private static bool CheckAceInheritanceRules(ActiveDirectoryAccessRule ace, string baseType)
{
//First case - the ACE is inherited
if (ace.IsInherited)
{
// Grab the guid for our object the ace is applied too
if (!_baseGuids.TryGetValue(baseType, out var baseGuid))
{
return(false);
}
var inheritedType = ace.InheritedObjectType.ToString();
//Compare the InheritedObjectType for the ACE to either the guid for all objects or our base object's GUID
return(inheritedType == AllGuid || inheritedType == baseGuid);
}
//Second case - the ACE is not inherited and applied directly to the object
//If the ACE is marked as InheritOnly, it doesn't apply to the object
if ((ace.PropagationFlags & PropagationFlags.InheritOnly) != 0)
{
return(false);
}
// The ACE is not inherited, and applies to the object
return(true);
}
protected override void WriteResult(IConfigurable dataObject)
{
TaskLogger.LogEnter();
base.HasObjectMatchingIdentity = true;
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, (IConfigurationSession)base.DataSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (!base.Owner.IsPresent)
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
int num = 0;
while (accessRules.Count > num)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num];
if (base.SecurityPrincipal == null || (base.SecurityPrincipal != null && base.SecurityPrincipal == activeDirectoryAccessRule.IdentityReference))
{
ADAcePresentationObject adacePresentationObject = new ADAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id);
adacePresentationObject.ResetChangeTracking(true);
base.WriteResult(adacePresentationObject);
}
num++;
}
}
else
{
IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount));
base.WriteResult(new OwnerPresentationObject(((ADRawEntry)dataObject).Id, owner.ToString()));
}
TaskLogger.LogExit();
}
public static void PrintAce(ActiveDirectoryAccessRule rule)
{
Console.WriteLine("=====ACE=====");
Console.Write(" Identity: ");
Console.WriteLine(rule.IdentityReference.ToString());
Console.Write(" AccessControlType: ");
Console.WriteLine(rule.AccessControlType.ToString());
Console.Write(" ActiveDirectoryRights: ");
Console.WriteLine(
rule.ActiveDirectoryRights.ToString());
Console.Write(" InheritanceType: ");
Console.WriteLine(rule.InheritanceType.ToString());
Console.Write(" ObjectType: ");
if (rule.ObjectType == Guid.Empty)
{
Console.WriteLine("");
}
else
{
Console.WriteLine(rule.ObjectType.ToString());
}
Console.Write(" InheritedObjectType: ");
if (rule.InheritedObjectType == Guid.Empty)
{
Console.WriteLine("");
}
else
{
Console.WriteLine(
rule.InheritedObjectType.ToString());
}
Console.Write(" ObjectFlags: ");
Console.WriteLine(rule.ObjectFlags.ToString());
}
public static void PrintAce(ActiveDirectoryAccessRule rule, string forestDn)
{
//Adapted from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L3746
Regex rights = new Regex(@"(GenericAll)|(.*Write.*)|(.*Create.*)|(.*Delete.*)", RegexOptions.Compiled);
Regex replica = new Regex(@"(.*Replication.*)", RegexOptions.Compiled);
var sid = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString();
if (int.Parse(sid.Split('-').Last()) > 1000)
{
if (rights.IsMatch(rule.ActiveDirectoryRights.ToString()))
{
Console.WriteLine(" IdentityReference: {0}", rule.IdentityReference.ToString());
Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString());
Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString());
Console.WriteLine();
}
else if ((rule.ActiveDirectoryRights.ToString() == "ExtendedRight" && rule.AccessControlType.ToString() == "Allow"))
{
Console.WriteLine(" IdentityReference: {0}", rule.IdentityReference.ToString());
Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString());
Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString());
//The ObjectType GUID maps to an extended right registered in the current forest schema, then that specific extended right is granted
//Reference: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
Console.WriteLine(" ObjectType: {0}", Functions.ResolveRightsGuids(forestDn, rule.ObjectType.ToString()));
Console.WriteLine();
}
}
}
