private void RemoveInvalidRoleGroups(RoleGroupCollection roleGroups) { foreach (RoleGroupDefinition roleGroupDefinition in roleGroups) { DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.configurationUnit.OtherWellKnownObjects, roleGroupDefinition.RoleGroupGuid); if (null != dnwithBinary) { this.configurationUnit.OtherWellKnownObjects.Remove(dnwithBinary); this.configurationSession.Save(this.configurationUnit); base.LogWriteObject(this.configurationUnit); ADObjectId adobjectId = new ADObjectId(dnwithBinary.DistinguishedName); foreach (ExchangeRoleAssignment exchangeRoleAssignment in this.configurationSession.FindPaged <ExchangeRoleAssignment>(base.OrgContainerId.GetDescendantId(ExchangeRoleAssignment.RdnContainer), QueryScope.OneLevel, new ComparisonFilter(ComparisonOperator.Equal, ExchangeRoleAssignmentSchema.User, adobjectId), null, 0)) { this.configurationSession.Delete(exchangeRoleAssignment); base.LogWriteObject(exchangeRoleAssignment); } if (!adobjectId.IsDeleted) { ADRecipient adrecipient = this.orgDomainRecipientSession.Read(adobjectId); base.LogReadObject(adrecipient); this.orgDomainRecipientSession.Delete(adrecipient); base.LogWriteObject(adrecipient); } } } }
public static void SetAclOnAlternateProperty(ADObject obj, GenericAce[] aces, PropertyDefinition sdProperty) { using (WindowsIdentity current = WindowsIdentity.GetCurrent()) { SecurityIdentifier user = current.User; SecurityIdentifier group = user; DirectoryCommon.SetAclOnAlternateProperty(obj, aces, sdProperty, user, group); } }
public static void GrantWriteMembershipPermissionToEOA(ADObject obj, ADGroup eoa, IConfigurationSession configurationSession, Task.TaskVerboseLoggingDelegate logWarning) { Guid schemaPropertyGuid = DirectoryCommon.GetSchemaPropertyGuid(configurationSession, "member"); ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(eoa.Sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid, ActiveDirectorySecurityInheritance.All); DirectoryCommon.SetAces(logWarning, null, obj, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); List <Server> list = new List <Server>(); List <SecurityIdentifier> list2 = new List <SecurityIdentifier>(); Server server = null; try { server = ((ITopologyConfigurationSession)this.configurationSession).FindLocalServer(); } catch (LocalServerNotFoundException ex) { base.WriteError(new CouldNotFindExchangeServerDirectoryEntryException(ex.Fqdn), ErrorCategory.InvalidData, null); } base.LogReadObject(server); list.Add(server); ADComputer adcomputer = ((ITopologyConfigurationSession)this.domainConfigurationSession).FindLocalComputer(); if (adcomputer == null) { base.WriteError(new CouldNotFindLocalhostDirectoryEntryException(), ErrorCategory.InvalidData, null); } base.LogReadObject(adcomputer); list2.Add(adcomputer.Sid); if (list.Count > 0) { List <ActiveDirectoryAccessRule> list3 = list2.ConvertAll <ActiveDirectoryAccessRule>((SecurityIdentifier machineSid) => new ActiveDirectoryAccessRule(machineSid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); using (IEnumerator <string> enumerator = DirectoryCommon.ServerWriteAttrs.GetEnumerator()) { while (enumerator.MoveNext()) { string attr = enumerator.Current; list3.AddRange(list2.ConvertAll <ActiveDirectoryAccessRule>((SecurityIdentifier machineSid) => new ActiveDirectoryAccessRule(machineSid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, attr), ActiveDirectorySecurityInheritance.None))); } } foreach (Server obj in list) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, obj, list3.ToArray()); } SecurityIdentifier sid = this.exs.Sid; List <ActiveDirectoryAccessRule> list4 = new List <ActiveDirectoryAccessRule>(); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreTransportAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreConstrainedDelegationExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreReadAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreReadWriteAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); foreach (Server obj2 in list) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, obj2, list4.ToArray()); } TaskLogger.LogExit(); } }
private void SetDeletedObjectsSecurityDescriptor(SecurityIdentifier sid, ActiveDirectoryRights adr) { ADObjectId deletedObjectsContainer = this.configurationSession.DeletedObjectsContainer; if (base.ShouldProcess(deletedObjectsContainer.DistinguishedName, Strings.InfoProcessAction(sid.ToString()), null)) { ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(sid, adr, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IConfigurationSession)ADSession.RescopeSessionToTenantSubTree(this.configurationSession), deletedObjectsContainer, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); } }
private static void SetAces(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, Task.ErrorLoggerDelegate errorLogger, ADObject obj, bool remove, params ActiveDirectoryAccessRule[] aces) { if (obj == null) { throw new ArgumentNullException("obj"); } RawSecurityDescriptor rawSecurityDescriptor = obj.ReadSecurityDescriptor(); rawSecurityDescriptor = DirectoryCommon.ApplyAcesOnSd(verboseLogger, warningLogger, errorLogger, obj.Id, rawSecurityDescriptor, remove, aces); if (rawSecurityDescriptor != null) { obj.SaveSecurityDescriptor(rawSecurityDescriptor); } }
private static ActiveDirectoryAccessRule FindAce(ActiveDirectoryAccessRule ace, ActiveDirectorySecurity acl, bool includeInherited, bool subsetInsteadOfSuperset) { AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, includeInherited, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (DirectoryCommon.AceMatches(ace, activeDirectoryAccessRule, subsetInsteadOfSuperset)) { return(activeDirectoryAccessRule); } } return(null); }
private void SetAceByObjectClass <T>(ADObjectId root, ActiveDirectoryAccessRule ace) where T : ADConfigurationObject, new() { T[] array = this.configurationSession.Find <T>(root, QueryScope.SubTree, null, null, 0); foreach (T t in array) { if (base.ShouldProcess(t.DistinguishedName, Strings.InfoProcessAction(ace.IdentityReference.ToString()), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, t, new ActiveDirectoryAccessRule[] { ace }); } } }
private void GrantWriteMembershipPermission(SecurityIdentifier sid, ADOrganizationalUnit container) { List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>(); List <ActiveDirectoryAccessRule> list2 = new List <ActiveDirectoryAccessRule>(); Guid schemaPropertyGuid = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "member"); Guid schemaClassGuid = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "group"); list2.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid)); list2.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.CreateChild, AccessControlType.Allow, schemaClassGuid, ActiveDirectorySecurityInheritance.All)); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.DeleteChild, AccessControlType.Allow, schemaClassGuid, ActiveDirectorySecurityInheritance.All)); list2.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.Delete, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid)); DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, null, container, list.ToArray()); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, container, list2.ToArray()); }
