How to find all groups in ActiveDirectory where the current user has WriteProperty access?

Backend | unresolved | 1 answer | 1961 views
心在旅途 2020-12-07 04:18

Currently I'd like to find all groups within the Active Directory where the current user has the right WriteProperty.

The problem is that I can find all groups wher

1 answer
  • 2020-12-07 04:57

    After a long time and the help of Harvey through this question I finally found a good working solution.

    As already explained by Harvey, it can be a little difficult to really understand what you'll get back in entry.Properties["allowedAttributesEffective"].Value. But for normal purposes, all you have to check for a write permission is that this field is simply not null.

    Here is the sample code:

    using System;
    using System.Diagnostics;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;
    using System.Linq;
    using System.Security.Principal;
    
    // (replace "part_of_group_name" with some partial group name existing in your AD)
    var groupNameContains = "part_of_group_name";
    
    // The effective-rights check below is evaluated by the DC for the caller,
    // i.e. this identity; no explicit credentials are passed.
    var identity = WindowsIdentity.GetCurrent().User;
    var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
    
    // One searcher per domain in the forest
    var allSearcher = allDomains.Select(domain =>
    {
        var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
    
        // Apply some filter to focus on only some specific objects
        searcher.Filter = String.Format("(&(objectClass=group)(name=*{0}*))", groupNameContains);
        return searcher;
    });
    
    // Flatten the per-domain results into the matching DirectoryEntry objects
    var directoryEntriesFound = allSearcher
        .SelectMany(searcher => searcher.FindAll()
            .Cast<SearchResult>()
            .Select(result => result.GetDirectoryEntry()));
    
    var allowedTo = directoryEntriesFound.Select(entry =>
        {
            using (entry)
            {
                // allowedAttributesEffective is a constructed attribute and is only
                // populated when explicitly requested via RefreshCache
                entry.RefreshCache(new string[] { "allowedAttributesEffective" });
                var rights = entry.Properties["allowedAttributesEffective"].Value == null ? "read only" : "write";
                return new { Name = entry.Name, AllowedTo = rights };
            }
        });
    
    foreach (var item in allowedTo)
    {
        var message = String.Format("Name = {0}, AllowedTo = {1}", item.Name, item.AllowedTo);
        Debug.Print(message);
    }
    
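A non-null allowedAttributesEffective only proves the caller can write some attribute on the group; for auditing, the attribute that matters is usually member. The following is an added example (not code from the answer above) that checks for member specifically and, for an administrator reviewing group ACLs, lists the ACEs that grant write access and to whom. The helper names are assumptions; it uses only System.DirectoryServices.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

public static class GroupWriteAudit
{
    // schemaIDGUID of the "member" attribute, used in object-specific ACEs
    static readonly Guid MemberAttribute = new Guid("bf9679c0-0de6-11d0-a285-00aa003049e2");

    // Attributes the current caller may write on this object. The constructed
    // attribute must be requested explicitly; it is null when nothing is writable.
    public static HashSet<string> WritableAttributes(DirectoryEntry entry)
    {
        entry.RefreshCache(new[] { "allowedAttributesEffective" });
        var values = entry.Properties["allowedAttributesEffective"];
        return new HashSet<string>(values.Cast<object>().Select(v => v.ToString()),
                                   StringComparer.OrdinalIgnoreCase);
    }

    // True only if the caller can change group membership, not merely some attribute.
    public static bool CanModifyMembership(DirectoryEntry group)
    {
        return WritableAttributes(group).Contains("member");
    }

    // Explicit or inherited Allow ACEs granting write on the group, resolved to
    // account names, so an administrator can see which trustee the access comes from.
    public static IEnumerable<string> WriteGrants(DirectoryEntry group)
    {
        const ActiveDirectoryRights writeMask = ActiveDirectoryRights.WriteProperty
            | ActiveDirectoryRights.GenericWrite | ActiveDirectoryRights.GenericAll;
        var rules = group.ObjectSecurity.GetAccessRules(true, true, typeof(NTAccount));
        foreach (ActiveDirectoryAccessRule rule in rules)
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            if ((rule.ActiveDirectoryRights & writeMask) == 0) continue;
            // Guid.Empty means the ACE covers all properties; otherwise it is scoped
            // to one attribute or property set, so report whether that is "member".
            string scope = rule.ObjectType == Guid.Empty ? "all properties"
                : rule.ObjectType == MemberAttribute ? "member attribute"
                : "object type " + rule.ObjectType;
            yield return rule.IdentityReference.Value + " : " + rule.ActiveDirectoryRights
                         + " (" + scope + ")";
        }
    }
}
```

Run CanModifyMembership on each DirectoryEntry the search above returns to narrow "write" down to membership control, and WriteGrants on any hit to find the ACE responsible.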