protected void ReplaceAddressListACEs(ADObjectId addressBookContainerRoot, SecurityIdentifier originalSid, SecurityIdentifier[] replacementSids)
{
AddressBookBase[] array = this.configurationSession.Find <AddressBookBase>(addressBookContainerRoot, QueryScope.SubTree, null, null, 0);
foreach (AddressBookBase addressBookBase in array)
{
bool flag = false;
RawSecurityDescriptor rawSecurityDescriptor = addressBookBase.ReadSecurityDescriptor();
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
byte[] array3 = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array3, 0);
activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array3);
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (activeDirectoryAccessRule.IdentityReference == originalSid)
{
flag = true;
activeDirectorySecurity.RemoveAccessRuleSpecific(activeDirectoryAccessRule);
foreach (SecurityIdentifier identity in replacementSids)
{
ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(identity, activeDirectoryAccessRule.ActiveDirectoryRights, activeDirectoryAccessRule.AccessControlType, activeDirectoryAccessRule.ObjectType, activeDirectoryAccessRule.InheritanceType, activeDirectoryAccessRule.InheritedObjectType);
activeDirectorySecurity.AddAccessRule(rule);
}
}
}
if (flag && base.ShouldProcess(addressBookBase.DistinguishedName, Strings.InfoProcessAction(addressBookBase.DistinguishedName), null))
{
addressBookBase.SaveSecurityDescriptor(new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0));
}
}
}
public static void PrintLAPSView(string objDn, ActiveDirectoryAccessRule rule, string forestDn)
{
//https://adsecurity.org/?p=3164
Regex rights = new Regex(@"(.*Read.*)", RegexOptions.Compiled);
var sid = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString();
if (int.Parse(sid.Split('-').Last()) > 1000)
{
//Sometimes the identity reference cannot be resolved
string IR = "";
try
{
IR = rule.IdentityReference.ToString();
}
catch { }
//FALSE for resolving Schema attribute instead of extended rights
string objType = Functions.ResolveRightsGuids(forestDn, rule.ObjectType.ToString(), false);
if (rights.IsMatch(rule.ActiveDirectoryRights.ToString()) &&
objType == "ms-Mcs-AdmPwd")
{
Console.WriteLine(" - Object DN: {0}", objDn);
Console.WriteLine();
Console.WriteLine(" ObjectType: {0}", objType);
Console.WriteLine(" ObjectFlags: {0}", rule.ObjectFlags);
Console.WriteLine(" IdentityReference: {0}", IR);
Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString());
Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString());
Console.WriteLine();
}
}
}
public static void PrintAce(ActiveDirectoryAccessRule rule, string forestDn)
{
//Adapted from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L3746
Regex rights = new Regex(@"(GenericAll)|(.*Write.*)|(.*Create.*)|(.*Delete.*)", RegexOptions.Compiled);
//Regex replica = new Regex(@"(.*Replication.*)", RegexOptions.Compiled);
string[] dcsync = { "DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All", "DS-Replication-Get-Changes-In-Filtered-Set" };
var sid = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString();
if (int.Parse(sid.Split('-').Last()) > 1000)
{
//Sometimes the identity reference cannot be resolved
string IR = "";
try
{
IR = rule.IdentityReference.ToString();
}
catch { }
if (rights.IsMatch(rule.ActiveDirectoryRights.ToString()))
{
Console.WriteLine(" IdentityReference: {0}", IR);
Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString());
Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString());
Console.WriteLine();
}
else if (rule.ActiveDirectoryRights.ToString() == "ExtendedRight" && rule.AccessControlType.ToString() == "Allow")
{
Console.WriteLine(" IdentityReference: {0}", IR);
Console.WriteLine(" IdentitySID: {0}", rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString());
Console.WriteLine(" ActiveDirectoryRights: {0}", rule.ActiveDirectoryRights.ToString());
//The ObjectType GUID maps to an extended right registered in the current forest schema, then that specific extended right is granted
//Reference: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
