How can I programmatically set "List Content" and "List Object" permissions on AD OU entries?


Problem description


I'd like to set List Content and List Object options for an AD (Active Directory, Windows Server 2008 R2) OU for a particular user group using C# (.NET 4.0).

I managed to set the gPOptions and gPLink properties according to Microsoft, but I did not find an example of how to set List Content and List Object. Setting the other two properties works as shown below:

[...]

byte[] binaryForm = new byte[ groupPrincipal.Sid.BinaryLength ];
groupPrincipal.Sid.GetBinaryForm( binaryForm, 0 );
IdentityReference identityReference =
    new SecurityIdentifier( binaryForm, 0 );
PropertyAccessRule propertyAccessRule =
    new PropertyAccessRule(
        identityReference,
        AccessControlType.Allow,
        PropertyAccess.Read,
        new Guid( "...value provided by MSDN link..." ) );
...
// ouEntry is of type DirectoryEntry
ouEntry.ObjectSecurity.AddAccessRule( propertyAccessRule );
ouEntry.CommitChanges();

...
// Same for gPLink with the corresponding GUID

Please ask if you need any more information.

‑‑‑‑‑

Reference solution

Method 1:

List content and List object have to be set somewhat differently:

...
ActiveDirectoryAccessRule activeDirectoryAccessRule =
    new ActiveDirectoryAccessRule(
        identityReference,
        ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ListObject,
        AccessControlType.Allow,
        ActiveDirectorySecurityInheritance.None );
...

This ActiveDirectoryAccessRule has to be added to the corresponding DirectoryEntry as in the question above.

(by Gorgsenegger)
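
The rule from the answer applied end to end, as an added example that is not part of the original post. The class and method names (`OuAcl.GrantList`), the parameters, the sample LDAP path and the check for an existing ACE are assumptions for illustration; it assumes the caller is in the target domain and is allowed to modify the OU's DACL.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.AccessControl;
using System.Security.Principal;

static class OuAcl
{
    // Grants "List contents" + "List object" on one OU to one group.
    // ouPath is an LDAP path, e.g. "LDAP://OU=Sales,DC=example,DC=com" (constructed sample).
    // Returns false when an explicit allow ACE with both rights is already present.
    public static bool GrantList(string ouPath, string groupName)
    {
        const ActiveDirectoryRights wanted =
            ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ListObject;

        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, groupName))
        using (var ouEntry = new DirectoryEntry(ouPath))
        {
            if (group == null)
                throw new ArgumentException("Group not found: " + groupName);

            SecurityIdentifier sid = group.Sid;
            ActiveDirectorySecurity acl = ouEntry.ObjectSecurity;

            // Inspect explicit (non-inherited) ACEs only, with trustees as SIDs,
            // so repeated runs do not stack duplicate entries on the OU.
            foreach (ActiveDirectoryAccessRule ace in
                     acl.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            {
                if (ace.IdentityReference.Equals(sid)
                    && ace.AccessControlType == AccessControlType.Allow
                    && (ace.ActiveDirectoryRights & wanted) == wanted)
                    return false;
            }

            // Same rule as in the answer: both rights, allow, this object only.
            acl.AddAccessRule(new ActiveDirectoryAccessRule(
                sid, wanted, AccessControlType.Allow,
                ActiveDirectorySecurityInheritance.None));
            ouEntry.CommitChanges();
            return true;
        }
    }
}
```

`ActiveDirectorySecurityInheritance.None` scopes the ACE to the OU itself, so child objects are not granted anything by it. The List Object right only affects what the group can see when List Object mode is enabled for the forest (third character of `dSHeuristics` set to 1).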

References

  1. How can I programmatically set "List Content" and "List Object" permissions on AD OU entries? (CC BY‑SA 3.0/4.0)

#permissions #active-directory #C#





