
我创建了一个 C# Web 服务,它允许我们的前端支持团队使用 System.DirectoryServices 查看和更新一些选定的 Active Directory 值

我要更新的字段是 [职位] 职务、部门、电话和员工 ID。

我可以使用具有“委派权限”的服务帐户来更新 [职位] 职务、部门、电话等,但是当我尝试更新员工 ID 时,会收到“未授权”错误消息。

如果我使用域管理员帐户,那么相同的代码可以正常工作。

我不想为此 Web 服务使用域管理员帐户,那么我需要什么权限?





ADS_SCHEMA_ID_GUID_USER GUID 允许您更新基本用户类详细信息,包括员工 ID

基于 MSDN 文章

用于向服务帐户用户授予所选委派权限的 vbscript:

REM #
REM # Delegate AD property set admin rights to named account
REM # Based on: http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx
REM #

' Account that receives the delegated rights (DOMAIN\sAMAccountName form).
Const TRUSTEE_ACCOUNT_SAM = "ad\ADStaffUpdates"

' ADSI access-control constants (decimal equivalents of the documented hex values).
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5        ' object-specific "allow" ACE
Const ADS_RIGHT_DS_READ_PROP = 16                  ' read the named property / property set
Const ADS_RIGHT_DS_WRITE_PROP = 32                 ' write the named property / property set
Const ADS_FLAG_OBJECT_TYPE_PRESENT = 1             ' the ACE's ObjectType field is meaningful
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2   ' the ACE's InheritedObjectType field is meaningful
Const ADS_ACEFLAG_INHERIT_ACE = 2                  ' child objects inherit this ACE

' Schema GUIDs: the User class, and the two property sets that group the
' everyday identity / contact attributes.
Const ADS_SCHEMA_ID_GUID_USER = "{bf967aba-0de6-11d0-a285-00aa003049e2}"
Const ADS_SCHEMA_ID_GUID_PS_PERSONAL = "{77b5b886-944a-11d1-aebd-0000f80367c1}"
Const ADS_SCHEMA_ID_GUID_PS_PUBLIC = "{e48d0154-bcf8-11d1-8702-00c04fb96050}"

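' OU whose user objects the trustee may update (inherited ACEs on the OU).
Const TARGET_OU = "OU=USERS, DC=AD, DC=COM"

' Grant read/write on three scopes for user objects under TARGET_OU: the
' User class itself, then the Personal-Information and Public-Information
' property sets.
' NOTE: the original first call passed ADS_SCHEMA_ID_GUID_PS_USER, which is
' never declared (it reads as Empty without Option Explicit); the declared
' constant for the User class is ADS_SCHEMA_ID_GUID_USER.
ad_setUserDelegation TARGET_OU, TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_USER
ad_setUserDelegation TARGET_OU, TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_PERSONAL
ad_setUserDelegation TARGET_OU, TRUSTEE_ACCOUNT_SAM, ADS_SCHEMA_ID_GUID_PS_PUBLIC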

Function ad_setUserDelegation(          _
        ByVal   strOU           _
        ,ByVal  strTrusteeAccount   _
        ,ByVal  strSchema_GUID      _
        )
    ' Append one object-specific "allow" ACE to the DACL of the OU strOU:
    ' strTrusteeAccount gets READ_PROP + WRITE_PROP on the property (set)
    ' strSchema_GUID, inherited by child objects of class User.
    ' The ACE is always appended; running this twice with the same arguments
    ' leaves two identical entries in the DACL.
    ' NOTE(review): AceFlags carries only ADS_ACEFLAG_INHERIT_ACE, so the entry
    ' is also effective on the OU object itself rather than inherit-only
    ' (ADS_ACEFLAG_INHERIT_ONLY_ACE would restrict it to children) - confirm
    ' that is intended.
    Dim objEntry, objDescriptor, objAcl, objNewAce

    ' Read the current security descriptor and its DACL from the OU.
    Set objEntry = GetObject("LDAP://" & strOU)
    Set objDescriptor = objEntry.Get("ntSecurityDescriptor")
    Set objAcl = objDescriptor.DiscretionaryACL

    ' Build the new entry.
    Set objNewAce = CreateObject("AccessControlEntry")
    With objNewAce
        .Trustee = strTrusteeAccount
        .AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        .AceFlags = ADS_ACEFLAG_INHERIT_ACE
        ' Both GUID fields below are populated, so announce both as present.
        .Flags = ADS_FLAG_OBJECT_TYPE_PRESENT Or ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
        .ObjectType = strSchema_GUID
        .InheritedObjectType = ADS_SCHEMA_ID_GUID_USER
        .AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
    End With
    objAcl.AddAce objNewAce

    ' Write the modified DACL back and commit to the directory.
    objDescriptor.DiscretionaryAcl = objAcl
    objEntry.Put "ntSecurityDescriptor", Array(objDescriptor)
    objEntry.SetInfo
End Function


Function ad_revokeUserDelegation(       _
        ByVal   strOU           _
        ,ByVal  strTrusteeAccount   _
        )
    ' Remove every explicit ACE on the OU strOU whose Trustee string equals
    ' strTrusteeAccount (case-insensitive), then commit.
    ' This is broader than undoing ad_setUserDelegation: the only selection
    ' criterion is the trustee, so any other allow - or deny - entry that
    ' account holds on this OU is dropped as well.
    Dim objEntry, objDescriptor, objAcl, objExistingAce, strWanted

    Set objEntry = GetObject("LDAP://" & strOU)
    Set objDescriptor = objEntry.Get("ntSecurityDescriptor")
    Set objAcl = objDescriptor.DiscretionaryACL

    strWanted = UCase(strTrusteeAccount)
    For Each objExistingAce In objAcl
        If UCase(objExistingAce.Trustee) = strWanted Then objAcl.RemoveAce objExistingAce
    Next

    objEntry.Put "ntSecurityDescriptor", Array(objDescriptor)
    objEntry.SetInfo
End Function
于 2008-11-07T17:13:11.870 回答

代码示例(至少是关键部分)

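// Bind to one user by DN as the service account and set its employeeID.
// The DN, account and password are literal sample values from the answer;
// in the real service the password belongs in protected configuration, not
// in source, and a DN that arrives from a request must be validated before
// it is placed into the LDAP path.
// Verbatim string: "\," is not a valid C# escape, but the backslash is
// required in the DN to escape the comma in "Wicks, Guy".
string distinguishedname = @"CN=Wicks\, Guy,OU=Users,DC=ad,DC=com";
using (DirectoryEntry myDirectoryEntry = new DirectoryEntry(
        string.Format("LDAP://{0}", distinguishedname),
        "serviceaccount", "pa55word", AuthenticationTypes.Secure))
{
    try
    {
        // Assign through .Value rather than [0]: when employeeID has never
        // been set the value collection is empty and indexing [0] throws
        // ArgumentOutOfRangeException before anything reaches the directory.
        myDirectoryEntry.Properties["employeeid"].Value = employeeID;
        myDirectoryEntry.CommitChanges();
        // Convert.ToString yields "" for a null value instead of throwing.
        setresult.result = Convert.ToString(myDirectoryEntry.Properties["employeeid"].Value);
    }
    catch (Exception ex)
    {
        // Returned to the caller as-is (as in the original); prefer logging
        // the full exception server-side and returning a generic message.
        setresult.result = ex.Message;
    }
} // end using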

(我为我的 C# 道歉)

于 2008-11-07T17:10:00.660 回答

您服务的用户是否有权通过“AD 用户和计算机”修改这些字段?如果有,也许可以使用模拟(impersonation);只要将您的服务主机设为“信任此计算机来委派”(在其 AD 属性中),这种做法对我来说一直都很有效。

于 2008-11-10T17:56:46.710 回答