string objType = Functions.ResolveRightsGuids(forestDn, rule.ObjectType.ToString());
Console.WriteLine(" ObjectType: {0}", objType);
if (dcsync.Contains(objType))
{
if (dcsyncCounter.ContainsKey(IR))
{
dcsyncCounter[IR] += 1;
}
else
{
dcsyncCounter.Add(IR, 1);
}
}
Console.WriteLine();
}
}
}
internal ADCertificateTemplateAccessRule(ActiveDirectoryAccessRule AccessRule)
{
Identity = AccessRule.IdentityReference.ToString();
ActiveDirectoryRights Rights = AccessRule.ActiveDirectoryRights;
if (Rights.HasFlag(ActiveDirectoryRights.GenericRead) || Rights.HasFlag(ActiveDirectoryRights.GenericExecute))
{
Read = true;
}
if (Rights.HasFlag(ActiveDirectoryRights.WriteDacl))
{
Write = true;
}
if (Rights.HasFlag(ActiveDirectoryRights.GenericAll))
{
FullControl = true;
}
if (Rights.HasFlag(ActiveDirectoryRights.ExtendedRight))
{
switch (AccessRule.ObjectType.ToString())
{
case ExtendedRightGuid.Enroll:
Enroll = true;
break;
case ExtendedRightGuid.AutoEnroll:
AutoEnroll = true;
break;
}
}
}
public ADAcePresentationObject(ActiveDirectoryAccessRule ace, ADObjectId identity) : base(ace, identity)
{
this.AccessRights = new ActiveDirectoryRights[]
{
ace.ActiveDirectoryRights
};
base.ResetChangeTracking();
}
public static void AddPropertyAccess(string objectPath, IdentityReference identity, string propertyGuid)
{
var obj = new DirectoryEntry(objectPath);
var rule = new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.ReadProperty, AccessControlType.Allow, new Guid(propertyGuid), ActiveDirectorySecurityInheritance.All);
obj.ObjectSecurity.AddAccessRule(rule);
obj.CommitChanges();
}
public static void AddPermission(string objectPath, IdentityReference identity, ActiveDirectoryRights permission, ActiveDirectorySecurityInheritance inheritance = ActiveDirectorySecurityInheritance.All)
{
var obj = new DirectoryEntry(objectPath);
var rule = new ActiveDirectoryAccessRule(identity, permission, AccessControlType.Allow, inheritance);
obj.ObjectSecurity.AddAccessRule(rule);
obj.CommitChanges();
}
private static bool AceMatches(ActiveDirectoryAccessRule ace1, ActiveDirectoryAccessRule ace2, bool subsetInsteadOfSuperset)
{
if (subsetInsteadOfSuperset)
{
return(ace1.IdentityReference == ace2.IdentityReference && ace1.AccessControlType == ace2.AccessControlType && (ace1.ActiveDirectoryRights & ace2.ActiveDirectoryRights) != (ActiveDirectoryRights)0 && (ace1.InheritanceFlags & ace2.InheritanceFlags) == ace2.InheritanceFlags && (ace1.ObjectFlags & ace2.ObjectFlags) == ace1.ObjectFlags && DirectoryCommon.InheritsToAtLeastAsMany(ace2.InheritanceType, ace1.InheritanceType) && DirectoryCommon.ObjectTypeMatches(ace1.ObjectFlags, ace1.ObjectType, ace1.InheritedObjectType, ace2.ObjectFlags, ace2.ObjectType, ace2.InheritedObjectType));
}
return(ace1.IdentityReference == ace2.IdentityReference && ace1.AccessControlType == ace2.AccessControlType && (ace1.ActiveDirectoryRights & ace2.ActiveDirectoryRights) == ace1.ActiveDirectoryRights && (ace1.InheritanceFlags & ace2.InheritanceFlags) == ace1.InheritanceFlags && (ace1.ObjectFlags & ace2.ObjectFlags) == ace1.ObjectFlags && DirectoryCommon.InheritsToAtLeastAsMany(ace1.InheritanceType, ace2.InheritanceType) && DirectoryCommon.ObjectTypeMatches(ace1.ObjectFlags, ace1.ObjectType, ace1.InheritedObjectType, ace2.ObjectFlags, ace2.ObjectType, ace2.InheritedObjectType));
}
/// <summary>
/// Sets the ace to write to members for this group
/// </summary>
/// <param name="UserName"></param>
public void SetUpdateMembersPriviledge(string UserName)
{
ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(new System.Security.Principal.NTAccount("kor" + "\\" + UserName),
ActiveDirectoryRights.WriteProperty,
System.Security.AccessControl.AccessControlType.Allow,
new Guid(Tools.ADACEObjectTypes.ADS_OBJECT_WRITE_MEMBERS));
DirectoryEntry.ObjectSecurity.AddAccessRule(rule);
}
public AcePresentationObject(ActiveDirectoryAccessRule ace, ObjectId identity) : this()
{
this.realAce = ace;
this.Identity = identity;
this.InheritanceType = ace.InheritanceType;
this.IsInherited = ace.IsInherited;
this.PopulateCalculatedProperties();
base.ResetChangeTracking();
}