public static int CountAce(ActiveDirectoryAccessRule ace, ActiveDirectorySecurity acl) { int num = 0; AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, false, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule ace2 = (ActiveDirectoryAccessRule)obj; if (DirectoryCommon.AceMatches(ace, ace2, false)) { num++; } } return(num); }
private static RawSecurityDescriptor ApplyAcesOnSd(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, Task.ErrorLoggerDelegate errorLogger, ADObjectId id, RawSecurityDescriptor rsd, bool remove, params ActiveDirectoryAccessRule[] aces) { if (rsd == null) { throw new SecurityDescriptorAccessDeniedException(id.DistinguishedName); } ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); byte[] array = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(array, 0); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); if (DirectoryCommon.ApplyAcesOnAcl(verboseLogger, warningLogger, errorLogger, id.DistinguishedName, activeDirectorySecurity, remove, aces)) { return(new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0)); } return(null); }
private void RemoveGroupByWKGuid(Guid wkGuid) { ADGroup adgroup = base.ResolveExchangeGroupGuid <ADGroup>(wkGuid); DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.exchangeConfigContainer.OtherWellKnownObjects, wkGuid); if (dnwithBinary != null && this.exchangeConfigContainer.OtherWellKnownObjects.Remove(dnwithBinary)) { this.configurationSession.Save(this.exchangeConfigContainer); } dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.configContainer.OtherWellKnownObjects, wkGuid); if (dnwithBinary != null && this.configContainer.OtherWellKnownObjects.Remove(dnwithBinary)) { this.configurationSession.Save(this.configContainer); } if (adgroup != null) { adgroup.Session.Delete(adgroup); } }
private static bool FindAces(ADObjectId id, RawSecurityDescriptor rsd, params ActiveDirectoryAccessRule[] aces) { if (rsd == null) { throw new SecurityDescriptorAccessDeniedException(id.DistinguishedName); } ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); byte[] array = new byte[rsd.BinaryLength]; rsd.GetBinaryForm(array, 0); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); foreach (ActiveDirectoryAccessRule ace in aces) { if (DirectoryCommon.FindAce(ace, activeDirectorySecurity) == null) { return(false); } } return(true); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); ADSystemAttendantMailbox adsystemAttendantMailbox = null; Server server = null; SecurityIdentifier sid = this.exs.Sid; SecurityIdentifier securityIdentifier = new SecurityIdentifier("SY"); try { server = ((ITopologyConfigurationSession)this.configurationSession).FindLocalServer(); } catch (LocalServerNotFoundException ex) { base.WriteError(new CouldNotFindExchangeServerDirectoryEntryException(ex.Fqdn), ErrorCategory.InvalidData, null); } if (server != null) { base.LogReadObject(server); this.recipientSession.DomainController = server.OriginatingServer; ADRecipient[] array = this.recipientSession.Find(server.Id.GetChildId("Microsoft System Attendant"), QueryScope.Base, null, null, 1); if (array.Length > 0) { adsystemAttendantMailbox = (array[0] as ADSystemAttendantMailbox); } } if (adsystemAttendantMailbox != null) { base.LogReadObject(adsystemAttendantMailbox); GenericAce[] aces = new GenericAce[] { new CommonAce(AceFlags.None, AceQualifier.AccessAllowed, 131073, securityIdentifier, false, null) }; DirectoryCommon.SetAclOnAlternateProperty(adsystemAttendantMailbox, aces, ADSystemAttendantMailboxSchema.ExchangeSecurityDescriptor); if (base.ShouldProcess(adsystemAttendantMailbox.DistinguishedName, Strings.InfoProcessAction(securityIdentifier.ToString()), null)) { this.recipientSession.Save(adsystemAttendantMailbox); } } TaskLogger.LogExit(); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); SecurityIdentifier identity = new SecurityIdentifier("AU"); List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>(); list.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ListChildren, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); if (base.ShouldProcess(this.addressListsContainer.DistinguishedName, Strings.InfoProcessAction(this.addressListsContainer.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.addressListsContainer, list.ToArray()); } if (base.ShouldProcess(this.offlineAddressListsContainer.DistinguishedName, Strings.InfoProcessAction(this.offlineAddressListsContainer.DistinguishedName), null)) { ActiveDirectoryAccessRule[] aces = new ActiveDirectoryAccessRule[] { new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.DownloadOABExtendedRightGuid, ActiveDirectorySecurityInheritance.All) }; DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.offlineAddressListsContainer, aces); } TaskLogger.LogExit(); }
protected override void InternalBeginProcessing() { TaskLogger.LogEnter(); base.InternalBeginProcessing(); if (string.IsNullOrEmpty(this.ServerName)) { this.server = ((ITopologyConfigurationSession)this.domainConfigurationSession).FindLocalComputer(); } else { ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromRootOrgScopeSet(), 99, "InternalBeginProcessing", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\DirectorySetup\\ManageExchangeServerGroupMember.cs"); topologyConfigurationSession.UseConfigNC = false; topologyConfigurationSession.UseGlobalCatalog = true; this.server = topologyConfigurationSession.FindComputerByHostName(this.ServerName); } if (this.server != null) { base.LogReadObject(this.server); this.serverDomain = this.domainConfigurationSession.Read <ADDomain>(this.server.Id.DomainId); if (this.serverDomain != null) { base.LogReadObject(this.serverDomain); this.meso = ((ITopologyConfigurationSession)this.domainConfigurationSession).FindMesoContainer(this.serverDomain); if (this.meso != null) { base.LogReadObject(this.meso); this.recipientSession.DomainController = this.meso.OriginatingServer; this.e12ds = DirectoryCommon.FindE12DomainServersGroup(this.recipientSession, this.meso); if (this.e12ds != null) { base.LogReadObject(this.e12ds); } } } } this.exs = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.ExSWkGuid); this.ets = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.EtsWkGuid); TaskLogger.LogExit(); }
private static void SetAces(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, Task.ErrorLoggerDelegate errorLogger, IDirectorySession session, ADObjectId id, bool remove, params ActiveDirectoryAccessRule[] aces) { if (verboseLogger != null) { verboseLogger(Strings.InfoSetAces(id.DistinguishedName)); } if (session == null) { throw new ArgumentNullException("session"); } if (id == null) { throw new ArgumentNullException("id"); } RawSecurityDescriptor rawSecurityDescriptor = session.ReadSecurityDescriptor(id); rawSecurityDescriptor = DirectoryCommon.ApplyAcesOnSd(verboseLogger, warningLogger, errorLogger, id, rawSecurityDescriptor, remove, aces); if (rawSecurityDescriptor != null) { session.SaveSecurityDescriptor(id, rawSecurityDescriptor); } }
