public void AddAccessRule(ActiveDirectoryAccessRule rule) { if (!this.DaclRetrieved()) { throw new InvalidOperationException(Res.GetString("CannotModifyDacl")); } base.AddAccessRule(rule); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { if (!this.DaclRetrieved()) { throw new InvalidOperationException(Res.GetString("CannotModifyDacl")); } return(base.RemoveAccessRule(rule)); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { if (!DaclRetrieved()) { throw new InvalidOperationException(SR.CannotModifyDacl); } return(base.RemoveAccessRule(rule)); }
public void SetAccessRule(ActiveDirectoryAccessRule rule) { if (!DaclRetrieved()) { throw new InvalidOperationException(SR.CannotModifyDacl); } base.SetAccessRule(rule); }
public void ResetAccessRule(ActiveDirectoryAccessRule rule) { if (!DaclRetrieved()) { throw new InvalidOperationException(Res.GetString(Res.CannotModifyDacl)); } base.ResetAccessRule(rule); }
public void RemoveAccessRuleSpecific(ActiveDirectoryAccessRule rule) { if (!DaclRetrieved()) { throw new InvalidOperationException(SR.CannotModifyDacl); } base.RemoveAccessRuleSpecific(rule); }
public void RemoveAccess(IdentityReference identity, AccessControlType type) { if (!this.DaclRetrieved()) { throw new InvalidOperationException(Res.GetString("CannotModifyDacl")); } ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.GenericRead, type, ActiveDirectorySecurityInheritance.None); base.RemoveAccessRuleAll(rule); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { if (this.DaclRetrieved()) { return(base.RemoveAccessRule(rule)); } else { throw new InvalidOperationException("CannotModifyDacl"); } }
public void AddAccessRule(ActiveDirectoryAccessRule rule) { if (this.DaclRetrieved()) { base.AddAccessRule(rule); return; } else { throw new InvalidOperationException("CannotModifyDacl"); } }
public void RemoveAccess(IdentityReference identity, AccessControlType type) { if (!DaclRetrieved()) { throw new InvalidOperationException(SR.CannotModifyDacl); } // // Create a new rule // ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule( identity, ActiveDirectoryRights.GenericRead, // will be ignored type, ActiveDirectorySecurityInheritance.None); base.RemoveAccessRuleAll(rule); }
public void ResetAccessRule(ActiveDirectoryAccessRule rule) { throw new NotImplementedException(); }
public void RemoveAccessRuleSpecific(ActiveDirectoryAccessRule rule) { throw new NotImplementedException(); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { throw new NotImplementedException(); }
protected override void ProcessRecord() { //OU can be passed as name or as dn var OUs = DirectoryUtils.GetOU(Identity); if (OUs.Count > 1) { foreach (ObjectInfo ou in OUs) { WriteObject(ou); } throw new AmbiguousResultException("More than one object found, search using distinguishedName instead"); } if (OUs.Count == 0) { throw new NotFoundException("Object not found"); } ActiveDirectorySecurity sec = DirectoryUtils.GetObjectSecurity(conn, OUs[0].DistinguishedName, System.DirectoryServices.Protocols.SecurityMasks.Dacl); //apply permissions only to computer objects Guid inheritedObjectGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, "computer", SchemaObjectType.Class); Guid timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute); Guid pwdGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.SchemaNamingContext, Constants.PasswordAttributeName, SchemaObjectType.Attribute); //System.DirectoryServices.PropertyAccessRule rule; System.DirectoryServices.ActiveDirectoryAccessRule rule; foreach (string principalName in AllowedPrincipals) { System.Security.Principal.NTAccount principal = new System.Security.Principal.NTAccount(principalName); // read ms-Mcs-AdmPwdExpirationTime on computer objects rule = new System.DirectoryServices.PropertyAccessRule(principal, System.Security.AccessControl.AccessControlType.Allow, PropertyAccess.Read, timestampGuid, ActiveDirectorySecurityInheritance.Descendents, inheritedObjectGuid ); sec.AddAccessRule(rule); // read ms-Mcs-AdmPwd on computer objects rule = new