Esempio n. 1
0
        internal static void SetAvailabilityAces(SecurityIdentifier exchangeServersSid, AvailabilityConfig availabilityConfig, Task.TaskVerboseLoggingDelegate verboseLogger)
        {
            Guid schemaGuid;

            using (ActiveDirectorySchema currentSchema = ActiveDirectorySchema.GetCurrentSchema())
            {
                using (ActiveDirectorySchemaClass activeDirectorySchemaClass = currentSchema.FindClass("msExchAvailabilityAddressSpace"))
                {
                    schemaGuid = activeDirectorySchemaClass.SchemaGuid;
                }
            }
            Guid schemaGuid2;

            using (ActiveDirectorySchema currentSchema2 = ActiveDirectorySchema.GetCurrentSchema())
            {
                using (ActiveDirectorySchemaProperty activeDirectorySchemaProperty = currentSchema2.FindProperty("msExchAvailabilityUserPassword"))
                {
                    schemaGuid2 = activeDirectorySchemaProperty.SchemaGuid;
                }
            }
            DirectoryCommon.SetAces(verboseLogger, null, availabilityConfig, new List <ActiveDirectoryAccessRule>
            {
                new ActiveDirectoryAccessRule(exchangeServersSid, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, schemaGuid2, ActiveDirectorySecurityInheritance.Descendents, schemaGuid)
            }.ToArray());
        }
Esempio n. 2
0
 protected override void ApplyModification(ActiveDirectoryAccessRule[] modifiedAces)
 {
     TaskLogger.LogEnter();
     DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.DataObject, modifiedAces);
     base.WriteResults(modifiedAces);
     TaskLogger.LogExit();
 }
Esempio n. 3
0
 private void GrantServerAdminRole()
 {
     try
     {
         ActiveDirectoryAccessRule[] acesToServerAdmin = PermissionTaskHelper.GetAcesToServerAdmin(this.ConfigurationSession, ((IADSecurityPrincipal)this.user).Sid);
         DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.server, acesToServerAdmin);
     }
     catch (SecurityDescriptorAccessDeniedException exception)
     {
         base.WriteError(exception, ErrorCategory.PermissionDenied, null);
     }
     this.WriteWarning(Strings.CouldNotFindLocalAdministratorGroup(this.server.Name, this.Identity.ToString()));
 }
Esempio n. 4
0
 protected override void InternalProcessRecord()
 {
     TaskLogger.LogEnter();
     try
     {
         ADGroup adgroup = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.RgDelegatedSetupWkGuid);
         if (adgroup != null)
         {
             ADObjectId descendantId = this.configurationSession.GetOrgContainerId().GetDescendantId(new ADObjectId("CN=UM DialPlan Container", Guid.Empty));
             ActiveDirectoryAccessRule[] umdialPlanAcesToServerAdmin = this.GetUMDialPlanAcesToServerAdmin(this.configurationSession, adgroup.Sid);
             DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), this.configurationSession, descendantId, umdialPlanAcesToServerAdmin);
         }
     }
     catch (SecurityDescriptorAccessDeniedException exception)
     {
         base.WriteError(exception, ErrorCategory.PermissionDenied, null);
     }
     base.InternalProcessRecord();
     TaskLogger.LogExit();
 }
Esempio n. 5
0
        internal void SetOrganizationManagementACLs(ADObject obj)
        {
            ADSystemConfigurationSession.GetRootOrgContainerIdForLocalForest();
            ADSessionSettings  sessionSettings = ADSessionSettings.FromOrganizationIdWithoutRbacScopes(this.OrganizationId.ConfigurationUnit, this.OrganizationId, this.taskInstance.ExecutingUserOrganizationId, false);
            IRecipientSession  tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(false, ConsistencyMode.PartiallyConsistent, sessionSettings, 403, "SetOrganizationManagementACLs", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\SystemConfigurationTasks\\database\\PFTreeManagement.cs");
            ADObjectId         childId            = this.OrganizationId.OrganizationalUnit.GetChildId("Organization Management");
            ADGroup            adgroup            = (ADGroup)tenantOrRootOrgRecipientSession.Read(childId);
            SecurityIdentifier sid                = adgroup.Sid;
            List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>();

