private static bool CheckAceInheritanceRules(ActiveDirectoryAccessRule ace, string baseType) { //First case - the ACE is inherited if (ace.IsInherited) { // Grab the guid for our object the ace is applied too if (!_baseGuids.TryGetValue(baseType, out var baseGuid)) { return(false); } var inheritedType = ace.InheritedObjectType.ToString(); //Compare the InheritedObjectType for the ACE to either the guid for all objects or our base object's GUID return(inheritedType == AllGuid || inheritedType == baseGuid); } //Second case - the ACE is not inherited and applied directly to the object //If the ACE is marked as InheritOnly, it doesn't apply to the object if ((ace.PropagationFlags & PropagationFlags.InheritOnly) != 0) { return(false); } // The ACE is not inherited, and applies to the object return(true); }
protected override void WriteResult(IConfigurable dataObject) { TaskLogger.LogEnter(); base.HasObjectMatchingIdentity = true; ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, (IConfigurationSession)base.DataSession, new Task.TaskErrorLoggingDelegate(base.WriteError)); if (!base.Owner.IsPresent) { AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); int num = 0; while (accessRules.Count > num) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num]; if (base.SecurityPrincipal == null || (base.SecurityPrincipal != null && base.SecurityPrincipal == activeDirectoryAccessRule.IdentityReference)) { ADAcePresentationObject adacePresentationObject = new ADAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id); adacePresentationObject.ResetChangeTracking(true); base.WriteResult(adacePresentationObject); } num++; } } else { IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount)); base.WriteResult(new OwnerPresentationObject(((ADRawEntry)dataObject).Id, owner.ToString())); } TaskLogger.LogExit(); }
public static void PrintAce(ActiveDirectoryAccessRule rule) { Console.WriteLine("=====ACE====="); Console.Write(" Identity: "); Console.WriteLine(rule.IdentityReference.ToString()); Console.Write(" AccessControlType: "); Console.WriteLine(rule.AccessControlType.ToString()); Console.Write(" ActiveDirectoryRights: "); Console.WriteLine( rule.ActiveDirectoryRights.ToString()); Console.Write(" InheritanceType: "); Console.WriteLine(rule.InheritanceType.ToString()); Console.Write(" ObjectType: "); if (rule.ObjectType == Guid.Empty) { Console.WriteLine(""); } else { Console.WriteLine(rule.ObjectType.ToString()); } Console.Write(" InheritedObjectType: "); if (rule.InheritedObjectType == Guid.Empty) { Console.WriteLine(""); } else { Console.WriteLine( rule.InheritedObjectType.ToString()); } Console.Write(" ObjectFlags: "); Console.WriteLine(rule.ObjectFlags.ToString()); }
public static void PrintAce(ActiveDirectoryAccessRule rule, string forestDn) { //Adapted from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L3746 Regex rights = new Regex(@"(GenericAll)|(.*Write.*)|(.*Create.*)|(.*Delete.*)", RegexOptions.Compiled); Regex replica = new Regex(@"(.*Replication.*)", RegexOptions.Compiled); var sid = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString(); if (int.Parse(sid.Split('-').Last()) > 1000) { if (rights.IsMatch(rule.ActiveDirectoryRights.ToString())) { Console.WriteLine(" IdentityReference: {0}", rule.IdentityReference.ToString()); Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString()); Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString()); Console.WriteLine(); } else if ((rule.ActiveDirectoryRights.ToString() == "ExtendedRight" && rule.AccessControlType.ToString() == "Allow")) { Console.WriteLine(" IdentityReference: {0}", rule.IdentityReference.ToString()); Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString()); Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString()); //The ObjectType GUID maps to an extended right registered in the current forest schema, then that specific extended right is granted //Reference: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf Console.WriteLine(" ObjectType: {0}", Functions.ResolveRightsGuids(forestDn, rule.ObjectType.ToString())); Console.WriteLine(); } } }
