/// <summary>
/// Validates a group change before it is written: resolves and checks the ManagedBy
/// owners, checks sAMAccountName uniqueness when that attribute was modified, applies
/// the "Universal" parameter set (scope conversion) after rejecting groups that are
/// already universal or are built-in, and re-validates members whenever membership or
/// scope changed. Every failure is reported through base.WriteError.
/// </summary>
protected override void InternalValidate()
{
    TaskLogger.LogEnter();
    base.InternalValidate();

    // Owners listed in ManagedBy gain control over the group later on, so they are
    // resolved and validated before any other change is accepted.
    MailboxTaskHelper.ValidateGroupManagedBy(
        base.TenantGlobalCatalogSession,
        this.DataObject,
        this.managedByRecipients,
        new DataAccessHelper.CategorizedGetDataObjectDelegate(base.GetDataObject<ADRecipient>),
        new Task.ErrorLoggerDelegate(base.WriteError));

    if (this.DataObject.IsModified(ADMailboxRecipientSchema.SamAccountName))
    {
        RecipientTaskHelper.IsSamAccountNameUnique(
            this.DataObject,
            this.DataObject.SamAccountName,
            new Task.TaskVerboseLoggingDelegate(base.WriteVerbose),
            new Task.ErrorLoggerDelegate(base.WriteError),
            ExchangeErrorCategory.Client);
    }

    bool convertToUniversal = base.ParameterSetName == "Universal";
    if (convertToUniversal)
    {
        this.ApplyUniversalScope();
    }

    // Member validation is repeated on a scope change, not only on a membership change
    // (presumably because which members are allowed depends on the group's scope).
    if (this.DataObject.IsChanged(ADGroupSchema.Members) || convertToUniversal)
    {
        MailboxTaskHelper.ValidateAddedMembers(
            base.TenantGlobalCatalogSession,
            this.DataObject,
            new Task.ErrorLoggerDelegate(base.WriteError),
            new DataAccessHelper.CategorizedGetDataObjectDelegate(base.GetDataObject<ADRecipient>));
    }

    TaskLogger.LogExit();
}

/// <summary>
/// Handles the "Universal" parameter set: rejects a group that is already universal or
/// that is built-in, then replaces the low scope bits of groupType with Universal. The
/// SecurityEnabled bit lies outside the cleared mask, so converting the scope never
/// changes whether the group is a security principal.
/// </summary>
private void ApplyUniversalScope()
{
    // Bits cleared before Universal is set; the original code masks them as the literal 7.
    const GroupTypeFlags ScopeBits = (GroupTypeFlags)7;

    GroupTypeFlags currentType = this.DataObject.GroupType;
    if ((currentType & GroupTypeFlags.Universal) == GroupTypeFlags.Universal)
    {
        base.WriteError(
            new RecipientTaskException(Strings.ErrorIsUniversalGroupAlready(this.DataObject.Name)),
            ErrorCategory.InvalidArgument,
            this.DataObject.Identity);
        return;
    }

    // Built-in groups (by groupType bit or by well-known identity) must never be converted.
    bool isBuiltIn = (currentType & GroupTypeFlags.BuiltinLocal) == GroupTypeFlags.BuiltinLocal
        || SetGroup.IsBuiltInObject(this.DataObject);
    if (isBuiltIn)
    {
        base.WriteError(
            new RecipientTaskException(Strings.ErrorCannotConvertBuiltInGroup(this.DataObject.Name)),
            ErrorCategory.InvalidArgument,
            this.DataObject.Identity);
    }

    this.DataObject.GroupType = (this.DataObject.GroupType & ~ScopeBits) | GroupTypeFlags.Universal;
    base.DesiredRecipientType = this.DataObject.RecipientType;
}
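/// <summary>
/// Builds the directory query that selects security-enabled groups whose groupType
/// carries every bit of <paramref name="flag"/> (typically a scope bit).
/// </summary>
/// <param name="flag">groupType bits that must all be set on a matching group.</param>
/// <returns>
/// objectCategory == group AND groupType has the SecurityEnabled bit AND groupType has all bits of flag.
/// </returns>
private static CompositeFilter GenerateTargetFilterForSecurityGroup(GroupTypeFlags flag)
{
    // groupType is a 32-bit attribute and SecurityEnabled is its top bit. Spell the mask
    // out as an unsigned 32-bit value: "(ulong)int.MinValue" sign-extends to
    // 0xFFFFFFFF80000000 (and is rejected as a constant expression unless wrapped in
    // unchecked), which is not the single-bit mask the query is meant to express.
    const ulong SecurityEnabledMask = 0x80000000UL;

    return new AndFilter(new QueryFilter[]
    {
        new ComparisonFilter(ComparisonOperator.Equal, ADObjectSchema.ObjectCategory, ADGroup.MostDerivedClass),
        new BitMaskOrFilter(ADGroupSchema.GroupType, SecurityEnabledMask),
        // Go through uint so a caller passing a flag that includes SecurityEnabled
        // (a negative enum value) is zero-extended rather than sign-extended.
        new BitMaskAndFilter(ADGroupSchema.GroupType, (ulong)(uint)flag)
    });
}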
/// <summary>
/// Property setter for the synthesized "SecurityEnabled" value: sets or clears the
/// GroupTypeFlags.SecurityEnabled bit of the stored groupType. The clearing mask keeps
/// every bit except the top one, so the scope bits are untouched either way.
/// </summary>
/// <param name="value">Boxed bool; true makes the group security-enabled.</param>
/// <param name="propertyBag">Bag holding SyncGroupSchema.GroupType; updated in place.</param>
internal static void SecurityEnabledSetter(object value, IPropertyBag propertyBag)
{
    // All bits except the top one (0x80000000), which is the one being toggled.
    const GroupTypeFlags AllButSecurityEnabled = (GroupTypeFlags)0x7FFFFFFF;

    GroupTypeFlags current = (GroupTypeFlags)propertyBag[SyncGroupSchema.GroupType];
    bool enable = (bool)value;

    // NOTE(security): flipping this bit decides whether the group's SID is usable in
    // ACLs and tokens, so callers should treat the change as privilege-relevant.
    GroupTypeFlags updated = enable
        ? current | GroupTypeFlags.SecurityEnabled
        : current & AllButSecurityEnabled;

    propertyBag[SyncGroupSchema.GroupType] = updated;
}
/// <summary>
/// Returns true when <paramref name="groupTypeFlags"/> is a well-formed groupType: after
/// the two modifier bits (BUILTIN_LOCAL and SECURITY_ENABLED) are ignored, exactly one
/// of the known scope values must remain. Zero, unknown or multiple scope bits fail.
/// </summary>
/// <param name="groupTypeFlags">Raw groupType bits read from the directory.</param>
/// <returns>true if the remaining value is one of the five recognized scope constants.</returns>
public static bool ValidateFlags(GroupTypeFlags groupTypeFlags)
{
    // Modifier bits may accompany any scope; strip them before checking the scope itself.
    const GroupTypeFlags ModifierBits =
        GroupTypeFlags.GROUP_TYPE_BUILTIN_LOCAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED;

    GroupTypeFlags scope = groupTypeFlags & ~ModifierBits;

    switch (scope)
    {
        case GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP:
        case GroupTypeFlags.GROUP_TYPE_APP_BASIC_GROUP:
        case GroupTypeFlags.GROUP_TYPE_APP_QUERY_GROUP:
        case GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP:
        case GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP:
            return true;
        default:
            return false;
    }
}
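/// <summary>
/// Returns the tenant role group linked from the configuration unit's otherWellKnownObjects
/// by <paramref name="wkGuid"/>, creating and linking a new one when no link exists.
/// An existing target is accepted only if it is not deleted, can be read, and is a Group
/// recipient; its localization is upgraded and, when the requested groupType bits are
/// missing, its groupType and RecipientTypeDetails are rewritten. A new group and its
/// well-known link are created together and rolled back together in the finally block.
/// </summary>
/// <param name="orgId">Tenant organization the group belongs to.</param>
/// <param name="usgContainerId">Container a new group is created under.</param>
/// <param name="groupName">Common name of the group; the sAMAccountName adds a GUID suffix.</param>
/// <param name="groupId">Role-group id handed to UpgradeRoleGroupLocalization.</param>
/// <param name="wkGuid">Well-known GUID that links the configuration unit to the group.</param>
/// <param name="groupDescription">Description stored on the group.</param>
/// <param name="groupType">groupType bits the existing group must carry; assigned outright when it does not.</param>
/// <param name="manageBy">Initial ManagedBy owners for a newly created group.</param>
/// <returns>The existing or newly created group (null only if the rollback path ran without throwing).</returns>
private ADGroup CreateGroup(OrganizationId orgId, ADObjectId usgContainerId, string groupName, int groupId, Guid wkGuid, string groupDescription, GroupTypeFlags groupType, List<ADObjectId> manageBy)
{
    ADGroup adgroup = null;
    DNWithBinary dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.configurationUnit.OtherWellKnownObjects, wkGuid);
    if (null != dnwithBinary)
    {
        // The link exists: the referenced object must be live and must be a group.
        // base.WriteError is expected to terminate the task; the statements after each
        // call assume the error case did not fall through.
        ADObjectId adobjectId = new ADObjectId(dnwithBinary.DistinguishedName);
        if (adobjectId.IsDeleted)
        {
            base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), orgId.ConfigurationUnit.DistinguishedName), ErrorCategory.InvalidData, null);
        }

        ADRecipient adrecipient = this.orgDomainRecipientSession.Read(adobjectId);
        if (adrecipient == null)
        {
            base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), orgId.ConfigurationUnit.DistinguishedName), ErrorCategory.InvalidData, null);
        }
        base.LogReadObject(adrecipient);

        if (adrecipient.RecipientType != RecipientType.Group)
        {
            // Fix: report the recipient that was actually found. The previous code read
            // adgroup.Id here while adgroup was still null, so a non-group target raised a
            // NullReferenceException instead of the intended InvalidWKObjectTargetException.
            base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), orgId.ConfigurationUnit.ToString(), adrecipient.Id.DistinguishedName, groupType.ToString()), ErrorCategory.InvalidData, null);
        }

        adgroup = (adrecipient as ADGroup);
        InitializeExchangeUniversalGroups.UpgradeRoleGroupLocalization(adgroup, groupId, groupDescription, this.orgDomainRecipientSession);

        // NOTE(security): whatever group the otherWellKnownObjects DN points at is adopted as
        // the role group; only its recipient type and groupType bits are checked here, not
        // where it lives or who administers it.
        if ((adgroup.GroupType & groupType) != groupType)
        {
            base.WriteVerbose(Strings.InfoChangingGroupType(adgroup.Id.DistinguishedName, groupType.ToString()));
            adgroup.GroupType = groupType;
            adgroup.RecipientTypeDetails = RecipientTypeDetails.RoleGroup;
            this.orgDomainRecipientSession.Save(adgroup);
            base.LogWriteObject(adgroup);
        }
        else
        {
            base.WriteVerbose(Strings.InfoGroupAlreadyPresent(adgroup.Id.DistinguishedName));
        }
        return adgroup;
    }

    ADGroup adgroup2 = null;
    try
    {
        // Random suffix on the sAMAccountName; presumably keeps it unique across tenants
        // that share a domain (the common name is made unique separately by the helper).
        string groupSam = groupName + "{" + Guid.NewGuid().ToString("N") + "}";
        adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueRoleGroup(this.orgDomainRecipientSession, orgId.OrganizationalUnit.DomainId, usgContainerId, groupName, groupId, groupDescription, groupSam, manageBy, orgId);
        dnwithBinary = this.CreateWKGuid(adgroup2.Id, wkGuid);
    }
    finally
    {
        // Keep group and link consistent: remove a link that has no group, or a group that got no link.
        if (adgroup2 == null && dnwithBinary != null)
        {
            this.configurationUnit.OtherWellKnownObjects.Remove(dnwithBinary);
            this.configurationSession.Save(this.configurationUnit);
            base.LogWriteObject(this.configurationUnit);
        }
        else if (adgroup2 != null && dnwithBinary == null)
        {
            this.orgDomainRecipientSession.Delete(adgroup2);
            base.LogWriteObject(adgroup2);
            adgroup2 = null;
        }
    }
    return adgroup2;
}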
/// <summary>
/// Creates an unsaved group object whose DN is <paramref name="commonName"/> under
/// <paramref name="containerId"/>, bound to <paramref name="session"/> and carrying the
/// given groupType. The caller is responsible for saving it.
/// </summary>
/// <param name="session">Recipient session the object is associated with.</param>
/// <param name="commonName">CN of the new group.</param>
/// <param name="containerId">Parent container the group is placed in.</param>
/// <param name="groupType">groupType bits (scope and SecurityEnabled) for the new group.</param>
internal ADGroup(IRecipientSession session, string commonName, ADObjectId containerId, GroupTypeFlags groupType)
{
    this.m_Session = session;

    ADObjectId newId = containerId.GetChildId(commonName);
    base.SetId(newId);
    base.SetObjectClass(this.MostDerivedObjectClass);

    this.GroupType = groupType;
}
/// <summary>
/// Creates and saves a group named <paramref name="groupName"/> under
/// <paramref name="containerId"/> with the given description and groupType.
/// </summary>
/// <param name="session">Session used to save the group.</param>
/// <param name="containerId">Parent container of the new group.</param>
/// <param name="groupName">Used both as the CN and, unchanged, as the sAMAccountName.</param>
/// <param name="groupDescription">Single description value stored on the group.</param>
/// <param name="groupType">groupType bits of the new group.</param>
/// <returns>The saved group.</returns>
private ADGroup CreateGroup(IRecipientSession session, ADObjectId containerId, string groupName, LocalizedString groupDescription, GroupTypeFlags groupType)
{
    ADGroup newGroup = new ADGroup(session, groupName, containerId, groupType);

    MultiValuedProperty<string> descriptionValues = new MultiValuedProperty<string>();
    descriptionValues.Add(groupDescription);
    newGroup[ADRecipientSchema.Description] = descriptionValues;

    // NOTE(review): no uniqueness probe here, unlike CreateUniqueChildSG; a clash on
    // the sAMAccountName surfaces from the save.
    newGroup.SamAccountName = groupName;

    SetupTaskBase.Save(newGroup, session);
    base.WriteVerbose(Strings.InfoCreatedGroup(newGroup.DistinguishedName));
    return newGroup;
}
/// <summary>
/// Creates a domain-local, security-enabled group in the root domain under
/// <paramref name="container"/>.
/// </summary>
/// <param name="container">Container the group is created in.</param>
/// <param name="groupName">CN and sAMAccountName of the group.</param>
/// <param name="groupDescription">Description stored on the group.</param>
/// <returns>The saved group.</returns>
private ADGroup CreateDomainLocalSecurityGroup(ADContainer container, string groupName, LocalizedString groupDescription)
{
    const GroupTypeFlags DomainLocalSecurityGroup = GroupTypeFlags.DomainLocal | GroupTypeFlags.SecurityEnabled;
    return this.CreateGroup(this.rootDomainRecipientSession, container.Id, groupName, groupDescription, DomainLocalSecurityGroup);
}
/// <summary>
/// TestCase29: checks the MS-ADTS requirements for Well-Known Domain-Relative Security
/// Principals under CN=Users of the root domain (R811, R812, and the groupType of
/// Schema Admins / Enterprise Admins, which depends on whether the domain is mixed),
/// then delegates the requirements shared with AD LDS to LDSAndDSCommonCall.
/// Relies on adAdapter, serverOS and gType being members of the enclosing test class.
/// </summary>
public void ValidateWellKnownSecurityDomainPrincipal()
{
    // These three DirectoryEntry instances are replaced by GetObjectByDN / Find below
    // and are never disposed.
    DirectoryEntry dirEntry = new DirectoryEntry();
    DirectoryEntry childEntry = new DirectoryEntry();
    DirectoryEntry rootEntry = new DirectoryEntry();
    string currDomain = adAdapter.rootDomainDN;
    // configNC and schemaNC are computed but not used by this method.
    string configNC = "CN=Configuration," + currDomain;
    string schemaNC = "CN=Schema," + configNC;
    bool isObjectSid = true;
    SecurityIdentifier sid;
    PropertyValueCollection rid, ridUser;
    byte[] objectSid;
    string expectedValue = String.Empty;
    string actualValue = String.Empty;

    if (!adAdapter.GetObjectByDN("CN=Users," + currDomain, out dirEntry))
    {
        DataSchemaSite.Assume.IsTrue(false, "CN=Users," + currDomain + " Object is not found in server");
    }

    // Get the object of Root Domain NC.
    if (!adAdapter.GetObjectByDN(currDomain, out rootEntry))
    {
        DataSchemaSite.Assume.IsTrue(false, currDomain + " Object is not found in server");
    }

    // Get the objectSid value of the object of root domain NC; its string form is the
    // prefix every domain-relative principal's SID must start with.
    objectSid = (byte[])rootEntry.Properties["objectSid"].Value;
    sid = new SecurityIdentifier(objectSid, 0);
    expectedValue = sid.ToString();
    int length = expectedValue.Length;

    DirectoryEntries rolesChilds = dirEntry.Children;
    // For each child of CN=Users: the child's SID must equal "<domain SID>-<its own RID>",
    // i.e. the check is that the SID prefix is the domain SID.
    // NOTE(review): assumes every child carries objectSid; a child without one would make
    // the SecurityIdentifier constructor throw rather than fail the requirement.
    foreach (DirectoryEntry child in rolesChilds)
    {
        // Get the sid of the child object.
        objectSid = (byte[])child.Properties["objectSid"].Value;
        sid = new SecurityIdentifier(objectSid, 0);
        // Get the rid of this object (the last "-NNN" component of the SID string).
        string temp = sid.ToString();
        temp = temp.Substring(temp.LastIndexOf('-'));
        // Add rid with expected value.
        expectedValue = expectedValue + temp;
        // Get the actual value.
        actualValue = sid.ToString();
        // Compare.
        if (actualValue.Equals(expectedValue))
        {
            isObjectSid = true;
        }
        else
        {
            isObjectSid = false;
            break;
        }
        // Reset the expected value to the bare domain SID for the next child.
        expectedValue = expectedValue.Substring(0, length);
    }

    // MS-ADTS-Schema_R811
    DataSchemaSite.CaptureRequirementIfIsTrue(
        isObjectSid,
        811,
        @"The objectSid attribute of Well-Known Domain-Relative Security Principals must be a SID consisting of the objectSid of the domain NC root followed by the RID specified for each child.");

    // MS-ADTS-Schema_R812: Administrator's primaryGroupID must be the RID of Domain Users
    // (read through primaryGroupToken, which is constructed and must be refreshed explicitly).
    childEntry = dirEntry.Children.Find("CN=Administrator");
    rid = childEntry.Properties["primaryGroupID"];
    childEntry = dirEntry.Children.Find("CN=Domain Users");
    childEntry.RefreshCache(new string[] { "primaryGroupToken" });
    ridUser = childEntry.Properties["primaryGroupToken"];
    DataSchemaSite.CaptureRequirementIfAreEqual<int>(
        (int)ridUser.Value,
        (int)rid.Value,
        812,
        @"The primaryGroupID attribute of class user Well-Known Domain-Relative Security Principals must be RID, which refers to another Well-Known domain relative security principal, by RID");

    // The method to call common requirements for AD/DS and LDS.
    LDSAndDSCommonCall(dirEntry);

    if (!adAdapter.GetObjectByDN(currDomain, out childEntry))
    {
        DataSchemaSite.Assume.IsTrue(false, currDomain + " Object is not found in server");
    }
    PropertyValueCollection nTMixedDomain = childEntry.Properties["nTMixedDomain"];

    // If nTMixedDomain value is 0 that is not mixed else mixed domain.
    if ((int)nTMixedDomain.Value == 0)
    {
        // MS-ADTS-Schema_R843: in a native-mode forest root, Schema Admins is universal.
        childEntry = dirEntry.Children.Find("CN=Schema Admins");
        PropertyValueCollection groupType = childEntry.Properties["groupType"];
        gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
        DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
            GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
            gType,
            843,
            @"If the forest root domain is not mixed :The groupType attribute of Schema Admins Well-Known Domain-Relative Security Principals is {GROUP_TYPE_UNIVERSAL_GROUP | GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set, which means that the groupType is 0x80000008.");

        if (serverOS >= OSVersion.WinSvr2008)
        {
            // MS-ADTS-Schema_R832
            childEntry = dirEntry.Children.Find("CN=Enterprise Admins");
            groupType = childEntry.Properties["groupType"];
            gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
            DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
                GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
                gType,
                832,
                @"If the forest root domain is not mixed :The groupType attribute of Enterprise Administrators Well-Known Domain-Relative Security Principals is {GROUP_TYPE_UNIVERSAL_GROUP | GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set, which means that the groupType is 0x80000008.");
        }
    }
    else
    {
        // MS-ADTS-Schema_R842, MS-ADTS-Schema_R831: mixed-mode branch (nTMixedDomain != 0),
        // where these groups are global (ACCOUNT_GROUP) instead of universal.
        // NOTE(review): the requirement text below still says "is not mixed"; it is kept
        // verbatim because it is the logged requirement description.
        childEntry = dirEntry.Children.Find("CN=Schema Admins");
        PropertyValueCollection groupType = childEntry.Properties["groupType"];
        gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
        DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
            GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
            gType,
            842,
            @"If the forest root domain is not mixed :The groupType attribute of Schema Admins Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002.");

        if (serverOS == OSVersion.WinSvr2008)
        {
            // MS-ADTS-Schema_R831
            childEntry = dirEntry.Children.Find("CN=Enterprise Admins");
            groupType = childEntry.Properties["groupType"];
            gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
            DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
                GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
                gType,
                831,
                @"If the forest root domain is not mixed :The groupType attribute of Enterprise Administrators Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED} 
This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002.");
        }
    }
}
/// <summary>
/// Checks the Well-Known Domain-Relative Security Principal requirements that apply to
/// both AD DS and AD LDS, given the CN=Users container as <paramref name="directEntry"/>:
/// parent container (R810), objectClass of the well-known users and groups, the
/// primaryGroupID of Guest and krbtgt, and the groupType (scope + SECURITY_ENABLED) of
/// each well-known group. Groups introduced with Windows Server 2008 (Enterprise Admins,
/// RODC-related groups) are checked only when serverOS is 2008 or later.
/// Relies on serverOS and groupType being members of the enclosing test class.
/// </summary>
/// <param name="directEntry">The CN=Users container whose children are inspected.</param>
public void LDSAndDSCommonCall(DirectoryEntry directEntry)
{
    GroupTypeFlags gType;
    // Holding Directory entries. Both placeholders are overwritten before use and
    // never disposed.
    DirectoryEntry dirEntry = new DirectoryEntry();
    DirectoryEntry childEntry = new DirectoryEntry();
    dirEntry = directEntry;

    // MS-ADTS-Schema_R810: every child is enumerated from dirEntry, so this can only fail
    // when dirEntry itself is not the CN=Users container.
    DirectoryEntries rolesChilds = dirEntry.Children;
    bool isParentRoles = true;
    foreach (DirectoryEntry child in rolesChilds)
    {
        if (!child.Parent.Name.ToString().Equals("CN=Users"))
        {
            isParentRoles = false;
        }
    }
    DataSchemaSite.CaptureRequirementIfIsTrue(
        isParentRoles,
        810,
        "For the Well-Known Domain-Relative Security Principals the Parent must be Users container");

    // MS-ADTS-Schema_R813
    childEntry = dirEntry.Children.Find("CN=Administrator");
    PropertyValueCollection objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"user"),
        813,
        "The objectClass attribute of Administrator Well-Known Domain-Relative Security Principals must be user");

    // MS-ADTS-Schema_R814
    childEntry = dirEntry.Children.Find("CN=Guest");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"user"),
        814,
        "The objectClass attribute of Guest Well-Known Domain-Relative Security Principals must be user");

    // MS-ADTS-Schema_R815: Guest's primary group is Domain Guests (RID 514).
    childEntry.RefreshCache(new string[] { "primaryGroupID" });
    string primary = childEntry.Properties["primaryGroupID"].Value.ToString();
    DataSchemaSite.CaptureRequirementIfAreEqual<string>(
        "514",
        primary,
        815,
        @"The primaryGroupID attribute of Guest Well-Known Domain-Relative Security Principals must be 514 (Domain Guests)");

    // MS-ADTS-Schema_R816
    childEntry = dirEntry.Children.Find("CN=krbtgt");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"user"),
        816,
        @"The objectClass attribute of Key Distribution Center Service Account Well-Known Domain-Relative Security Principals must be user");

    // MS-ADTS-Schema_R817: krbtgt's primary group is Domain Users (RID 513).
    childEntry.RefreshCache(new string[] { "primaryGroupID" });
    primary = childEntry.Properties["primaryGroupID"].Value.ToString();
    DataSchemaSite.CaptureRequirementIfAreEqual<string>(
        "513",
        primary,
        817,
        @"The primaryGroupID attribute of Key Distribution Center Service Account Well-Known Domain-Relative Security Principals must be 513 (Domain Users)");

    // MS-ADTS-Schema_R818: checks that Cert Publishers is a group.
    // NOTE(review): the logged description still names the KDC account and says "user";
    // it appears copied from R816 and is kept verbatim as the logged text.
    childEntry = dirEntry.Children.Find("CN=Cert Publishers");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        818,
        @"The objectClass attribute of Key Distribution Center Service Account Well-Known Domain-Relative Security Principals must be user");

    // MS-ADTS-Schema_R819: Cert Publishers is domain local (RESOURCE_GROUP) + security enabled.
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        819,
        @"The groupType attribute of Cert Publishers Well-Known Domain-Relative Security Principals is {GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two above bits are set, which means that the groupType is 0x80000004");

    // MS-ADTS-Schema_R820
    childEntry = dirEntry.Children.Find("CN=Domain Admins");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        820,
        @"The objectClass attribute of Domain Administrators Well-Known Domain-Relative Security Principals must be group");

    // MS-ADTS-Schema_R821: Domain Admins is global (ACCOUNT_GROUP) + security enabled.
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        821,
        @"The groupType attribute of Domain Administrators, Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002");

    // MS-ADTS-Schema_R822
    childEntry = dirEntry.Children.Find("CN=Domain Computers");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        822,
        @"The objectClass attribute of Domain Computers Well-Known Domain-Relative Security Principals must be group");

    // MS-ADTS-Schema_R823
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        823,
        @"The groupType attribute of Domain Computers Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002");

    // MS-ADTS-Schema_R824
    childEntry = dirEntry.Children.Find("CN=Domain Controllers");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        824,
        @"The objectClass attribute of Domain Controllers, Well-Known Domain-Relative Security Principals must be group");

    // MS-ADTS-Schema_R825
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        825,
        @"The groupType attribute of Domain Controllers Well-Known Domain-Relative Security Principals is 
{GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002");

    // MS-ADTS-Schema_R826
    childEntry = dirEntry.Children.Find("CN=Domain Guests");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        826,
        @"The objectClass attribute of Domain Guests Well-Known Domain-Relative Security Principals must be group");

    // MS-ADTS-Schema_R827
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        827,
        @"The groupType attribute of Domain Guests Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002");

    // MS-ADTS-Schema_R828
    childEntry = dirEntry.Children.Find("CN=Domain Users");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        828,
        "The objectClass attribute of Domain Users Well-Known Domain-Relative Security Principals must be group");

    // MS-ADTS-Schema_R829
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        829,
        @"The groupType attribute of Domain Users Well-Known Domain-Relative Security Principals must be either of GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED");

    // MS-ADTS-Schema_R833
    childEntry = dirEntry.Children.Find("CN=Group Policy Creator Owners");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        833,
        @"The objectClass attribute of Group Policy Creator Owners Well-Known Domain-Relative Security Principals must be group");

    // MS-ADTS-Schema_R834
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        834,
        @"The groupType attribute of Group Policy Creator Owners Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002");

    // MS-ADTS-Schema_R835
    childEntry = dirEntry.Children.Find("CN=RAS and IAS Servers");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        835,
        @"The objectClass attribute of RAS and IAS Servers Well-Known Domain-Relative Security Principals must be group");

    // MS-ADTS-Schema_R836: RAS and IAS Servers is domain local + security enabled.
    groupType = childEntry.Properties["groupType"];
    gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
    DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
        GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
        gType,
        836,
        @"The groupType attribute of RAS and IAS Servers Well-Known Domain-Relative Security Principals is {GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED}.This means that in groupType field the two above bits are set, which means that the groupType is 0x80000004");

    // MS-ADTS-Schema_R841 (the scope of Schema Admins depends on mixed mode and is
    // checked by the caller, not here).
    childEntry = dirEntry.Children.Find("CN=Schema Admins");
    objectClass = childEntry.Properties["objectClass"];
    DataSchemaSite.CaptureRequirementIfIsTrue(
        objectClass.Contains((object)"group"),
        841,
        @"The objectClass attribute of Schema Admins Well-Known Domain-Relative Security Principals must be group");

    // Groups that only exist from Windows Server 2008 onward.
    if (serverOS >= OSVersion.WinSvr2008)
    {
        // MS-ADTS-Schema_R830
        childEntry = dirEntry.Children.Find("CN=Enterprise Admins");
        objectClass = childEntry.Properties["objectClass"];
        DataSchemaSite.CaptureRequirementIfIsTrue(
            objectClass.Contains((object)"group"),
            830,
            @"The objectClass attribute of Enterprise Administrators Well-Known Domain-Relative Security Principals must be group.");

        // MS-ADTS-Schema_R837
        childEntry = dirEntry.Children.Find("CN=Read-only Domain Controllers");
        objectClass = childEntry.Properties["objectClass"];
        DataSchemaSite.CaptureRequirementIfIsTrue(
            objectClass.Contains((object)"group"),
            837,
            @"The objectClass attribute of Read-Only Domain Controllers Well-Known Domain-Relative Security Principals must be group");

        // MS-ADTS-Schema_R838: Read-only Domain Controllers is global + security enabled.
        groupType = childEntry.Properties["groupType"];
        gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
        DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
            GroupTypeFlags.GROUP_TYPE_ACCOUNT_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
            gType,
            838,
            @"The groupType attribute of Read-Only Domain Controllers Well-Known Domain-Relative Security Principals is {GROUP_TYPE_ACCOUNT_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set, which means that the groupType is 0x80000002.");

        // MS-ADTS-Schema_R839
        childEntry = dirEntry.Children.Find("CN=Enterprise Read-only Domain Controllers");
        objectClass = childEntry.Properties["objectClass"];
        DataSchemaSite.CaptureRequirementIfIsTrue(
            objectClass.Contains((object)"group"),
            839,
            @"The objectClass attribute of Enterprise Read-Only Domain Controllers Well-Known Domain-Relative Security Principals must be group");

        // MS-ADTS-Schema_R840: Enterprise Read-only Domain Controllers is universal + security enabled.
        groupType = childEntry.Properties["groupType"];
        gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
        DataSchemaSite.CaptureRequirementIfAreEqual<GroupTypeFlags>(
            GroupTypeFlags.GROUP_TYPE_UNIVERSAL_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
            gType,
            840,
            @"The groupType attribute of 
Enterprise Read-Only Domain Controllers Well-Known Domain-Relative Security Principals is {GROUP_TYPE_UNIVERSAL_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set, which means that the groupType is 0x80000008.");

        // MS-ADTS-Schema_Allowed RODC Password Replication Group: plain asserts (no
        // requirement id is captured for the two RODC password replication groups).
        childEntry = dirEntry.Children.Find("CN=Allowed RODC Password Replication Group");
        objectClass = childEntry.Properties["objectClass"];
        DataSchemaSite.Assert.IsTrue(
            objectClass.Contains((object)"group"),
            @"The objectClass attribute of Allowed RODC Password Replication Group Well-Known Domain-Relative Security Principals must be group");

        // MS-ADTS-Schema_Allowed RODC Password Replication Group: domain local + security enabled.
        groupType = childEntry.Properties["groupType"];
        gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
        DataSchemaSite.Assert.AreEqual<GroupTypeFlags>(
            GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
            gType,
            @"The groupType attribute of Allowed RODC Password Replication Group Well-Known Domain-Relative Security Principals is {GROUP_TYPE_RESOURCE_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set, which means that the groupType is 0x80000004.");

        // MS-ADTS-Schema_Denied RODC Password Replication Group
        childEntry = dirEntry.Children.Find("CN=Denied RODC Password Replication Group");
        objectClass = childEntry.Properties["objectClass"];
        DataSchemaSite.Assert.IsTrue(
            objectClass.Contains((object)"group"),
            @"The objectClass attribute of Denied RODC Password Replication Group Well-Known Domain-Relative Security Principals must be group");

        // MS-ADTS-Schema_Denied RODC Password Replication Group: domain local + security enabled.
        groupType = childEntry.Properties["groupType"];
        gType = (GroupTypeFlags)Convert.ToInt32(groupType.Value);
        DataSchemaSite.Assert.AreEqual<GroupTypeFlags>(
            GroupTypeFlags.GROUP_TYPE_RESOURCE_GROUP | GroupTypeFlags.GROUP_TYPE_SECURITY_ENABLED,
            gType,
            @"The groupType attribute of Denied RODC Password 
Replication Group Well-Known Domain-Relative Security Principals is {GROUP_TYPE_RESOURCE_GROUP|GROUP_TYPE_SECURITY_ENABLED} This means that in groupType field the two above bits are set, which means that the groupType is 0x80000004.");
    }
}
/// <summary>
/// Creates and saves a group under <paramref name="containerId"/> whose common name is
/// made unique within that container and whose sAMAccountName is supplied by the caller.
/// </summary>
/// <param name="session">Recipient session used for the uniqueness probe and the save.</param>
/// <param name="dom">Domain id; accepted for signature parity with the other overload but not used here.</param>
/// <param name="containerId">Parent container of the new group.</param>
/// <param name="groupNameOrig">Requested common name; FindUniqueCN may alter it.</param>
/// <param name="groupDescription">Single description value stored on the group.</param>
/// <param name="groupSam">sAMAccountName to assign (assumed already unique by the caller).</param>
/// <param name="groupType">groupType bits (scope and SecurityEnabled) for the new group.</param>
/// <param name="orgId">Organization the group is stamped with.</param>
/// <returns>The saved group.</returns>
internal static ADGroup CreateUniqueChildSG(IRecipientSession session, ADObjectId dom, ADObjectId containerId, string groupNameOrig, string groupDescription, string groupSam, GroupTypeFlags groupType, OrganizationId orgId)
{
    string uniqueCn = InitializeExchangeUniversalGroups.FindUniqueCN(session, containerId, groupNameOrig);
    ADGroup newGroup = new ADGroup(session, uniqueCn, containerId, groupType);

    MultiValuedProperty<string> descriptionValues = new MultiValuedProperty<string>();
    descriptionValues.Add(groupDescription);
    newGroup[ADRecipientSchema.Description] = descriptionValues;

    newGroup.SamAccountName = groupSam;
    newGroup.OrganizationId = orgId;

    InitializeExchangeUniversalGroups.SaveGroup(session, containerId, newGroup);
    TaskLogger.Trace(Strings.InfoCreatedGroup(newGroup.DistinguishedName));
    return newGroup;
}
/// <summary>
/// Convenience overload: derives a sAMAccountName that is unique within
/// <paramref name="dom"/> from <paramref name="groupNameOrig"/>, then creates the group
/// through the full overload.
/// </summary>
/// <param name="session">Recipient session used for the uniqueness probes and the save.</param>
/// <param name="dom">Domain in which the sAMAccountName must be unique.</param>
/// <param name="containerId">Parent container of the new group.</param>
/// <param name="groupNameOrig">Requested name, used for both the CN and the sAMAccountName.</param>
/// <param name="groupDescription">Single description value stored on the group.</param>
/// <param name="groupType">groupType bits (scope and SecurityEnabled) for the new group.</param>
/// <param name="orgId">Organization the group is stamped with.</param>
/// <returns>The saved group.</returns>
internal static ADGroup CreateUniqueChildSG(IRecipientSession session, ADObjectId dom, ADObjectId containerId, string groupNameOrig, string groupDescription, GroupTypeFlags groupType, OrganizationId orgId)
{
    string uniqueSam = InitializeExchangeUniversalGroups.FindUniqueSamAccountName(session, dom, groupNameOrig);
    ADGroup created = InitializeExchangeUniversalGroups.CreateUniqueChildSG(
        session, dom, containerId, groupNameOrig, groupDescription, uniqueSam, groupType, orgId);
    return created;
}
/// <summary>
/// Returns the forest-wide Exchange group identified by <paramref name="wkGuid"/>, creating
/// it when it does not exist. An already-resolvable group is accepted only if it is a Group
/// recipient carrying every bit of <paramref name="groupType"/> (and is a RoleGroup when
/// <paramref name="createAsRoleGroup"/> is set); its well-known link on the Exchange config
/// container is added if missing. Otherwise, after checking that neither config container
/// already holds a stale link for the GUID, a new group is created in the root domain and
/// linked; group and link are rolled back together in the finally block.
/// </summary>
/// <param name="usgContainer">OU a new group is created under.</param>
/// <param name="groupName">Requested name of the group.</param>
/// <param name="groupId">Role-group id used for localization when createAsRoleGroup is set.</param>
/// <param name="wkGuid">Well-known GUID that links the Exchange config container to the group.</param>
/// <param name="groupDescription">Description stored on the group.</param>
/// <param name="groupType">groupType bits an existing group must carry / a new plain group is created with.</param>
/// <param name="createAsRoleGroup">Create (or require) an RBAC role group instead of a plain security group.</param>
/// <returns>The existing or newly created group.</returns>
private ADGroup CreateGroup(ADOrganizationalUnit usgContainer, string groupName, int groupId, Guid wkGuid, string groupDescription, GroupTypeFlags groupType, bool createAsRoleGroup)
{
    ADRecipient adrecipient = base.ResolveExchangeGroupGuid<ADRecipient>(wkGuid);
    DNWithBinary dnwithBinary = null;
    if (adrecipient != null)
    {
        // Existing-group path. base.WriteError is expected to terminate the task; the
        // statements following each call assume the error case did not fall through.
        base.LogReadObject(adrecipient);
        if (adrecipient.RecipientType != RecipientType.Group)
        {
            base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adrecipient.Id.DistinguishedName, groupType.ToString()), ErrorCategory.NotSpecified, null);
        }
        ADGroup adgroup = adrecipient as ADGroup;
        // Second read-log of the same object (adgroup is the recipient resolved above).
        base.LogReadObject(adgroup);

        // NOTE(security): the group the well-known GUID resolves to is adopted as-is; only its
        // groupType bits and (for role groups) RecipientTypeDetails are checked, not its
        // location in the forest. A group with extra bits beyond groupType still passes.
        if ((adgroup.GroupType & groupType) != groupType)
        {
            base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adgroup.Id.DistinguishedName, groupType.ToString()), ErrorCategory.NotSpecified, null);
        }
        if (createAsRoleGroup && adgroup.RecipientTypeDetails != RecipientTypeDetails.RoleGroup)
        {
            base.WriteError(new InvalidWKObjectTargetException(wkGuid.ToString(), "CN=Microsoft Exchange,CN=Services," + this.configurationSession.ConfigurationNamingContext.DistinguishedName, adgroup.Id.DistinguishedName, RecipientTypeDetails.RoleGroup.ToString()), ErrorCategory.NotSpecified, null);
        }
        base.WriteVerbose(Strings.InfoGroupAlreadyPresent(adgroup.Id.DistinguishedName));

        // Make sure the Exchange config container links to the group (repairs a missing link).
        dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(this.exchangeConfigContainer.OtherWellKnownObjects, wkGuid);
        if (dnwithBinary == null)
        {
            dnwithBinary = this.CreateWKGuid(this.exchangeConfigContainer, adgroup.Id, wkGuid);
        }
        if (createAsRoleGroup)
        {
            InitializeExchangeUniversalGroups.UpgradeRoleGroupLocalization(adgroup, groupId, groupDescription, this.rootDomainRecipientSession);
        }
        return (adgroup);
    }

    // No group resolved: a link for this GUID on either config container would be stale
    // (it points at nothing resolvable) and is treated as an error rather than overwritten.
    ADContainer adcontainer = this.exchangeConfigContainer;
    dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(adcontainer.OtherWellKnownObjects, wkGuid);
    if (dnwithBinary == null)
    {
        adcontainer = this.configContainer;
        dnwithBinary = DirectoryCommon.FindWellKnownObjectEntry(adcontainer.OtherWellKnownObjects, wkGuid);
    }
    if (dnwithBinary != null)
    {
        base.WriteError(new InvalidWKObjectException(dnwithBinary.ToString(), adcontainer.DistinguishedName), ErrorCategory.NotSpecified, null);
    }

    ADGroup adgroup2 = null;
    try
    {
        if (createAsRoleGroup)
        {
            adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueRoleGroup(this.rootDomainRecipientSession, this.rootDomain.Id, usgContainer.Id, groupName, groupId, groupDescription, OrganizationId.ForestWideOrgId);
        }
        else
        {
            adgroup2 = InitializeExchangeUniversalGroups.CreateUniqueChildSG(this.rootDomainRecipientSession, this.rootDomain.Id, usgContainer.Id, groupName, groupDescription, groupType, OrganizationId.ForestWideOrgId);
        }
        dnwithBinary = this.CreateWKGuid(this.exchangeConfigContainer, adgroup2.Id, wkGuid);
    }
    finally
    {
        // Keep group and link consistent: remove a link without a group, or a group without a link.
        // (dnwithBinary is null on entry to the try, so the first branch only matters if
        // WriteError above returned instead of terminating.)
        if (adgroup2 == null && dnwithBinary != null)
        {
            this.exchangeConfigContainer.OtherWellKnownObjects.Remove(dnwithBinary);
            this.domainConfigurationSession.Save(this.exchangeConfigContainer);
            base.LogWriteObject(this.exchangeConfigContainer);
        }
        else if (adgroup2 != null && dnwithBinary == null)
        {
            this.rootDomainRecipientSession.Delete(adgroup2);
            base.LogWriteObject(adgroup2);
            adgroup2 = null;
        }
    }
    return (adgroup2);
}