internal static void SetAvailabilityAces(SecurityIdentifier exchangeServersSid, AvailabilityConfig availabilityConfig, Task.TaskVerboseLoggingDelegate verboseLogger)
{
Guid schemaGuid;
using (ActiveDirectorySchema currentSchema = ActiveDirectorySchema.GetCurrentSchema())
{
using (ActiveDirectorySchemaClass activeDirectorySchemaClass = currentSchema.FindClass("msExchAvailabilityAddressSpace"))
{
schemaGuid = activeDirectorySchemaClass.SchemaGuid;
}
}
Guid schemaGuid2;
using (ActiveDirectorySchema currentSchema2 = ActiveDirectorySchema.GetCurrentSchema())
{
using (ActiveDirectorySchemaProperty activeDirectorySchemaProperty = currentSchema2.FindProperty("msExchAvailabilityUserPassword"))
{
schemaGuid2 = activeDirectorySchemaProperty.SchemaGuid;
}
}
DirectoryCommon.SetAces(verboseLogger, null, availabilityConfig, new List <ActiveDirectoryAccessRule>
{
new ActiveDirectoryAccessRule(exchangeServersSid, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, schemaGuid2, ActiveDirectorySecurityInheritance.Descendents, schemaGuid)
}.ToArray());
}
protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces)
{
TaskLogger.LogEnter();
DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.DataObject, modifiedAces);
base.WriteResults(modifiedAces);
TaskLogger.LogExit();
}
public static void SetMailboxAces(ADUser mailbox, IConfigDataProvider writableAdSession, Task.TaskVerboseLoggingDelegate logVerbose, Task.TaskWarningLoggingDelegate logWarning, Task.ErrorLoggerDelegate logError, IConfigurationSession adSession, ref MapiMessageStoreSession storeSession, bool remove, params ActiveDirectoryAccessRule[] aces)
{
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor(mailbox, adSession, logVerbose, logError);
if (activeDirectorySecurity != null)
{
DirectoryCommon.ApplyAcesOnAcl(logVerbose, logWarning, null, mailbox.DistinguishedName, activeDirectorySecurity, remove, aces);
PermissionTaskHelper.SaveMailboxSecurityDescriptor(mailbox, activeDirectorySecurity, writableAdSession, ref storeSession, logVerbose, logError);
}
}
private void GrantServerAdminRole()
{
try
{
ActiveDirectoryAccessRule[] acesToServerAdmin = PermissionTaskHelper.GetAcesToServerAdmin(this.ConfigurationSession, ((IADSecurityPrincipal)this.user).Sid);
DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.server, acesToServerAdmin);
}
catch (SecurityDescriptorAccessDeniedException exception)
{
base.WriteError(exception, ErrorCategory.PermissionDenied, null);
}
this.WriteWarning(Strings.CouldNotFindLocalAdministratorGroup(this.server.Name, this.Identity.ToString()));
}
public static bool IsLocalDomainConfigUpToDate()
{
bool result = false;
bool flag = false;
int num = 0;
ADDomain addomain = ADForest.GetLocalForest().FindLocalDomain();
if (addomain == null)
{
throw new ADInitializationException(Strings.LocalDomainNotFoundException);
}
ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 531, "IsLocalDomainConfigUpToDate", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\Deployment\\DirectoryUtilities.cs");
topologyConfigurationSession.UseConfigNC = false;
MesoContainer mesoContainer = topologyConfigurationSession.FindMesoContainer(addomain);
if (mesoContainer != null)
{
flag = true;
ValidationError validationError;
if (!DirectoryUtilities.IsPropertyValid(mesoContainer, MesoContainerSchema.ObjectVersion, out validationError))
{
throw new ADInitializationException(Strings.MesoVersionInvalidException(validationError.Description));
}
num = mesoContainer.ObjectVersion;
}
if (flag && num >= MesoContainer.DomainPrepVersion)
{
topologyConfigurationSession.UseGlobalCatalog = true;
ADGroup adgroup = topologyConfigurationSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.ExSWkGuid, topologyConfigurationSession.ConfigurationNamingContext);
topologyConfigurationSession.UseGlobalCatalog = false;
if (adgroup != null)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(adgroup.Sid, ActiveDirectoryRights.DeleteTree, AccessControlType.Deny, ActiveDirectorySecurityInheritance.All);
result = DirectoryCommon.FindAces(mesoContainer, new ActiveDirectoryAccessRule[]
