protected override void InternalValidate()
{
TaskLogger.LogEnter();
base.InternalValidate();
MailboxTaskHelper.ValidateGroupManagedBy(base.TenantGlobalCatalogSession, this.DataObject, this.managedByRecipients, new DataAccessHelper.CategorizedGetDataObjectDelegate(base.GetDataObject <ADRecipient>), new Task.ErrorLoggerDelegate(base.WriteError));
if (this.DataObject.IsModified(ADMailboxRecipientSchema.SamAccountName))
{
RecipientTaskHelper.IsSamAccountNameUnique(this.DataObject, this.DataObject.SamAccountName, new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.ErrorLoggerDelegate(base.WriteError), ExchangeErrorCategory.Client);
}
if (base.ParameterSetName == "Universal")
{
if ((this.DataObject.GroupType & GroupTypeFlags.Universal) == GroupTypeFlags.Universal)
{
base.WriteError(new RecipientTaskException(Strings.ErrorIsUniversalGroupAlready(this.DataObject.Name)), ErrorCategory.InvalidArgument, this.DataObject.Identity);
}
else
{
if ((this.DataObject.GroupType & GroupTypeFlags.BuiltinLocal) == GroupTypeFlags.BuiltinLocal || SetGroup.IsBuiltInObject(this.DataObject))
{
base.WriteError(new RecipientTaskException(Strings.ErrorCannotConvertBuiltInGroup(this.DataObject.Name)), ErrorCategory.InvalidArgument, this.DataObject.Identity);
}
GroupTypeFlags groupTypeFlags = (GroupTypeFlags)7;
this.DataObject.GroupType = ((this.DataObject.GroupType & ~groupTypeFlags) | GroupTypeFlags.Universal);
base.DesiredRecipientType = this.DataObject.RecipientType;
}
}
if (this.DataObject.IsChanged(ADGroupSchema.Members) || base.ParameterSetName == "Universal")
{
MailboxTaskHelper.ValidateAddedMembers(base.TenantGlobalCatalogSession, this.DataObject, new Task.ErrorLoggerDelegate(base.WriteError), new DataAccessHelper.CategorizedGetDataObjectDelegate(base.GetDataObject <ADRecipient>));
}
TaskLogger.LogExit();
}
private static CompositeFilter GenerateTargetFilterForSecurityGroup(GroupTypeFlags flag)
{
return(new AndFilter(new QueryFilter[]
{
new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.ObjectCategory, ADGroup.MostDerivedClass),
new BitMaskOrFilter(ADGroupSchema.GroupType, (ulong)int.MinValue),
new BitMaskAndFilter(ADGroupSchema.GroupType, (ulong)flag)
}));
}
internal static void SecurityEnabledSetter(object value, IPropertyBag propertyBag)
{
GroupTypeFlags groupTypeFlags = (GroupTypeFlags)propertyBag[SyncGroupSchema.GroupType];
if ((bool)value)
{
propertyBag[SyncGroupSchema.GroupType] = (groupTypeFlags | GroupTypeFlags.SecurityEnabled);
return;
}
propertyBag[SyncGroupSchema.GroupType] = (groupTypeFlags & (GroupTypeFlags)2147483647);
}
public static bool ValidateFlags(GroupTypeFlags groupTypeFlags)
{
GroupTypeFlags tmpFlags = groupTypeFlags;
if (tmpFlags.HasFlag(GroupTypeFlags.GROUP_TYPE_BUILTIN_LOCAL_GROUP))
{
tmpFlags = ~GroupTypeFlags.GROUP_TYPE_BUILTIN_LOCAL_GROUP & tmpFlags;
}
if (tmpFlags.HasFlag(GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED))
{
tmpFlags = ~GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED & tmpFlags;
}
return(tmpFlags == GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP ||
tmpFlags == GroupTypeFlags.GROUP_TYPE_APP_BASIC_GROUP ||
tmpFlags == GroupTypeFlags.GROUP_TYPE_APP_QUERY_GROUP ||
tmpFlags == GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP ||
tmpFlags == GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP);
}
private ADGroup CreateGroup(OrganizationId orgId, ADObjectId usgContainerId, string groupName, int groupId, Guid wkGuid, string groupDescription, GroupTypeFlags groupType, List <ADObjectId> manageBy)
{
ADGroup adgroup = null;
DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.configurationUnit.OtherWellKnownObjects, wkGuid);
if (null != dnwithBinary)
{
ADObjectId adobjectId = new ADObjectId(dnwithBinary.DistinguishedName);
if (adobjectId.IsDeleted)
{
base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), orgId.ConfigurationUnit.DistinguishedName), ErrorCategory.InvalidData, null);
}
ADRecipient adrecipient = this.orgDomainRecipientSession.Read(adobjectId);
if (adrecipient == null)
{
base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), orgId.ConfigurationUnit.DistinguishedName), ErrorCategory.InvalidData, null);
}
base.LogReadObject(adrecipient);
if (adrecipient.RecipientType != RecipientType.Group)
{
base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), orgId.ConfigurationUnit.ToString(), adgroup.Id.DistinguishedName, groupType.ToString()), ErrorCategory.InvalidData, null);
}
adgroup = (adrecipient as ADGroup);
InitializeExchangeUniversalGroups.UpgradeRoleGroupLocalization(adgroup, groupId, groupDescription, this.orgDomainRecipientSession);
if ((adgroup.GroupType & groupType) != groupType)
{
base.WriteVerbose(Strings.InfoChangingGroupType(adgroup.Id.DistinguishedName, groupType.ToString()));
adgroup.GroupType = groupType;
adgroup.RecipientTypeDetails = RecipientTypeDetails.RoleGroup;
this.orgDomainRecipientSession.Save(adgroup);
base.LogWriteObject(adgroup);
}
else
{
base.WriteVerbose(Strings.InfoGroupAlreadyPresent(adgroup.Id.DistinguishedName));
}
return(adgroup);
}
ADGroup adgroup2 = null;
try
{
string groupSam = groupName + "{" + Guid.NewGuid().ToString("N") + "}";
adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueRoleGroup(this.orgDomainRecipientSession, orgId.OrganizationalUnit.DomainId, usgContainerId, groupName, groupId, groupDescription, groupSam, manageBy, orgId);
dnwithBinary = this.CreateWKGuid(adgroup2.Id, wkGuid);
}
finally
{
if (adgroup2 == null && dnwithBinary != null)
{
this.configurationUnit.OtherWellKnownObjects.Remove(dnwithBinary);
this.configurationSession.Save(this.configurationUnit);
base.LogWriteObject(this.configurationUnit);
}
else if (adgroup2 != null && dnwithBinary == null)
{
this.orgDomainRecipientSession.Delete(adgroup2);
base.LogWriteObject(adgroup2);
adgroup2 = null;
}
}
return(adgroup2);
}
// Token: 0x06001986 RID: 6534 RVA: 0x0006C30D File Offset: 0x0006A50D
internal ADGroup(IRecipientSession session, string commonName, ADObjectId containerId, GroupTypeFlags groupType)
{
this.m_Session = session;
base.SetId(containerId.GetChildId(commonName));
base.SetObjectClass(this.MostDerivedObjectClass);
this.GroupType = groupType;
}
private ADGroup CreateGroup(IRecipientSession session, ADObjectId containerId, string groupName, LocalizedString groupDescription, GroupTypeFlags groupType)
{
ADGroup adgroup = new ADGroup(session, groupName, containerId, groupType);
MultiValuedProperty <string> multiValuedProperty = new MultiValuedProperty <string>();
multiValuedProperty.Add(groupDescription);
adgroup[ADRecipientSchema.Description] = multiValuedProperty;
adgroup.SamAccountName = groupName;
SetupTaskBase.Save(adgroup, session);
base.WriteVerbose(Strings.InfoCreatedGroup(adgroup.DistinguishedName));
return(adgroup);
}
private ADGroup CreateDomainLocalSecurityGroup(ADContainer container, string groupName, LocalizedString groupDescription)
{
GroupTypeFlags groupType = GroupTypeFlags.DomainLocal | GroupTypeFlags.SecurityEnabled;
return(this.CreateGroup(this.rootDomainRecipientSession, container.Id, groupName, groupDescription, groupType));
}
/// <summary>
/// TestCase29 method validates the requirements under
/// WellKnownSecurityDomainPrincipal Scenario.
