How do I query effective permissions on an Active Directory Object?

I'm trying to programmatically determine whether the current user has certain permissions on a given Active Directory object (specifically in this case, I'm trying to determine whether the user has the "Send As" permission for another Exchange user or distribution list object).

I already figured out how to access the ntSecurityDescriptor attribute using ADSI: I can enumerate the ACEs in the IADsSecurityDescriptor's DiscretionaryACL property. But:

  • How do I determine from that data whether the "Send As" permission is explicitly allowed or denied for a trustee?
  • How do I discover this when the permission has been granted indirectly via group membership? Do I really have to parse the effective permissions myself by (recursively) checking all groups the user is a member of? Surely there must be an API for that task...

FWIW, I'm coding in Delphi (i.e. native Win32 code) using the ActiveDs.dll type library, so .NET-specific solutions won't really help me much unless their source code gives me clues to how to do the same thing in native code. The same goes for PowerShell.


Before anyone starts: I already know about the PR_EMS_AB_PUBLIC_DELEGATES and PR_EMS_AB_PUBLIC_DELEGATES_BL_O Extended MAPI properties. However, this is not what I'm after. These properties refer to the "Send on behalf of" right (a.k.a. delegates), not the "Send As" permission, which is quite a different thing.

Oliver Giesen asked Nov 30 '11 15:11
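The check the question describes (walk the DiscretionaryACL, match each ACE's Trustee against the user and the transitive closure of the user's groups, then decide whether the Send-As control access right is allowed or denied) is modelled below as an added example in Python. It is not code from the original post, from the MSDN sample the answer links to, or from the ActiveDs type library. It assumes each ACE's Trustee has already been resolved to a SID string, takes the ADS_* constants from Iads.h and the rightsGuid values of Send-As ({ab721a54-...}) and Receive-As ({ab721a56-...}) from CN=Extended-Rights in the Configuration partition, and all SIDs, group nesting and ACEs are constructed sample data.

```python
"""Decide whether one trustee holds the Send-As extended right on an AD object.

Model of the Windows access-check rules over the fields IADsAccessControlEntry
exposes (Trustee, AceType, AccessMask, Flags, ObjectType). Added example;
sample SIDs, group nesting and ACEs are constructed, not taken from a directory.
"""
from dataclasses import dataclass

# Constants from Iads.h
ADS_ACETYPE_ACCESS_ALLOWED = 0x0
ADS_ACETYPE_ACCESS_DENIED = 0x1
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100        # the "extended rights" access bit
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1

# rightsGuid values from CN=Extended-Rights,CN=Configuration,...
SEND_AS_GUID = "{ab721a54-1e2f-11d0-9819-00aa0040529b}"
RECEIVE_AS_GUID = "{ab721a56-1e2f-11d0-9819-00aa0040529b}"

DENY_TYPES = {ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT}
OBJECT_ACE_TYPES = {ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, ADS_ACETYPE_ACCESS_DENIED_OBJECT}


@dataclass
class Ace:
    """One entry of IADsSecurityDescriptor.DiscretionaryACL; Trustee already resolved to a SID."""
    trustee: str
    ace_type: int
    access_mask: int
    flags: int = 0          # ADS_FLAG_OBJECT_TYPE_PRESENT when object_type is meaningful
    object_type: str = ""   # GUID of the right / property / class the ACE is scoped to


def token_sids(user_sid, member_of):
    """SIDs the user's token would carry: the user, the transitive closure of group
    membership (what the tokenGroups attribute returns) and the well-known SIDs every
    domain account has. member_of maps a SID to the SIDs of the groups it is directly in."""
    sids = {user_sid, "S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
    stack = [user_sid]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in sids:
                sids.add(group)
                stack.append(group)
    return sids


def ace_applies_to_right(ace, right_guid):
    """Does this ACE say anything about the given control access right?"""
    if not ace.access_mask & (ADS_RIGHT_DS_CONTROL_ACCESS | ADS_RIGHT_GENERIC_ALL):
        return False
    if ace.ace_type not in OBJECT_ACE_TYPES or not ace.flags & ADS_FLAG_OBJECT_TYPE_PRESENT:
        return True   # no ObjectType: the ACE covers every extended right
    return ace.object_type.lower() == right_guid.lower()


def effective_control_access(dacl, sids, right_guid):
    """Windows walks the DACL in stored order and stops at the first ACE that both names
    a SID in the token and covers the requested right; canonical ordering puts denies
    before allows. Returns (decision, index of the deciding ACE)."""
    for index, ace in enumerate(dacl):
        if ace.trustee not in sids or not ace_applies_to_right(ace, right_guid):
            continue
        return ("deny" if ace.ace_type in DENY_TYPES else "allow", index)
    return ("deny", None)   # no ACE granted the right: implicit deny


def has_send_as(dacl, user_sid, member_of):
    """True if the user (directly or through nested groups) is allowed Send-As."""
    return effective_control_access(dacl, token_sids(user_sid, member_of), SEND_AS_GUID)[0] == "allow"


# --- constructed sample data ---
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE, HELPDESK, MAILOPS, CONTRACTORS = f"{DOM}-1105", f"{DOM}-1201", f"{DOM}-1202", f"{DOM}-1203"
MEMBER_OF = {ALICE: [HELPDESK], HELPDESK: [MAILOPS]}   # Alice -> Helpdesk -> MailOps (nested)

# DACL of a shared mailbox object, in canonical order (explicit denies first)
MAILBOX_DACL = [
    Ace(CONTRACTORS, ADS_ACETYPE_ACCESS_DENIED_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS,
        ADS_FLAG_OBJECT_TYPE_PRESENT, SEND_AS_GUID),     # deny Send-As to Contractors
    Ace(HELPDESK, ADS_ACETYPE_ACCESS_DENIED_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS,
        ADS_FLAG_OBJECT_TYPE_PRESENT, RECEIVE_AS_GUID),  # deny Receive-As only: not Send-As
    Ace(MAILOPS, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS,
        ADS_FLAG_OBJECT_TYPE_PRESENT, SEND_AS_GUID),     # allow Send-As to MailOps (nested group)
]

# The same DACL with an explicit Send-As deny for Helpdesk placed in front
LOCKED_DACL = [Ace(HELPDESK, ADS_ACETYPE_ACCESS_DENIED_OBJECT, ADS_RIGHT_DS_CONTROL_ACCESS,
                   ADS_FLAG_OBJECT_TYPE_PRESENT, SEND_AS_GUID)] + MAILBOX_DACL

if __name__ == "__main__":
    print("Alice Send-As on shared mailbox:", has_send_as(MAILBOX_DACL, ALICE, MEMBER_OF))
    print("Alice Send-As with Helpdesk denied:", has_send_as(LOCKED_DACL, ALICE, MEMBER_OF))
```

Two points matter when doing this against a live directory rather than the constructed data: the user's tokenGroups attribute already returns the transitive closure of security group SIDs, so the recursion over memberOf the question worries about is not needed, and ACEs whose trustee is NT AUTHORITY\SELF (S-1-5-10) apply only when the user being checked is the object itself, which the model above does not special-case. The decision also depends on the DACL being in canonical order, which is what ADSI and the AD tools write; a non-canonical DACL would need the full ordered walk with accumulated rights.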



1 Answer

Here's the MSDN article that explains it: http://msdn.microsoft.com/en-us/library/windows/desktop/ms675580(v=VS.85).aspx. There is an attached sample that shows how to call the API.

Brian Desmond answered Sep 20 '22 13:09