{
activeDirectoryAccessRule
});
}
}
return(result);
}
protected override void InternalProcessRecord()
{
TaskLogger.LogEnter();
try
{
ADGroup adgroup = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.RgDelegatedSetupWkGuid);
if (adgroup != null)
{
ADObjectId descendantId = this.configurationSession.GetOrgContainerId().GetDescendantId(new ADObjectId("CN=UM DialPlan Container", Guid.Empty));
ActiveDirectoryAccessRule[] umdialPlanAcesToServerAdmin = this.GetUMDialPlanAcesToServerAdmin(this.configurationSession, adgroup.Sid);
DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.configurationSession, descendantId, umdialPlanAcesToServerAdmin);
}
}
catch (SecurityDescriptorAccessDeniedException exception)
{
base.WriteError(exception, ErrorCategory.PermissionDenied, null);
}
base.InternalProcessRecord();
TaskLogger.LogExit();
}
protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces)
{
TaskLogger.LogEnter();
if (this.trustee != null)
{
List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>();
foreach (SecurityIdentifier identity in ((IADSecurityPrincipal)this.trustee).SidHistory)
{
foreach (RecipientAccessRight right in base.AccessRights)
{
list.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, RecipientPermissionHelper.GetRecipientAccessRightGuid(right), this.GetInheritanceType(), Guid.Empty));
}
}
if (list.Count > 0)
{
list.AddRange(modifiedAces);
modifiedAces = list.ToArray();
}
}
DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.ErrorLoggerDelegate(base.WriteError), this.DataObject, modifiedAces);
TaskLogger.LogExit();
}
internal void SetOrganizationManagementACLs(ADObject obj)
{
ADSystemConfigurationSession.GetRootOrgContainerIdForLocalForest();
ADSessionSettings sessionSettings = ADSessionSettings.FromOrganizationIdWithoutRbacScopes(this.OrganizationId.ConfigurationUnit, this.OrganizationId, this.taskInstance.ExecutingUserOrganizationId, false);
IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(false, ConsistencyMode.PartiallyConsistent, sessionSettings, 403, "SetOrganizationManagementACLs", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\PFTreeManagement.cs");
ADObjectId childId = this.OrganizationId.OrganizationalUnit.GetChildId("Organization Management");
ADGroup adgroup = (ADGroup)tenantOrRootOrgRecipientSession.Read(childId);
SecurityIdentifier sid = adgroup.Sid;
List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>();
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.MailEnablePublicFolderGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreatePublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreateTopLevelPublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderAdminACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderDeletedItemRetentionExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderExpiryExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderQuotasExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreAdminExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreVisibleExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(this.taskInstance.WriteVerbose), null, obj, list.ToArray());
}
internal static void StampWellKnownObjectGuid(IConfigurationSession writableConfigSession, OrganizationId organizationId, string distinguishedName, Guid wellKnownObjectGuid)
{
bool flag = false;
ExchangeConfigurationUnit exchangeConfigurationUnit = writableConfigSession.Read <ExchangeConfigurationUnit>(organizationId.ConfigurationUnit);
DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(exchangeConfigurationUnit.OtherWellKnownObjects, wellKnownObjectGuid);
if (dnwithBinary != null)
{
if (dnwithBinary.DistinguishedName.Equals(distinguishedName, StringComparison.OrdinalIgnoreCase))
{
flag = true;
}
else
{
exchangeConfigurationUnit.OtherWellKnownObjects.Remove(dnwithBinary);
}
}
if (!flag)
{
dnwithBinary = new DNWithBinary(distinguishedName, wellKnownObjectGuid.ToByteArray());
exchangeConfigurationUnit.OtherWellKnownObjects.Add(dnwithBinary);
writableConfigSession.Save(exchangeConfigurationUnit);
}
}