public static void RemoveAccessRule(ActiveDirectorySecurity acl, ActiveDirectoryAccessRule ace) { if (!acl.RemoveAccessRule(ace)) { AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, false, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (DirectoryCommon.AceMatches(ace, activeDirectoryAccessRule, false)) { if ((~(ace.ActiveDirectoryRights != (ActiveDirectoryRights)0) & activeDirectoryAccessRule.ActiveDirectoryRights) == (ActiveDirectoryRights)0) { acl.RemoveAccessRuleSpecific(activeDirectoryAccessRule); } else { ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(activeDirectoryAccessRule.IdentityReference, ~ace.ActiveDirectoryRights & activeDirectoryAccessRule.ActiveDirectoryRights, activeDirectoryAccessRule.AccessControlType, activeDirectoryAccessRule.ObjectType, activeDirectoryAccessRule.InheritanceType, activeDirectoryAccessRule.InheritedObjectType); acl.RemoveAccessRuleSpecific(activeDirectoryAccessRule); acl.AddAccessRule(rule); } } } } }
private ADGroup CreateGroup(ADOrganizationalUnit usgContainer, string groupName, int groupId, Guid wkGuid, string groupDescription, GroupTypeFlags groupType, bool createAsRoleGroup) { ADRecipient adrecipient = base.ResolveExchangeGroupGuid <ADRecipient>(wkGuid); DNWithBinary dnwithBinary = null; if (adrecipient != null) { base.LogReadObject(adrecipient); if (adrecipient.RecipientType != RecipientType.Group) { base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adrecipient.Id.DistinguishedName, groupType.ToString()), ErrorCategory.NotSpecified, null); } ADGroup adgroup = adrecipient as ADGroup; base.LogReadObject(adgroup); if ((adgroup.GroupType & groupType) != groupType) { base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adgroup.Id.DistinguishedName, groupType.ToString()), ErrorCategory.NotSpecified, null); } if (createAsRoleGroup && adgroup.RecipientTypeDetails != RecipientTypeDetails.RoleGroup) { base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adgroup.Id.DistinguishedName, RecipientTypeDetails.RoleGroup.ToString()), ErrorCategory.NotSpecified, null); } base.WriteVerbose(Strings.InfoGroupAlreadyPresent(adgroup.Id.DistinguishedName)); dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.exchangeConfigContainer.OtherWellKnownObjects, wkGuid); if (dnwithBinary == null) { dnwithBinary = this.CreateWKGuid(this.exchangeConfigContainer, adgroup.Id, wkGuid); } if (createAsRoleGroup) { InitializeExchangeUniversalGroups.UpgradeRoleGroupLocalization(adgroup, groupId, groupDescription, this.rootDomainRecipientSession); } return(adgroup); } ADContainer adcontainer = this.exchangeConfigContainer; dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(adcontainer.OtherWellKnownObjects, wkGuid); if (dnwithBinary == null) { adcontainer = this.configContainer; dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(adcontainer.OtherWellKnownObjects, wkGuid); } if (dnwithBinary != null) { base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), adcontainer.DistinguishedName), ErrorCategory.NotSpecified, null); } ADGroup adgroup2 = null; try { if (createAsRoleGroup) { adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueRoleGroup(this.rootDomainRecipientSession, this.rootDomain.Id, usgContainer.Id, groupName, groupId, groupDescription, OrganizationId.ForestWideOrgId); } else { adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueChildSG(this.rootDomainRecipientSession, this.rootDomain.Id, usgContainer.Id, groupName, groupDescription, groupType, OrganizationId.ForestWideOrgId); } dnwithBinary = this.CreateWKGuid(this.exchangeConfigContainer, adgroup2.Id, wkGuid); } finally { if (adgroup2 == null && dnwithBinary != null) { this.exchangeConfigContainer.OtherWellKnownObjects.Remove(dnwithBinary); this.domainConfigurationSession.Save(this.exchangeConfigContainer); base.LogWriteObject(this.exchangeConfigContainer); } else if (adgroup2 != null && dnwithBinary == null) { this.rootDomainRecipientSession.Delete(adgroup2); base.LogWriteObject(adgroup2); adgroup2 = null; } } return(adgroup2); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); RoleGroupCollection roleGroupCollection = InitializeExchangeUniversalGroups.RoleGroupsToCreate(); bool flag = false; foreach (RoleGroupDefinition roleGroupDefinition in roleGroupCollection) { roleGroupDefinition.ADGroup = base.ResolveExchangeGroupGuid <ADGroup>(roleGroupDefinition.RoleGroupGuid); if (roleGroupDefinition.ADGroup == null) { flag = true; } } ADGroup adgroup = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.ExSWkGuid); ADGroup adgroup2 = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.E3iWkGuid); ADGroup adgroup3 = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.EtsWkGuid); ADGroup adgroup4 = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.EwpWkGuid); this.adSplitPermissionMode = false; if (this.ActiveDirectorySplitPermissions != null) { if (this.ActiveDirectorySplitPermissions.Value) { this.adSplitPermissionMode = true; } else { this.adSplitPermissionMode = false; } } else if (adgroup3 == null) { this.adSplitPermissionMode = false; } else if (adgroup4 == null) { this.adSplitPermissionMode = false; } else if (!adgroup4.Members.Contains(adgroup3.Id)) { this.adSplitPermissionMode = true; } else { this.adSplitPermissionMode = false; } ADOrganizationalUnit adorganizationalUnit = this.FindExchangeUSGContainer("Microsoft Exchange Protected Groups", this.domainConfigurationSession, this.rootDomain.Id); if (this.adSplitPermissionMode && adorganizationalUnit == null) { adorganizationalUnit = this.CreateExchangeUSGContainer("Microsoft Exchange Protected Groups", this.domainConfigurationSession, this.rootDomain.Id); if (adorganizationalUnit == null) { base.WriteError(new USGContainerNotFoundException("Microsoft Exchange Protected Groups", this.rootDomain.DistinguishedName), ErrorCategory.ObjectNotFound, null); } } ADOrganizationalUnit adorganizationalUnit2 = null; if (flag || adgroup == null || adgroup2 == null || adgroup3 == null || (!this.adSplitPermissionMode && adgroup4 == null)) { adorganizationalUnit2 = this.CreateExchangeUSGContainer("Microsoft Exchange Security Groups", this.domainConfigurationSession, this.rootDomain.Id); if (adorganizationalUnit2 == null) { base.WriteError(new USGContainerNotFoundException("Microsoft Exchange Security Groups", this.rootDomain.DistinguishedName), ErrorCategory.ObjectNotFound, null); } } else { adorganizationalUnit2 = this.FindExchangeUSGContainer("Microsoft Exchange Security Groups", this.domainConfigurationSession, this.rootDomain.Id); } this.CreateAndValidateRoleGroups(adorganizationalUnit2, roleGroupCollection); this.CreateGroup(adorganizationalUnit2, "Exchange Servers", 0, WellKnownGuid.ExSWkGuid, Strings.ExchangeServersUSGDescription); this.CreateGroup(adorganizationalUnit2, "Exchange Trusted Subsystem", 0, WellKnownGuid.EtsWkGuid, Strings.ExchangeTrustedSubsystemDescription); this.CreateGroup(adorganizationalUnit2, "Managed Availability Servers", 0, WellKnownGuid.MaSWkGuid, Strings.ManagedAvailabilityServersUSGDescription); if (this.adSplitPermissionMode) { this.CreateOrMoveEWPGroup(adgroup4, adorganizationalUnit); } else { this.CreateOrMoveEWPGroup(adgroup4, adorganizationalUnit2); if (adorganizationalUnit != null) { this.domainConfigurationSession.Delete(adorganizationalUnit); base.LogWriteObject(adorganizationalUnit); } } this.CreateGroup(adorganizationalUnit2, "ExchangeLegacyInterop", 