protected void ReplaceAddressListACEs(ADObjectId addressBookContainerRoot, SecurityIdentifier originalSid, SecurityIdentifier[] replacementSids) { AddressBookBase[] array = this.configurationSession.Find <AddressBookBase>(addressBookContainerRoot, QueryScope.SubTree, null, null, 0); foreach (AddressBookBase addressBookBase in array) { bool flag = false; RawSecurityDescriptor rawSecurityDescriptor = addressBookBase.ReadSecurityDescriptor(); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); byte[] array3 = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array3, 0); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array3); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (activeDirectoryAccessRule.IdentityReference == originalSid) { flag = true; activeDirectorySecurity.RemoveAccessRuleSpecific(activeDirectoryAccessRule); foreach (SecurityIdentifier identity in replacementSids) { ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(identity, activeDirectoryAccessRule.ActiveDirectoryRights, activeDirectoryAccessRule.AccessControlType, activeDirectoryAccessRule.ObjectType, activeDirectoryAccessRule.InheritanceType, activeDirectoryAccessRule.InheritedObjectType); activeDirectorySecurity.AddAccessRule(rule); } } } if (flag && base.ShouldProcess(addressBookBase.DistinguishedName, Strings.InfoProcessAction(addressBookBase.DistinguishedName), null)) { addressBookBase.SaveSecurityDescriptor(new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0)); } } }
public static void PrintLAPSView(string objDn, ActiveDirectoryAccessRule rule, string forestDn) { //https://adsecurity.org/?p=3164 Regex rights = new Regex(@"(.*Read.*)", RegexOptions.Compiled); var sid = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString(); if (int.Parse(sid.Split('-').Last()) > 1000) { //Sometimes the identity reference cannot be resolved string IR = ""; try { IR = rule.IdentityReference.ToString(); } catch { } //FALSE for resolving Schema attribute instead of extended rights string objType = Functions.ResolveRightsGuids(forestDn, rule.ObjectType.ToString(), false); if (rights.IsMatch(rule.ActiveDirectoryRights.ToString()) && objType == "ms-Mcs-AdmPwd") { Console.WriteLine(" - Object DN: {0}", objDn); Console.WriteLine(); Console.WriteLine(" ObjectType: {0}", objType); Console.WriteLine(" ObjectFlags: {0}", rule.ObjectFlags); Console.WriteLine(" IdentityReference: {0}", IR); Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString()); Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString()); Console.WriteLine(); } } }
public static void PrintAce(ActiveDirectoryAccessRule rule, string forestDn) { //Adapted from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L3746 Regex rights = new Regex(@"(GenericAll)|(.*Write.*)|(.*Create.*)|(.*Delete.*)", RegexOptions.Compiled); //Regex replica = new Regex(@"(.*Replication.*)", RegexOptions.Compiled); string[] dcsync = { "DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All", "DS-Replication-Get-Changes-In-Filtered-Set" }; var sid = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString(); if (int.Parse(sid.Split('-').Last()) > 1000) { //Sometimes the identity reference cannot be resolved string IR = ""; try { IR = rule.IdentityReference.ToString(); } catch { } if (rights.IsMatch(rule.ActiveDirectoryRights.ToString())) { Console.WriteLine(" IdentityReference: {0}", IR); Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString()); Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString()); Console.WriteLine(); } else if (rule.ActiveDirectoryRights.ToString() == "ExtendedRight" && rule.AccessControlType.ToString() == "Allow") { Console.WriteLine(" IdentityReference: {0}", IR); Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString()); Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString()); //The ObjectType GUID maps to an extended right registered in the current forest schema, then that specific extended right is granted //Reference: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf string objType = Functions.ResolveRightsGuids(forestDn, rule.ObjectType.ToString()); Console.WriteLine(" ObjectType: {0}", objType); if (dcsync.Contains(objType)) { if (dcsyncCounter.ContainsKey(IR)) { dcsyncCounter[IR] += 1; } else { dcsyncCounter.Add(IR, 1); } } Console.WriteLine(); } } }
