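/// <summary>
/// Trims the ACL of the named DKM container so that only Domain Admins and the principals that
/// are about to be (re)granted access keep their explicit ACEs; every other identity's rules are
/// purged and the resulting security descriptor is committed back to Active Directory.
/// </summary>
/// <param name="dkmContainerName">RDN value of the DKM container (the part after "CN=").</param>
/// <param name="principalsToHaveKeyReadWritePermissionsAdded">Identities whose ACEs are kept because they will be granted key read/write access.</param>
/// <param name="principalsToHaveFullControlPermissionsAdded">Identities whose ACEs are kept because they will be granted full control.</param>
/// <param name="rootDomainDN">Distinguished name of the root domain; the container is looked up under CN=Distributed KeyMan,CN=Microsoft,CN=Program Data.</param>
/// <remarks>
/// The <see cref="DirectoryEntry"/> is held in a using block so the underlying LDAP handle is
/// released on every path; Close() alone only ran after a successful CommitChanges, so a failure
/// in GetAccessRules, PurgeAccessRules or CommitChanges leaked the entry.
/// </remarks>
private void RemoveUnwantedDkmContainerAccessRules(string dkmContainerName, IEnumerable<SecurityIdentifier> principalsToHaveKeyReadWritePermissionsAdded, IEnumerable<SecurityIdentifier> principalsToHaveFullControlPermissionsAdded, string rootDomainDN)
{
    // NOTE(review): the DN is assembled with string.Format and no LDAP escaping. The visible caller
    // feeds it from a static table (InitializeDkmDatacenter.DkmContainersToCreate) and the forest's
    // root domain DN, so that is acceptable only while no externally supplied name reaches here.
    string containerPath = string.Format("LDAP://CN={0},{1},{2},{3}", new object[]
    {
        dkmContainerName,
        "CN=Distributed KeyMan",
        "CN=Microsoft,CN=Program Data",
        rootDomainDN
    });
    using (DirectoryEntry directoryEntry = new DirectoryEntry(containerPath))
    {
        // A non-canonical DACL cannot be edited reliably; fix ordering before touching it.
        if (!directoryEntry.ObjectSecurity.AreAccessRulesCanonical)
        {
            InitializeDkmDatacenter.CanonicalizeAcl(directoryEntry.ObjectSecurity);
        }
        // GetAccessRules returns a detached copy, so purging rules on ObjectSecurity while
        // iterating this collection does not invalidate the enumeration.
        AuthorizationRuleCollection accessRules = directoryEntry.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
        foreach (AuthorizationRule authorizationRule in accessRules)
        {
            IdentityReference identity = authorizationRule.IdentityReference;
            bool isDomainAdmins = identity == InitializeDkmDatacenter.DomainAdminsSid;
            bool isKeyReadWritePrincipal = InitializeDkmDatacenter.IsIdentityInCollection(identity, principalsToHaveKeyReadWritePermissionsAdded);
            bool isFullControlPrincipal = InitializeDkmDatacenter.IsIdentityInCollection(identity, principalsToHaveFullControlPermissionsAdded);
            if (isDomainAdmins || isKeyReadWritePrincipal || isFullControlPrincipal)
            {
                continue;
            }
            // Warn before removal so the operator can see which identities lost access and why.
            this.WriteWarning(Strings.RemovingAceFromDkmContainerAcl(dkmContainerName, InitializeDkmDatacenter.AccountNameFromSid(identity.ToString())));
            directoryEntry.ObjectSecurity.PurgeAccessRules(identity);
        }
        // Round-tripping the descriptor through its binary form is presumably what marks
        // ObjectSecurity as modified so CommitChanges actually writes it — TODO confirm.
        directoryEntry.ObjectSecurity.SetSecurityDescriptorBinaryForm(directoryEntry.ObjectSecurity.GetSecurityDescriptorBinaryForm());
        directoryEntry.CommitChanges();
        directoryEntry.Close();
    }
}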
/// <summary>
/// Provisions every DKM container listed in <see cref="InitializeDkmDatacenter.DkmContainersToCreate"/>
/// under CN=Microsoft,CN=Program Data of the root domain. A container that already exists is
/// reported with a warning and left untouched; a newly created one has its stray ACEs removed and
/// the intended access rules applied. Any other failure is logged to the management event log and
/// rethrown, aborting the remaining containers.
/// </summary>
protected override void InternalProcessRecord()
{
    TaskLogger.LogEnter();
    this.InternalBeginProcessing();
    string rootDomainDn = this.rootDomain.Id.ToDNString();
    // Parent DN is the same for every container, so build it once.
    string parentContainerDn = string.Format("{0},{1}", "CN=Microsoft,CN=Program Data", rootDomainDn);
    foreach (Tuple<string, List<SecurityIdentifier>, List<SecurityIdentifier>> containerSpec in InitializeDkmDatacenter.DkmContainersToCreate)
    {
        string containerName = containerSpec.Item1;
        List<SecurityIdentifier> keyReadWritePrincipals = containerSpec.Item2;
        List<SecurityIdentifier> fullControlPrincipals = containerSpec.Item3;
        try
        {
            DkmProxy dkmProxy = null;
            try
            {
                this.CreateDkmContainer(containerName, parentContainerDn, out dkmProxy);
            }
            catch (ObjectAlreadyExistsException)
            {
                // Existing container: warn and skip ACL work (dkmProxy stays null).
                this.WriteWarning(Strings.DkmContainerAlreadyExists(containerName));
            }
            if (dkmProxy == null)
            {
                continue;
            }
            this.RemoveUnwantedDkmContainerAccessRules(containerName, keyReadWritePrincipals, fullControlPrincipals, rootDomainDn);
            InitializeDkmDatacenter.SetDkmContainerAccessRules(dkmProxy, keyReadWritePrincipals, fullControlPrincipals);
        }
        catch (Exception ex)
        {
            // Surface the failure both to the operator and to the event log, then propagate it.
            this.WriteWarning(Strings.DkmProvisioningException(containerName, ex));
            ExManagementApplicationLogger.LogEvent(ManagementEventLogConstants.Tuple_DkmProvisioningException, new string[] { ex.ToString() });
            throw;
        }
    }
    ExManagementApplicationLogger.LogEvent(ManagementEventLogConstants.Tuple_DkmProvisioningSuccessful, new string[0]);
    TaskLogger.LogExit();
}