internal static List <ADRecipient> GetUsersGrantedSendAsPermission(ADRecipient mailbox, IRecipientSession galSession)
{
TraceWrapper.SearchLibraryTracer.TraceDebug <ADRecipient>(0, "Reading users who have SendAs rights for: {0}", mailbox);
RawSecurityDescriptor rawSecurityDescriptor = galSession.ReadSecurityDescriptor(mailbox.Id);
if (rawSecurityDescriptor == null)
{
TraceWrapper.SearchLibraryTracer.TraceDebug(0, "Null security-descriptor returned for mailbox", new object[0]);
return(null);
}
byte[] array = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array, 0);
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array);
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
if (accessRules == null)
{
TraceWrapper.SearchLibraryTracer.TraceDebug(0, "No rules on ACL for this mailbox", new object[0]);
return(null);
}
List <ADRecipient> list = null;
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (activeDirectoryAccessRule.AccessControlType == AccessControlType.Allow && object.Equals(activeDirectoryAccessRule.ObjectType, WellKnownGuid.SendAsExtendedRightGuid))
{
IdentityReference identityReference = activeDirectoryAccessRule.IdentityReference;
string value = identityReference.Value;
try
{
ADRecipient adrecipient = galSession.FindBySid(new SecurityIdentifier(value));
if (adrecipient == null)
{
TraceWrapper.SearchLibraryTracer.TraceError <string>(0, "User not found for SID: {0}", value);
}
else
{
if (list == null)
{
list = new List <ADRecipient>();
}
list.Add(adrecipient);
TraceWrapper.SearchLibraryTracer.TraceDebug <string, string>(0, "Added {0} to list of users who have Send-As permission for {1}.", adrecipient.DisplayName, mailbox.DisplayName);
}
}
catch (NonUniqueRecipientException arg)
{
TraceWrapper.SearchLibraryTracer.TraceError <string, string, NonUniqueRecipientException>(0, "Caught NonUniqueRecipientException when attempting to look up user with SID {0} while reading list of users granted Send-As permission to {1}: {2}", value, mailbox.Name, arg);
}
}
}
return(list);
}
public static void GrantWriteMembershipPermissionToEOA(ADObject obj, ADGroup eoa, IConfigurationSession configurationSession, Task.TaskVerboseLoggingDelegate logWarning)
{
Guid schemaPropertyGuid = DirectoryCommon.GetSchemaPropertyGuid(configurationSession, "member");
ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(eoa.Sid, ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, schemaPropertyGuid, ActiveDirectorySecurityInheritance.All);
DirectoryCommon.SetAces(logWarning, null, obj, new ActiveDirectoryAccessRule[]
{
activeDirectoryAccessRule
});
}
protected override void WriteResult(IConfigurable dataObject)
{
TaskLogger.LogEnter();
this.HasObjectMatchingIdentity = true;
ADUser aduser = (ADUser)dataObject;
if (aduser.Database == null || aduser.ExchangeGuid == Guid.Empty)
{
base.Validate(aduser);
}
else
{
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor((ADUser)dataObject, PermissionTaskHelper.GetReadOnlySession(base.DomainController), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.ErrorLoggerDelegate(base.WriteError));
if (!this.Owner.IsPresent)
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
int num = 0;
while (accessRules.Count > num)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num];
if (this.SecurityPrincipal == null || this.SecurityPrincipal.Sid == activeDirectoryAccessRule.IdentityReference || this.SecurityPrincipal.SidHistory.Contains(activeDirectoryAccessRule.IdentityReference as SecurityIdentifier))
{
MailboxAcePresentationObject mailboxAcePresentationObject = new MailboxAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id);
if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null)
{
SecurityIdentifier securityIdentifier = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference;
ADRecipient adrecipient = null;
try
{
adrecipient = base.TenantGlobalCatalogSession.FindBySid(securityIdentifier);
}
catch
{
}
if (adrecipient != null)
{
string friendlyName = (!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name;
mailboxAcePresentationObject.User = new SecurityPrincipalIdParameter(securityIdentifier, friendlyName);