0, WellKnownGuid.E3iWkGuid, Strings.ExchangeInteropUSGDescription); if (adgroup == null) { adgroup = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.ExSWkGuid); if (adgroup == null) { base.WriteError(new ExSGroupNotFoundException(WellKnownGuid.ExSWkGuid), ErrorCategory.InvalidData, null); } } base.LogReadObject(adgroup); ADGroup adgroup5 = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.MaSWkGuid); if (adgroup5 == null) { base.WriteError(new MaSGroupNotFoundException(WellKnownGuid.MaSWkGuid), ErrorCategory.InvalidData, null); } base.LogReadObject(adgroup5); InitializeExchangeUniversalGroups.AddMember(adgroup, this.rootDomainRecipientSession, adgroup5, new WriteVerboseDelegate(base.WriteVerbose)); if (adgroup2 == null) { adgroup2 = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.E3iWkGuid); if (adgroup2 == null) { base.WriteError(new E2k3InteropGroupNotFoundException(WellKnownGuid.E3iWkGuid), ErrorCategory.InvalidData, null); } } base.LogReadObject(adgroup2); bool etsExisted = adgroup3 != null; if (adgroup3 == null) { adgroup3 = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.EtsWkGuid); if (adgroup3 == null) { base.WriteError(new ExTrustedSubsystemGroupNotFoundException(WellKnownGuid.EtsWkGuid), ErrorCategory.InvalidData, null); } } base.LogReadObject(adgroup3); bool ewpExisted = adgroup4 != null; if (adgroup4 == null) { adgroup4 = base.ResolveExchangeGroupGuid <ADGroup>(WellKnownGuid.EwpWkGuid); if (adgroup4 == null) { base.WriteError(new ExWindowsPermissionsGroupNotFoundException(WellKnownGuid.EwpWkGuid), ErrorCategory.InvalidData, null); } } base.LogReadObject(adgroup4); this.GrantWriteMembershipPermission(adgroup3.Sid, adorganizationalUnit2); this.FixExchangeTrustedSubsystemGroupMembership(adgroup3, adgroup4, adgroup, roleGroupCollection.GetADGroupByGuid(WellKnownGuid.EmaWkGuid), etsExisted, ewpExisted); WindowsPrincipal windowsPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent()); string name = windowsPrincipal.Identity.Name; string[] array = name.Split(new char[] { '\\' }, 2); ADCrossRef[] domainPartitions = ADForest.GetLocalForest(base.DomainController).GetDomainPartitions(); if (domainPartitions == null || domainPartitions.Length == 0) { base.WriteError(new DomainsNotFoundException(), ErrorCategory.InvalidData, null); } List <SecurityIdentifier> list = new List <SecurityIdentifier>(); foreach (ADCrossRef adcrossRef in domainPartitions) { Exception ex = null; try { this.domainConfigurationSession.DomainController = null; ADDomain addomain = this.domainConfigurationSession.Read <ADDomain>(adcrossRef.NCName); base.LogReadObject(addomain); SecurityIdentifier item = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, addomain.Sid); list.Add(item); } catch (ADExternalException ex2) { ex = ex2; } catch (ADTransientException ex3) { ex = ex3; } if (ex != null) { this.WriteWarning(Strings.DomainNotReachableWarning(adcrossRef.DnsRoot[0])); } } this.domainConfigurationSession.DomainController = null; ADGroup adgroupByGuid = roleGroupCollection.GetADGroupByGuid(WellKnownGuid.EoaWkGuid); ADGroup adgroupByGuid2 = roleGroupCollection.GetADGroupByGuid(WellKnownGuid.EpaWkGuid); ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(adgroupByGuid.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All); List <ActiveDirectoryAccessRule> list2 = new List <ActiveDirectoryAccessRule>(); list2.Add(activeDirectoryAccessRule); Guid schemaPropertyGuid = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "member"); foreach (SecurityIdentifier identity in list) { list2.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid, ActiveDirectorySecurityInheritance.All)); } DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, adgroup, list2.ToArray()); try { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, adgroupByGuid, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); } catch (ADOperationException ex4) { this.WriteWarning(Strings.UnableToGrantFullControlOnEOA(adgroupByGuid.Id.ToString(), adgroupByGuid.Id.ToString(), ex4.Message)); } if (adgroupByGuid2 != null) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, adgroupByGuid2, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); } if (adorganizationalUnit2 != null) { base.WriteVerbose(Strings.InfoSetAces(adorganizationalUnit2.Id.DistinguishedName)); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, adorganizationalUnit2, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); } DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, adgroup2, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); bool useGlobalCatalog = this.recipientSession.UseGlobalCatalog; this.recipientSession.UseGlobalCatalog = true; try { ADRecipient adrecipient = (ADRecipient)this.recipientSession.FindByAccountName <ADRecipient>(array[0], array[1]); if (adrecipient != null) { TaskLogger.Trace("Adding user {0} ({1}), to group {2}.", new object[] { name, adrecipient.DistinguishedName, adgroupByGuid.DistinguishedName }); InitializeExchangeUniversalGroups.AddMember(adrecipient, this.rootDomainRecipientSession, adgroupByGuid, new WriteVerboseDelegate(base.WriteVerbose)); } else { TaskLogger.Trace("Didn't find user {0})", new object[] { name }); } } catch (ADOperationException ex5) { base.WriteVerbose(new LocalizedString(ex5.Message)); } this.recipientSession.UseGlobalCatalog = useGlobalCatalog; TaskLogger.LogExit(); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); QueryFilter filter = null; if (base.Fields.IsModified("AdministrativeGroup")) { filter = new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.Name, this.AdministrativeGroup); } IEnumerable <AdministrativeGroup> enumerable = this.configurationSession.FindPaged <AdministrativeGroup>(null, QueryScope.SubTree, filter, null, 0); IEnumerator <AdministrativeGroup> enumerator = enumerable.GetEnumerator(); if (enumerator == null || !enumerator.MoveNext()) { if (base.Fields.IsModified("AdministrativeGroup")) { base.WriteError(new AdminGroupNotFoundException(this.AdministrativeGroup), ErrorCategory.ObjectNotFound, null); } else { base.WriteError(new AdminGroupsNotFoundException(), ErrorCategory.ObjectNotFound, null); } } SecurityIdentifier sid = this.exs.Sid; SecurityIdentifier securityIdentifier = new SecurityIdentifier("AU"); SecurityIdentifier identity = new SecurityIdentifier("SY"); Guid schemaClassGuid = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchExchangeServer"); List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>(); list.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.RecipientUpdateExtendedRightGuid, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid)); list.