Example #1
0
        internal static void SetAvailabilityAces(SecurityIdentifier exchangeServersSid, AvailabilityConfig availabilityConfig, Task.TaskVerboseLoggingDelegate verboseLogger)
        {
            Guid schemaGuid;

            using (ActiveDirectorySchema currentSchema = ActiveDirectorySchema.GetCurrentSchema())
            {
                using (ActiveDirectorySchemaClass activeDirectorySchemaClass = currentSchema.FindClass("msExchAvailabilityAddressSpace"))
                {
                    schemaGuid = activeDirectorySchemaClass.SchemaGuid;
                }
            }
            Guid schemaGuid2;

            using (ActiveDirectorySchema currentSchema2 = ActiveDirectorySchema.GetCurrentSchema())
            {
                using (ActiveDirectorySchemaProperty activeDirectorySchemaProperty = currentSchema2.FindProperty("msExchAvailabilityUserPassword"))
                {
                    schemaGuid2 = activeDirectorySchemaProperty.SchemaGuid;
                }
            }
            DirectoryCommon.SetAces(verboseLogger, null, availabilityConfig, new List <ActiveDirectoryAccessRule>
            {
                new ActiveDirectoryAccessRule(exchangeServersSid, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, schemaGuid2, ActiveDirectorySecurityInheritance.Descendents, schemaGuid)
            }.ToArray());
        }
Example #2
0
 protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces)
 {
     TaskLogger.LogEnter();
     DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.DataObject, modifiedAces);
     base.WriteResults(modifiedAces);
     TaskLogger.LogExit();
 }
Example #3
0
        public static void SetMailboxAces(ADUser mailbox, IConfigDataProvider writableAdSession, Task.TaskVerboseLoggingDelegate logVerbose, Task.TaskWarningLoggingDelegate logWarning, Task.ErrorLoggerDelegate logError, IConfigurationSession adSession, ref MapiMessageStoreSession storeSession, bool remove, params ActiveDirectoryAccessRule[] aces)
        {
            ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor(mailbox, adSession, logVerbose, logError);

            if (activeDirectorySecurity != null)
            {
                DirectoryCommon.ApplyAcesOnAcl(logVerbose, logWarning, null, mailbox.DistinguishedName, activeDirectorySecurity, remove, aces);
                PermissionTaskHelper.SaveMailboxSecurityDescriptor(mailbox, activeDirectorySecurity, writableAdSession, ref storeSession, logVerbose, logError);
            }
        }
Example #4
0
 private void GrantServerAdminRole()
 {
     try
     {
         ActiveDirectoryAccessRule[] acesToServerAdmin = PermissionTaskHelper.GetAcesToServerAdmin(this.ConfigurationSession, ((IADSecurityPrincipal)this.user).Sid);
         DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.server, acesToServerAdmin);
     }
     catch (SecurityDescriptorAccessDeniedException exception)
     {
         base.WriteError(exception, ErrorCategory.PermissionDenied, null);
     }
     this.WriteWarning(Strings.CouldNotFindLocalAdministratorGroup(this.server.Name, this.Identity.ToString()));
 }
        public static bool IsLocalDomainConfigUpToDate()
        {
            bool     result   = false;
            bool     flag     = false;
            int      num      = 0;
            ADDomain addomain = ADForest.GetLocalForest().FindLocalDomain();

            if (addomain == null)
            {
                throw new ADInitializationException(Strings.LocalDomainNotFoundException);
            }
            ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 531, "IsLocalDomainConfigUpToDate", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\Deployment\\DirectoryUtilities.cs");

            topologyConfigurationSession.UseConfigNC = false;
            MesoContainer mesoContainer = topologyConfigurationSession.FindMesoContainer(addomain);