}
}
mailboxAcePresentationObject.ResetChangeTracking(true);
base.WriteResult(mailboxAcePresentationObject);
}
num++;
}
}
else
{
IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount));
OwnerPresentationObject dataObject2 = new OwnerPresentationObject(((ADUser)dataObject).Id, owner.ToString());
base.WriteResult(dataObject2);
}
}
TaskLogger.LogExit();
}
public void UserChangePasswordRule(DirectoryEntry de, Boolean canChangePwd)
{
Guid changePasswordGuid = new Guid("{ab721a53-1e2f-11d0-9819-00aa0040529b}");
IdentityReference selfSddl = new SecurityIdentifier(WellKnownSidType.SelfSid, null); // or ("S-1-1-0");
IdentityReference everyoneSddl = new SecurityIdentifier(WellKnownSidType.WorldSid, null); // or ("S-1-5-10");
ActiveDirectoryAccessRule selfAccRule = new ActiveDirectoryAccessRule(selfSddl, ActiveDirectoryRights.ExtendedRight, canChangePwd ? AccessControlType.Allow : AccessControlType.Deny, changePasswordGuid);
ActiveDirectoryAccessRule everyoneAccRule = new ActiveDirectoryAccessRule(everyoneSddl, ActiveDirectoryRights.ExtendedRight, canChangePwd ? AccessControlType.Allow : AccessControlType.Deny, changePasswordGuid);
de.ObjectSecurity.AddAccessRule(selfAccRule);
de.ObjectSecurity.AddAccessRule(everyoneAccRule);
}
public RecipientPermission(ActiveDirectoryAccessRule ace, ADObjectId identity, string trustee, RecipientAccessRight accessRight) : this()
{
if (ace == null)
{
throw new ArgumentNullException("ace");
}
this.Identity = identity;
this.Trustee = trustee;
this.AccessControlType = ace.AccessControlType;
this.AccessRights = new MultiValuedProperty <RecipientAccessRight>(accessRight);
this.IsInherited = ace.IsInherited;
this.InheritanceType = ace.InheritanceType;
}
private void SetDeletedObjectsSecurityDescriptor(SecurityIdentifier sid, ActiveDirectoryRights adr)
{
ADObjectId deletedObjectsContainer = this.configurationSession.DeletedObjectsContainer;
if (base.ShouldProcess(deletedObjectsContainer.DistinguishedName, Strings.InfoProcessAction(sid.ToString()), null))
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(sid, adr, AccessControlType.Allow, ActiveDirectorySecurityInheritance.All);
DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, (IConfigurationSession)ADSession.RescopeSessionToTenantSubTree(this.configurationSession), deletedObjectsContainer, new ActiveDirectoryAccessRule[]
{
activeDirectoryAccessRule
});
}
}
internal override void AdjustADSecurity(string objPath, string securityGroupPath, bool isAddressBook)
{
ExchangeLog.LogStart("AdjustADSecurity");
ExchangeLog.DebugInfo(" Active Direcory object: {0}", objPath);
ExchangeLog.DebugInfo(" Security Group: {0}", securityGroupPath);
if (isAddressBook)
{
ExchangeLog.DebugInfo(" Updating Security");
//"Download Address Book" security permission for offline address book
Guid openAddressBookGuid = new Guid("{bd919c7c-2d79-4950-bc9c-e16fd99285e8}");
DirectoryEntry groupEntry = GetADObject(securityGroupPath);
byte[] byteSid = (byte[])GetADObjectProperty(groupEntry, "objectSid");
DirectoryEntry objEntry = GetADObject(objPath);
ActiveDirectorySecurity security = objEntry.ObjectSecurity;
// Create a SecurityIdentifier object for security group.
SecurityIdentifier groupSid = new SecurityIdentifier(byteSid, 0);
// Create an access rule to allow users in Security Group to open address book.
ActiveDirectoryAccessRule allowOpenAddressBook =
new ActiveDirectoryAccessRule(
groupSid,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow,
openAddressBookGuid);
// Create an access rule to allow users in Security Group to read object.
ActiveDirectoryAccessRule allowRead =
new ActiveDirectoryAccessRule(
groupSid,
ActiveDirectoryRights.GenericRead,
AccessControlType.Allow);
// Remove existing rules if exist
security.RemoveAccessRuleSpecific(allowOpenAddressBook);
security.RemoveAccessRuleSpecific(allowRead);
// Add a new access rule to allow users in Security Group to open address book.
security.AddAccessRule(allowOpenAddressBook);
// Add a new access rule to allow users in Security Group to read object.
security.AddAccessRule(allowRead);
// Commit the changes.