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.RecipientUpdateExtendedRightGuid, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid)); GenericAce[] aces = new GenericAce[] { new ObjectAce(AceFlags.None, AceQualifier.AccessAllowed, 256, securityIdentifier, ObjectAceFlags.ObjectAceTypePresent, WellKnownGuid.CreatePublicFolderExtendedRightGuid, Guid.Empty, false, null) }; do { AdministrativeGroup administrativeGroup = enumerator.Current; base.LogReadObject(administrativeGroup); if (base.ShouldProcess(administrativeGroup.DistinguishedName, Strings.InfoProcessAction(this.eoa.Sid.ToString()), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, administrativeGroup, list.ToArray()); } DirectoryCommon.SetAclOnAlternateProperty(administrativeGroup, aces, AdministrativeGroupSchema.PublicFolderDefaultAdminAcl); if (base.ShouldProcess(administrativeGroup.DistinguishedName, Strings.InfoProcessAction(securityIdentifier.ToString()), null)) { this.configurationSession.Save(administrativeGroup); } PublicFolderTree[] array = this.configurationSession.Find <PublicFolderTree>(administrativeGroup.Id, QueryScope.SubTree, new ComparisonFilter(ComparisonOperator.Equal, PublicFolderTreeSchema.PublicFolderTreeType, PublicFolderTreeType.Mapi), null, 0); if (array.Length == 0) { base.WriteVerbose(Strings.InfoCouldNotFindMAPITLHInAdminGroup(administrativeGroup.AdminDisplayName)); } else { PublicFolderTree publicFolderTree = array[0]; base.LogReadObject(publicFolderTree); DirectoryCommon.SetAclOnAlternateProperty(publicFolderTree, aces, AdministrativeGroupSchema.PublicFolderDefaultAdminAcl); if (base.ShouldProcess(publicFolderTree.DistinguishedName, Strings.InfoProcessAction(securityIdentifier.ToString()), null)) { this.configurationSession.Save(publicFolderTree); } } ActiveDirectoryAccessRule ace = new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.ReceiveAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All); this.SetAceByObjectClass <ServersContainer>(administrativeGroup.Id, ace); }while (enumerator.MoveNext()); TaskLogger.LogExit(); }
public static void SetAces(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, IDirectorySession session, ADObjectId id, params ActiveDirectoryAccessRule[] aces) { DirectoryCommon.SetAces(verboseLogger, warningLogger, null, session, id, false, aces); }
public static bool FindAces(IDirectorySession session, ADObjectId id, params ActiveDirectoryAccessRule[] aces) { return(DirectoryCommon.FindAces(id, session.ReadSecurityDescriptor(id), aces)); }
public static void SetAces(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, Task.ErrorLoggerDelegate errorLogger, IDirectorySession session, ADObjectId id, params ActiveDirectoryAccessRule[] aces) { verboseLogger(Strings.InfoSetAces(id.DistinguishedName)); DirectoryCommon.SetAces(verboseLogger, warningLogger, errorLogger, session, id, false, aces); }
public static ActiveDirectoryAccessRule FindAce(ActiveDirectoryAccessRule ace, ActiveDirectorySecurity acl) { return(DirectoryCommon.FindAce(ace, acl, false, false)); }
public static bool FindAces(ADObject obj, params ActiveDirectoryAccessRule[] aces) { return(DirectoryCommon.FindAces(obj.Id, obj.ReadSecurityDescriptor(), aces)); }
private ADGroup CreateGroup(OrganizationId orgId, ADObjectId usgContainerId, string groupName, int groupId, Guid wkGuid, string groupDescription, GroupTypeFlags groupType, List <ADObjectId> manageBy) { ADGroup adgroup = null; DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.configurationUnit.OtherWellKnownObjects, wkGuid); if (null != dnwithBinary) { ADObjectId adobjectId = new ADObjectId(dnwithBinary.DistinguishedName); if (adobjectId.IsDeleted) { base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), orgId.ConfigurationUnit.DistinguishedName), ErrorCategory.InvalidData, null); } ADRecipient adrecipient = this.orgDomainRecipientSession.Read(adobjectId); if (adrecipient == null) { base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), orgId.ConfigurationUnit.DistinguishedName), ErrorCategory.InvalidData, null); } base.LogReadObject(adrecipient); if (adrecipient.RecipientType != RecipientType.Group) { base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), orgId.ConfigurationUnit.ToString(), adgroup.Id.DistinguishedName, groupType.ToString()), ErrorCategory.InvalidData, null); } adgroup = (adrecipient as ADGroup); InitializeExchangeUniversalGroups.UpgradeRoleGroupLocalization(adgroup, groupId, groupDescription, this.orgDomainRecipientSession); if ((adgroup.GroupType & groupType) != groupType) { base.WriteVerbose(Strings.InfoChangingGroupType(adgroup.Id.DistinguishedName, groupType.ToString())); adgroup.GroupType = groupType; adgroup.RecipientTypeDetails = RecipientTypeDetails.RoleGroup; this.orgDomainRecipientSession.Save(adgroup); base.LogWriteObject(adgroup); } else { base.WriteVerbose(Strings.InfoGroupAlreadyPresent(adgroup.Id.DistinguishedName)); } return(adgroup); } ADGroup adgroup2 = null; try { string groupSam = groupName + "{" + Guid.NewGuid().ToString("N") + "}"; adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueRoleGroup(this.orgDomainRecipientSession, orgId.OrganizationalUnit.DomainId, usgContainerId, groupName, groupId, groupDescription, groupSam, manageBy, orgId); dnwithBinary = this.CreateWKGuid(adgroup2.Id, wkGuid); } finally { if (adgroup2 == null && dnwithBinary != null) { this.configurationUnit.OtherWellKnownObjects.Remove(dnwithBinary); this.configurationSession.Save(this.configurationUnit); base.LogWriteObject(this.configurationUnit); } else if (adgroup2 != null && dnwithBinary == null) { this.orgDomainRecipientSession.Delete(adgroup2); base.LogWriteObject(adgroup2); adgroup2 = null; } } return(adgroup2); }
protected override void InternalProcessRecord() { TaskLogger.LogEnter(); IConfigurationSession session = (IConfigurationSession)ADSession.RescopeSessionToTenantSubTree(this.configurationSession); int count = DirectoryCommon.MailboxWriteAttrs.Count; SecurityIdentifier sid = this.exs.Sid; SecurityIdentifier sid2 = this.ets.Sid; this.configurationSession.GetOrgContainer(); SecurityIdentifier[] array = new SecurityIdentifier[] { this.eoa.Sid, this.ets.Sid }; SecurityIdentifier identity = new SecurityIdentifier("WD"); SecurityIdentifier identity2 = new SecurityIdentifier("AN"); SecurityIdentifier securityIdentifier = new SecurityIdentifier("AU"); SecurityIdentifier securityIdentifier2 = new SecurityIdentifier("NS"); SecurityIdentifier identity3 = new SecurityIdentifier("SY"); SecurityIdentifier identity4 = new SecurityIdentifier(WellKnownSidType.AccountEnterpriseAdminsSid, this.rootDomain.Sid); SecurityIdentifier identity5 = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, this.rootDomain.Sid); SecurityIdentifier identity6 = new SecurityIdentifier(WellKnownSidType.AccountSchemaAdminsSid, this.rootDomain.Sid); List <ActiveDirectoryAccessRule> list = new List <ActiveDirectoryAccessRule>(2); list.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.DsReplicationSynchronize, ActiveDirectorySecurityInheritance.None)); string distinguishedName = this.configurationSession.ConfigurationNamingContext.DistinguishedName; if (base.ShouldProcess(distinguishedName, Strings.InfoProcessAction(distinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, session, this.configurationSession.ConfigurationNamingContext, list.ToArray()); } Guid schemaClassGuid = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchSmtpReceiveConnector"); ADObjectId deletedObjectsContainer = this.configurationSession.DeletedObjectsContainer; base.WriteVerbose(Strings.InfoTakeOwnership(deletedObjectsContainer.DistinguishedName)); DirectoryCommon.TakeOwnership(deletedObjectsContainer, null, session); List <ActiveDirectoryAccessRule> list2 = new List <ActiveDirectoryAccessRule>(100); list2.