System.DirectoryServices.PropertyAccessRule(principal, System.Security.AccessControl.AccessControlType.Allow, PropertyAccess.Read, pwdGuid, ActiveDirectorySecurityInheritance.Descendents, inheritedObjectGuid ); sec.AddAccessRule(rule); // control access on ms-Mcs-AdmPwd on computer objects rule = new System.DirectoryServices.ActiveDirectoryAccessRule(principal, ActiveDirectoryRights.ExtendedRight, System.Security.AccessControl.AccessControlType.Allow, pwdGuid, ActiveDirectorySecurityInheritance.Descendents, inheritedObjectGuid ); sec.AddAccessRule(rule); } DirectoryUtils.SetObjectSecurity(conn, OUs[0].DistinguishedName, sec, System.DirectoryServices.Protocols.SecurityMasks.Dacl); WriteObject(OUs[0]); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { if (!DaclRetrieved()) { throw new InvalidOperationException(Res.GetString(Res.CannotModifyDacl)); } return base.RemoveAccessRule(rule); }
public void SetAccessRule(ActiveDirectoryAccessRule rule) { if (!DaclRetrieved()) { throw new InvalidOperationException(Res.GetString(Res.CannotModifyDacl)); } base.SetAccessRule(rule); }
public void AddAccessRule(ActiveDirectoryAccessRule rule) { Contract.Requires(rule != null); }
public void RemoveAccess(IdentityReference identity, AccessControlType type) { if (!DaclRetrieved()) { throw new InvalidOperationException(Res.GetString(Res.CannotModifyDacl)); } // // Create a new rule // ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule( identity, ActiveDirectoryRights.GenericRead, // will be ignored type, ActiveDirectorySecurityInheritance.None); base.RemoveAccessRuleAll(rule); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { if (this.DaclRetrieved()) { return base.RemoveAccessRule(rule); } else { throw new InvalidOperationException("CannotModifyDacl"); } }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { Contract.Requires(rule != null); return(default(bool)); }
internal override void AdjustADSecurity(string objPath, string securityGroupPath, bool isAddressBook) { ExchangeLog.LogStart("AdjustADSecurity"); ExchangeLog.DebugInfo(" Active Direcory object: {0}", objPath); ExchangeLog.DebugInfo(" Security Group: {0}", securityGroupPath); if (isAddressBook) { ExchangeLog.DebugInfo(" Updating Security"); //"Download Address Book" security permission for offline address book Guid openAddressBookGuid = new Guid("{bd919c7c-2d79-4950-bc9c-e16fd99285e8}"); DirectoryEntry groupEntry = GetADObject(securityGroupPath); byte[] byteSid = (byte[])GetADObjectProperty(groupEntry, "objectSid"); DirectoryEntry objEntry = GetADObject(objPath); ActiveDirectorySecurity security = objEntry.ObjectSecurity; // Create a SecurityIdentifier object for security group. SecurityIdentifier groupSid = new SecurityIdentifier(byteSid, 0); // Create an access rule to allow users in Security Group to open address book. ActiveDirectoryAccessRule allowOpenAddressBook = new ActiveDirectoryAccessRule( groupSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, openAddressBookGuid); // Create an access rule to allow users in Security Group to read object. ActiveDirectoryAccessRule allowRead = new ActiveDirectoryAccessRule( groupSid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow); // Remove existing rules if exist security.RemoveAccessRuleSpecific(allowOpenAddressBook); security.RemoveAccessRuleSpecific(allowRead); // Add a new access rule to allow users in Security Group to open address book. security.AddAccessRule(allowOpenAddressBook); // Add a new access rule to allow users in Security Group to read object. security.AddAccessRule(allowRead); // Commit the changes. objEntry.CommitChanges(); } ExchangeLog.LogEnd("AdjustADSecurity"); }
public void ResetAccessRule (ActiveDirectoryAccessRule rule) { throw new NotImplementedException (); }
