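Setting the Send As security attribute for a user in AD

In AD you can set the Send As attribute for a user. I have not used it much, but sometimes it does need to be set.

To set it manually, right-click the user and select the Security tab. If the tab is not shown, enable Advanced Features in the View menu. Then add the user and set that user's Send As permission to Allow or Deny.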

Doing this from a C# program is slightly more involved. The code is as follows:

    SetExtendedRights(newcustADObj, "{ab721a54-1e2f-11d0-9819-00aa0040529b}", tokenExtendedRight.InnerText.ToLower().Trim(), Common.GetValueFromParam(Common.ADForest + "/DomainAdminUserName"), Common.GetValueFromParam(Common.ADForest + "/DomainAdminUserPWD"));

    // Requires: System, System.DirectoryServices, System.Security.AccessControl, System.Security.Principal
    public static void SetExtendedRights(ADBaseType newCustObject, string rightsGuid, string type, string adminUpn, string adminPwd)
    {
        bool modified = false;
        // Bind to the target object: "CN=<name>," is prepended to the parent's LDAP path.
        using (DirectoryEntry entry = new DirectoryEntry(newCustObject.ParentLdapPath.Replace("LDAP://", "LDAP://CN=" + newCustObject.Name + ","), adminUpn, adminPwd, AuthenticationTypes.Secure))
        {
            // Request every part of the security descriptor; only the DACL is changed below.
            entry.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl;
            ActiveDirectorySecurity sdc = entry.ObjectSecurity;
            // Trustee that is allowed or denied the right.
            NTAccount account = new NTAccount("domain\\SendAsUser");
            // rightsGuid identifies the extended right (here the Send As GUID passed by the caller).
            ExtendedRightAccessRule erar = new ExtendedRightAccessRule(account, type == "allow" ? AccessControlType.Allow : AccessControlType.Deny, new Guid(rightsGuid));
            // Add merges the ACE into the DACL. A following SetAccessRule call is not needed
            // and would replace the trustee's other ACEs of the same type, so it is left out.
            sdc.ModifyAccessRule(AccessControlModification.Add, erar, out modified);
            entry.CommitChanges();
            Console.WriteLine("The Extended Rights assigned successfully.");
        }
    }
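After a right like this has been granted, it is worth checking who actually holds it. The following is an added example, not code from the original post: it lists every ACE on an object that covers Send As, and goes slightly beyond the post by also reporting ACEs that carry the extended-right bit with no GUID, which apply to all extended rights. The `ldapPath` argument and the class and method names are assumptions, and the bind uses the current user's credentials.

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class SendAsAudit
{
    // Send As control access right GUID, the same value used in the post above.
    static readonly Guid SendAs = new Guid("ab721a54-1e2f-11d0-9819-00aa0040529b");

    // True when an ACE covers Send As: it carries the ExtendedRight bit and names
    // either the Send As GUID or no GUID at all (which means every extended right).
    static bool CoversSendAs(ActiveDirectoryAccessRule ace)
    {
        bool hasExtendedRight = (ace.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) != 0;
        return hasExtendedRight && (ace.ObjectType == SendAs || ace.ObjectType == Guid.Empty);
    }

    // ldapPath is a hypothetical value such as "LDAP://CN=Some User,OU=Staff,DC=example,DC=com".
    public static void Report(string ldapPath)
    {
        using (DirectoryEntry entry = new DirectoryEntry(ldapPath))
        {
            // Only the DACL is read, so no SACL privilege is required.
            entry.Options.SecurityMasks = SecurityMasks.Dacl;
            AuthorizationRuleCollection rules =
                entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));

            foreach (ActiveDirectoryAccessRule ace in rules)
            {
                if (!CoversSendAs(ace)) continue;
                string trustee;
                try { trustee = ace.IdentityReference.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { trustee = ace.IdentityReference.Value; } // orphaned SID
                Console.WriteLine("{0,-5} {1,-9} {2} {3}",
                    ace.AccessControlType,
                    ace.IsInherited ? "inherited" : "explicit",
                    trustee,
                    ace.ObjectType == Guid.Empty ? "(all extended rights)" : "(Send As)");
            }
        }
    }

    static void Main(string[] args) { Report(args[0]); }
}
```

The listing shows ACEs as stored and does not expand group membership; a Deny entry for the same trustee appears as its own line.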

 

posted on 2009-12-09 02:06 by blue-boy