/// </summary>
public void ValidateWellKnownSecurityDomainPrincipal()
{
DirectoryEntry dirEntry = new DirectoryEntry();
DirectoryEntry childEntry = new DirectoryEntry();
DirectoryEntry rootEntry = new DirectoryEntry();
string currDomain = adAdapter.rootDomainDN;
string configNC = "CN=Configuration," + currDomain;
string schemaNC = "CN=Schema," + configNC;
bool isObjectSid = true;
SecurityIdentifier sid;
PropertyValueCollection rid, ridUser;
byte[] objectSid;
string expectedValue = String.Empty;
string actualValue = String.Empty;
if (!adAdapter.GetObjectByDN("CN=Users," + currDomain, out dirEntry))
{
DataSchemaSite.Assume.IsTrue(false, "CN=Users," + currDomain + " Object is not found in server");
}
// Get the object of Root Domain NC.
if (!adAdapter.GetObjectByDN(currDomain, out rootEntry))
{
DataSchemaSite.Assume.IsTrue(false, currDomain + " Object is not found in server");
}
//Get the objectSid value of the object of root domain NC.
objectSid = (byte[])rootEntry.Properties["objectSid"].Value;
sid = new SecurityIdentifier(objectSid, 0);
expectedValue = sid.ToString();
int length = expectedValue.Length;
DirectoryEntries rolesChilds = dirEntry.Children;
//For each child,
foreach (DirectoryEntry child in rolesChilds)
{
//Get the sid of the child object.
objectSid = (byte[])child.Properties["objectSid"].Value;
sid = new SecurityIdentifier(objectSid, 0);
//Get the rid of this object.
string temp = sid.ToString();
temp = temp.Substring(temp.LastIndexOf('-'));
//Add rid with expected value.
expectedValue = expectedValue + temp;
//Get the actual value.
actualValue = sid.ToString();
//Compare.
if (actualValue.Equals(expectedValue))
{
isObjectSid = true;
}
else
{
isObjectSid = false;
break;
}
//Reset the expected value.
expectedValue = expectedValue.Substring(0, length);
}
//MS-ADTS-Schema_R811
DataSchemaSite.CaptureRequirementIfIsTrue(
isObjectSid,
811,
@"The objectSid attribute of Well-Known Domain-Relative Security Principals must be a SID
consisting of the objectSid of the domain NC root followed by the RID specified for each child.");
//MS-ADTS-Schema_R812
childEntry = dirEntry.Children.Find("CN=Administrator");
rid = childEntry.Properties["primaryGroupID"];
childEntry = dirEntry.Children.Find("CN=Domain Users");
childEntry.RefreshCache(new string[] { "primaryGroupToken" });
ridUser = childEntry.Properties["primaryGroupToken"];
DataSchemaSite.CaptureRequirementIfAreEqual <int>(
(int)ridUser.Value,
(int)rid.Value,
812,
@"The primaryGroupID attribute of class user Well-Known Domain-Relative Security Principals must be
RID, which refers to another Well-Known domain relative security principal, by RID");
//The method to call common requirements for AD/DS and LDS.
LDSAndDSCommonCall(dirEntry);
if (!adAdapter.GetObjectByDN(currDomain, out childEntry))
{
DataSchemaSite.Assume.IsTrue(false, currDomain + " Object is not found in server");
}
PropertyValueCollection nTMixedDomain = childEntry.Properties["nTMixedDomain"];
//If nTMixedDomain value is 0 that is not mixed else mixed domain
if ((int)nTMixedDomain.Value == 0)
{
//MS-ADTS-Schema_R843
childEntry = dirEntry.Children.Find("CN=Schema Admins");
PropertyValueCollection groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
843,
@"If the forest root domain is not mixed :The groupType attribute of Schema Admins Well-Known
Domain-Relative Security Principals is {GROUP_TYPE_UNIVERSAL_GROUP | GROUP_TYPE_SECURITY_ENABLED}
This means that in groupType field the two above bits are set, which means that the groupType
is 0x80000008.");
if (serverOS >= OSVersion.WinSvr2008)
{
//MS-ADTS-Schema_R832
childEntry = dirEntry.Children.Find("CN=Enterprise Admins");
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
832,
@"If the forest root domain is not mixed :The groupType attribute of Enterprise Administrators
Well-Known Domain-Relative Security Principals is
{GROUP_TYPE_UNIVERSAL_GROUP | GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000008.");
}
}
else
{
//MS-ADTS-Schema_R842, MS-ADTS-Schema_R831
childEntry = dirEntry.Children.Find("CN=Schema Admins");
PropertyValueCollection groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
842,
@"If the forest root domain is not mixed :The groupType attribute of Schema Admins Well-Known
Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}
This means that in groupType field the two above bits are set, which means that the groupType
is 0x80000002.");
if (serverOS == OSVersion.WinSvr2008)
{
//MS-ADTS-Schema_R831
childEntry = dirEntry.Children.Find("CN=Enterprise Admins");
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
831,
@"If the forest root domain is not mixed :The groupType attribute of Enterprise
Administrators Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP |
GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set,
which means that the groupType is 0x80000002.");
}
}
}
/// <summary>
/// This method validates the requirements under
/// WellKnownSecurityDomainPrincipal for both AD/DS and LDS Scenario's.