internal ADCertificateTemplateAccessRule(ActiveDirectoryAccessRule AccessRule) { Identity = AccessRule.IdentityReference.ToString(); ActiveDirectoryRights Rights = AccessRule.ActiveDirectoryRights; if (Rights.HasFlag(ActiveDirectoryRights.GenericRead) || Rights.HasFlag(ActiveDirectoryRights.GenericExecute)) { Read = true; } if (Rights.HasFlag(ActiveDirectoryRights.WriteDacl)) { Write = true; } if (Rights.HasFlag(ActiveDirectoryRights.GenericAll)) { FullControl = true; } if (Rights.HasFlag(ActiveDirectoryRights.ExtendedRight)) { switch (AccessRule.ObjectType.ToString()) { case ExtendedRightGuid.Enroll: Enroll = true; break; case ExtendedRightGuid.AutoEnroll: AutoEnroll = true; break; } } }
public ADAcePresentationObject(ActiveDirectoryAccessRule ace, ADObjectId identity) : base(ace, identity) { this.AccessRights = new ActiveDirectoryRights[] { ace.ActiveDirectoryRights }; base.ResetChangeTracking(); }
public static void AddPropertyAccess(string objectPath, IdentityReference identity, string propertyGuid) { var obj = new DirectoryEntry(objectPath); var rule = new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, new Guid(propertyGuid), ActiveDirectorySecurityInheritance.All); obj.ObjectSecurity.AddAccessRule(rule); obj.CommitChanges(); }
public static void AddPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission, ActiveDirectorySecurityInheritance inheritance = ActiveDirectorySecurityInheritance.All) { var obj = new DirectoryEntry(objectPath); var rule = new ActiveDirectoryAccessRule(identity, permission, AccessControlType.Allow, inheritance); obj.ObjectSecurity.AddAccessRule(rule); obj.CommitChanges(); }
private static bool AceMatches(ActiveDirectoryAccessRule ace1, ActiveDirectoryAccessRule ace2, bool subsetInsteadOfSuperset) { if (subsetInsteadOfSuperset) { return(ace1.IdentityReference == ace2.IdentityReference && ace1.AccessControlType == ace2.AccessControlType && (ace1.ActiveDirectoryRights & ace2.ActiveDirectoryRights) != (ActiveDirectoryRights)0 && (ace1.InheritanceFlags & ace2.InheritanceFlags) == ace2.InheritanceFlags && (ace1.ObjectFlags & ace2.ObjectFlags) == ace1.ObjectFlags && DirectoryCommon.InheritsToAtLeastAsMany(ace2.InheritanceType, ace1.InheritanceType) && DirectoryCommon.ObjectTypeMatches(ace1.ObjectFlags, ace1.ObjectType, ace1.InheritedObjectType, ace2.ObjectFlags, ace2.ObjectType, ace2.InheritedObjectType)); } return(ace1.IdentityReference == ace2.IdentityReference && ace1.AccessControlType == ace2.AccessControlType && (ace1.ActiveDirectoryRights & ace2.ActiveDirectoryRights) == ace1.ActiveDirectoryRights && (ace1.InheritanceFlags & ace2.InheritanceFlags) == ace1.InheritanceFlags && (ace1.ObjectFlags & ace2.ObjectFlags) == ace1.ObjectFlags && DirectoryCommon.InheritsToAtLeastAsMany(ace1.InheritanceType, ace2.InheritanceType) && DirectoryCommon.ObjectTypeMatches(ace1.ObjectFlags, ace1.ObjectType, ace1.InheritedObjectType, ace2.ObjectFlags, ace2.ObjectType, ace2.InheritedObjectType)); }
/// <summary> /// Sets the ace to write to members for this group /// </summary> /// <param name="UserName"></param> public void SetUpdateMembersPriviledge(string UserName) { ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(new System.Security.Principal.NTAccount("kor" + "\\" + UserName), ActiveDirectoryRights.WriteProperty, System.Security.AccessControl.AccessControlType.Allow, new Guid(Tools.ADACEObjectTypes.ADS_OBJECT_WRITE_MEMBERS)); DirectoryEntry.ObjectSecurity.AddAccessRule(rule); }
public AcePresentationObject(ActiveDirectoryAccessRule ace, ObjectId identity) : this() { this.realAce = ace; this.Identity = identity; this.InheritanceType = ace.InheritanceType; this.IsInherited = ace.IsInherited; this.PopulateCalculatedProperties(); base.ResetChangeTracking(); }
