Wednesday, August 31, 2011

Reading Extended Rights on an Exchange database using ADSI and C#

Although there are a few better methods of doing this these days this is still handy to have especially if your running older versions of Exchange or you want to audit the raw ACE's that are being added by RBAC in Exchange 2010. Extended rights get used for a number of things EWS Impersonation is one, SendAs is another anyway here's an old C# sample I tripped over today.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Collections;
using System.Security.AccessControl;
using System.DirectoryServices;

namespace showImpRights
class Program
static void Main(string[] args)
DirectoryEntry rootdse = new DirectoryEntry("LDAP://RootDSE");
DirectoryEntry cfg = new DirectoryEntry("LDAP://" + rootdse.Properties["configurationnamingcontext"].Value);
DirectoryEntry exRights = new DirectoryEntry("LDAP://cn=Extended-rights," + rootdse.Properties["configurationnamingcontext"].Value);
Hashtable exRighthash = new Hashtable();
foreach (DirectoryEntry chent in exRights.Children) {
if( exRighthash.ContainsKey(chent.Properties["rightsGuid"].Value) == false){

DirectorySearcher cfgsearch = new DirectorySearcher(cfg);
cfgsearch.Filter = "(objectCategory=msExchPrivateMDB)";
cfgsearch.SearchScope = SearchScope.Subtree;
SearchResultCollection res = cfgsearch.FindAll();
foreach (SearchResult se in res)
DirectoryEntry ssStoreObj = se.GetDirectoryEntry();
ActiveDirectorySecurity StoreobjSec = ssStoreObj.ObjectSecurity;
AuthorizationRuleCollection Storeacls = StoreobjSec.GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));
foreach (ActiveDirectoryAccessRule ace in Storeacls)
if (ace.IdentityReference.Value != "S-1-5-7" & ace.IdentityReference.Value != "S-1-1-0" & ace.IsInherited != true)
DirectoryEntry sidUser = new DirectoryEntry("LDAP://");