/// The common requirements are logged here.
/// </summary>
public void LDSAndDSCommonCall(DirectoryEntry directEntry)
{
GroupTypeFlags gType;
//Holding Directory entries.
DirectoryEntry dirEntry = new DirectoryEntry();
DirectoryEntry childEntry = new DirectoryEntry();
dirEntry = directEntry;
//MS-ADTS-Schema_R810
DirectoryEntries rolesChilds = dirEntry.Children;
bool isParentRoles = true;
foreach (DirectoryEntry child in rolesChilds)
{
if (!child.Parent.Name.ToString().Equals("CN=Users"))
{
isParentRoles = false;
}
}
DataSchemaSite.CaptureRequirementIfIsTrue(
isParentRoles,
810,
"For the Well-Known Domain-Relative Security Principals the Parent must be Users container");
//MS-ADTS-Schema_R813
childEntry = dirEntry.Children.Find("CN=Administrator");
PropertyValueCollection objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"user"),
813,
"The objectClass attribute of Administrator Well-Known Domain-Relative Security Principals must be user");
//MS-ADTS-Schema_R814
childEntry = dirEntry.Children.Find("CN=Guest");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"user"),
814,
"The objectClass attribute of Guest Well-Known Domain-Relative Security Principals must be user");
//MS-ADTS-Schema_R815
childEntry.RefreshCache(new string[] { "primaryGroupID" });
string primary = childEntry.Properties["primaryGroupID"].Value.ToString();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"514",
primary,
815,
@"The primaryGroupID attribute of Guest Well-Known Domain-Relative Security Principals must
be 514 (Domain Guests)");
//MS-ADTS-Schema_R816
childEntry = dirEntry.Children.Find("CN=krbtgt");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"user"),
816,
@"The objectClass attribute of Key Distribution Center Service Account Well-Known Domain-Relative
Security Principals must be user");
//MS-ADTS-Schema_R817
childEntry.RefreshCache(new string[] { "primaryGroupID" });
primary = childEntry.Properties["primaryGroupID"].Value.ToString();
DataSchemaSite.CaptureRequirementIfAreEqual <string>(
"513",
primary,
817,
@"The primaryGroupID attribute of Key Distribution Center Service Account Well-Known Domain-Relative
Security Principals must be 513 (Domain Users)");
//MS-ADTS-Schema_R818
childEntry = dirEntry.Children.Find("CN=Cert Publishers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
818,
@"The objectClass attribute of Key Distribution Center Service Account Well-Known Domain-Relative
Security Principals must be user");
//MS-ADTS-Schema_R819
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
819,
@"The groupType attribute of Cert Publishers Well-Known Domain-Relative Security Principals is
{GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two
above bits are set, which means that the groupType is 0x80000004");
//MS-ADTS-Schema_R820
childEntry = dirEntry.Children.Find("CN=Domain Admins");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
820,
@"The objectClass attribute of Domain Administrators Well-Known Domain-Relative Security Principals
must be group");
//MS-ADTS-Schema_R821
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
821,
@"The groupType attribute of Domain Administrators, Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R822
childEntry = dirEntry.Children.Find("CN=Domain Computers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
822,
@"The objectClass attribute of Domain Computers Well-Known Domain-Relative Security
Principals must be group");
//MS-ADTS-Schema_R823
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
823,
@"The groupType attribute of Domain Computers Well-Known Domain-Relative Security Principals is
{GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the
two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R824
childEntry = dirEntry.Children.Find("CN=Domain Controllers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
824,
@"The objectClass attribute of Domain Controllers, Well-Known Domain-Relative Security Principals
must be group");
//MS-ADTS-Schema_R825
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
825,
@"The groupType attribute of Domain Controllers Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R826
childEntry = dirEntry.Children.Find("CN=Domain Guests");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
826,
@"The objectClass attribute of Domain Guests Well-Known Domain-Relative Security Principals must
be group");
//MS-ADTS-Schema_R827
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
827,
@"The groupType attribute of Domain Guests Well-Known Domain-Relative Security Principals is
{GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R828
childEntry = dirEntry.Children.Find("CN=Domain Users");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
828,