internal static ActiveDirectoryAccessRule[] GetAcesToServerAdmin(IConfigurationSession configSession, SecurityIdentifier sid)
{
return(new ActiveDirectoryAccessRule[]
{
new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All),
new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.SendAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All),
new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.ReceiveAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All),
new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild, AccessControlType.Deny, DirectoryCommon.GetSchemaClassGuid(configSession, "msExchPublicMDB"), ActiveDirectorySecurityInheritance.All)
});
}
internal static ADSystemMailbox SaveSystemMailbox(MailboxDatabase mdb, Server owningServer, ADObjectId rootOrgContainerId, ITopologyConfigurationSession configSession, IRecipientSession recipientSession, ADObjectId[] forcedReplicationSites, Task.TaskWarningLoggingDelegate writeWarning, Task.TaskVerboseLoggingDelegate writeVerbose)
{
TaskLogger.LogEnter();
bool useConfigNC = configSession.UseConfigNC;
bool useGlobalCatalog = configSession.UseGlobalCatalog;
string text = "SystemMailbox" + mdb.Guid.ToString("B");
SecurityIdentifier securityIdentifier = new SecurityIdentifier("SY");
ADSystemMailbox adsystemMailbox = new ADSystemMailbox();
adsystemMailbox.StampPersistableDefaultValues();
adsystemMailbox.Name = text;
adsystemMailbox.DisplayName = text;
adsystemMailbox.Alias = text;
adsystemMailbox.HiddenFromAddressListsEnabled = true;
adsystemMailbox.Database = mdb.Id;
if (owningServer == null)
{
throw new InvalidOperationException(Strings.ErrorDBOwningServerNotFound(mdb.Identity.ToString()));
}
adsystemMailbox.ServerLegacyDN = owningServer.ExchangeLegacyDN;
adsystemMailbox.ExchangeGuid = Guid.NewGuid();
AcceptedDomain defaultAcceptedDomain = configSession.GetDefaultAcceptedDomain();
if (defaultAcceptedDomain == null || defaultAcceptedDomain.DomainName == null || defaultAcceptedDomain.DomainName.Domain == null)
{
throw new ManagementObjectNotFoundException(Strings.ErrorNoDefaultAcceptedDomainFound(mdb.Identity.ToString()));
}
adsystemMailbox.EmailAddresses.Add(ProxyAddress.Parse("SMTP:" + adsystemMailbox.Alias + "@" + defaultAcceptedDomain.DomainName.Domain.ToString()));
adsystemMailbox.WindowsEmailAddress = adsystemMailbox.PrimarySmtpAddress;
adsystemMailbox.SendModerationNotifications = TransportModerationNotificationFlags.Never;
Organization organization = configSession.Read <Organization>(rootOrgContainerId);
if (organization == null)
{
throw new ManagementObjectNotFoundException(Strings.ErrorOrganizationNotFound(rootOrgContainerId.Name));
}
string parentLegacyDN = string.Format(CultureInfo.InvariantCulture, "{0}/ou={1}/cn=Recipients", new object[]
{
organization.LegacyExchangeDN,
configSession.GetAdministrativeGroupId().Name
});
adsystemMailbox.LegacyExchangeDN = LegacyDN.GenerateLegacyDN(parentLegacyDN, adsystemMailbox);
ADComputer adcomputer;
try
{
configSession.UseConfigNC = false;
configSession.UseGlobalCatalog = true;
adcomputer = configSession.FindComputerByHostName(owningServer.Name);
}
finally
{
configSession.UseConfigNC = useConfigNC;
configSession.UseGlobalCatalog = useGlobalCatalog;
}
if (adcomputer == null)
{
throw new ManagementObjectNotFoundException(Strings.ErrorDBOwningServerNotFound(mdb.Identity.ToString()));
}
ADObjectId adobjectId = adcomputer.Id.DomainId;
adobjectId = adobjectId.GetChildId("Microsoft Exchange System Objects");
adsystemMailbox.SetId(adobjectId.GetChildId(text));
GenericAce[] aces = new GenericAce[]
{
new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 131075, securityIdentifier, false, null)
};
DirectoryCommon.SetAclOnAlternateProperty(adsystemMailbox, aces, ADSystemAttendantMailboxSchema.ExchangeSecurityDescriptor, securityIdentifier, securityIdentifier);
recipientSession.LinkResolutionServer = mdb.OriginatingServer;
bool enforceDefaultScope = recipientSession.EnforceDefaultScope;
try
{
writeVerbose(TaskVerboseStringHelper.GetSaveObjectVerboseString(adsystemMailbox, recipientSession, typeof(ADSystemMailbox)));