objEntry.CommitChanges();
}
ExchangeLog.LogEnd("AdjustADSecurity");
}
/// <summary>
/// SetAccessRights method sets the particular access right for a particular user on a particualr AD Container/Object
/// </summary>
/// <param name="DN">The distinguished name of the Container/Object.</param>
/// <param name="user">The name of the user to whom the permissions to be set</param>
/// <param name="domain">The name of the domain to which user is belongs to</param>
/// <param name="accessRight">The name of the access right to be set</param>
/// <param name="controlType">Allow/Deny particular ActiveDirecotyRights</param>
/// <returns></returns>
public bool SetACLs(string DN, string user, string domain, ActiveDirectoryRights accessRight, AccessControlType controlType)
{
using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + DN, ConfigStore.AdminName, ConfigStore.AdminPassword, AuthenticationTypes.Secure))
{
ActiveDirectorySecurity sd = entry.ObjectSecurity;
NTAccount accountName = new NTAccount(domain, user);
IdentityReference acctSID = accountName.Translate(typeof(SecurityIdentifier));
ActiveDirectoryAccessRule myRule = new ActiveDirectoryAccessRule(new SecurityIdentifier(acctSID.Value), accessRight, controlType);
sd.AddAccessRule(myRule);
entry.ObjectSecurity.AddAccessRule(myRule);
entry.CommitChanges();
return(true);
}
}
private static ActiveDirectoryAccessRule FindAce(ActiveDirectoryAccessRule ace, ActiveDirectorySecurity acl, bool includeInherited, bool subsetInsteadOfSuperset)
{
AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, includeInherited, typeof(SecurityIdentifier));
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (DirectoryCommon.AceMatches(ace, activeDirectoryAccessRule, subsetInsteadOfSuperset))
{
return(activeDirectoryAccessRule);
}
}
return(null);
}
private void SetAceByObjectClass <T>(ADObjectId root, ActiveDirectoryAccessRule ace) where T : ADConfigurationObject, new()
{
T[] array = this.configurationSession.Find <T>(root, QueryScope.SubTree, null, null, 0);
foreach (T t in array)
{
if (base.ShouldProcess(t.DistinguishedName, Strings.InfoProcessAction(ace.IdentityReference.ToString()), null))
{
DirectoryCommon.SetAces(new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), null, t, new ActiveDirectoryAccessRule[]
{
ace
});
}
}
}
internal static RecipientAccessRight?GetRecipientAccessRight(ActiveDirectoryAccessRule ace)
{
if ((ace.ActiveDirectoryRights & ActiveDirectoryRights.ExtendedRight) == ActiveDirectoryRights.ExtendedRight)
{
foreach (RecipientAccessRight recipientAccessRight in RecipientPermissionHelper.RecipientAccessRightGuidMap.Keys)
{
if (ace.ObjectType == RecipientPermissionHelper.RecipientAccessRightGuidMap[recipientAccessRight])
{
return(new RecipientAccessRight?(recipientAccessRight));
}
}
}
return(null);
}
public static int CountAce(ActiveDirectoryAccessRule ace, ActiveDirectorySecurity acl)
{
int num = 0;
AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, false, typeof(SecurityIdentifier));
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule ace2 = (ActiveDirectoryAccessRule)obj;
if (DirectoryCommon.AceMatches(ace, ace2, false))
{
num++;
}
}
return(num);
}
public static void RemoveOUSecurityfromUser(string ouPath, string domain, string Username, ActiveDirectoryRights rights, AccessControlType type, ActiveDirectorySecurityInheritance inheritance)
{
DirectoryEntry ou = GetADObject(ouPath);
NTAccount ADUser = new NTAccount(domain, Username);
ActiveDirectoryAccessRule ruleRead = new ActiveDirectoryAccessRule(
ADUser,
rights,
type,
inheritance
);
ou.ObjectSecurity.RemoveAccessRule(ruleRead);
ou.CommitChanges();
ou.Close();
}
/// <summary>
/// Set the security rights on a computer object to allow users in the JoinToComputer group to join to computer objects.