/// <summary> /// Set the security rights on a computer object to allow users in the JoinToComputer group to join to computer objects. /// </summary> /// <param name="compName">The computer object name to set permissions on</param> /// <param name="ouContainer">The container where the computer object resides.</param> private void SetSecurityRights(string compName, string ouContainer) { string qString = "(&(name=" + compName + ")(objectClass=computer))"; ExecuteResult result = this.ExecuteSearch(qString, false, ouContainer); //TODO: add group to security var computer = result.singleResult.GetDirectoryEntry(); ActiveDirectorySecurity sdc = computer.ObjectSecurity; NTAccount Account = new NTAccount("capstone", "JoinToComputer"); SecurityIdentifier sid = (SecurityIdentifier)Account.Translate(typeof(SecurityIdentifier)); Guid userSchemaGuid = new Guid("BF967ABA-0DE6-11D0-A285-00AA003049E2"); Guid computerSchemaGuid = new Guid("bf967a86-0de6-11d0-a285-00aa003049e2"); Guid UserForceChangePassword = new Guid("00299570-246d-11d0-a768-00aa006e0529"); // ‘Reset password’ Guid dnsHostNameGuid = new Guid("72e39547-7b18-11d1-adef-00c04fd8d5cd"); // ‘Validated write to DNS host name’ Guid rwAccountRestrictions = new Guid("4c164200-20c0-11d0-a768-00aa006e0529"); // ‘Read and write account restrictions’ Guid wServicePrincipalName = new Guid("f3a64788-5306-11d1-a9c5-0000f80367c1"); // ‘Validated write to service principal name’ ActiveDirectoryAccessRule acctRestrictionsRW = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, rwAccountRestrictions, ActiveDirectorySecurityInheritance.None); sdc.AddAccessRule(acctRestrictionsRW); ActiveDirectoryAccessRule dnsHostNameEdit = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.Self, AccessControlType.Allow, dnsHostNameGuid, ActiveDirectorySecurityInheritance.None); sdc.AddAccessRule(dnsHostNameEdit); ActiveDirectoryAccessRule valSPN = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.Self, AccessControlType.Allow, wServicePrincipalName, ActiveDirectorySecurityInheritance.None); sdc.AddAccessRule(valSPN); ExtendedRightAccessRule erarResetPwd = new ExtendedRightAccessRule(Account, AccessControlType.Allow, UserForceChangePassword, ActiveDirectorySecurityInheritance.None, userSchemaGuid); sdc.AddAccessRule(erarResetPwd); /* may require the below line * * Guid userAccountControlGuid = GUID('bf967a68-0de6-11d0-a285-00aa003049e2'); * ActiveDirectoryAccessRule userAccountControlEdit = new ActiveDirectoryAccessRule(Account, ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty, AccessControlType.Allow, userAccountControlGuid, ActiveDirectorySecurityInheritance.None); * sdc.AddAccessRule(userAccountControlEdit); * * */ //commit and cleanup computer.CommitChanges(); computer.Close(); computer.Dispose(); }
public void AddAccessRule(ActiveDirectoryAccessRule adar) { throw new NotImplementedException("ActiveDirectorySecurity.AddAccessRule"); }
public void RemoveAccess(IdentityReference identity, AccessControlType type) { if (this.DaclRetrieved()) { ActiveDirectoryAccessRule activeDirectoryAccessRule = new ActiveDirectoryAccessRule(identity, ActiveDirectoryRights.GenericRead, type, ActiveDirectorySecurityInheritance.None); base.RemoveAccessRuleAll(activeDirectoryAccessRule); return; } else { throw new InvalidOperationException("CannotModifyDacl"); } }
public void RemoveAccessRuleSpecific(ActiveDirectoryAccessRule rule) { Contract.Requires(rule != null); }
/// <summary> /// Add read rights to the OU /// </summary> /// <param name="oupath"></param> /// <param name="groupName"></param> public void AddReadRights(string oupath, string groupName) { using (DirectoryEntry de = new DirectoryEntry("LDAP://" + this.domainController + "/" + oupath, this.username, this.password)) { using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, this.domainController, this.username, this.password)) { try { GroupPrincipal gp = GroupPrincipal.FindByIdentity(pc, IdentityType.Name, groupName.Replace(" ", string.Empty)); if (gp == null) throw new Exception("Unable to find the group or user specified."); else { ActiveDirectoryAccessRule ar = new ActiveDirectoryAccessRule(gp.Sid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow); de.ObjectSecurity.AddAccessRule(ar); de.CommitChanges(); } } catch (Exception ex) { throw; } } } }
public bool RemoveAccessRule (ActiveDirectoryAccessRule rule) { throw new NotImplementedException (); }
public void RemoveAccessRuleSpecific (ActiveDirectoryAccessRule rule) { throw new NotImplementedException (); }
public bool RemoveAccessRule(ActiveDirectoryAccessRule rule) { Contract.Requires(rule != null); return default(bool); }