recipientSession.EnforceDefaultScope = false;
recipientSession.Save(adsystemMailbox);
}
catch (ADConstraintViolationException ex)
{
IConfigurationSession tenantOrTopologyConfigurationSession = DirectorySessionFactory.Default.GetTenantOrTopologyConfigurationSession(ex.Server, false, ConsistencyMode.PartiallyConsistent, configSession.SessionSettings, 705, "SaveSystemMailbox", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\NewMailboxDatabase.cs");
if (!tenantOrTopologyConfigurationSession.ReplicateSingleObjectToTargetDC(mdb, ex.Server))
{
throw;
}
writeVerbose(TaskVerboseStringHelper.GetSaveObjectVerboseString(adsystemMailbox, recipientSession, typeof(ADSystemMailbox)));
recipientSession.Save(adsystemMailbox);
}
finally
{
writeVerbose(TaskVerboseStringHelper.GetSourceVerboseString(recipientSession));
recipientSession.EnforceDefaultScope = enforceDefaultScope;
}
if (forcedReplicationSites != null)
{
DagTaskHelper.ForceReplication(recipientSession, adsystemMailbox, forcedReplicationSites, mdb.Name, writeWarning, writeVerbose);
}
TaskLogger.LogExit();
return(adsystemMailbox);
}
protected override void ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces)
{
DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.ErrorLoggerDelegate(this.WriteErrorPerObject), base.GetWritableSession(modifiedObject.Id), modifiedObject.Id, modifiedAces);
}
protected override void InternalProcessRecord()
{
TaskLogger.LogEnter();
try
{
ADUser dataObject = this.DataObject;
IRecipientSession recipientSession = (IRecipientSession)base.DataSession;
recipientSession.Save(dataObject);
ADUser aduser = (ADUser)base.DataSession.Read <ADUser>(dataObject.Identity);
if (aduser == null)
{
throw new LocalizedException(Strings.ErrorReadingUpdatedUserFromAD(dataObject.OriginatingServer, recipientSession.LastUsedDc));
}
aduser.UserAccountControl = UserAccountControlFlags.None;
if (this.LogonEnabled)
{
using (SecureString randomPassword = MailboxTaskUtilities.GetRandomPassword(this.Name, aduser.SamAccountName))
{
recipientSession.SetPassword(aduser, randomPassword);
goto IL_98;
}
}
aduser.UserAccountControl |= UserAccountControlFlags.AccountDisabled;
IL_98:
aduser.UserAccountControl |= UserAccountControlFlags.NormalAccount;
this.DataObject = aduser;
base.InternalProcessRecord();
}
catch (ADObjectAlreadyExistsException ex)
{
base.WriteVerbose(Strings.UserCreateFailed(this.Name, ex.Message.ToString()));
}
LocalizedString localizedString = LocalizedString.Empty;
try
{
base.WriteVerbose(Strings.VerboseGrantingEoaFullAccessOnMailbox(this.DataObject.Identity.ToString()));
ADGroup adgroup = base.RootOrgGlobalCatalogSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EoaWkGuid, base.GlobalConfigSession.ConfigurationNamingContext.ToDNString());
if (adgroup == null)
{
localizedString = Strings.ErrorGroupNotFound(WellKnownGuid.EoaWkGuid.ToString());
}
else
{
DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IDirectorySession)base.DataSession, this.DataObject.Id, new ActiveDirectoryAccessRule[]
{
new ActiveDirectoryAccessRule(adgroup.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)
});
}
}
catch (ADTransientException ex2)
{
localizedString = ex2.LocalizedString;
}
catch (ADOperationException ex3)
{
localizedString = ex3.LocalizedString;
}
catch (SecurityDescriptorAccessDeniedException ex4)
{
localizedString = ex4.LocalizedString;
}
if (LocalizedString.Empty != localizedString)
{
base.WriteError(new InvalidOperationException(Strings.ErrorGrantingEraFullAccessOnMailbox(this.DataObject.Identity.ToString(), localizedString)), ErrorCategory.InvalidOperation, this.DataObject.Identity);
}
TaskLogger.LogExit();
}
private ActiveDirectoryAccessRule[] GetUMDialPlanAcesToServerAdmin(IConfigurationSession configSession, SecurityIdentifier sid)
{
return(new ActiveDirectoryAccessRule[]
{
new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, DirectoryCommon.GetSchemaPropertyGuid(configSession, "msExchUMAvailableLanguages"), ActiveDirectorySecurityInheritance.Descendents, DirectoryCommon.GetSchemaClassGuid(configSession, "msExchUMDialPlan"))
});
}