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list2.Add(new ActiveDirectoryAccessRule(securityIdentifier, ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, ActiveDirectorySecurityInheritance.None)); list2.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list2.Add(new ActiveDirectoryAccessRule(sid2, ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.DeleteTree | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list2.Add(new ActiveDirectoryAccessRule(this.ets.Sid, ActiveDirectoryRights.WriteDacl, AccessControlType.Allow, schemaClassGuid, ActiveDirectorySecurityInheritance.All)); list2.Add(new ActiveDirectoryAccessRule(this.ets.Sid, ActiveDirectoryRights.GenericAll, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); if (this.epa != null) { list2.Add(new ActiveDirectoryAccessRule(this.epa.Sid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); } if (this.delegatedSetupRG != null) { list2.Add(new ActiveDirectoryAccessRule(this.delegatedSetupRG.Sid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); } if (base.ShouldProcess(this.meServicesContainer.DistinguishedName, Strings.InfoProcessAction(this.meServicesContainer.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, session, this.meServicesContainer.Id, list2.ToArray()); if (this.confUnitsContainer != null && !this.confUnitsContainer.Id.IsDescendantOf(this.configurationSession.ConfigurationNamingContext)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.confUnitsContainer, list2.ToArray()); } } Guid schemaClassGuid2 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchPrivateMDB"); Guid schemaClassGuid3 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchPublicMDB"); DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchAvailabilityConfig"); Guid schemaClassGuid4 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchAvailabilityAddressSpace"); Guid schemaPropertyGuid = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchAvailabilityUserPassword"); Guid schemaClassGuid5 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "siteAddressing"); Guid schemaClassGuid6 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "site"); Guid schemaClassGuid7 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "siteLink"); Guid schemaClassGuid8 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchEdgeSyncServiceConfig"); Guid schemaClassGuid9 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchEdgeSyncMservConnector"); Guid schemaClassGuid10 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchEdgeSyncEhfConnector"); Guid schemaPropertyGuid2 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "siteFolderServer"); Guid schemaPropertyGuid3 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "siteFolderGUID"); Guid schemaPropertyGuid4 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchDatabaseCreated"); Guid schemaPropertyGuid5 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchPatchMDB"); Guid schemaPropertyGuid6 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchEDBOffline"); Guid schemaPropertyGuid7 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchTransportSiteFlags"); Guid schemaPropertyGuid8 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchPartnerId"); Guid schemaPropertyGuid9 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchCost"); Guid schemaPropertyGuid10 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchVersion"); Guid schemaPropertyGuid11 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchLastAppliedRecipientFilter"); Guid schemaPropertyGuid12 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchRecipientFilterFlags"); Guid schemaPropertyGuid13 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "legacyExchangeDN"); Guid schemaPropertyGuid14 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchOwningServer"); Guid schemaPropertyGuid15 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchMinorPartnerId"); Guid schemaPropertyGuid16 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, "msExchResponsibleForSites"); List <ActiveDirectoryAccessRule> list3 = new List <ActiveDirectoryAccessRule>(); list3.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); List <ActiveDirectoryAccessRule> list4 = new List <ActiveDirectoryAccessRule>(); List <ActiveDirectoryAccessRule> list5 = new List <ActiveDirectoryAccessRule>(); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.SendAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.ReceiveAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreTransportAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreConstrainedDelegationExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreReadAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreReadWriteAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.SendAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.EpiImpersonationRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity4, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.TokenSerializationRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.ReceiveAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreTransportAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreConstrainedDelegationExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreReadAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreReadWriteAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list5.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreTransportAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.EpiImpersonationRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity5, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.TokenSerializationRightGuid, ActiveDirectorySecurityInheritance.All)); list5.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreConstrainedDelegationExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list5.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreReadAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list5.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.StoreReadWriteAccessExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity3, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(securityIdentifier, ActiveDirectoryRights.ReadProperty, AccessControlType.Deny, schemaPropertyGuid, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid4)); list4.Add(new ActiveDirectoryAccessRule(securityIdentifier2, ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(securityIdentifier, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.None)); list4.