internal static void SetAvailabilityAces(SecurityIdentifier exchangeServersSid, AvailabilityConfig availabilityConfig, Task.TaskVerboseLoggingDelegate verboseLogger) { Guid schemaGuid; using (ActiveDirectorySchema currentSchema = ActiveDirectorySchema.GetCurrentSchema()) { using (ActiveDirectorySchemaClass activeDirectorySchemaClass = currentSchema.FindClass("msExchAvailabilityAddressSpace")) { schemaGuid = activeDirectorySchemaClass.SchemaGuid; } } Guid schemaGuid2; using (ActiveDirectorySchema currentSchema2 = ActiveDirectorySchema.GetCurrentSchema()) { using (ActiveDirectorySchemaProperty activeDirectorySchemaProperty = currentSchema2.FindProperty("msExchAvailabilityUserPassword")) { schemaGuid2 = activeDirectorySchemaProperty.SchemaGuid; } } DirectoryCommon.SetAces(verboseLogger, null, availabilityConfig, new List <ActiveDirectoryAccessRule> { new ActiveDirectoryAccessRule(exchangeServersSid, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, schemaGuid2, ActiveDirectorySecurityInheritance.Descendents, schemaGuid) }.ToArray()); }
protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces) { TaskLogger.LogEnter(); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.DataObject, modifiedAces); base.WriteResults(modifiedAces); TaskLogger.LogExit(); }
public static void SetMailboxAces(ADUser mailbox, IConfigDataProvider writableAdSession, Task.TaskVerboseLoggingDelegate logVerbose, Task.TaskWarningLoggingDelegate logWarning, Task.ErrorLoggerDelegate logError, IConfigurationSession adSession, ref MapiMessageStoreSession storeSession, bool remove, params ActiveDirectoryAccessRule[] aces) { ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor(mailbox, adSession, logVerbose, logError); if (activeDirectorySecurity != null) { DirectoryCommon.ApplyAcesOnAcl(logVerbose, logWarning, null, mailbox.DistinguishedName, activeDirectorySecurity, remove, aces); PermissionTaskHelper.SaveMailboxSecurityDescriptor(mailbox, activeDirectorySecurity, writableAdSession, ref storeSession, logVerbose, logError); } }
private void GrantServerAdminRole() { try { ActiveDirectoryAccessRule[] acesToServerAdmin = PermissionTaskHelper.GetAcesToServerAdmin(this.ConfigurationSession, ((IADSecurityPrincipal)this.user).Sid); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.server, acesToServerAdmin); } catch (SecurityDescriptorAccessDeniedException exception) { base.WriteError(exception, ErrorCategory.PermissionDenied, null); } this.WriteWarning(Strings.CouldNotFindLocalAdministratorGroup(this.server.Name, this.Identity.ToString())); }
public static bool IsLocalDomainConfigUpToDate() { bool result = false; bool flag = false; int num = 0; ADDomain addomain = ADForest.GetLocalForest().FindLocalDomain(); if (addomain == null) { throw new ADInitializationException(Strings.LocalDomainNotFoundException); } ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 531, "IsLocalDomainConfigUpToDate", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\Deployment\\DirectoryUtilities.cs"); topologyConfigurationSession.UseConfigNC = false; MesoContainer mesoContainer = topologyConfigurationSession.FindMesoContainer(addomain); if (mesoContainer != null) { flag = true; ValidationError validationError; if (!DirectoryUtilities.IsPropertyValid(mesoContainer, MesoContainerSchema.ObjectVersion, out validationError)) { throw new ADInitializationException(Strings.MesoVersionInvalidException(validationError.Description)); } num = mesoContainer.ObjectVersion; } if (flag && num >= MesoContainer.DomainPrepVersion) { topologyConfigurationSession.UseGlobalCatalog = true; ADGroup adgroup = topologyConfigurationSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.ExSWkGuid, topologyConfigurationSession.ConfigurationNamingContext); topologyConfigurationSession.UseGlobalCatalog = false; if (adgroup != null) { ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(adgroup.Sid, ActiveDirectoryRights.DeleteTree, AccessControlType.Deny, ActiveDirectorySecurityInheritance.All); result = DirectoryCommon.FindAces(mesoContainer, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); } } return(result); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); try { ADGroup adgroup = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.RgDelegatedSetupWkGuid); if (adgroup != null) { ADObjectId descendantId = this.configurationSession.GetOrgContainerId().GetDescendantId(new ADObjectId("CN=UM DialPlan Container", Guid.Empty)); ActiveDirectoryAccessRule[] umdialPlanAcesToServerAdmin = this.GetUMDialPlanAcesToServerAdmin(this.configurationSession, adgroup.Sid); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.configurationSession, descendantId, umdialPlanAcesToServerAdmin); } } catch (SecurityDescriptorAccessDeniedException exception) { base.WriteError(exception, ErrorCategory.PermissionDenied, null); } base.InternalProcessRecord(); TaskLogger.LogExit(); }
protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces) { TaskLogger.LogEnter(); if (this.trustee != null) { List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>(); foreach (SecurityIdentifier identity in ((IADSecurityPrincipal)this.trustee).SidHistory) { foreach (RecipientAccessRight right in base.AccessRights) { list.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, RecipientPermissionHelper.GetRecipientAccessRightGuid(right), this.GetInheritanceType(), Guid.Empty)); } } if (list.Count > 0) { list.AddRange(modifiedAces); modifiedAces = list.ToArray(); } } DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.ErrorLoggerDelegate(base.WriteError), this.DataObject, modifiedAces); TaskLogger.LogExit(); }
internal void SetOrganizationManagementACLs(ADObject obj) { ADSystemConfigurationSession.GetRootOrgContainerIdForLocalForest(); ADSessionSettings sessionSettings = ADSessionSettings.FromOrganizationIdWithoutRbacScopes(this.OrganizationId.ConfigurationUnit, this.OrganizationId, this.taskInstance.ExecutingUserOrganizationId, false); IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(false, ConsistencyMode.PartiallyConsistent, sessionSettings, 403, "SetOrganizationManagementACLs", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\PFTreeManagement.cs"); ADObjectId childId = this.OrganizationId.OrganizationalUnit.GetChildId("Organization Management"); ADGroup adgroup = (ADGroup)tenantOrRootOrgRecipientSession.Read(childId); SecurityIdentifier sid = adgroup.Sid; List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>(); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.MailEnablePublicFolderGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreatePublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreateTopLevelPublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderAdminACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderDeletedItemRetentionExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderExpiryExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderQuotasExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreAdminExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreVisibleExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(this.taskInstance.WriteVerbose), null, obj, list.ToArray()); }
internal static void StampWellKnownObjectGuid(IConfigurationSession writableConfigSession, OrganizationId organizationId, string distinguishedName, Guid wellKnownObjectGuid) { bool flag = false; ExchangeConfigurationUnit exchangeConfigurationUnit = writableConfigSession.Read <ExchangeConfigurationUnit>(organizationId.ConfigurationUnit); DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(exchangeConfigurationUnit.OtherWellKnownObjects, wellKnownObjectGuid); if (dnwithBinary != null) { if (dnwithBinary.DistinguishedName.Equals(distinguishedName, StringComparison.OrdinalIgnoreCase)) { flag = true; } else { exchangeConfigurationUnit.OtherWellKnownObjects.Remove(dnwithBinary); } } if (!flag) { dnwithBinary = new DNWithBinary(distinguishedName, wellKnownObjectGuid.ToByteArray()); exchangeConfigurationUnit.OtherWellKnownObjects.Add(dnwithBinary); writableConfigSession.Save(exchangeConfigurationUnit); } }