            if (mesoContainer != null)
            {
                flag = true;
                ValidationError validationError;
                if (!DirectoryUtilities.IsPropertyValid(mesoContainer, MesoContainerSchema.ObjectVersion, out validationError))
                {
                    throw new ADInitializationException(Strings.MesoVersionInvalidException(validationError.Description));
                }
                num = mesoContainer.ObjectVersion;
            }
            if (flag && num >= MesoContainer.DomainPrepVersion)
            {
                topologyConfigurationSession.UseGlobalCatalog = true;
                ADGroup adgroup = topologyConfigurationSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.ExSWkGuid, topologyConfigurationSession.ConfigurationNamingContext);
                topologyConfigurationSession.UseGlobalCatalog = false;
                if (adgroup != null)
                {
                    ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(adgroup.Sid, ActiveDirectoryRights.DeleteTree, AccessControlType.Deny, ActiveDirectorySecurityInheritance.All);
                    result = DirectoryCommon.FindAces(mesoContainer, new ActiveDirectoryAccessRule[]
                    {
                        activeDirectoryAccessRule
                    });
                }
            }
            return(result);
        }
Example #6
0
 protected override void InternalProcessRecord()
 {
     TaskLogger.LogEnter();
     try
     {
         ADGroup adgroup = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.RgDelegatedSetupWkGuid);
         if (adgroup != null)
         {
             ADObjectId descendantId = this.configurationSession.GetOrgContainerId().GetDescendantId(new ADObjectId("CN=UM DialPlan Container", Guid.Empty));
             ActiveDirectoryAccessRule[] umdialPlanAcesToServerAdmin = this.GetUMDialPlanAcesToServerAdmin(this.configurationSession, adgroup.Sid);
             DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.configurationSession, descendantId, umdialPlanAcesToServerAdmin);
         }
     }
     catch (SecurityDescriptorAccessDeniedException exception)
     {
         base.WriteError(exception, ErrorCategory.PermissionDenied, null);
     }
     base.InternalProcessRecord();
     TaskLogger.LogExit();
 }
 protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces)
 {
     TaskLogger.LogEnter();
     if (this.trustee != null)
     {
         List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>();
         foreach (SecurityIdentifier identity in ((IADSecurityPrincipal)this.trustee).SidHistory)
         {
             foreach (RecipientAccessRight right in base.AccessRights)
             {
                 list.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, RecipientPermissionHelper.GetRecipientAccessRightGuid(right), this.GetInheritanceType(), Guid.Empty));
             }
         }
         if (list.Count > 0)
         {
             list.AddRange(modifiedAces);
             modifiedAces = list.ToArray();
         }
     }
     DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.ErrorLoggerDelegate(base.WriteError), this.DataObject, modifiedAces);
     TaskLogger.LogExit();
 }
Example #8
0
        internal void SetOrganizationManagementACLs(ADObject obj)
        {
            ADSystemConfigurationSession.GetRootOrgContainerIdForLocalForest();
            ADSessionSettings  sessionSettings = ADSessionSettings.FromOrganizationIdWithoutRbacScopes(this.OrganizationId.ConfigurationUnit, this.OrganizationId, this.taskInstance.ExecutingUserOrganizationId, false);
            IRecipientSession  tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(false, ConsistencyMode.PartiallyConsistent, sessionSettings, 403, "SetOrganizationManagementACLs", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\PFTreeManagement.cs");
            ADObjectId         childId            = this.OrganizationId.OrganizationalUnit.GetChildId("Organization Management");
            ADGroup            adgroup            = (ADGroup)tenantOrRootOrgRecipientSession.Read(childId);
            SecurityIdentifier sid                = adgroup.Sid;
            List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>();

            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.MailEnablePublicFolderGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreatePublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreateTopLevelPublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderAdminACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderDeletedItemRetentionExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderExpiryExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderQuotasExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreAdminExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreVisibleExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(this.taskInstance.WriteVerbose), null, obj, list.ToArray());
        }
Example #9
0
        internal static void StampWellKnownObjectGuid(IConfigurationSession writableConfigSession, OrganizationId organizationId, string distinguishedName, Guid wellKnownObjectGuid)
        {
            bool flag = false;
            ExchangeConfigurationUnit exchangeConfigurationUnit = writableConfigSession.Read <ExchangeConfigurationUnit>(organizationId.ConfigurationUnit);
            DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(exchangeConfigurationUnit.OtherWellKnownObjects, wellKnownObjectGuid);

            if (dnwithBinary != null)
            {
                if (dnwithBinary.DistinguishedName.Equals(distinguishedName, StringComparison.OrdinalIgnoreCase))
                {
                    flag = true;
                }
                else
                {
                    exchangeConfigurationUnit.OtherWellKnownObjects.Remove(dnwithBinary);
                }
            }
            if (!flag)
            {
                dnwithBinary = new DNWithBinary(distinguishedName, wellKnownObjectGuid.ToByteArray());
                exchangeConfigurationUnit.OtherWellKnownObjects.Add(dnwithBinary);
                writableConfigSession.Save(exchangeConfigurationUnit);
            }
        }
Example #10
0
 internal static ActiveDirectoryAccessRule[] GetAcesToServerAdmin(IConfigurationSession configSession, SecurityIdentifier sid)
 {
     return(new ActiveDirectoryAccessRule[]
     {
         new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All),
         new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.SendAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All),
         new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.ReceiveAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All),
         new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild, AccessControlType.Deny, DirectoryCommon.GetSchemaClassGuid(configSession, "msExchPublicMDB"), ActiveDirectorySecurityInheritance.All)
     });
 }
        internal static ADSystemMailbox SaveSystemMailbox(MailboxDatabase mdb, Server owningServer, ADObjectId rootOrgContainerId, ITopologyConfigurationSession configSession, IRecipientSession recipientSession, ADObjectId[] forcedReplicationSites, Task.TaskWarningLoggingDelegate writeWarning, Task.TaskVerboseLoggingDelegate writeVerbose)
        {
            TaskLogger.LogEnter();
            bool               useConfigNC        = configSession.UseConfigNC;
            bool               useGlobalCatalog   = configSession.UseGlobalCatalog;
            string             text               = "SystemMailbox" + mdb.Guid.ToString("B");
            SecurityIdentifier securityIdentifier = new SecurityIdentifier("SY");
            ADSystemMailbox    adsystemMailbox    = new ADSystemMailbox();

