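/// <summary>
/// Strips every ACE from the named DKM container's ACL whose principal is neither Domain Admins
/// nor one of the principals that are supposed to receive key read/write or full-control access,
/// so that only the intended identities retain access to the key material container.
/// </summary>
/// <param name="dkmContainerName">CN of the container under "CN=Distributed KeyMan".</param>
/// <param name="principalsToHaveKeyReadWritePermissionsAdded">Principals whose ACEs are kept (key read/write).</param>
/// <param name="principalsToHaveFullControlPermissionsAdded">Principals whose ACEs are kept (full control).</param>
/// <param name="rootDomainDN">Distinguished name of the root domain that hosts the container.</param>
private void RemoveUnwantedDkmContainerAccessRules(string dkmContainerName, IEnumerable <SecurityIdentifier> principalsToHaveKeyReadWritePermissionsAdded, IEnumerable <SecurityIdentifier> principalsToHaveFullControlPermissionsAdded, string rootDomainDN)
        {
            string containerPath = string.Format("LDAP://CN={0},{1},{2},{3}", new object[]
            {
                dkmContainerName,
                "CN=Distributed KeyMan",
                "CN=Microsoft,CN=Program Data",
                rootDomainDN
            });

            // DirectoryEntry owns a native directory binding. The previous version only called
            // Close() on the success path, so an exception from the ACL edit or CommitChanges
            // leaked the handle; disposing via 'using' closes it on every path.
            using (DirectoryEntry directoryEntry = new DirectoryEntry(containerPath))
            {
                ActiveDirectorySecurity objectSecurity = directoryEntry.ObjectSecurity;

                // Rule modification on a non-canonical DACL is rejected by the framework, so
                // repair the ordering before purging anything.
                if (!objectSecurity.AreAccessRulesCanonical)
                {
                    InitializeDkmDatacenter.CanonicalizeAcl(objectSecurity);
                }

                // Snapshot of explicit and inherited rules. Purging edits the security descriptor,
                // not this collection, so iterating it while purging is safe.
                AuthorizationRuleCollection accessRules = objectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
                foreach (AuthorizationRule authorizationRule in accessRules)
                {
                    IdentityReference identity = authorizationRule.IdentityReference;
                    bool isExpectedPrincipal = identity == InitializeDkmDatacenter.DomainAdminsSid
                        || InitializeDkmDatacenter.IsIdentityInCollection(identity, principalsToHaveKeyReadWritePermissionsAdded)
                        || InitializeDkmDatacenter.IsIdentityInCollection(identity, principalsToHaveFullControlPermissionsAdded);
                    if (isExpectedPrincipal)
                    {
                        continue;
                    }

                    // Every ACE for this identity is dropped, not just the one being inspected.
                    // NOTE(review): PurgeAccessRules removes explicit ACEs; rules this container
                    // inherits from its parent are expected to survive — confirm the container
                    // is created with inheritance blocked if that matters.
                    this.WriteWarning(Strings.RemovingAceFromDkmContainerAcl(dkmContainerName, InitializeDkmDatacenter.AccountNameFromSid(identity.ToString())));
                    objectSecurity.PurgeAccessRules(identity);
                }

                // Round-trip the binary descriptor (presumably to flag it as modified) so that
                // CommitChanges writes the trimmed ACL back to the directory.
                objectSecurity.SetSecurityDescriptorBinaryForm(objectSecurity.GetSecurityDescriptorBinaryForm());
                directoryEntry.CommitChanges();
            }
        }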
        /// <summary>
        /// Provisions every configured DKM container under "CN=Microsoft,CN=Program Data" of the
        /// root domain: creates it, removes ACEs that do not belong to the expected principals,
        /// then applies the intended access rules. A container that already exists is reported
        /// with a warning and otherwise left alone. Any other failure is warned about, written
        /// to the management event log, and rethrown so the task fails.
        /// </summary>
        protected override void InternalProcessRecord()
        {
            TaskLogger.LogEnter();
            this.InternalBeginProcessing();

            string rootDomainDn = this.rootDomain.Id.ToDNString();
            // Parent DN is the same for every container, so build it once.
            string programDataDn = string.Format("{0},{1}", "CN=Microsoft,CN=Program Data", rootDomainDn);

            foreach (Tuple <string, List <SecurityIdentifier>, List <SecurityIdentifier> > containerSpec in InitializeDkmDatacenter.DkmContainersToCreate)
            {
                string containerName = containerSpec.Item1;
                List <SecurityIdentifier> readWritePrincipals = containerSpec.Item2;
                List <SecurityIdentifier> fullControlPrincipals = containerSpec.Item3;

                try
                {
                    DkmProxy proxy = null;
                    try
                    {
                        this.CreateDkmContainer(containerName, programDataDn, out proxy);
                    }
                    catch (ObjectAlreadyExistsException)
                    {
                        // Pre-existing container: warn and skip the ACL work below.
                        this.WriteWarning(Strings.DkmContainerAlreadyExists(containerName));
                    }

                    if (proxy == null)
                    {
                        continue;
                    }

                    this.RemoveUnwantedDkmContainerAccessRules(containerName, readWritePrincipals, fullControlPrincipals, rootDomainDn);
                    InitializeDkmDatacenter.SetDkmContainerAccessRules(proxy, readWritePrincipals, fullControlPrincipals);
                }
                catch (Exception ex)
                {
                    this.WriteWarning(Strings.DkmProvisioningException(containerName, ex));
                    ExManagementApplicationLogger.LogEvent(ManagementEventLogConstants.Tuple_DkmProvisioningException, new string[]
                    {
                        ex.ToString()
                    });
                    // Rethrow preserving the original stack trace.
                    throw;
                }
            }

            ExManagementApplicationLogger.LogEvent(ManagementEventLogConstants.Tuple_DkmProvisioningSuccessful, new string[0]);
            TaskLogger.LogExit();
        }