internal static List <ADRecipient> GetUsersGrantedSendAsPermission(ADRecipient mailbox, IRecipientSession galSession) { TraceWrapper.SearchLibraryTracer.TraceDebug <ADRecipient>(0, "Reading users who have SendAs rights for: {0}", mailbox); RawSecurityDescriptor rawSecurityDescriptor = galSession.ReadSecurityDescriptor(mailbox.Id); if (rawSecurityDescriptor == null) { TraceWrapper.SearchLibraryTracer.TraceDebug(0, "Null security-descriptor returned for mailbox", new object[0]); return(null); } byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); if (accessRules == null) { TraceWrapper.SearchLibraryTracer.TraceDebug(0, "No rules on ACL for this mailbox", new object[0]); return(null); } List <ADRecipient> list = null; foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (activeDirectoryAccessRule.AccessControlType == AccessControlType.Allow && object.Equals(activeDirectoryAccessRule.ObjectType, WellKnownGuid.SendAsExtendedRightGuid)) { IdentityReference identityReference = activeDirectoryAccessRule.IdentityReference; string value = identityReference.Value; try { ADRecipient adrecipient = galSession.FindBySid(new SecurityIdentifier(value)); if (adrecipient == null) { TraceWrapper.SearchLibraryTracer.TraceError <string>(0, "User not found for SID: {0}", value); } else { if (list == null) { list = new List <ADRecipient>(); } list.Add(adrecipient); TraceWrapper.SearchLibraryTracer.TraceDebug <string, string>(0, "Added {0} to list of users who have Send-As permission for {1}.", adrecipient.DisplayName, mailbox.DisplayName); } } catch (NonUniqueRecipientException arg) { TraceWrapper.SearchLibraryTracer.TraceError <string, string, NonUniqueRecipientException>(0, "Caught NonUniqueRecipientException when attempting to look up user with SID {0} while reading list of users granted Send-As permission to {1}: {2}", value, mailbox.Name, arg); } } } return(list); }
public static void GrantWriteMembershipPermissionToEOA(ADObject obj, ADGroup eoa, IConfigurationSession configurationSession, Task.TaskVerboseLoggingDelegate logWarning) { Guid schemaPropertyGuid = DirectoryCommon.GetSchemaPropertyGuid(configurationSession, "member"); ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(eoa.Sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid, ActiveDirectorySecurityInheritance.All); DirectoryCommon.SetAces(logWarning, null, obj, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); }
protected override void WriteResult(IConfigurable dataObject) { TaskLogger.LogEnter(); this.HasObjectMatchingIdentity = true; ADUser aduser = (ADUser)dataObject; if (aduser.Database == null || aduser.ExchangeGuid == Guid.Empty) { base.Validate(aduser); } else { ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor((ADUser)dataObject, PermissionTaskHelper.GetReadOnlySession(base.DomainController), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.ErrorLoggerDelegate(base.WriteError)); if (!this.Owner.IsPresent) { AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); int num = 0; while (accessRules.Count > num) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num]; if (this.SecurityPrincipal == null || this.SecurityPrincipal.Sid == activeDirectoryAccessRule.IdentityReference || this.SecurityPrincipal.SidHistory.Contains(activeDirectoryAccessRule.IdentityReference as SecurityIdentifier)) { MailboxAcePresentationObject mailboxAcePresentationObject = new MailboxAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id); if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null) { SecurityIdentifier securityIdentifier = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference; ADRecipient adrecipient = null; try { adrecipient = base.TenantGlobalCatalogSession.FindBySid(securityIdentifier); } catch { } if (adrecipient != null) { string friendlyName = (!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name; mailboxAcePresentationObject.User = new SecurityPrincipalIdParameter(securityIdentifier, friendlyName); } } mailboxAcePresentationObject.ResetChangeTracking(true); base.WriteResult(mailboxAcePresentationObject); } num++; } } else { IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount)); OwnerPresentationObject dataObject2 = new OwnerPresentationObject(((ADUser)dataObject).Id, owner.ToString()); base.WriteResult(dataObject2); } } TaskLogger.LogExit(); }