"The objectClass attribute of Domain Users Well-Known Domain-Relative Security Principals must be group");
//MS-ADTS-Schema_R829
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
829,
@"The groupType attribute of Domain Users Well-Known Domain-Relative Security Principals must
be either of GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED");
//MS-ADTS-Schema_R833
childEntry = dirEntry.Children.Find("CN=Group Policy Creator Owners");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
833,
@"The objectClass attribute of Group Policy Creator Owners Well-Known Domain-Relative Security
Principals must be group");
//MS-ADTS-Schema_R834
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
834,
@"The groupType attribute of Group Policy Creator Owners Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two
above bits are set, which means that the groupType is 0x80000002");
//MS-ADTS-Schema_R835
childEntry = dirEntry.Children.Find("CN=RAS and IAS Servers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
835,
@"The objectClass attribute of RAS and IAS Servers Well-Known Domain-Relative Security Principals
must be group");
//MS-ADTS-Schema_R836
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
836,
@"The groupType attribute of RAS and IAS Servers Well-Known Domain-Relative Security Principals
is {GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field
the two above bits are set, which means that the groupType is 0x80000004");
//MS-ADTS-Schema_R841
childEntry = dirEntry.Children.Find("CN=Schema Admins");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
841,
@"The objectClass attribute of Schema Admins Well-Known Domain-Relative Security Principals
must be group");
if (serverOS >= OSVersion.WinSvr2008)
{
//MS-ADTS-Schema_R830
childEntry = dirEntry.Children.Find("CN=Enterprise Admins");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
830,
@"The objectClass attribute of Enterprise Administrators Well-Known Domain-Relative Security
Principals must be group.");
//MS-ADTS-Schema_R837
childEntry = dirEntry.Children.Find("CN=Read-only Domain Controllers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
837,
@"The objectClass attribute of Read-Only Domain Controllers Well-Known
Domain-Relative Security Principals must be group");
//MS-ADTS-Schema_R838
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
838,
@"The groupType attribute of Read-Only Domain Controllers Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_ACCOUNT_GROUP|GROUP_TYPE_SECURITY_ENABLED}
This means that in groupType field the two above bits are set, which means that the
groupType is 0x80000002.");
//MS-ADTS-Schema_R839
childEntry = dirEntry.Children.Find("CN=Enterprise Read-only Domain Controllers");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.CaptureRequirementIfIsTrue(
objectClass.Contains((object)"group"),
839,
@"The objectClass attribute of Enterprise Read-Only Domain Controllers Well-Known Domain-Relative
Security Principals must be group");
//MS-ADTS-Schema_R840
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.CaptureRequirementIfAreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
840,
@"The groupType attribute of Enterprise Read-Only Domain Controllers Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_UNIVERSAL_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in
groupType field the two above bits are set, which means that the groupType is 0x80000008.");
//MS-ADTS-Schema_Allowed RODC Password Replication Group
childEntry = dirEntry.Children.Find("CN=Allowed RODC Password Replication Group");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.Assert.IsTrue(
objectClass.Contains((object)"group"),
@"The objectClass attribute of Allowed RODC Password Replication Group Well-Known Domain-Relative
Security Principals must be group");
//MS-ADTS-Schema_Allowed RODC Password Replication Group
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.Assert.AreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
@"The groupType attribute of Allowed RODC Password Replication Group Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_RESOURCE_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in
groupType field the two above bits are set, which means that the groupType is 0x80000004.");
//MS-ADTS-Schema_Denied RODC Password Replication Group
childEntry = dirEntry.Children.Find("CN=Denied RODC Password Replication Group");
objectClass = childEntry.Properties["objectClass"];
DataSchemaSite.Assert.IsTrue(
objectClass.Contains((object)"group"),
@"The objectClass attribute of Denied RODC Password Replication Group Well-Known Domain-Relative
Security Principals must be group");
//MS-ADTS-Schema_Denied RODC Password Replication Group
groupType = childEntry.Properties["groupType"];
gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