            adsystemMailbox.StampPersistableDefaultValues();
            adsystemMailbox.Name        = text;
            adsystemMailbox.DisplayName = text;
            adsystemMailbox.Alias       = text;
            adsystemMailbox.HiddenFromAddressListsEnabled = true;
            adsystemMailbox.Database = mdb.Id;
            if (owningServer == null)
            {
                throw new InvalidOperationException(Strings.ErrorDBOwningServerNotFound(mdb.Identity.ToString()));
            }
            adsystemMailbox.ServerLegacyDN = owningServer.ExchangeLegacyDN;
            adsystemMailbox.ExchangeGuid   = Guid.NewGuid();
            AcceptedDomain defaultAcceptedDomain = configSession.GetDefaultAcceptedDomain();

            if (defaultAcceptedDomain == null || defaultAcceptedDomain.DomainName == null || defaultAcceptedDomain.DomainName.Domain == null)
            {
                throw new ManagementObjectNotFoundException(Strings.ErrorNoDefaultAcceptedDomainFound(mdb.Identity.ToString()));
            }
            adsystemMailbox.EmailAddresses.Add(ProxyAddress.Parse("SMTP:" + adsystemMailbox.Alias + "@" + defaultAcceptedDomain.DomainName.Domain.ToString()));
            adsystemMailbox.WindowsEmailAddress         = adsystemMailbox.PrimarySmtpAddress;
            adsystemMailbox.SendModerationNotifications = TransportModerationNotificationFlags.Never;
            Organization organization = configSession.Read <Organization>(rootOrgContainerId);

            if (organization == null)
            {
                throw new ManagementObjectNotFoundException(Strings.ErrorOrganizationNotFound(rootOrgContainerId.Name));
            }
            string parentLegacyDN = string.Format(CultureInfo.InvariantCulture, "{0}/ou={1}/cn=Recipients", new object[]
            {
                organization.LegacyExchangeDN,
                configSession.GetAdministrativeGroupId().Name
            });

            adsystemMailbox.LegacyExchangeDN = LegacyDN.GenerateLegacyDN(parentLegacyDN, adsystemMailbox);
            ADComputer adcomputer;

            try
            {
                configSession.UseConfigNC      = false;
                configSession.UseGlobalCatalog = true;
                adcomputer = configSession.FindComputerByHostName(owningServer.Name);
            }
            finally
            {
                configSession.UseConfigNC      = useConfigNC;
                configSession.UseGlobalCatalog = useGlobalCatalog;
            }
            if (adcomputer == null)
            {
                throw new ManagementObjectNotFoundException(Strings.ErrorDBOwningServerNotFound(mdb.Identity.ToString()));
            }
            ADObjectId adobjectId = adcomputer.Id.DomainId;

            adobjectId = adobjectId.GetChildId("Microsoft Exchange System Objects");
            adsystemMailbox.SetId(adobjectId.GetChildId(text));
            GenericAce[] aces = new GenericAce[]
            {
                new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 131075, securityIdentifier, false, null)
            };
            DirectoryCommon.SetAclOnAlternateProperty(adsystemMailbox, aces, ADSystemAttendantMailboxSchema.ExchangeSecurityDescriptor, securityIdentifier, securityIdentifier);
            recipientSession.LinkResolutionServer = mdb.OriginatingServer;
            bool enforceDefaultScope = recipientSession.EnforceDefaultScope;

