Currently i'd like to find all groups within the Active Directory where the current user has the right WriteProperty.
The problem is that i can find all groups where the user directly is inserted, but when the user is within a group and that group has write access it won't show up. I thought that setting the booleans of GetAccessRules() would help here, but it doesn't.
So here is the code i already have:
var identity = WindowsIdentity.GetCurrent().User;
var allDomains = Forest.GetCurrentForest().Domains.Cast<Domain>();
var allSearcher = allDomains.Select(domain =>
{
var searcher = new DirectorySearcher(new DirectoryEntry("LDAP://" + domain.Name));
//Apply some filter to focus on only some specfic objects
searcher.Filter = "(&(objectClass=group)(name=*part_of_group_name*))";
return searcher;
});
var itemsFound = allSearcher
.SelectMany(searcher => searcher.FindAll()
.Cast<SearchResult>()
.Select(result => result.GetDirectoryEntry()));
var itemsWithWriteAccess = itemsFound
.Where(entry => entry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))
.Cast<ActiveDirectoryAccessRule>()
.Where(rule => rule.IdentityReference == identity)
.Where(rule => (rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty)
.Count() > 0);
foreach (var item in itemsWithWriteAccess)
{
Debug.Print(item.Name);
}