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreatePublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid2)); list4.Add(new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid3)); list4.Add(new ActiveDirectoryAccessRule(identity2, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreatePublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity2, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity2, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid2)); list4.Add(new ActiveDirectoryAccessRule(identity2, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid3)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, WellKnownGuid.PublicInfoPropSetGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, WellKnownGuid.PersonalInfoPropSetGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, WellKnownGuid.ExchangeInfoPropSetGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid5)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid3, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid2, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity6, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.EpiImpersonationRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity6, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.TokenSerializationRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.SendAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.ReceiveAsExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.TokenSerializationRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Deny, WellKnownGuid.EpiImpersonationRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreVisibleExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); if (this.epa != null) { list4.Add(new ActiveDirectoryAccessRule(this.epa.Sid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreVisibleExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); } list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid4, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid6, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid5, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid13, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid14, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(this.mas.Sid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); List <SecurityIdentifier> list6 = new List <SecurityIdentifier>(); list6.Add(this.eoa.Sid); if (this.epa != null) { list6.Add(this.epa.Sid); } foreach (SecurityIdentifier identity7 in list6) { list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.GenericRead, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.MailEnablePublicFolderGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreatePublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.CreateTopLevelPublicFolderExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderAdminACLExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderDeletedItemRetentionExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderExpiryExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderQuotasExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.ModifyPublicFolderReplicaListExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreAdminExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreCreateNamedPropertiesExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); list4.Add(new ActiveDirectoryAccessRule(identity7, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.StoreVisibleExtendedRightGuid, ActiveDirectorySecurityInheritance.All)); } for (int i = 0; i < count; i++) { Guid schemaPropertyGuid17 = DirectoryCommon.GetSchemaPropertyGuid(this.configurationSession, DirectoryCommon.MailboxWriteAttrs[i]); list4.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid17, ActiveDirectorySecurityInheritance.All)); } if (base.ShouldProcess(this.autodiscoverContainer.DistinguishedName, Strings.InfoProcessAction(this.autodiscoverContainer.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.autodiscoverContainer, list3.ToArray()); } if (base.ShouldProcess(this.orgContainer.DistinguishedName, Strings.InfoProcessAction(this.orgContainer.DistinguishedName), null)) { DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, null, this.orgContainer, list5.ToArray()); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.orgContainer, list4.ToArray()); } if (this.confUnitsContainer != null && base.ShouldProcess(this.confUnitsContainer.DistinguishedName, Strings.InfoProcessAction(this.confUnitsContainer.DistinguishedName), null)) { DirectoryCommon.RemoveAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, null, this.confUnitsContainer, list5.ToArray()); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.confUnitsContainer, list4.ToArray()); } ActiveDirectoryAccessRule[] aces = new ActiveDirectoryAccessRule[] { new ActiveDirectoryAccessRule(securityIdentifier, ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All) }; if (base.ShouldProcess(this.addressingContainer.DistinguishedName, Strings.InfoProcessAction(this.addressingContainer.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.addressingContainer, aces); } List <ActiveDirectoryAccessRule> list7 = new List <ActiveDirectoryAccessRule>(); if (this.isMultiTenancy) { list7.Add(new ActiveDirectoryAccessRule(this.eoa.Sid, ActiveDirectoryRights.ListChildren, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); list7.Add(new ActiveDirectoryAccessRule(this.era.Sid, ActiveDirectoryRights.ListChildren, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); } else { list7.Add(new ActiveDirectoryAccessRule(securityIdentifier, ActiveDirectoryRights.ListChildren, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All)); } foreach (SecurityIdentifier identity8 in list6) { list7.Add(new ActiveDirectoryAccessRule(identity8, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid11, ActiveDirectorySecurityInheritance.All)); list7.Add(new ActiveDirectoryAccessRule(identity8, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid12, ActiveDirectorySecurityInheritance.All)); } if (base.ShouldProcess(this.addressListsContainer.DistinguishedName, Strings.InfoProcessAction(this.addressListsContainer.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.addressListsContainer, list7.ToArray()); } if (this.isMultiTenancy) { base.ReplaceAddressListACEs(this.addressListsContainer.Id, securityIdentifier, new SecurityIdentifier[] { this.eoa.Sid, this.era.Sid }); } if (base.ShouldProcess(this.offlineAddressListsContainer.DistinguishedName, Strings.InfoProcessAction(this.offlineAddressListsContainer.DistinguishedName), null)) { ActiveDirectoryAccessRule[] aces2 = new ActiveDirectoryAccessRule[] { new ActiveDirectoryAccessRule(securityIdentifier, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.DownloadOABExtendedRightGuid, ActiveDirectorySecurityInheritance.All) }; DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.offlineAddressListsContainer, aces2); } List <ActiveDirectoryAccessRule> list8 = new List <ActiveDirectoryAccessRule>(); foreach (SecurityIdentifier identity9 in list6) { list8.Add(new ActiveDirectoryAccessRule(identity9, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid11, ActiveDirectorySecurityInheritance.All)); list8.Add(new ActiveDirectoryAccessRule(identity9, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid12, ActiveDirectorySecurityInheritance.All)); } if (base.ShouldProcess(this.recipPoliciesContainer.DistinguishedName, Strings.InfoProcessAction(this.recipPoliciesContainer.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.recipPoliciesContainer, list8.ToArray()); } List <ActiveDirectoryAccessRule> list9 = new List <ActiveDirectoryAccessRule>(); Guid schemaClassGuid11 = DirectoryCommon.GetSchemaClassGuid(this.configurationSession, "msExchExchangeServer"); foreach (SecurityIdentifier identity10 in list6) { list9.Add(new ActiveDirectoryAccessRule(identity10, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, WellKnownGuid.RecipientUpdateExtendedRightGuid, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid11)); } if (base.ShouldProcess(this.administrativeGroup.Id.DistinguishedName, Strings.InfoProcessAction(this.administrativeGroup.Id.