public void UserChangePasswordRule(DirectoryEntry de, Boolean canChangePwd) { Guid changePasswordGuid = new Guid("{ab721a53-1e2f-11d0-9819-00aa0040529b}"); IdentityReference selfSddl = new SecurityIdentifier(WellKnownSidType.SelfSid, null); // or ("S-1-1-0"); IdentityReference everyoneSddl = new SecurityIdentifier(WellKnownSidType.WorldSid, null); // or ("S-1-5-10"); ActiveDirectoryAccessRule selfAccRule = new ActiveDirectoryAccessRule(selfSddl, ActiveDirectoryRights.ExtendedRight, canChangePwd ? AccessControlType.Allow : AccessControlType.Deny, changePasswordGuid); ActiveDirectoryAccessRule everyoneAccRule = new ActiveDirectoryAccessRule(everyoneSddl, ActiveDirectoryRights.ExtendedRight, canChangePwd ? AccessControlType.Allow : AccessControlType.Deny, changePasswordGuid); de.ObjectSecurity.AddAccessRule(selfAccRule); de.ObjectSecurity.AddAccessRule(everyoneAccRule); }
public RecipientPermission(ActiveDirectoryAccessRule ace, ADObjectId identity, string trustee, RecipientAccessRight accessRight) : this() { if (ace == null) { throw new ArgumentNullException("ace"); } this.Identity = identity; this.Trustee = trustee; this.AccessControlType = ace.AccessControlType; this.AccessRights = new MultiValuedProperty <RecipientAccessRight>(accessRight); this.IsInherited = ace.IsInherited; this.InheritanceType = ace.InheritanceType; }
private void SetDeletedObjectsSecurityDescriptor(SecurityIdentifier sid, ActiveDirectoryRights adr) { ADObjectId deletedObjectsContainer = this.configurationSession.DeletedObjectsContainer; if (base.ShouldProcess(deletedObjectsContainer.DistinguishedName, Strings.InfoProcessAction(sid.ToString()), null)) { ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(sid, adr, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All); DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IConfigurationSession)ADSession.RescopeSessionToTenantSubTree(this.configurationSession), deletedObjectsContainer, new ActiveDirectoryAccessRule[] { activeDirectoryAccessRule }); } }
internal override void AdjustADSecurity(string objPath, string securityGroupPath, bool isAddressBook) { ExchangeLog.LogStart("AdjustADSecurity"); ExchangeLog.DebugInfo(" Active Direcory object: {0}", objPath); ExchangeLog.DebugInfo(" Security Group: {0}", securityGroupPath); if (isAddressBook) { ExchangeLog.DebugInfo(" Updating Security"); //"Download Address Book" security permission for offline address book Guid openAddressBookGuid = new Guid("{bd919c7c-2d79-4950-bc9c-e16fd99285e8}"); DirectoryEntry groupEntry = GetADObject(securityGroupPath); byte[] byteSid = (byte[])GetADObjectProperty(groupEntry, "objectSid"); DirectoryEntry objEntry = GetADObject(objPath); ActiveDirectorySecurity security = objEntry.ObjectSecurity; // Create a SecurityIdentifier object for security group. SecurityIdentifier groupSid = new SecurityIdentifier(byteSid, 0); // Create an access rule to allow users in Security Group to open address book. ActiveDirectoryAccessRule allowOpenAddressBook = new ActiveDirectoryAccessRule( groupSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, openAddressBookGuid); // Create an access rule to allow users in Security Group to read object. ActiveDirectoryAccessRule allowRead = new ActiveDirectoryAccessRule( groupSid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow); // Remove existing rules if exist security.RemoveAccessRuleSpecific(allowOpenAddressBook); security.RemoveAccessRuleSpecific(allowRead); // Add a new access rule to allow users in Security Group to open address book. security.AddAccessRule(allowOpenAddressBook); // Add a new access rule to allow users in Security Group to read object. security.AddAccessRule(allowRead); // Commit the changes. objEntry.CommitChanges(); } ExchangeLog.LogEnd("AdjustADSecurity"); }