DataSchemaSite.Assert.AreEqual <GroupTypeFlags>(
GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
gType,
@"The groupType attribute of Denied RODC Password Replication Group Well-Known Domain-Relative
Security Principals is {GROUP_TYPE_RESOURCE_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in
groupType field the two above bits are set, which means that the groupType is 0x80000004.");
}
}
internal static ADGroup CreateUniqueChildSG(IRecipientSession session, ADObjectId dom, ADObjectId containerId, string groupNameOrig, string groupDescription, string groupSam, GroupTypeFlags groupType, OrganizationId orgId)
{
string commonName = InitializeExchangeUniversalGroups.FindUniqueCN(session, containerId, groupNameOrig);
ADGroup adgroup = new ADGroup(session, commonName, containerId, groupType);
MultiValuedProperty <string> multiValuedProperty = new MultiValuedProperty <string>();
multiValuedProperty.Add(groupDescription);
adgroup[ADRecipientSchema.Description] = multiValuedProperty;
adgroup.SamAccountName = groupSam;
adgroup.OrganizationId = orgId;
InitializeExchangeUniversalGroups.SaveGroup(session, containerId, adgroup);
TaskLogger.Trace(Strings.InfoCreatedGroup(adgroup.DistinguishedName));
return(adgroup);
}
internal static ADGroup CreateUniqueChildSG(IRecipientSession session, ADObjectId dom, ADObjectId containerId, string groupNameOrig, string groupDescription, GroupTypeFlags groupType, OrganizationId orgId)
{
string groupSam = InitializeExchangeUniversalGroups.FindUniqueSamAccountName(session, dom, groupNameOrig);
return(InitializeExchangeUniversalGroups.CreateUniqueChildSG(session, dom, containerId, groupNameOrig, groupDescription, groupSam, groupType, orgId));
}
private ADGroup CreateGroup(ADOrganizationalUnit usgContainer, string groupName, int groupId, Guid wkGuid, string groupDescription, GroupTypeFlags groupType, bool createAsRoleGroup)
{
ADRecipient adrecipient = base.ResolveExchangeGroupGuid <ADRecipient>(wkGuid);
DNWithBinary dnwithBinary = null;
if (adrecipient != null)
{
base.LogReadObject(adrecipient);
if (adrecipient.RecipientType != RecipientType.Group)
{
base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adrecipient.Id.DistinguishedName, groupType.ToString()), ErrorCategory.NotSpecified, null);
}
ADGroup adgroup = adrecipient as ADGroup;
base.LogReadObject(adgroup);
if ((adgroup.GroupType & groupType) != groupType)
{
base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adgroup.Id.DistinguishedName, groupType.ToString()), ErrorCategory.NotSpecified, null);
}
if (createAsRoleGroup && adgroup.RecipientTypeDetails != RecipientTypeDetails.RoleGroup)
{
base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adgroup.Id.DistinguishedName, RecipientTypeDetails.RoleGroup.ToString()), ErrorCategory.NotSpecified, null);
}
base.WriteVerbose(Strings.InfoGroupAlreadyPresent(adgroup.Id.DistinguishedName));
dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.exchangeConfigContainer.OtherWellKnownObjects, wkGuid);
if (dnwithBinary == null)
{
dnwithBinary = this.CreateWKGuid(this.exchangeConfigContainer, adgroup.Id, wkGuid);
}
if (createAsRoleGroup)
{
InitializeExchangeUniversalGroups.UpgradeRoleGroupLocalization(adgroup, groupId, groupDescription, this.rootDomainRecipientSession);
}
return(adgroup);
}
ADContainer adcontainer = this.exchangeConfigContainer;
dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(adcontainer.OtherWellKnownObjects, wkGuid);
if (dnwithBinary == null)
{
adcontainer = this.configContainer;
dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(adcontainer.OtherWellKnownObjects, wkGuid);
}
if (dnwithBinary != null)
{
base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), adcontainer.DistinguishedName), ErrorCategory.NotSpecified, null);
}
ADGroup adgroup2 = null;
try
{
if (createAsRoleGroup)
{
adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueRoleGroup(this.rootDomainRecipientSession, this.rootDomain.Id, usgContainer.Id, groupName, groupId, groupDescription, OrganizationId.ForestWideOrgId);
}
else
{
adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueChildSG(this.rootDomainRecipientSession, this.rootDomain.Id, usgContainer.Id, groupName, groupDescription, groupType, OrganizationId.ForestWideOrgId);
}
dnwithBinary = this.CreateWKGuid(this.exchangeConfigContainer, adgroup2.Id, wkGuid);
}
finally
{
if (adgroup2 == null && dnwithBinary != null)
{
this.exchangeConfigContainer.OtherWellKnownObjects.Remove(dnwithBinary);
this.domainConfigurationSession.Save(this.exchangeConfigContainer);
base.LogWriteObject(this.exchangeConfigContainer);
}
else if (adgroup2 != null && dnwithBinary == null)
{
this.rootDomainRecipientSession.Delete(adgroup2);
base.LogWriteObject(adgroup2);
adgroup2 = null;
}
}
return(adgroup2);
}