            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.MailEnablePublicFolderGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreatePublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreateTopLevelPublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderAdminACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderDeletedItemRetentionExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderExpiryExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderQuotasExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreAdminExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreVisibleExtendedRightGuid, ActiveDirectorySecurityInheritance.All));
            DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(this.taskInstance.WriteVerbose), null, obj, list.ToArray());
        }
        protected override void InternalProcessRecord()
        {
            TaskLogger.LogEnter();
            try
            {
                ADUser            dataObject       = this.DataObject;
                IRecipientSession recipientSession = (IRecipientSession)base.DataSession;
                recipientSession.Save(dataObject);
                ADUser aduser = (ADUser)base.DataSession.Read <ADUser>(dataObject.Identity);
                if (aduser == null)
                {
                    throw new LocalizedException(Strings.ErrorReadingUpdatedUserFromAD(dataObject.OriginatingServer, recipientSession.LastUsedDc));
                }
                aduser.UserAccountControl = UserAccountControlFlags.None;
                if (this.LogonEnabled)
                {
                    using (SecureString randomPassword = MailboxTaskUtilities.GetRandomPassword(this.Name, aduser.SamAccountName))
                    {
                        recipientSession.SetPassword(aduser, randomPassword);
                        goto IL_98;
                    }
                }
                aduser.UserAccountControl |= UserAccountControlFlags.AccountDisabled;
IL_98:
                aduser.UserAccountControl |= UserAccountControlFlags.NormalAccount;
                this.DataObject            = aduser;
                base.InternalProcessRecord();
            }
            catch (ADObjectAlreadyExistsException ex)
            {
                base.WriteVerbose(Strings.UserCreateFailed(this.Name, ex.Message.ToString()));
            }
            LocalizedString localizedString = LocalizedString.Empty;

            try
            {
                base.WriteVerbose(Strings.VerboseGrantingEoaFullAccessOnMailbox(this.DataObject.Identity.ToString()));
                ADGroup adgroup = base.RootOrgGlobalCatalogSession.ResolveWellKnownGuid <ADGroup>(WellKnownGuid.EoaWkGuid, base.GlobalConfigSession.ConfigurationNamingContext.ToDNString());
                if (adgroup == null)
                {
                    localizedString = Strings.ErrorGroupNotFound(WellKnownGuid.EoaWkGuid.ToString());
                }
                else
                {
                    DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IDirectorySession)base.DataSession, this.DataObject.Id, new ActiveDirectoryAccessRule[]
                    {
                        new ActiveDirectoryAccessRule(adgroup.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)
                    });
                }
            }
            catch (ADTransientException ex2)
            {
                localizedString = ex2.LocalizedString;
            }
            catch (ADOperationException ex3)
            {
                localizedString = ex3.LocalizedString;
            }
            catch (SecurityDescriptorAccessDeniedException ex4)
            {
                localizedString = ex4.LocalizedString;
            }
            if (LocalizedString.Empty != localizedString)
            {
                base.WriteError(new InvalidOperationException(Strings.ErrorGrantingEraFullAccessOnMailbox(this.DataObject.Identity.ToString(), localizedString)), ErrorCategory.InvalidOperation, this.DataObject.Identity);
            }
            TaskLogger.LogExit();
        }
Esempio n. 7
0
 protected override void ApplyModification(ADRawEntry modifiedObject, ActiveDirectoryAccessRule[] modifiedAces)
 {
     DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.TaskWarningLoggingDelegate(this.WriteWarning), new Task.ErrorLoggerDelegate(this.WriteErrorPerObject), base.GetWritableSession(modifiedObject.Id), modifiedObject.Id, modifiedAces);
 }