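/// <summary>
/// Grants <paramref name="exchangeServersSid"/> an Allow/ReadProperty ACE on the
/// <c>msExchAvailabilityUserPassword</c> attribute, inherited by descendant objects of
/// class <c>msExchAvailabilityAddressSpace</c> under <paramref name="availabilityConfig"/>.
/// </summary>
/// <param name="exchangeServersSid">Principal that receives the read right.</param>
/// <param name="availabilityConfig">Object whose descendants inherit the ACE.</param>
/// <param name="verboseLogger">Verbose logger forwarded to <see cref="DirectoryCommon.SetAces"/>; no warning logger is supplied (null).</param>
/// <remarks>
/// Security note: judging by its name, the attribute being exposed stores a credential, so the
/// ACE is deliberately scoped to a single property GUID and a single inheriting class GUID —
/// keep it that narrow, and do not widen the principal beyond the Exchange Servers group.
/// </remarks>
internal static void SetAvailabilityAces(SecurityIdentifier exchangeServersSid, AvailabilityConfig availabilityConfig, Task.TaskVerboseLoggingDelegate verboseLogger)
{
    Guid addressSpaceClassGuid;
    Guid userPasswordAttributeGuid;

    // Both GUIDs come from the same forest schema; fetch it once instead of twice.
    using (ActiveDirectorySchema schema = ActiveDirectorySchema.GetCurrentSchema())
    {
        using (ActiveDirectorySchemaClass addressSpaceClass = schema.FindClass("msExchAvailabilityAddressSpace"))
        {
            addressSpaceClassGuid = addressSpaceClass.SchemaGuid;
        }
        using (ActiveDirectorySchemaProperty userPasswordAttribute = schema.FindProperty("msExchAvailabilityUserPassword"))
        {
            userPasswordAttributeGuid = userPasswordAttribute.SchemaGuid;
        }
    }

    // Object-type GUID = the password attribute; inherited-object-type GUID = the address-space class.
    ActiveDirectoryAccessRule[] aces = new ActiveDirectoryAccessRule[]
    {
        new ActiveDirectoryAccessRule(exchangeServersSid, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, userPasswordAttributeGuid, ActiveDirectorySecurityInheritance.Descendents, addressSpaceClassGuid)
    };
    DirectoryCommon.SetAces(verboseLogger, null, availabilityConfig, aces);
}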
/// <summary>
/// Applies <paramref name="modifiedAces"/> to this task's <c>DataObject</c> through
/// <see cref="DirectoryCommon.SetAces"/> (with both verbose and warning loggers wired),
/// then reports the applied rules via <c>WriteResults</c>.
/// Enter/exit are recorded with <see cref="TaskLogger"/>.
/// </summary>
/// <param name="modifiedAces">Access rules to write to the object's security descriptor.</param>
protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces)
{
    TaskLogger.LogEnter();

    Task.TaskVerboseLoggingDelegate verboseLogger = new Task.TaskVerboseLoggingDelegate(base.WriteVerbose);
    Task.TaskWarningLoggingDelegate warningLogger = new Task.TaskWarningLoggingDelegate(this.WriteWarning);
    DirectoryCommon.SetAces(verboseLogger, warningLogger, this.DataObject, modifiedAces);

    base.WriteResults(modifiedAces);
    TaskLogger.LogExit();
}
/// <summary>
/// Writes the "server admin" ACE set for <c>this.user</c> onto <c>this.server</c>.
/// </summary>
/// <remarks>
/// The ACE set is produced by <c>PermissionTaskHelper.GetAcesToServerAdmin</c> from the
/// configuration session and the user's SID. A <see cref="SecurityDescriptorAccessDeniedException"/>
/// raised while writing is reported through <c>WriteError</c> with
/// <see cref="ErrorCategory.PermissionDenied"/>. The closing warning is unconditional in this
/// method; whether it is reached after <c>WriteError</c> depends on that method terminating the
/// task, which is not visible here.
/// </remarks>
private void GrantServerAdminRole()
{
    try
    {
        SecurityIdentifier userSid = ((IADSecurityPrincipal)this.user).Sid;
        ActiveDirectoryAccessRule[] serverAdminAces = PermissionTaskHelper.GetAcesToServerAdmin(this.ConfigurationSession, userSid);

        Task.TaskVerboseLoggingDelegate verboseLogger = new Task.TaskVerboseLoggingDelegate(base.WriteVerbose);
        Task.TaskWarningLoggingDelegate warningLogger = new Task.TaskWarningLoggingDelegate(this.WriteWarning);
        DirectoryCommon.SetAces(verboseLogger, warningLogger, this.server, serverAdminAces);
    }
    catch (SecurityDescriptorAccessDeniedException accessDenied)
    {
        base.WriteError(accessDenied, ErrorCategory.PermissionDenied, null);
    }

    this.WriteWarning(Strings.CouldNotFindLocalAdministratorGroup(this.server.Name, this.Identity.ToString()));
}
/// <summary>
/// Grants the Delegated Setup group its ACE set on the "CN=UM DialPlan Container" object
/// beneath the organization container, then continues with the base processing.
/// </summary>
/// <remarks>
/// If <c>ResolveExchangeGroupGuid</c> cannot resolve <see cref="WellKnownGuid.RgDelegatedSetupWkGuid"/>
/// the ACL step is skipped silently. A <see cref="SecurityDescriptorAccessDeniedException"/>
/// from the write is reported via <c>WriteError</c> as <see cref="ErrorCategory.PermissionDenied"/>;
/// <c>base.InternalProcessRecord()</c> runs afterwards in the code path shown here.
/// </remarks>
protected override void InternalProcessRecord()
{
    TaskLogger.LogEnter();
    try
    {
        ADGroup delegatedSetupGroup = base.ResolveExchangeGroupGuid<ADGroup>(WellKnownGuid.RgDelegatedSetupWkGuid);
        if (delegatedSetupGroup != null)
        {
            // Target: <org container>/CN=UM DialPlan Container (Guid.Empty = resolve by DN only).
            ADObjectId orgContainerId = this.configurationSession.GetOrgContainerId();
            ADObjectId dialPlanContainerId = orgContainerId.GetDescendantId(new ADObjectId("CN=UM DialPlan Container", Guid.Empty));

            ActiveDirectoryAccessRule[] dialPlanAces = this.GetUMDialPlanAcesToServerAdmin(this.configurationSession, delegatedSetupGroup.Sid);
            Task.TaskVerboseLoggingDelegate verboseLogger = new Task.TaskVerboseLoggingDelegate(base.WriteVerbose);
            Task.TaskWarningLoggingDelegate warningLogger = new Task.TaskWarningLoggingDelegate(this.WriteWarning);
            DirectoryCommon.SetAces(verboseLogger, warningLogger, this.configurationSession, dialPlanContainerId, dialPlanAces);
        }
    }
    catch (SecurityDescriptorAccessDeniedException accessDenied)
    {
        base.WriteError(accessDenied, ErrorCategory.PermissionDenied, null);
    }
    base.InternalProcessRecord();
    TaskLogger.LogExit();
}
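/// <summary>
/// Grants the tenant/root-org "Organization Management" group the set of public-folder and
/// store extended rights (Allow, inheritance All) on <paramref name="obj"/>.
/// </summary>
/// <param name="obj">Directory object whose security descriptor receives the ACEs.</param>
/// <exception cref="InvalidOperationException">
/// Thrown when the "Organization Management" group cannot be read from the recipient session;
/// previously this surfaced as a NullReferenceException.
/// </exception>
/// <remarks>
/// The recipient session is built without RBAC scopes
/// (<c>ADSessionSettings.FromOrganizationIdWithoutRbacScopes</c>), i.e. the lookup runs outside the
/// caller's RBAC scoping. No warning logger is passed to <see cref="DirectoryCommon.SetAces"/>.
/// </remarks>
internal void SetOrganizationManagementACLs(ADObject obj)
{
    // Retained from the original even though the result is unused: it may have side effects or
    // throw, and removing it could change observable behavior.
    ADSystemConfigurationSession.GetRootOrgContainerIdForLocalForest();

    ADSessionSettings sessionSettings = ADSessionSettings.FromOrganizationIdWithoutRbacScopes(this.OrganizationId.ConfigurationUnit, this.OrganizationId, this.taskInstance.ExecutingUserOrganizationId, false);
    IRecipientSession recipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(false, ConsistencyMode.PartiallyConsistent, sessionSettings, 403, "SetOrganizationManagementACLs", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\PFTreeManagement.cs");

    ADObjectId orgMgmtGroupId = this.OrganizationId.OrganizationalUnit.GetChildId("Organization Management");
    ADGroup orgMgmtGroup = (ADGroup)recipientSession.Read(orgMgmtGroupId);
    if (orgMgmtGroup == null)
    {
        // Fail with a diagnosable error rather than dereferencing null below.
        throw new InvalidOperationException("Organization Management group could not be read: " + orgMgmtGroupId);
    }
    SecurityIdentifier groupSid = orgMgmtGroup.Sid;

    // Every right below is granted with the same identity, type and inheritance; only the
    // extended-right GUID differs. Order matches the original ACE list.
    Guid[] extendedRightGuids = new Guid[]
    {
        WellKnownGuid.MailEnablePublicFolderGuid,
        WellKnownGuid.CreatePublicFolderExtendedRightGuid,
        WellKnownGuid.CreateTopLevelPublicFolderExtendedRightGuid,
        WellKnownGuid.ModifyPublicFolderACLExtendedRightGuid,
        WellKnownGuid.ModifyPublicFolderAdminACLExtendedRightGuid,
        WellKnownGuid.ModifyPublicFolderDeletedItemRetentionExtendedRightGuid,
        WellKnownGuid.ModifyPublicFolderExpiryExtendedRightGuid,
        WellKnownGuid.ModifyPublicFolderQuotasExtendedRightGuid,
        WellKnownGuid.StoreAdminExtendedRightGuid,
        WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid,
        WellKnownGuid.StoreVisibleExtendedRightGuid
    };

    ActiveDirectoryAccessRule[] aces = new ActiveDirectoryAccessRule[extendedRightGuids.Length];
    for (int i = 0; i < extendedRightGuids.Length; i++)
    {
        aces[i] = new ActiveDirectoryAccessRule(groupSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, extendedRightGuids[i], ActiveDirectorySecurityInheritance.All);
    }

    DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(this.taskInstance.WriteVerbose), null, obj, aces);
}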
/// <summary>
/// Saves the new <see cref="ADUser"/>, re-reads it, sets its UserAccountControl flags (and a
/// random password when <c>LogonEnabled</c>), runs the base processing, and finally grants the
/// EOA well-known group GenericAll (Allow, inheritance All) on the resulting object.
/// </summary>
/// <remarks>
/// Security-relevant behaviour visible here:
/// - When <c>LogonEnabled</c> is false the account is created with <c>AccountDisabled</c> and no password is set.
/// - <see cref="ADObjectAlreadyExistsException"/> during creation is only logged at Verbose level;
///   processing then continues into the ACL grant against <c>this.DataObject.Id</c>.
/// - The GenericAll grant to the EOA group is issued without a warning logger (null).
/// Failures in the grant step (transient, operation, access-denied, or group not found) are
/// collected into one message and reported via <c>WriteError</c> as InvalidOperation.
/// </remarks>
protected override void InternalProcessRecord()
{
    TaskLogger.LogEnter();
    try
    {
        ADUser pendingUser = this.DataObject;
        IRecipientSession recipientSession = (IRecipientSession)base.DataSession;
        recipientSession.Save(pendingUser);

        ADUser savedUser = (ADUser)base.DataSession.Read<ADUser>(pendingUser.Identity);
        if (savedUser == null)
        {
            throw new LocalizedException(Strings.ErrorReadingUpdatedUserFromAD(pendingUser.OriginatingServer, recipientSession.LastUsedDc));
        }

        // Reset UAC before touching the password so the flags are built from a known state.
        savedUser.UserAccountControl = UserAccountControlFlags.None;
        if (this.LogonEnabled)
        {
            using (SecureString randomPassword = MailboxTaskUtilities.GetRandomPassword(this.Name, savedUser.SamAccountName))
            {
                recipientSession.SetPassword(savedUser, randomPassword);
            }
        }
        else
        {
            savedUser.UserAccountControl |= UserAccountControlFlags.AccountDisabled;
        }
        savedUser.UserAccountControl |= UserAccountControlFlags.NormalAccount;

        this.DataObject = savedUser;
        base.InternalProcessRecord();
    }
    catch (ADObjectAlreadyExistsException alreadyExists)
    {
        // Collision is verbose-only; the ACL grant below still runs.
        base.WriteVerbose(Strings.UserCreateFailed(this.Name, alreadyExists.Message.ToString()));
    }

    LocalizedString grantFailure = LocalizedString.Empty;
    try
    {
        base.WriteVerbose(Strings.VerboseGrantingEoaFullAccessOnMailbox(this.DataObject.Identity.ToString()));
        ADGroup eoaGroup = base.RootOrgGlobalCatalogSession.ResolveWellKnownGuid<ADGroup>(WellKnownGuid.EoaWkGuid, base.GlobalConfigSession.ConfigurationNamingContext.ToDNString());
        if (eoaGroup == null)
        {
            grantFailure = Strings.ErrorGroupNotFound(WellKnownGuid.EoaWkGuid.ToString());
        }
        else
        {
            // Full control for the EOA group, inherited by all descendants of the new object.
            ActiveDirectoryAccessRule fullControl = new ActiveDirectoryAccessRule(eoaGroup.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All);
            DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IDirectorySession)base.DataSession, this.DataObject.Id, new ActiveDirectoryAccessRule[] { fullControl });
        }
    }
    catch (ADTransientException transientError)
    {
        grantFailure = transientError.LocalizedString;
    }
    catch (ADOperationException operationError)
    {
        grantFailure = operationError.LocalizedString;
    }
    catch (SecurityDescriptorAccessDeniedException accessDenied)
    {
        grantFailure = accessDenied.LocalizedString;
    }

    if (LocalizedString.Empty != grantFailure)
    {
        base.WriteError(new InvalidOperationException(Strings.ErrorGrantingEraFullAccessOnMailbox(this.DataObject.Identity.ToString(), grantFailure)), ErrorCategory.InvalidOperation, this.DataObject.Identity);
    }
    TaskLogger.LogExit();
}
/// <summary>
/// Writes <paramref name="modifiedAces"/> onto <paramref name="modifiedObject"/> using a writable
/// session obtained for that object's id, routing verbose, warning and per-object error output
/// to the task's loggers.
/// </summary>
/// <param name="modifiedObject">Entry whose security descriptor is updated; only its <c>Id</c> is used here.</param>
/// <param name="modifiedAces">Access rules to apply.</param>
protected override void ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces)
{
    ADObjectId targetId = modifiedObject.Id;
    Task.TaskVerboseLoggingDelegate verboseLogger = new Task.TaskVerboseLoggingDelegate(base.WriteVerbose);
    Task.TaskWarningLoggingDelegate warningLogger = new Task.TaskWarningLoggingDelegate(this.WriteWarning);
    Task.ErrorLoggerDelegate errorLogger = new Task.ErrorLoggerDelegate(this.WriteErrorPerObject);

    DirectoryCommon.SetAces(verboseLogger, warningLogger, errorLogger, base.GetWritableSession(targetId), targetId, modifiedAces);
}