Getting the Security Descriptor and SID

  • Question

  • User843746731 posted

    Hi all,

    As per this thread: http://forums.asp.net/1220177/ShowPost.aspx

    I'd like to get the Security Descriptor using "pure" .NET if possible... I can get the SID (kind of) like so:

    ' Requires: Imports System.DirectoryServices
    Dim Dir As New DirectoryEntry("WinNT://" & Domain & "/" & Username)
    Dim r As PropertyCollection
    r = Dir.Properties
    ' objectSID comes back as a raw Byte() array, not as an "S-1-..." string
    Return r.Item("objectSID").Value

    But can't seem to find the Security Descriptor property... Any ideas???

    Regards,
    Mark

    Wednesday, March 8, 2006 10:42 AM

All replies

  • User1354132231 posted
    This is more complicated than you probably can imagine.  The SACL, DACL, group, and user information is held on the ntSecurityDescriptor attribute.  Depending on your version of the framework that you are using, it will be difficult to retrieve with the DirectorySearcher (if not impossible).  You can use the DirectoryEntry if you are only looking for non-SACL information (DACL, group, or user).  If you want the SACL (which is admin only), you need to jump through some hoops with the DirectoryEntry or use DirectorySearcher in .NET 2.0.

    What are you trying to accomplish - just DACL (that's pretty typical)?
    Wednesday, March 8, 2006 5:36 PM
  • User843746731 posted

    Thanks for the reply Ryan,

    I'm adding an Exchange 5.5 mailbox, which has 2 LDAP properties:
    objMB.Properties("Assoc-NT-Account").Add(arrSID)
    objMB.Properties("NT-Security-Descriptor").Add(arrSD)

    These associate the Mailbox with a NT4 Domain account.

    I'm currently getting arrSID and arrSD by using the SDK component, AcctCrt.dll like so:

    ' AcctCrt.dll (MSExchangeAcctLib) is a COM component that must be registered on the server
    Dim objUI As New MSExchangeAcctLib.AcctMgmt
    Dim arrSID, arrSD As Object

    objUI.GetSidFromName(Domain, Username, arrSID)
    objUI.GenerateSecDescriptor(Domain, Username, arrSD)
    objUI = Nothing

    Ideally I'd like to get those vars from .NET rather than rely on an external component that needs to be registered on the web server, allowing it to be just a bit more portable... However from what you've said it sounds like it'll be a lot more work than it's actually worth!

    Thursday, March 9, 2006 3:32 AM
  • User1354132231 posted

    Well, getting the SID is easy if you need it only in byte format.  Just pull the 'objectSid' property from the user's account and cast to a byte[] array.  If you need the SDDL format, you need to use p/invoke for v.1.x or the SecurityIdentifier class from .NET 2.0.

    Now, the ACL depends on whether the SACL is attached and what format you need (byte array?).  If you tell me what format you need, I can show you how to do it and you won't need the other component.

    Sunday, March 12, 2006 1:31 PM
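The two byte arrays discussed in this thread have fixed binary layouts: 'objectSid' is a raw SID, and 'ntSecurityDescriptor' (like the descriptor AcctCrt.dll generates) is a self-relative SECURITY_DESCRIPTOR whose header points at the owner SID, group SID, SACL and DACL. The following Python is an added example, not code from any post in the thread or from the Exchange SDK; it builds a constructed sample descriptor and decodes it back, showing what .NET's SecurityIdentifier renders as "S-1-..." and how the DACL/SACL that Ryan's replies refer to are laid out. The SID values, access mask and helper names are made up for illustration.

```python
"""Decode/encode a binary SID and a self-relative SECURITY_DESCRIPTOR.

Added example for this thread (not the posters' code). Layouts follow the
Windows SID, SECURITY_DESCRIPTOR, ACL and ACCESS_ALLOWED/DENIED_ACE structures.
The sample descriptor at the bottom is constructed here, not captured from a server.
"""
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED"}


def sid_to_string(blob, offset=0):
    """Binary SID (the 'objectSid' byte array) -> 'S-1-...' string.
    Returns (sddl_string, byte_length) so callers can step past it."""
    revision, sub_count = blob[offset], blob[offset + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, blob, offset + 8)  # 32-bit each, little-endian
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * sub_count


def string_to_sid(text):
    """'S-1-...' string -> binary SID (inverse of sid_to_string)."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_ace(ace_type, mask, sid_text, flags=0):
    """ACE header (type, flags, size) + access mask + trustee SID."""
    sid = string_to_sid(sid_text)
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid


def build_acl(aces, revision=2):
    """ACL header (revision, sbz1, size, ace count, sbz2) + ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body


def build_self_relative_sd(owner_text, group_text, dacl=None, sacl=None):
    """20-byte header followed by owner SID, group SID, SACL and DACL; each
    component is located by its offset from byte 0 (0 = not present)."""
    control = (SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl else 0)
               | (SE_SACL_PRESENT if sacl else 0))
    parts, offsets, pos = [], {}, 20
    for name, data in (("owner", string_to_sid(owner_text)),
                       ("group", string_to_sid(group_text)),
                       ("sacl", sacl), ("dacl", dacl)):
        offsets[name] = pos if data else 0
        if data:
            parts.append(data)
            pos += len(data)
    header = struct.pack("<BBHIIII", 1, 0, control, offsets["owner"],
                         offsets["group"], offsets["sacl"], offsets["dacl"])
    return header + b"".join(parts)


def parse_acl(blob, offset):
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", blob, offset)
    aces, pos = [], offset + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type in ACE_TYPES:
            mask, = struct.unpack_from("<I", blob, pos + 4)
            sid, _ = sid_to_string(blob, pos + 8)
            aces.append({"type": ACE_TYPES[ace_type], "flags": ace_flags, "mask": mask, "sid": sid})
        else:  # object/audit ACE types are kept raw rather than decoded here
            aces.append({"type": ace_type, "flags": ace_flags, "raw": blob[pos + 4:pos + ace_size]})
        pos += ace_size
    return aces


def parse_self_relative_sd(blob):
    """Decode the byte array behind ntSecurityDescriptor into owner/group/SACL/DACL."""
    revision, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {
        "control": control,
        "owner": sid_to_string(blob, off_owner)[0] if off_owner else None,
        "group": sid_to_string(blob, off_group)[0] if off_group else None,
        "sacl": parse_acl(blob, off_sacl) if control & SE_SACL_PRESENT and off_sacl else None,
        "dacl": parse_acl(blob, off_dacl) if control & SE_DACL_PRESENT and off_dacl else None,
    }


# Constructed sample (made-up SIDs): a domain user owning the object, BUILTIN\Users as
# primary group, and a DACL granting full control to the owner and to LocalSystem.
FULL_CONTROL = 0x001F01FF
OWNER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_SD = build_self_relative_sd(
    OWNER_SID, "S-1-5-32-545",
    dacl=build_acl([build_ace(0x00, FULL_CONTROL, OWNER_SID),
                    build_ace(0x00, FULL_CONTROL, "S-1-5-18")]))

if __name__ == "__main__":
    print(sid_to_string(string_to_sid(OWNER_SID)))
    print(parse_self_relative_sd(SAMPLE_SD))
```

Dumping both byte arrays through decoders like these is the quickest way to check a "different-looking" array: a SID is always 8 + 4n bytes starting with revision 1 and the sub-authority count, while a self-relative security descriptor is at least 20 bytes, starts with revision 1 and carries a control word with 0x8000 set. In .NET 2.0 the same conversions are available without p/invoke: System.Security.Principal.SecurityIdentifier has a (byte[], int) constructor and a Value property giving the "S-1-..." form, System.Security.AccessControl.RawSecurityDescriptor parses the binary descriptor, and DirectoryEntry.ObjectSecurity returns an ActiveDirectorySecurity whose GetSecurityDescriptorBinaryForm() yields the byte array.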
  • User843746731 posted

    Sorry for the delay in getting back... Good ol' work getting in the way!

    Anyway, that's the strange thing, the AcctCrt.dll returns a byte array but it seems somehow different to the one from the "objectSid" property...

    Both are needed for creating an Exchange 5.5 Mailbox on an NT4 domain, so the user it is associated with is already entered, but this needs to be by SID and Security Descriptor... When I get some time I'll have a look into what sizes are being produced by the AcctCrt.dll file...

    Wednesday, March 15, 2006 10:18 AM