How can I check if a user has write rights in Active Directory using C#?

8.1k views Asked by At

In my .NET 2.0 C# applcation I need to determine if a user (with password) has ability to modify (write) option in Active Directory. I hope there is a way using DirectoryEntry without creating and then deleting new object in AD.

Thank you for your help.

2

There are 2 answers

2
Harvey Kwok On BEST ANSWER

Like Olive said, it's difficult to do it right yourself. It's difficult to do right because the permissions can be passed onto your user account via Active Directory groups. So, in order to find out the effective permission for a particular user account, you have to find out all the groups the user belongs to.

Fortunately, Active Directory has a special type of attributes called constructed attributes. By default, if you are using AD Explorer or ADSI Edit to browse your object's, these kinds of attributes are not shown. In ADSI Edit, you can set the Filter to include these constructed attributes. One of the useful constructed attributes here is allowedAttributesEffective. It's a multi-value attribute and it contains all attributes that your current user has permission to write to. It's calculated by Active Directory on the fly. It takes care all the inheritance, deny override and group permissions. If you have permission to write to cn attribute, you will see cn as one of the values in it.

Here is a sample for checking a particular user has write permissions on a particular sets of attributes on a specific object on Active Directory.

static bool CheckWritePermission(string path, string username, string password, string[] properties)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        de.RefreshCache(new string[] {"allowedAttributesEffective"});
        return properties.All( property => de.Properties["allowedAttributesEffective"].Contains(property));
    }
}

Yes, it's not exactly what you want. You are asking to check if a user has WriteAllProperties permission. Actually, WriteAllProperties permission is a collection of write property permissions on different attributes. You may need to do some homework to find out what attributes your application really cares. Then, just pass in those attributes.

If you really have no idea what attributes to check, this one should be good enough

static bool CheckWritePermission(string path, string username, string password)
{
    using (DirectoryEntry de = new DirectoryEntry(path, username, password))
    {
        de.RefreshCache(new string[] { "allowedAttributesEffective" });
        return de.Properties["allowedAttributesEffective"].Value != null;
    }            
}

Here, I am checking if the returned allowedAttributesEffective is null or not. If null, it means it doesn't have any permissions to write to any attributes. I am assuming your administrator would either grant all write properties permission or deny all write properties. I think this is a valid assumption in most cases.

3
Oliver On

As you can see in my question, there seems no possibility to simply find out the rights of a random user to a specfic object within the AD.

If anyone knows for a simple way, please let me know.