
List content and List object have to be set somewhat differently:
```csharp
...
// ListChildren is "List Contents", ListObject is "List Object";
// inheritance None applies the ACE to the OU itself only
ActiveDirectoryAccessRule activeDirectoryAccessRule =
    new ActiveDirectoryAccessRule(
        identityReference,
        ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ListObject,
        AccessControlType.Allow,
        ActiveDirectorySecurityInheritance.None );
...
```
This ActiveDirectoryAccessRule has to be added to the corresponding DirectoryEntry as in the question above.
(by Gorgsenegger, Gorgsenegger)
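The following is an added example (not code from the question or the answer) that wraps the answer's approach in one method: it grants List Contents and List Object to a group on a single OU, commits, and then reads the ACL back from a fresh DirectoryEntry to confirm the ACE actually landed. The LDAP path, the group SID and the method name GrantListRights are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class OuListRights
{
    // Grants "List Contents" (ListChildren) and "List Object" (ListObject) on the OU
    // itself only (no inheritance), commits, and verifies by re-reading the ACL.
    // Returns true when an explicit Allow ACE carrying both rights is present.
    public static bool GrantListRights(DirectoryEntry ouEntry, SecurityIdentifier groupSid)
    {
        ActiveDirectoryRights rights =
            ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ListObject;

        var rule = new ActiveDirectoryAccessRule(
            groupSid, rights, AccessControlType.Allow,
            ActiveDirectorySecurityInheritance.None);

        ouEntry.ObjectSecurity.AddAccessRule(rule);
        ouEntry.CommitChanges();

        // Re-open the OU so the check reflects what the directory stored,
        // not the locally cached security descriptor.
        using (var check = new DirectoryEntry(ouEntry.Path))
        {
            AuthorizationRuleCollection acl = check.ObjectSecurity.GetAccessRules(
                includeExplicit: true, includeInherited: false,
                targetType: typeof(SecurityIdentifier));

            foreach (ActiveDirectoryAccessRule r in acl)
            {
                if (r.AccessControlType == AccessControlType.Allow
                    && r.IdentityReference.Equals(groupSid)
                    && (r.ActiveDirectoryRights & rights) == rights)
                    return true;
            }
        }
        return false;
    }

    static void Main()
    {
        // Placeholders (assumed values): replace with the real OU path and group SID.
        using (var ou = new DirectoryEntry("LDAP://OU=Example,DC=example,DC=local"))
        {
            var sid = new SecurityIdentifier("S-1-5-21-0-0-0-1234");
            Console.WriteLine(GrantListRights(ou, sid) ? "ACE verified" : "ACE missing");
        }
    }
}
```

Note that the List Object ACE only takes effect when the forest's List Object mode is enabled (third character of the dSHeuristics attribute set to 1); otherwise List Contents alone decides what the group can enumerate, so reading the ACL back confirms the ACE was written but not that List Object is being enforced.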