/// <summary> /// SetAccessRights method sets the particular access right for a particular user on a particualr AD Container/Object /// </summary> /// <param name="DN">The distinguished name of the Container/Object.</param> /// <param name="user">The name of the user to whom the permissions to be set</param> /// <param name="domain">The name of the domain to which user is belongs to</param> /// <param name="accessRight">The name of the access right to be set</param> /// <param name="controlType">Allow/Deny particular ActiveDirecotyRights</param> /// <returns></returns> public bool SetACLs(string DN, string user, string domain, ActiveDirectoryRights accessRight, AccessControlType controlType) { using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + DN, ConfigStore.AdminName, ConfigStore.AdminPassword, AuthenticationTypes.Secure)) { ActiveDirectorySecurity sd = entry.ObjectSecurity; NTAccount accountName = new NTAccount(domain, user); IdentityReference acctSID = accountName.Translate(typeof(SecurityIdentifier)); ActiveDirectoryAccessRule myRule = new ActiveDirectoryAccessRule(new SecurityIdentifier(acctSID.Value), accessRight, controlType); sd.AddAccessRule(myRule); entry.ObjectSecurity.AddAccessRule(myRule); entry.CommitChanges(); return(true); } }
private static ActiveDirectoryAccessRule FindAce(ActiveDirectoryAccessRule ace, ActiveDirectorySecurity acl, bool includeInherited, bool subsetInsteadOfSuperset) { AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, includeInherited, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (DirectoryCommon.AceMatches(ace, activeDirectoryAccessRule, subsetInsteadOfSuperset)) { return(activeDirectoryAccessRule); } } return(null); }
private void SetAceByObjectClass <T>(ADObjectId root, ActiveDirectoryAccessRule ace) where T : ADConfigurationObject, new() { T[] array = this.configurationSession.Find <T>(root, QueryScope.SubTree, null, null, 0); foreach (T t in array) { if (base.ShouldProcess(t.DistinguishedName, Strings.InfoProcessAction(ace.IdentityReference.ToString()), null)) { DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, t, new ActiveDirectoryAccessRule[] { ace }); } } }
internal static RecipientAccessRight?GetRecipientAccessRight(ActiveDirectoryAccessRule ace) { if ((ace.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) == ActiveDirectoryRights.ExtendedRight) { foreach (RecipientAccessRight recipientAccessRight in RecipientPermissionHelper.RecipientAccessRightGuidMap.Keys) { if (ace.ObjectType == RecipientPermissionHelper.RecipientAccessRightGuidMap[recipientAccessRight]) { return(new RecipientAccessRight?(recipientAccessRight)); } } } return(null); }
public static int CountAce(ActiveDirectoryAccessRule ace, ActiveDirectorySecurity acl) { int num = 0; AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, false, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule ace2 = (ActiveDirectoryAccessRule)obj; if (DirectoryCommon.AceMatches(ace, ace2, false)) { num++; } } return(num); }
public static void RemoveOUSecurityfromUser(string ouPath, string domain, string Username, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance) { DirectoryEntry ou = GetADObject(ouPath); NTAccount ADUser = new NTAccount(domain, Username); ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule( ADUser, rights, type, inheritance ); ou.ObjectSecurity.RemoveAccessRule(ruleRead); ou.CommitChanges(); ou.Close(); }
/// <summary> /// Set the security rights on a computer object to allow users in the JoinToComputer group to join to computer objects. /// </summary> /// <param name="compName">The computer object name to set permissions on</param> /// <param name="ouContainer">The container where the computer object resides.</param> private void SetSecurityRights(string compName, string ouContainer) { string qString = "(&(name=" + compName + ")(objectClass=computer))"; ExecuteResult result = this.ExecuteSearch(qString, false, ouContainer); //TODO: add group to security var computer = result.singleResult.GetDirectoryEntry(); ActiveDirectorySecurity sdc = computer.ObjectSecurity; NTAccount Account = new NTAccount("capstone", "JoinToComputer"); SecurityIdentifier sid = (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier)); Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2"); Guid computerSchemaGuid = new Guid("bf967a86-0de6-11d0-a285-00aa003049e2"); Guid UserForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529"); // ‘Reset password’ Guid dnsHostNameGuid = new