            try
            {
                writeVerbose(TaskVerboseStringHelper.GetSaveObjectVerboseString(adsystemMailbox, recipientSession, typeof(ADSystemMailbox)));
                recipientSession.EnforceDefaultScope = false;
                recipientSession.Save(adsystemMailbox);
            }
            catch (ADConstraintViolationException ex)
            {
                IConfigurationSession tenantOrTopologyConfigurationSession = DirectorySessionFactory.Default.GetTenantOrTopologyConfigurationSession(ex.Server, false, ConsistencyMode.PartiallyConsistent, configSession.SessionSettings, 705, "SaveSystemMailbox", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\NewMailboxDatabase.cs");
                if (!tenantOrTopologyConfigurationSession.ReplicateSingleObjectToTargetDC(mdb, ex.Server))
                {
                    throw;
                }
                writeVerbose(TaskVerboseStringHelper.GetSaveObjectVerboseString(adsystemMailbox, recipientSession, typeof(ADSystemMailbox)));
                recipientSession.Save(adsystemMailbox);
            }
            finally
            {
                writeVerbose(TaskVerboseStringHelper.GetSourceVerboseString(recipientSession));
                recipientSession.EnforceDefaultScope = enforceDefaultScope;
            }
            if (forcedReplicationSites != null)
            {
                DagTaskHelper.ForceReplication(recipientSession, adsystemMailbox, forcedReplicationSites, mdb.Name, writeWarning, writeVerbose);
            }
            TaskLogger.LogExit();
            return(adsystemMailbox);
        }
 protected override void ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces)
 {
     DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.ErrorLoggerDelegate(this.WriteErrorPerObject), base.GetWritableSession(modifiedObject.Id), modifiedObject.Id, modifiedAces);
 }
        protected override void InternalProcessRecord()
        {
            TaskLogger.LogEnter();
            try
            {
                ADUser            dataObject       = this.DataObject;
                IRecipientSession recipientSession = (IRecipientSession)base.DataSession;
                recipientSession.Save(dataObject);
                ADUser aduser = (ADUser)base.DataSession.Read <ADUser>(dataObject.Identity);
                if (aduser == null)
                {
                    throw new LocalizedException(Strings.ErrorReadingUpdatedUserFromAD(dataObject.OriginatingServer, recipientSession.LastUsedDc));
                }
                aduser.UserAccountControl = UserAccountControlFlags.None;
                if (this.LogonEnabled)
                {
                    using (SecureString randomPassword = MailboxTaskUtilities.GetRandomPassword(this.Name, aduser.SamAccountName))
                    {
                        recipientSession.SetPassword(aduser, randomPassword);
                        goto IL_98;
                    }
                }
                aduser.UserAccountControl |= UserAccountControlFlags.AccountDisabled;
IL_98:
                aduser.UserAccountControl |= UserAccountControlFlags.NormalAccount;
                this.DataObject            = aduser;
                base.InternalProcessRecord();
            }
            catch (ADObjectAlreadyExistsException ex)
            {
                base.WriteVerbose(Strings.UserCreateFailed(this.Name, ex.Message.ToString()));
            }
            LocalizedString localizedString = LocalizedString.Empty;

            try
            {
                base.WriteVerbose(Strings.VerboseGrantingEoaFullAccessOnMailbox(this.DataObject.Identity.ToString()));
                ADGroup adgroup = base.RootOrgGlobalCatalogSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EoaWkGuid, base.GlobalConfigSession.ConfigurationNamingContext.ToDNString());
                if (adgroup == null)
                {
                    localizedString = Strings.ErrorGroupNotFound(WellKnownGuid.EoaWkGuid.ToString());
                }
                else
                {
                    DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IDirectorySession)base.DataSession, this.DataObject.Id, new ActiveDirectoryAccessRule[]
                    {
                        new ActiveDirectoryAccessRule(adgroup.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)
                    });
                }
            }
            catch (ADTransientException ex2)
            {
                localizedString = ex2.LocalizedString;
            }
            catch (ADOperationException ex3)
            {
                localizedString = ex3.LocalizedString;
            }
            catch (SecurityDescriptorAccessDeniedException ex4)
            {
                localizedString = ex4.LocalizedString;
            }
            if (LocalizedString.Empty != localizedString)
            {
                base.WriteError(new InvalidOperationException(Strings.ErrorGrantingEraFullAccessOnMailbox(this.DataObject.Identity.ToString(), localizedString)), ErrorCategory.InvalidOperation, this.DataObject.Identity);
            }
            TaskLogger.LogExit();
        }
Example #14
0
 private ActiveDirectoryAccessRule[] GetUMDialPlanAcesToServerAdmin(IConfigurationSession configSession, SecurityIdentifier sid)
 {
     return(new ActiveDirectoryAccessRule[]
     {
         new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, DirectoryCommon.GetSchemaPropertyGuid(configSession, "msExchUMAvailableLanguages"), ActiveDirectorySecurityInheritance.Descendents, DirectoryCommon.GetSchemaClassGuid(configSession, "msExchUMDialPlan"))
     });
 }