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.administrativeGroup, list9.ToArray()); } List <ActiveDirectoryAccessRule> list10 = new List <ActiveDirectoryAccessRule>(); for (int j = 0; j < array.Length; j++) { list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid7, ActiveDirectorySecurityInheritance.All, schemaClassGuid6)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid10, ActiveDirectorySecurityInheritance.All, schemaClassGuid6)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid8, ActiveDirectorySecurityInheritance.All, schemaClassGuid6)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid15, ActiveDirectorySecurityInheritance.All, schemaClassGuid6)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid16, ActiveDirectorySecurityInheritance.All, schemaClassGuid6)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid9, ActiveDirectorySecurityInheritance.All, schemaClassGuid7)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid10, ActiveDirectorySecurityInheritance.All, schemaClassGuid7)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree, AccessControlType.Allow, schemaClassGuid8, ActiveDirectorySecurityInheritance.Children, schemaClassGuid6)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid8)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree, AccessControlType.Allow, schemaClassGuid9, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid8)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid9)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.DeleteTree, AccessControlType.Allow, schemaClassGuid10, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid8)); list10.Add(new ActiveDirectoryAccessRule(array[j], ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid10)); } list10.Add(new ActiveDirectoryAccessRule(identity3, ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid8)); list10.Add(new ActiveDirectoryAccessRule(identity3, ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid9)); list10.Add(new ActiveDirectoryAccessRule(identity3, ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid10)); list10.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid8)); list10.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid9)); list10.Add(new ActiveDirectoryAccessRule(sid, ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Descendents, schemaClassGuid10)); if (base.ShouldProcess(this.sitesContainer.Id.DistinguishedName, Strings.InfoProcessAction(this.sitesContainer.Id.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, session, this.sitesContainer.Id, list10.ToArray()); } this.SetDeletedObjectsSecurityDescriptor(sid, ActiveDirectoryRights.ListChildren); this.SetDeletedObjectsSecurityDescriptor(sid2, ActiveDirectoryRights.GenericRead); this.SetDeletedObjectsSecurityDescriptor(this.eoa.Sid, ActiveDirectoryRights.ReadControl | ActiveDirectoryRights.WriteDacl | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.ListObject); this.SetDeletedObjectsSecurityDescriptor(securityIdentifier2, ActiveDirectoryRights.ListChildren); ActiveDirectoryAccessRule[] aces3 = new ActiveDirectoryAccessRule[] { new ActiveDirectoryAccessRule(securityIdentifier, ActiveDirectoryRights.ListChildren, AccessControlType.Allow) }; if (base.ShouldProcess(this.arraysContainer.Id.DistinguishedName, Strings.InfoProcessAction(this.arraysContainer.Id.DistinguishedName), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, this.arraysContainer, aces3); } TaskLogger.LogExit(); }
public static void RemoveAces(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, Task.ErrorLoggerDelegate errorLogger, IDirectorySession session, ADObjectId id, params ActiveDirectoryAccessRule[] aces) { DirectoryCommon.SetAces(verboseLogger, warningLogger, errorLogger, session, id, true, aces); }
internal static bool ApplyAcesOnAcl(Task.TaskVerboseLoggingDelegate verboseLogger, Task.TaskWarningLoggingDelegate warningLogger, Task.ErrorLoggerDelegate errorLogger, string objectIdentityString, ActiveDirectorySecurity acl, bool remove, params ActiveDirectoryAccessRule[] aces) { bool result = false; if (!acl.AreAccessRulesCanonical) { LocalizedString message = Strings.InfoAclNotCanonical(objectIdentityString); if (errorLogger != null) { errorLogger(new TaskInvalidOperationException(message), ExchangeErrorCategory.ServerOperation, null); } else if (warningLogger != null) { warningLogger(message); } else if (verboseLogger != null) { verboseLogger(message); } return(false); } int i = 0; while (i < aces.Length) { ActiveDirectoryAccessRule activeDirectoryAccessRule = aces[i]; bool flag = false; ActiveDirectoryAccessRule activeDirectoryAccessRule2 = DirectoryCommon.FindAce(activeDirectoryAccessRule, acl, true, remove); if (null != activeDirectoryAccessRule2 != remove && (activeDirectoryAccessRule2 == null || !activeDirectoryAccessRule2.IsInherited)) { goto IL_13D; } if (!remove || !activeDirectoryAccessRule2.IsInherited) { if (verboseLogger != null) { if (remove) { verboseLogger(Strings.InfoRemovingAce(objectIdentityString, DirectoryCommon.AceToString(activeDirectoryAccessRule))); } else { verboseLogger(Strings.InfoAddingAce(objectIdentityString, DirectoryCommon.AceToString(activeDirectoryAccessRule))); } } if (remove) { DirectoryCommon.RemoveAccessRule(acl, activeDirectoryAccessRule); } else { acl.AddAccessRule(activeDirectoryAccessRule); } flag = (result = true); goto IL_13D; } LocalizedString message2 = Strings.ErrorWillNotPerformOnInheritedAce(activeDirectoryAccessRule2.ActiveDirectoryRights.ToString(), activeDirectoryAccessRule2.AccessControlType.ToString(), objectIdentityString); if (errorLogger != null) { errorLogger(new TaskInvalidOperationException(message2), ExchangeErrorCategory.ServerOperation, null); } else if (warningLogger != null) { warningLogger(message2); } else if (verboseLogger != null) { verboseLogger(message2); } IL_1DB: i++; continue; IL_13D: if ((flag && DirectoryCommon.FindAce(activeDirectoryAccessRule, acl, false, remove) == null == remove) || (verboseLogger == null && warningLogger == null && errorLogger == null)) { goto IL_1DB; } LocalizedString message3; if (remove) { if (activeDirectoryAccessRule.ObjectFlags == ObjectAceFlags.ObjectAceTypePresent) { string attr = string.Format("{0} (ObjectType: {1})", activeDirectoryAccessRule.ActiveDirectoryRights, activeDirectoryAccessRule.ObjectType); message3 = Strings.InfoAttributeAceNotPresent(objectIdentityString, attr); } else { message3 = Strings.InfoAceNotPresent(objectIdentityString, SecurityPrincipalIdParameter.GetFriendlyUserName(activeDirectoryAccessRule.IdentityReference, verboseLogger)); } } else { message3 = Strings.InfoAceAlreadyPresent(objectIdentityString, SecurityPrincipalIdParameter.GetFriendlyUserName(activeDirectoryAccessRule.IdentityReference, verboseLogger)); } if (warningLogger != null) { warningLogger(message3); goto IL_1DB; } if (verboseLogger != null) { verboseLogger(message3); goto IL_1DB; } goto IL_1DB; } return(result); }