internal static ActiveDirectoryAccessRule[] GetAcesToServerAdmin(IConfigurationSession configSession, SecurityIdentifier sid) { return(new ActiveDirectoryAccessRule[] { new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All), new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.SendAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All), new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.ReceiveAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All), new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild, AccessControlType.Deny, DirectoryCommon.GetSchemaClassGuid(configSession, "msExchPublicMDB"), ActiveDirectorySecurityInheritance.All) }); }
internal static ADSystemMailbox SaveSystemMailbox(MailboxDatabase mdb, Server owningServer, ADObjectId rootOrgContainerId, ITopologyConfigurationSession configSession, IRecipientSession recipientSession, ADObjectId[] forcedReplicationSites, Task.TaskWarningLoggingDelegate writeWarning, Task.TaskVerboseLoggingDelegate writeVerbose) { TaskLogger.LogEnter(); bool useConfigNC = configSession.UseConfigNC; bool useGlobalCatalog = configSession.UseGlobalCatalog; string text = "SystemMailbox" + mdb.Guid.ToString("B"); SecurityIdentifier securityIdentifier = new SecurityIdentifier("SY"); ADSystemMailbox adsystemMailbox = new ADSystemMailbox(); adsystemMailbox.StampPersistableDefaultValues(); adsystemMailbox.Name = text; adsystemMailbox.DisplayName = text; adsystemMailbox.Alias = text; adsystemMailbox.HiddenFromAddressListsEnabled = true; adsystemMailbox.Database = mdb.Id; if (owningServer == null) { throw new InvalidOperationException(Strings.ErrorDBOwningServerNotFound(mdb.Identity.ToString())); } adsystemMailbox.ServerLegacyDN = owningServer.ExchangeLegacyDN; adsystemMailbox.ExchangeGuid = Guid.NewGuid(); AcceptedDomain defaultAcceptedDomain = configSession.GetDefaultAcceptedDomain(); if (defaultAcceptedDomain == null || defaultAcceptedDomain.DomainName == null || defaultAcceptedDomain.DomainName.Domain == null) { throw new ManagementObjectNotFoundException(Strings.ErrorNoDefaultAcceptedDomainFound(mdb.Identity.ToString())); } adsystemMailbox.EmailAddresses.Add(ProxyAddress.Parse("SMTP:" + adsystemMailbox.Alias + "@" + defaultAcceptedDomain.DomainName.Domain.ToString())); adsystemMailbox.WindowsEmailAddress = adsystemMailbox.PrimarySmtpAddress; adsystemMailbox.SendModerationNotifications = TransportModerationNotificationFlags.Never; Organization organization = configSession.Read <Organization>(rootOrgContainerId); if (organization == null) { throw new ManagementObjectNotFoundException(Strings.ErrorOrganizationNotFound(rootOrgContainerId.Name)); } string parentLegacyDN = string.Format(CultureInfo.InvariantCulture, "{0}/ou={1}/cn=Recipients", new object[] { organization.LegacyExchangeDN, configSession.GetAdministrativeGroupId().Name }); adsystemMailbox.LegacyExchangeDN = LegacyDN.GenerateLegacyDN(parentLegacyDN, adsystemMailbox); ADComputer adcomputer; try { configSession.UseConfigNC = false; configSession.UseGlobalCatalog = true; adcomputer = configSession.FindComputerByHostName(owningServer.Name); } finally { configSession.UseConfigNC = useConfigNC; configSession.UseGlobalCatalog = useGlobalCatalog; } if (adcomputer == null) { throw new ManagementObjectNotFoundException(Strings.ErrorDBOwningServerNotFound(mdb.Identity.ToString())); } ADObjectId adobjectId = adcomputer.Id.DomainId; adobjectId = adobjectId.GetChildId("Microsoft Exchange System Objects"); adsystemMailbox.SetId(adobjectId.GetChildId(text)); GenericAce[] aces = new GenericAce[] { new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 131075, securityIdentifier, false, null) }; DirectoryCommon.SetAclOnAlternateProperty(adsystemMailbox, aces, ADSystemAttendantMailboxSchema.ExchangeSecurityDescriptor, securityIdentifier, securityIdentifier); recipientSession.LinkResolutionServer = mdb.OriginatingServer; bool enforceDefaultScope = recipientSession.EnforceDefaultScope; try { writeVerbose(TaskVerboseStringHelper.GetSaveObjectVerboseString(adsystemMailbox, recipientSession, typeof(ADSystemMailbox))); recipientSession.EnforceDefaultScope = false; recipientSession.Save(adsystemMailbox); } catch (ADConstraintViolationException ex) { IConfigurationSession tenantOrTopologyConfigurationSession = DirectorySessionFactory.Default.GetTenantOrTopologyConfigurationSession(ex.Server, false, ConsistencyMode.PartiallyConsistent, configSession.SessionSettings, 705, "SaveSystemMailbox", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\NewMailboxDatabase.cs"); if (!tenantOrTopologyConfigurationSession.ReplicateSingleObjectToTargetDC(mdb, ex.Server)) { throw; } writeVerbose(TaskVerboseStringHelper.GetSaveObjectVerboseString(adsystemMailbox, recipientSession, typeof(ADSystemMailbox))); recipientSession.Save(adsystemMailbox); } finally { writeVerbose(TaskVerboseStringHelper.GetSourceVerboseString(recipientSession)); recipientSession.EnforceDefaultScope = enforceDefaultScope; } if (forcedReplicationSites != null) { DagTaskHelper.ForceReplication(recipientSession, adsystemMailbox, forcedReplicationSites, mdb.Name, writeWarning, writeVerbose); } TaskLogger.LogExit(); return(adsystemMailbox); }
protected override void ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces) { DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.ErrorLoggerDelegate(this.WriteErrorPerObject), base.GetWritableSession(modifiedObject.Id), modifiedObject.Id, modifiedAces); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); try { ADUser dataObject = this.DataObject; IRecipientSession recipientSession = (IRecipientSession)base.DataSession; recipientSession.Save(dataObject); ADUser aduser = (ADUser)base.DataSession.Read <ADUser>(dataObject.Identity); if (aduser == null) { throw new LocalizedException(Strings.ErrorReadingUpdatedUserFromAD(dataObject.OriginatingServer, recipientSession.LastUsedDc)); } aduser.UserAccountControl = UserAccountControlFlags.None; if (this.LogonEnabled) { using (SecureString randomPassword = MailboxTaskUtilities.GetRandomPassword(this.Name, aduser.SamAccountName)) { recipientSession.SetPassword(aduser, randomPassword); goto IL_98; } } aduser.UserAccountControl |= UserAccountControlFlags.AccountDisabled; IL_98: aduser.UserAccountControl |= UserAccountControlFlags.NormalAccount; this.DataObject = aduser; base.InternalProcessRecord(); } catch (ADObjectAlreadyExistsException ex) { base.WriteVerbose(Strings.UserCreateFailed(this.Name, ex.Message.ToString())); } LocalizedString localizedString = LocalizedString.Empty; try { base.WriteVerbose(Strings.VerboseGrantingEoaFullAccessOnMailbox(this.DataObject.Identity.ToString())); ADGroup adgroup = base.RootOrgGlobalCatalogSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EoaWkGuid, base.GlobalConfigSession.ConfigurationNamingContext.ToDNString()); if (adgroup == null) { localizedString = Strings.ErrorGroupNotFound(WellKnownGuid.EoaWkGuid.ToString()); } else { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IDirectorySession)base.DataSession, this.DataObject.Id, new ActiveDirectoryAccessRule[] { new ActiveDirectoryAccessRule(adgroup.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All) }); } } catch (ADTransientException ex2) { localizedString = ex2.LocalizedString; } catch (ADOperationException ex3) { localizedString = ex3.LocalizedString; } catch (SecurityDescriptorAccessDeniedException ex4) { localizedString = ex4.LocalizedString; } if (LocalizedString.Empty != localizedString) { base.WriteError(new InvalidOperationException(Strings.ErrorGrantingEraFullAccessOnMailbox(this.DataObject.Identity.ToString(), localizedString)), ErrorCategory.InvalidOperation, this.DataObject.Identity); } TaskLogger.LogExit(); }
private ActiveDirectoryAccessRule[] GetUMDialPlanAcesToServerAdmin(IConfigurationSession configSession, SecurityIdentifier sid) { return(new ActiveDirectoryAccessRule[] { new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, DirectoryCommon.GetSchemaPropertyGuid(configSession, "msExchUMAvailableLanguages"), ActiveDirectorySecurityInheritance.Descendents, DirectoryCommon.GetSchemaClassGuid(configSession, "msExchUMDialPlan")) }); }