为 AD 中的用户设置 Send As 安全属性
在AD中,可以为用户设置Send As属性,虽然并没有怎么用过这个,但有时却是需要设置一下。
手动设置时,需要右键点击用户,选择“安全”(Security)标签;如果没有找到此标签,则需要先在 View 菜单中勾选 Advanced Features。之后添加用户,并将该用户的 Send As 权限设置为 allow 或 deny。注意:同一对象上显式的 deny 条目优先于 allow 条目。
用 C# 程序完成此操作略显复杂,具体代码实现如下(其中 GUID {ab721a54-1e2f-11d0-9819-00aa0040529b} 是 Send As 扩展权限的 rightsGuid):
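// Example call: grant or deny the Send-As extended right on the object described by newcustADObj.
// {ab721a54-1e2f-11d0-9819-00aa0040529b} is the rightsGuid of Send-As.
// The third argument is the text of tokenExtendedRight, lower-cased and trimmed; the callee
// compares it with "allow".
// NOTE(review): the bind account and password are read from configuration keys named
// ".../DomainAdminUserName" and ".../DomainAdminUserPWD" - presumably a Domain Admin.
// Editing one object's DACL only needs an account delegated "modify permissions" on the
// target container, and the store behind GetValueFromParam should be access-controlled
// and kept out of source control - confirm how it is protected.
SetExtendedRights(
    newcustADObj,
    "{ab721a54-1e2f-11d0-9819-00aa0040529b}",
    tokenExtendedRight.InnerText.ToLower().Trim(),
    Common.GetValueFromParam(Common.ADForest + "/DomainAdminUserName"),
    Common.GetValueFromParam(Common.ADForest + "/DomainAdminUserPWD"));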
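/// <summary>
/// Adds an allow or deny ACE for one extended right (for example Send-As) to the DACL of an
/// Active Directory object and commits the change.
/// </summary>
/// <param name="newCustObject">Target object; its ParentLdapPath and Name are combined into the LDAP path that is opened.</param>
/// <param name="rightsGuid">rightsGuid of the extended right, in any format accepted by <see cref="Guid"/>.</param>
/// <param name="tpye">"allow" or "deny" (case-insensitive, surrounding whitespace ignored).</param>
/// <param name="adminUpn">Account used to bind to the directory.</param>
/// <param name="adminPwd">Password of <paramref name="adminUpn"/>.</param>
/// <param name="trustee">NT account name that receives the ACE; the default is the placeholder the listing originally hard-coded.</param>
/// <exception cref="ArgumentNullException">A required argument is null.</exception>
/// <exception cref="ArgumentException"><paramref name="tpye"/> is neither "allow" nor "deny", or <paramref name="trustee"/> is empty.</exception>
public static void SetExtendedRights(ADBaseType newCustObject, string rightsGuid, string tpye, string adminUpn, string adminPwd, string trustee = "domain\\SendAsUser")
{
    if (newCustObject == null)
    {
        throw new ArgumentNullException("newCustObject");
    }
    if (rightsGuid == null)
    {
        throw new ArgumentNullException("rightsGuid");
    }
    if (tpye == null)
    {
        throw new ArgumentNullException("tpye");
    }
    if (string.IsNullOrEmpty(trustee))
    {
        throw new ArgumentException("A trustee account name is required.", "trustee");
    }

    // Reject anything other than the two known values: silently treating a typo or an empty
    // string as "deny" would write an unintended Deny ACE into the directory.
    string requested = tpye.Trim();
    AccessControlType aceType;
    if (string.Equals(requested, "allow", StringComparison.OrdinalIgnoreCase))
    {
        aceType = AccessControlType.Allow;
    }
    else if (string.Equals(requested, "deny", StringComparison.OrdinalIgnoreCase))
    {
        aceType = AccessControlType.Deny;
    }
    else
    {
        throw new ArgumentException("Expected \"allow\" or \"deny\".", "tpye");
    }

    // Parse before binding so a malformed GUID fails without touching the directory.
    Guid right = new Guid(rightsGuid);

    // NOTE(review): Name is placed into the distinguished name unescaped, and Replace acts on
    // every "LDAP://" occurrence. A name containing DN special characters (',', '+', '"', '\',
    // ';', '<', '>', '=') or a ParentLdapPath that carries a server part would yield a different
    // or invalid path - confirm how ADBaseType populates these two properties.
    string objectPath = newCustObject.ParentLdapPath.Replace("LDAP://", "LDAP://CN=" + newCustObject.Name + ",");

    // NOTE(review): AuthenticationTypes.Secure negotiates authentication only; consider adding
    // Signing | Sealing so the security descriptor is integrity-protected and encrypted in transit.
    using (DirectoryEntry target = new DirectoryEntry(objectPath, adminUpn, adminPwd, AuthenticationTypes.Secure))
    {
        // Only the DACL is edited, so only the DACL is requested and written back. Asking for
        // the SACL typically needs the audit privilege, and owner/group are not touched here.
        target.Options.SecurityMasks = SecurityMasks.Dacl;

        ActiveDirectorySecurity security = target.ObjectSecurity;
        ExtendedRightAccessRule rule = new ExtendedRightAccessRule(new NTAccount(trustee), aceType, right);

        // Add only. The original followed this with SetAccessRule, which first removes every
        // existing ACE of the same type for the trustee and would therefore strip the
        // trustee's other allow (or deny) entries on this object.
        bool modified;
        security.ModifyAccessRule(AccessControlModification.Add, rule, out modified);
        if (!modified)
        {
            // Nothing to write; do not report success for a change that was not made.
            Console.WriteLine("The Extended Rights were not changed.");
            return;
        }

        target.CommitChanges();
        Console.WriteLine("The Extended Rights assigned successfully.");
    }
}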