
I'm trying to find out what permissions a user has to a given security group. For example, do they have Read, Read/Write, Admin, etc.?

I get the list of groups they belong to but can't figure out how to get the permissions for those groups.

private static void FindUserById(PrincipalSearcher ps, PrincipalContext pc, string name)
{
    var up = new UserPrincipal(pc)
    {
        // EmailAddress = wildcard
        // GivenName = wildcard
        Name = name
    };

    ps.QueryFilter = up;

    foreach (var found in ps.FindAll())
    {
        if (found is UserPrincipal user)
        {
            string line = $"{{\"Name\":\"{user.DisplayName}\", \"Email\": \"{user.EmailAddress}\"}},";
            var groups = user.GetAuthorizationGroups();

            Console.WriteLine(line);
        }
    }
}
jbassking10

1 Answer


GetAuthorizationGroups() will give you a list of GroupPrincipal objects. However, GroupPrincipal doesn't expose the object's permissions. It does use DirectoryEntry behind the scenes, which you can get access to using:

var groupDe = (DirectoryEntry) group.GetUnderlyingObject();

Then you can use the ObjectSecurity property to view the permissions on the group object.

It's not terribly straightforward though. This question actually has some pretty thorough code to retrieve the permissions (right in the question). Particularly this:

var accessRules = groupDe.ObjectSecurity.GetAccessRules(true, true, typeof(NTAccount));

foreach (ActiveDirectoryAccessRule ar in accessRules)
{
    Console.WriteLine($"{ar.IdentityReference.ToString()}");
    Console.WriteLine($"Inherits - {ar.InheritanceType.ToString()}");
    Console.WriteLine($"ObjectType - {ar.ObjectType.ToString()}");
    Console.WriteLine($"InheritedObjectType - {ar.InheritedObjectType.ToString()}");
    Console.WriteLine($"ObjectFlags - {ar.ObjectFlags.ToString()}");
    Console.WriteLine($"AccessControlType - {ar.AccessControlType.ToString()}");
    Console.WriteLine($"ActiveDirectoryRights - {ar.ActiveDirectoryRights.ToString()}");
    Console.WriteLine($"IsInherited - {ar.IsInherited.ToString()}");
    Console.WriteLine($"PropagationFlags - {ar.PropagationFlags.ToString()}");
    Console.WriteLine("-------");
}
Gabriel Luci
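An added example, not part of the original answer: it goes one step past listing the access rules and reduces them to the rights that apply to one user, by matching each rule's trustee against the user's SID and group SIDs. The class name, the SIDs and the SDDL string are constructed for illustration so the code runs without a domain; the comments show where the live values would come from.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class GroupAclCheck
{
    // Combines the ACEs on one AD object that name any SID held by the user.
    // Deny overrides Allow. Object-specific ACEs (one property or extended right)
    // and inherit-only ACEs are skipped, so the result is a coarse summary.
    public static ActiveDirectoryRights RightsFor(ActiveDirectorySecurity acl, ISet<SecurityIdentifier> tokenSids)
    {
        ActiveDirectoryRights allow = 0, deny = 0;
        foreach (ActiveDirectoryAccessRule ar in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!tokenSids.Contains((SecurityIdentifier)ar.IdentityReference)) continue;
            if (ar.ObjectType != Guid.Empty) continue;
            if ((ar.PropagationFlags & PropagationFlags.InheritOnly) != 0) continue;
            if (ar.AccessControlType == AccessControlType.Deny) deny |= ar.ActiveDirectoryRights;
            else allow |= ar.ActiveDirectoryRights;
        }
        return allow & ~deny;
    }

    static void Main()
    {
        // Constructed SIDs and ACL. In a live domain, take the ACL from
        // groupDe.ObjectSecurity and build the SID set from user.Sid plus the
        // Sid of every principal returned by user.GetAuthorizationGroups().
        var user = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105");
        var helpdesk = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1200");
        var token = new HashSet<SecurityIdentifier>
        {
            user, helpdesk, new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null)
        };
        var acl = new ActiveDirectorySecurity();
        acl.SetSecurityDescriptorSddlForm(
            "D:(D;;WD;;;" + user.Value + ")" +        // deny WriteDacl to the user
            "(A;;RPWPWD;;;" + helpdesk.Value + ")" +  // allow read/write property, WriteDacl
            "(A;;RPRC;;;AU)");                        // Authenticated Users: read only
        Console.WriteLine(RightsFor(acl, token));
    }
}
```

Requesting rules as `SecurityIdentifier` instead of `NTAccount` avoids a name lookup per rule and lets the trustee be compared directly with the SIDs from the user's group list.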