Guid("72e39547-7b18-11d1-adef-00c04fd8d5cd"); // ‘Validated write to DNS host name’ Guid rwAccountRestrictions = new Guid("4c164200-20c0-11d0-a768-00aa006e0529"); // ‘Read and write account restrictions’ Guid wServicePrincipalName = new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1"); // ‘Validated write to service principal name’ ActiveDirectoryAccessRule acctRestrictionsRW = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, rwAccountRestrictions, ActiveDirectorySecurityInheritance.None); sdc.AddAccessRule(acctRestrictionsRW); ActiveDirectoryAccessRule dnsHostNameEdit = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.Self, AccessControlType.Allow, dnsHostNameGuid, ActiveDirectorySecurityInheritance.None); sdc.AddAccessRule(dnsHostNameEdit); ActiveDirectoryAccessRule valSPN = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.Self, AccessControlType.Allow, wServicePrincipalName, ActiveDirectorySecurityInheritance.None); sdc.AddAccessRule(valSPN); ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(Account, AccessControlType.Allow, UserForceChangePassword, ActiveDirectorySecurityInheritance.None, userSchemaGuid); sdc.AddAccessRule(erarResetPwd); /* may require the below line * * Guid userAccountControlGuid = GUID('bf967a68-0de6-11d0-a285-00aa003049e2'); * ActiveDirectoryAccessRule userAccountControlEdit = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, userAccountControlGuid, ActiveDirectorySecurityInheritance.None); * sdc.AddAccessRule(userAccountControlEdit); * * */ //commit and cleanup computer.CommitChanges(); computer.Close(); computer.Dispose(); }
protected override void WriteResult(IConfigurable dataObject) { TaskLogger.LogEnter(); IDirectorySession directorySession = (IDirectorySession)base.DataSession; if (TaskHelper.ShouldUnderscopeDataSessionToOrganization(directorySession, (ADObject)dataObject)) { directorySession = TaskHelper.UnderscopeSessionToOrganization(directorySession, ((ADObject)dataObject).OrganizationId, true); } ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, directorySession, new Task.TaskErrorLoggingDelegate(base.WriteError)); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (this.Trustee == null || this.trusteeSid == activeDirectoryAccessRule.IdentityReference) { RecipientAccessRight?recipientAccessRight = this.FilterByRecipientAccessRights(activeDirectoryAccessRule, this.AccessRights); if (recipientAccessRight != null) { string text = string.Empty; if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null) { try { SecurityIdentifier sId = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference; ADRecipient adrecipient = base.TenantGlobalCatalogSession.FindBySid(sId); if (adrecipient != null) { text = ((!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name); } } catch { } } if (string.IsNullOrEmpty(text)) { text = RecipientPermissionTaskHelper.GetFriendlyNameOfSecurityIdentifier((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, base.TenantGlobalCatalogSession, new Task.TaskErrorLoggingDelegate(base.WriteError), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose)); } RecipientPermission dataObject2 = new RecipientPermission(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id, text, recipientAccessRight.Value); base.WriteResult(dataObject2); } } } TaskLogger.LogExit(); }
internal static SecurityIdentifier[] GetServerAdmins(Server server, IDirectorySession session, Task.TaskErrorLoggingDelegate logError) { List <SecurityIdentifier> list = new List <SecurityIdentifier>(); ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(server, session, logError); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (activeDirectoryAccessRule.ActiveDirectoryRights == ActiveDirectoryRights.GenericAll) { SecurityIdentifier item = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference; list.Add(item); } } return(list.ToArray()); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) {}
public void RemoveAccessRuleSpecific(ActiveDirectoryAccessRule rule) {}
// Methods public void AddAccessRule(ActiveDirectoryAccessRule rule) {}
public void ResetAccessRule(ActiveDirectoryAccessRule rule) {}