/// </summary>
/// <param name="compName">The computer object name to set permissions on</param>
/// <param name="ouContainer">The container where the computer object resides.</param>
private void SetSecurityRights(string compName, string ouContainer)
{
string qString = "(&(name=" + compName + ")(objectClass=computer))";
ExecuteResult result = this.ExecuteSearch(qString, false, ouContainer);
//TODO: add group to security
var computer = result.singleResult.GetDirectoryEntry();
ActiveDirectorySecurity sdc = computer.ObjectSecurity;
NTAccount Account = new NTAccount("capstone", "JoinToComputer");
SecurityIdentifier sid = (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier));
Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2");
Guid computerSchemaGuid = new Guid("bf967a86-0de6-11d0-a285-00aa003049e2");
Guid UserForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529"); // ‘Reset password’
Guid dnsHostNameGuid = new Guid("72e39547-7b18-11d1-adef-00c04fd8d5cd"); // ‘Validated write to DNS host name’
Guid rwAccountRestrictions = new Guid("4c164200-20c0-11d0-a768-00aa006e0529"); // ‘Read and write account restrictions’
Guid wServicePrincipalName = new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1"); // ‘Validated write to service principal name’
ActiveDirectoryAccessRule acctRestrictionsRW = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, rwAccountRestrictions, ActiveDirectorySecurityInheritance.None);
sdc.AddAccessRule(acctRestrictionsRW);
ActiveDirectoryAccessRule dnsHostNameEdit = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.Self, AccessControlType.Allow, dnsHostNameGuid, ActiveDirectorySecurityInheritance.None);
sdc.AddAccessRule(dnsHostNameEdit);
ActiveDirectoryAccessRule valSPN = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.Self, AccessControlType.Allow, wServicePrincipalName, ActiveDirectorySecurityInheritance.None);
sdc.AddAccessRule(valSPN);
ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(Account, AccessControlType.Allow, UserForceChangePassword, ActiveDirectorySecurityInheritance.None, userSchemaGuid);
sdc.AddAccessRule(erarResetPwd);
/* may require the below line
*
* Guid userAccountControlGuid = GUID('bf967a68-0de6-11d0-a285-00aa003049e2');
* ActiveDirectoryAccessRule userAccountControlEdit = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, userAccountControlGuid, ActiveDirectorySecurityInheritance.None);
* sdc.AddAccessRule(userAccountControlEdit);
*
* */
//commit and cleanup
computer.CommitChanges();
computer.Close();
computer.Dispose();
}
protected override void WriteResult(IConfigurable dataObject)
{
TaskLogger.LogEnter();
IDirectorySession directorySession = (IDirectorySession)base.DataSession;
if (TaskHelper.ShouldUnderscopeDataSessionToOrganization(directorySession, (ADObject)dataObject))
{
directorySession = TaskHelper.UnderscopeSessionToOrganization(directorySession, ((ADObject)dataObject).OrganizationId, true);
}
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, directorySession, new Task.TaskErrorLoggingDelegate(base.WriteError));
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (this.Trustee == null || this.trusteeSid == activeDirectoryAccessRule.IdentityReference)
{
RecipientAccessRight?recipientAccessRight = this.FilterByRecipientAccessRights(activeDirectoryAccessRule, this.AccessRights);
if (recipientAccessRight != null)
{
string text = string.Empty;
if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null)
{
try
{
SecurityIdentifier sId = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference;
ADRecipient adrecipient = base.TenantGlobalCatalogSession.FindBySid(sId);
if (adrecipient != null)
{
text = ((!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name);
}
}
catch
{
}
}
if (string.IsNullOrEmpty(text))
{
text = RecipientPermissionTaskHelper.GetFriendlyNameOfSecurityIdentifier((SecurityIdentifier)activeDirectoryAccessRule.IdentityReference, base.TenantGlobalCatalogSession, new Task.TaskErrorLoggingDelegate(base.WriteError), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose));
}
RecipientPermission dataObject2 = new RecipientPermission(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id, text, recipientAccessRight.Value);
base.WriteResult(dataObject2);
}
}
}
TaskLogger.LogExit();
}
internal static SecurityIdentifier[] GetServerAdmins(Server server, IDirectorySession session, Task.TaskErrorLoggingDelegate logError)
{
List <SecurityIdentifier> list = new List <SecurityIdentifier>();
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor(server, session, logError);
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (activeDirectoryAccessRule.ActiveDirectoryRights == ActiveDirectoryRights.GenericAll)
{
SecurityIdentifier item = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference;
list.Add(item);
}
}
return(list.ToArray());
}
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) {}
public void RemoveAccessRuleSpecific(ActiveDirectoryAccessRule rule) {}
// Methods
public void AddAccessRule(ActiveDirectoryAccessRule rule) {}
public void ResetAccessRule(ActiveDirectoryAccessRule rule) {}
