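        /// <summary>
        /// Validates the MS-ADTS requirements for the Services container subtree
        /// (Services -> Windows NT -> Directory Service -> Query-Policies -> Default Query Policy).
        /// The subtree layout is the same for AD DS and AD LDS, so both scenarios share this check.
        /// </summary>
        /// <param name="reqEntry">
        /// The CN=Services container entry. Its parent is expected to be the Config NC root;
        /// the remaining objects are located by walking <see cref="DirectoryEntry.Children"/> from here.
        /// </param>
        /// <remarks>
        /// Requirement ids (482, 483, ...) are MS-ADTS-Schema requirement numbers.
        /// This method does not dispose <paramref name="reqEntry"/> or the child entries it binds.
        /// </remarks>
        public void LDSAndDSCommonCallForServices(DirectoryEntry reqEntry)
        {
            //MS-ADTS-Schema_R482
            // DirectoryEntry.Name is already the RDN string, so no ToString() is needed.
            string parentAttribute = reqEntry.Parent.Name;

            DataSchemaSite.CaptureRequirementIfIsTrue(
                parentAttribute.Equals("CN=Configuration"),
                482,
                "The parent of the Services Container must be Config NC root object.");

            //MS-ADTS-Schema_R483
            PropertyValueCollection objectClass = reqEntry.Properties["objectClass"];
            DataSchemaSite.CaptureRequirementIfIsTrue(
                objectClass.Contains((object)"container"),
                483,
                "The ObjectClass attribute of the Services Container must be container.");

            //MS-ADTS-Schema_R484
            DirectoryEntry childEntry = reqEntry.Children.Find("CN=Windows NT");
            parentAttribute = childEntry.Parent.Name;
            DataSchemaSite.CaptureRequirementIfIsTrue(
                parentAttribute.Equals("CN=Services"),
                484,
                "The Parent of the Windows NT Service must be Services.");

            //MS-ADTS-Schema_R485
            PropertyValueCollection objectClassForWinNT = childEntry.Properties["objectClass"];

            DataSchemaSite.CaptureRequirementIfIsTrue(
                objectClassForWinNT.Contains((object)"container"),
                485,
                "The ObjectClass attribute of the Windows NT Service must be container.");

            //MS-ADTS-Schema_R486
            childEntry = childEntry.Children.Find("CN=Directory Service");
            string parentAttributeDirectory = childEntry.Parent.Name;

            DataSchemaSite.CaptureRequirementIfIsTrue(
                parentAttributeDirectory.Equals("CN=Windows NT"),
                486,
                "The Parent of the Directory Service which is a type of Windows NT Service must be Windows NT.");

            //MS-ADTS-Schema_R487
            PropertyValueCollection objectClassForDirService = childEntry.Properties["objectClass"];

            DataSchemaSite.CaptureRequirementIfIsTrue(
                objectClassForDirService.Contains((object)"nTDSService"),
                487,
                @"The ObjectClass attribute of the Directory Service which is a type of Windows NT Service must 
                be nTDSService.");

            //MS-ADTS-Schema_R102689
            // dSHeuristics carries forest-wide behaviour settings and is expected to be unset by default.
            // Other test suites may legitimately set it, so a non-default value is logged rather than
            // failed; the requirement is only captured when the default (null) is observed.
            PropertyValueCollection dSHeuristicsForDirService = childEntry.Properties["dSHeuristics"];

            if (dSHeuristicsForDirService.Value == null)
            {
                DataSchemaSite.CaptureRequirementIfIsNull(
                    dSHeuristicsForDirService.Value,
                    102689,
                    "[In Directory Service] dSHeuristics: By default, this attribute is not set.");
            }
            else
            {
                DataSchemaSite.Log.Add(LogEntryKind.Comment, "dSHeuristics has been changed by other test suites, the value is: {0}", dSHeuristicsForDirService.Value);
            }

            //MS-ADTS-Schema_R490
            childEntry      = childEntry.Children.Find("CN=Query-Policies");
            parentAttribute = childEntry.Parent.Name;
            DataSchemaSite.CaptureRequirementIfIsTrue(
                parentAttribute.Equals("CN=Directory Service"),
                490,
                "The Parent of the Query-Policies which is a type of Windows NT Service must be Directory Service.");

            //MS-ADTS-Schema_R491
            PropertyValueCollection objectClassQueryPolicy = childEntry.Properties["objectClass"];

            DataSchemaSite.CaptureRequirementIfIsTrue(
                objectClassQueryPolicy.Contains((object)"container"),
                491,
                "The ObjectClass attribute of the Query-Policies which is a type of Windows NT Service must be container.");

            //MS-ADTS-Schema_R492
            childEntry      = childEntry.Children.Find("CN=Default Query Policy");
            parentAttribute = childEntry.Parent.Name;
            DataSchemaSite.CaptureRequirementIfIsTrue(
                parentAttribute.Equals("CN=Query-Policies"),
                492,
                "The Parent of the Default Query Policy must be Query-Policies.");

            //MS-ADTS-Schema_R493
            objectClassQueryPolicy = childEntry.Properties["objectClass"];
            DataSchemaSite.CaptureRequirementIfIsTrue(
                objectClassQueryPolicy.Contains((object)"queryPolicy"),
                493,
                "The ObjectClass attribute of the Default Query Policy must be queryPolicy.");
        }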
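        /// <summary>
        /// Validates the MS-ADTS requirements for the AD LDS Roles containers (CN=Roles under the
        /// application NC and under CN=Configuration) and the well-known role groups beneath them:
        /// object classes, systemFlags, groupType, the RIDs of the default groups and their default
        /// membership.
        /// </summary>
        /// <remarks>
        /// Requirement ids (768, 769, ...) are MS-ADTS-Schema requirement numbers.
        /// A missing role group makes the test inconclusive (Assume); a missing Roles container itself
        /// is a failure (Assert).
        /// </remarks>
        public void ValidateLDSRoleContainer()
        {
            DirectoryEntry dirEntryConfig;
            DirectoryEntry dirEntryApp;
            DirectoryEntry dirEntry;

            if (!adAdapter.GetLdsObjectByDN("CN=Roles," + adAdapter.LDSApplicationNC, out dirEntryApp))
            {
                DataSchemaSite.Assert.IsTrue(
                    false,
                    "CN=Roles," + adAdapter.LDSApplicationNC
                    + " Object is not found in server");
            }
            if (!adAdapter.GetLdsObjectByDN("CN=Roles,CN=Configuration," + adAdapter.LDSRootObjectName,
                                            out dirEntryConfig))
            {
                DataSchemaSite.Assert.IsTrue(
                    false,
                    "CN=Roles,CN=Configuration,"
                    + adAdapter.LDSRootObjectName
                    + " Object is not found in server");
            }

            //MS-ADTS-Schema_R768
            DataSchemaSite.CaptureRequirementIfIsTrue(
                dirEntryApp != null &&
                dirEntryConfig != null,
                768,
                "For the Roles Container the Parent must be Application NC root or config NC root.");

            //MS-ADTS-Schema_R769
            DataSchemaSite.CaptureRequirementIfIsTrue(
                dirEntryApp.Properties["objectClass"].Contains((object)"container"),
                769,
                "The objectClass attribute of Roles Container must be container.");

            //MS-ADTS-Schema_R770
            // systemFlags is compared in its decimal string form against the FLAG_DISALLOW_DELETE bit.
            string systemFlag    = dirEntryConfig.Properties["systemFlags"].Value.ToString();
            int    systemFlagVal = ParseSystemFlagsValue("FLAG_DISALLOW_DELETE");

            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                systemFlag,
                systemFlagVal.ToString(),
                770,
                "The systemFlags attribute of Roles Container must be FLAG_DISALLOW_DELETE.");

            //MS-ADTS-Schema_R771
            bool isParentRoles = true;

            foreach (DirectoryEntry child in dirEntryConfig.Children)
            {
                if (!child.Parent.Name.Equals("CN=Roles"))
                {
                    isParentRoles = false;
                }
            }
            DataSchemaSite.CaptureRequirementIfIsTrue(
                isParentRoles,
                771,
                "For each child of the Roles Container the Parent must be Roles Container.");

            //MS-ADTS-Schema_R772
            // Collect the well-known role groups by their cn value. PropertyValueCollection does not
            // override ToString(), so the cn has to be read through .Value; comparing the collection's
            // ToString() never matched, which left R772 and R774 passing vacuously on an empty list.
            string[] wellKnownRoleNames = { "Administrators", "Instances", "Readers", "Users" };
            List<DirectoryEntry> wellKnownRolesChilds = new List<DirectoryEntry>();
            bool isGroup = true;

            foreach (DirectoryEntry child in dirEntryConfig.Children)
            {
                string cn = child.Properties["cn"].Value as string;
                if (cn != null && Array.IndexOf(wellKnownRoleNames, cn) >= 0)
                {
                    wellKnownRolesChilds.Add(child);
                    if (!child.Properties["objectClass"].Contains((object)"group"))
                    {
                        isGroup = false;
                    }
                }
            }
            // Still vacuously true when none of the well-known groups is present under CN=Roles.
            DataSchemaSite.CaptureRequirementIfIsTrue(
                isGroup,
                772,
                "The objectClass attribute for each child of the Roles Container must be group.");

            if (serverOS >= OSVersion.WinSvr2008)
            {
                //MS-ADTS-Schema_R773
                dirEntry = FindLdsObjectOrAssumeInconclusive(
                    "CN=Administrators,CN=Roles,CN=Configuration," + adAdapter.LDSRootObjectName);
                byte[] objSid = (byte[])dirEntry.Properties["objectSid"].Value;
                dirEntry.RefreshCache(new string[] { "primaryGrouptoken" });
                PropertyValueCollection primaryGroup = dirEntry.Properties["primaryGroupToken"];
                // The last sub-authority of the objectSid (the text after the final '-') is the RID;
                // it must match the group's primaryGroupToken.
                SecurityIdentifier sid = new SecurityIdentifier(objSid, 0);
                string objectSid = sid.ToString();
                objectSid = objectSid.Substring(objectSid.LastIndexOf('-') + 1);

                DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                    objectSid,
                    primaryGroup.Value.ToString(),
                    773,
                    @"The objectSid attribute for each child of the Roles Container must be a SID with two SubAuthority 
                    values,consisting of the objectSid of the NC root followed by the RID.");
            }

            //MS-ADTS-Schema_R778
            dirEntry = FindLdsObjectOrAssumeInconclusive(
                "CN=Administrators,CN=Roles,CN=Configuration," + adAdapter.LDSRootObjectName);
            bool isForeignSecurityPrincipalsContained = false;

            // member holds DNs; the administrator-created foreign security principal lives under
            // CN=ForeignSecurityPrincipals, so a DN containing that RDN satisfies the requirement.
            foreach (object prop in dirEntry.Properties["member"])
            {
                if (prop.ToString().Contains("CN=ForeignSecurityPrincipals"))
                {
                    isForeignSecurityPrincipalsContained = true;
                    break;
                }
            }

            DataSchemaSite.CaptureRequirementIfIsTrue(
                isForeignSecurityPrincipalsContained,
                778,
                @"The member attribute of Administrators Group Object must be that at least one foreignSecurityPrincipal
                is configured into this group by the administrator when creating a forest.");

            //MS-ADTS-Schema_R774
            // {ACCOUNT_GROUP | SECURITY_ENABLED} is 0x80000002 (MS-ADTS groupType flags). Base-16 parsing
            // maps the set sign bit onto the negative Int32 the server stores, so the values compare directly.
            int  modelGroup         = Convert.ToInt32("0x80000002", 16);
            bool isGroupTypeCorrect = true;

            foreach (DirectoryEntry dir1 in wellKnownRolesChilds)
            {
                // Any group whose type differs fails the requirement (previously the flag was only ever
                // set to true, so a mismatch could not fail the check).
                int groupTypeValue = (int)dir1.Properties["groupType"].Value;
                if (groupTypeValue != modelGroup)
                {
                    isGroupTypeCorrect = false;
                }
            }
            DataSchemaSite.CaptureRequirementIfIsTrue(
                isGroupTypeCorrect,
                774,
                @"The groupType attribute for each child of theRoles Container must be 
                ACCOUNT_GROUP | SECURITY_ENABLED.");

            //MS-ADTS-Schema_R776
            // dirEntry is still CN=Administrators in the config NC (bound for R778 above).
            string primary = ReadPrimaryGroupTokenFromServer(dirEntry);

            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                "519",
                primary,
                776,
                "The RID attribute of Administrators Group Object must be 519 (in the config NC).");

            //MS-ADTS-Schema_R777
            dirEntry = FindLdsObjectOrAssumeInconclusive(
                "CN=Administrators,CN=Roles," + adAdapter.LDSApplicationNC);
            primary = ReadPrimaryGroupTokenFromServer(dirEntry);
            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                "512",
                primary,
                777,
                "The RID attribute of Administrators Group Object must be 512 (in an application NC).");

            //MS-ADTS-Schema_R779
            dirEntry = FindLdsObjectOrAssumeInconclusive(
                "CN=Readers,CN=Roles," + adAdapter.LDSApplicationNC);
            primary = ReadPrimaryGroupTokenFromServer(dirEntry);
            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                "514",
                primary,
                779,
                "The RID attribute of Readers Group Object must be 514.");

            //MS-ADTS-Schema_R775
            // Default role membership must be empty; a populated member attribute here would mean
            // principals were granted the Readers role out of the box. Only the Readers group in the
            // application NC is sampled for this requirement.
            dirEntry.RefreshCache(new string[] { "member" });
            object memberValue = dirEntry.Properties["member"].Value;

            DataSchemaSite.CaptureRequirementIfIsNull(
                memberValue,
                775,
                @"Unless otherwise noted, the initial membership of the member attribute,for each child of the Roles 
                Container must be empty.");

            //MS-ADTS-Schema_R779
            dirEntry = FindLdsObjectOrAssumeInconclusive(
                "CN=Readers,CN=Roles,CN=Configuration," + adAdapter.LDSRootObjectName);
            primary = ReadPrimaryGroupTokenFromServer(dirEntry);
            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                "514",
                primary,
                779,
                "The RID attribute of Readers Group Object must be 514.");

            //MS-ADTS-Schema_R780
            dirEntry = FindLdsObjectOrAssumeInconclusive(
                "CN=Users,CN=Roles," + adAdapter.LDSApplicationNC);
            primary = ReadPrimaryGroupTokenFromServer(dirEntry);
            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                "513",
                primary,
                780,
                "The RID attribute of Users Group Object must be 513.");

            dirEntry = FindLdsObjectOrAssumeInconclusive(
                "CN=Users,CN=Roles,CN=Configuration," + adAdapter.LDSRootObjectName);
            primary = ReadPrimaryGroupTokenFromServer(dirEntry);
            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                "513",
                primary,
                780,
                "The RID attribute of Users Group Object must be 513.");

            //MS-ADTS-Schema_R782
            dirEntry = FindLdsObjectOrAssumeInconclusive(
                "CN=Instances,CN=Roles,CN=Configuration," + adAdapter.LDSRootObjectName);
            primary = ReadPrimaryGroupTokenFromServer(dirEntry);
            DataSchemaSite.CaptureRequirementIfAreEqual<string>(
                "518",
                primary,
                782,
                "The RID attribute of Instances Group Object must be 518.");
        }

        /// <summary>
        /// Binds to an AD LDS object by distinguished name, marking the test inconclusive when the
        /// object does not exist on the server.
        /// </summary>
        /// <param name="dn">Distinguished name of the object to look up.</param>
        /// <returns>The entry returned by the adapter for <paramref name="dn"/>.</returns>
        private DirectoryEntry FindLdsObjectOrAssumeInconclusive(string dn)
        {
            DirectoryEntry entry;
            if (!adAdapter.GetLdsObjectByDN(dn, out entry))
            {
                DataSchemaSite.Assume.IsTrue(false, dn + " Object is not found in server");
            }
            return entry;
        }

        /// <summary>
        /// Reads the group's primaryGroupToken (its RID) from the server, bypassing the local
        /// property cache so a stale value is not compared.
        /// </summary>
        /// <param name="entry">A bound group entry.</param>
        /// <returns>The primaryGroupToken value as a decimal string.</returns>
        private string ReadPrimaryGroupTokenFromServer(DirectoryEntry entry)
        {
            entry.RefreshCache(new string[] { "primaryGroupToken" });
            return entry.Properties["primaryGroupToken"].Value.ToString();
        }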