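// Token: 0x0600045C RID: 1116 RVA: 0x0000F930 File Offset: 0x0000DB30
/// <summary>
/// Verifies that at least one server hosting <paramref name="database"/> lies within the write
/// scopes of <paramref name="adConfigSession"/>; otherwise reports an error through
/// <paramref name="errorHandler"/>.
/// </summary>
/// <param name="database">The database whose hosting server(s) are checked. For databases where
/// <c>IsExchange2009OrLater</c> is set the whole <c>Servers</c> list is used, otherwise the single
/// <c>Server</c>.</param>
/// <param name="errorHandler">Callback used to report failures. A <see cref="NoServersForDatabaseException"/>
/// (category Client) is reported when the database lists no servers; an
/// <see cref="IsOutofDatabaseScopeException"/> (category Authorization) when no server is within scope.</param>
/// <param name="adConfigSession">Session whose write scopes each mailbox server is checked against.</param>
/// <remarks>
/// The handler is presumably expected to terminate the task (a WriteError-style delegate); the early
/// <c>return</c> after the "no servers" report only protects against a handler that returns normally,
/// which would otherwise iterate a null list and dereference a null scope exception.
/// </remarks>
internal static void VerifyServerIsWithinScope(Database database, Task.ErrorLoggerDelegate errorHandler, ITopologyConfigurationSession adConfigSession)
{
    ADObjectId[] servers = database.IsExchange2009OrLater ? database.Servers : new ADObjectId[] { database.Server };
    if (servers == null || servers.Length == 0)
    {
        errorHandler(new NoServersForDatabaseException(database.Name), ExchangeErrorCategory.Client, null);
        // Nothing to check; do not fall through to the scope check if the handler returned.
        return;
    }

    ADScopeException scopeException = null;
    foreach (ADObjectId serverId in servers)
    {
        Server mailboxServer = MapiTaskHelper.GetMailboxServer(new ServerIdParameter(serverId), adConfigSession, errorHandler);
        // A single in-scope server is sufficient; stop at the first hit.
        if (adConfigSession.TryVerifyIsWithinScopes(mailboxServer, true, out scopeException))
        {
            return;
        }
    }

    // scopeException holds the failure for the last server checked (earlier ones were overwritten);
    // guard against a null exception so the authorization error is still reported.
    string reason = (scopeException == null) ? string.Empty : scopeException.Message;
    errorHandler(new IsOutofDatabaseScopeException(database.Name, reason), ExchangeErrorCategory.Authorization, null);
}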
/// <summary>
/// Resolves the executing user's <see cref="ADObjectId"/> and enforces the group-ownership rules for
/// <paramref name="group"/>.
/// </summary>
/// <param name="task">Task used to obtain the executing user and to emit verbose/error output.</param>
/// <param name="dataSession">Session whose write scopes the group is checked against.</param>
/// <param name="gcSession">Global-catalog session handed to the manager validation.</param>
/// <param name="group">The group being modified; its <c>IsExecutingUserGroupOwner</c> flag is updated
/// and change tracking for that flag is reset before returning.</param>
/// <param name="bypassSecurityGroupManagerCheck">When <c>true</c>, skips the manager requirement that
/// otherwise applies to <c>MailUniversalSecurityGroup</c> recipients.</param>
/// <returns>The executing user's id as reported by <c>task.TryGetExecutingUserId</c> (may be <c>null</c>).</returns>
/// <remarks>
/// Two checks are combined. (1) If the executing user is known and the group is outside the session's
/// write scopes, a "deep search" verifies whether the executing user manages the group; the outcome is
/// captured rather than reported immediately and stored in <c>IsExecutingUserGroupOwner</c>.
/// (2) For <c>MailUniversalSecurityGroup</c> recipients (unless bypassed) the executing user must be
/// known and must be a manager: a captured deep-search failure is then reported via
/// <c>task.WriteError</c>; if no deep search ran, the manager validation reports directly through
/// <c>task.WriteError</c>. Note that a scope failure on a non-security group is therefore only
/// recorded in the ownership flag, not reported as an error by this method.
/// </remarks>
internal static ADObjectId GetExecutingUserAndCheckGroupOwnership(Task task, IDirectorySession dataSession, IRecipientSession gcSession, ADGroup group, bool bypassSecurityGroupManagerCheck)
{
    ADObjectId executingUserId;
    bool executingUserKnown = task.TryGetExecutingUserId(out executingUserId);

    // Outcome of the deep ownership search, captured instead of reported immediately.
    LocalizedException deepSearchError = null;
    ExchangeErrorCategory deepSearchCategory = ExchangeErrorCategory.Client;
    object deepSearchTarget = null;
    bool deepSearchPerformed = false;
    ADScopeException scopeException = null;

    bool groupOutOfScope = executingUserKnown
        && executingUserId != null
        && !dataSession.TryVerifyIsWithinScopes(group, true, out scopeException);
    if (groupOutOfScope)
    {
        task.WriteVerbose(Strings.VerboseDGOwnershipDeepSearch(executingUserId.ToString(), group.Identity.ToString()));
        RecipientTaskHelper.ValidateUserIsGroupManager(
            executingUserId,
            group,
            delegate(LocalizedException exception, ExchangeErrorCategory category, object target)
            {
                // Capture only; the security-group branch below decides whether to report it.
                deepSearchError = exception;
                deepSearchCategory = category;
                deepSearchTarget = target;
            },
            true,
            gcSession);
        deepSearchPerformed = true;
        group.IsExecutingUserGroupOwner = (deepSearchError == null);
    }

    bool managerCheckRequired = RecipientType.MailUniversalSecurityGroup == group.RecipientType && !bypassSecurityGroupManagerCheck;
    if (managerCheckRequired)
    {
        if (!executingUserKnown)
        {
            task.WriteError(new RecipientTaskException(Strings.ErrorExecutingUserOutOfTargetOrg(task.MyInvocation.MyCommand.Name)), ExchangeErrorCategory.Client, group.Identity.ToString());
        }

        if (deepSearchPerformed)
        {
            if (deepSearchError != null)
            {
                task.WriteError(deepSearchError, deepSearchCategory, deepSearchTarget);
            }
        }
        else
        {
            task.WriteVerbose(Strings.VerboseDGOwnershipDeepSearch(executingUserId.ToString(), group.Identity.ToString()));
            RecipientTaskHelper.ValidateUserIsGroupManager(executingUserId, group, new Task.ErrorLoggerDelegate(task.WriteError), true, gcSession);
            group.IsExecutingUserGroupOwner = true;
        }
    }

    // The ownership flag is bookkeeping for this task; clear its change tracking so it is not persisted as a modification.
    group.propertyBag.ResetChangeTracking(ADGroupSchema.IsExecutingUserGroupOwner);
    return executingUserId;
}
/// <summary>
/// Enforces RBAC write scope for the target of this permission change: re-reads the target through a
/// session built from the executing user's scope set and fails the task if the object cannot be found
/// or is not within that session's write scopes.
/// </summary>
/// <remarks>
/// Recipient-like object classes are checked through a recipient session; a fixed list of configuration
/// object classes through a configuration session. An object whose class matches neither list is not
/// verified here at all — NOTE(review): confirm that callers gate such objects elsewhere, because this
/// method silently accepts them.
/// Every failure path calls <c>base.WriteError</c> and relies on it terminating the task; the code that
/// follows a not-found report would otherwise dereference a null object.
/// </remarks>
private void CheckRbac()
{
    ADScopeException ex = null;
    MultiValuedProperty<string> multiValuedProperty = (MultiValuedProperty<string>)this.DataObject[ADObjectSchema.ObjectClass];
    if (multiValuedProperty.Contains("person") || multiValuedProperty.Contains("msExchDynamicDistributionList") || multiValuedProperty.Contains("group") || multiValuedProperty.Contains("publicFolder") || multiValuedProperty.Contains("msExchPublicMDB") || multiValuedProperty.Contains("msExchSystemMailbox") || multiValuedProperty.Contains(ADMicrosoftExchangeRecipient.MostDerivedClass) || multiValuedProperty.Contains("exchangeAdminService") || multiValuedProperty.Contains("computer"))
    {
        // Recipient session scoped by the executing user's scope set; the trailing line/method/path
        // arguments are presumably call-site diagnostics forwarded to the session factory.
        IRecipientSession tenantOrRootOrgRecipientSession = DirectorySessionFactory.Default.GetTenantOrRootOrgRecipientSession(base.DomainController, true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromCustomScopeSet(base.ScopeSet, this.DataObject.Id, base.CurrentOrganizationId, base.ExecutingUserOrganizationId, true), 581, "CheckRbac", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\RecipientTasks\\permission\\SetADPermissionTaskBase.cs");
        ADRecipient adrecipient = tenantOrRootOrgRecipientSession.Read(this.DataObject.Id);
        if (adrecipient == null)
        {
            // Relies on WriteError not returning; adrecipient is dereferenced below.
            base.WriteError(new ManagementObjectNotFoundException(Strings.ErrorObjectNotFound(this.Identity.ToString())), ErrorCategory.InvalidArgument, null);
        }
        if (!tenantOrRootOrgRecipientSession.TryVerifyIsWithinScopes(adrecipient, true, out ex))
        {
            base.WriteError(new TaskInvalidOperationException(Strings.ErrorCannotChangeObjectOutOfWriteScope(adrecipient.Identity.ToString(), (ex == null) ? string.Empty : ex.Message), ex), ExchangeErrorCategory.Client, adrecipient.Identity);
            return;
        }
    }
    else
    {
        ADObject adobject = null;
        // flag: set only when the object class is one of the known configuration classes below.
        bool flag = false;
        IConfigurationSession tenantOrTopologyConfigurationSession = DirectorySessionFactory.Default.GetTenantOrTopologyConfigurationSession(base.DomainController, true, ConsistencyMode.PartiallyConsistent, ADSessionSettings.FromCustomScopeSet(base.ScopeSet, this.DataObject.Id, base.CurrentOrganizationId, base.ExecutingUserOrganizationId, true), 620, "CheckRbac", "f:\\15.00.1497\\sources\\dev\\Management\\src\\Management\\RecipientTasks\\permission\\SetADPermissionTaskBase.cs");
        // First matching class wins; the object is re-read with its concrete type so the scope check
        // runs against a typed configuration object.
        if (multiValuedProperty.Contains("msExchOabVirtualDirectory"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<ADOabVirtualDirectory>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("ServiceConnectionPoint"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<ADServiceConnectionPoint>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("RpcClientAccess"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<ExchangeRpcClientAccess>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchProtocolCfgHTTPContainer"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<HttpContainer>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchProtocolCfgIMAPContainer"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<Imap4Container>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchInformationStore"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<InformationStore>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("mTA"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<MicrosoftMTAConfiguration>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchProtocolCfgPOPContainer"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<Pop3Container>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("protocolCfgSharedServer"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<ProtocolsContainer>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchSmtpReceiveConnector"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<ReceiveConnector>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchExchangeServer"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<Server>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchProtocolCfgSMTPContainer"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<SmtpContainer>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("protocolCfgSMTPServer"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<SmtpVirtualServerConfiguration>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchMDB"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<Database>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("msExchPrivateMDB"))
        {
            adobject = tenantOrTopologyConfigurationSession.Read<MailboxDatabase>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains(ADOrganizationalUnit.MostDerivedClass))
        {
            // OUs and domains are not in the configuration naming context; switch the session
            // off the config NC before reading (must precede the Read call).
            tenantOrTopologyConfigurationSession.UseConfigNC = false;
            adobject = tenantOrTopologyConfigurationSession.Read<ADOrganizationalUnit>(this.DataObject.Id);
            flag = true;
        }
        else if (multiValuedProperty.Contains("domain"))
        {
            tenantOrTopologyConfigurationSession.UseConfigNC = false;
            adobject = tenantOrTopologyConfigurationSession.Read<ADDomain>(this.DataObject.Id);
            flag = true;
        }
        // When flag is false (unrecognised class) no read and no scope verification happens.
        if (flag)
        {
            if (adobject == null)
            {
                // Relies on WriteError not returning; adobject is dereferenced below.
                base.WriteError(new ManagementObjectNotFoundException(Strings.ErrorObjectNotFound(this.Identity.ToString())), ErrorCategory.InvalidArgument, null);
            }
            if (!tenantOrTopologyConfigurationSession.TryVerifyIsWithinScopes(adobject, true, out ex))
            {
                base.WriteError(new TaskInvalidOperationException(Strings.ErrorCannotChangeObjectOutOfWriteScope(adobject.Identity.ToString(), (ex == null) ? string.Empty : ex.Message), ex), ExchangeErrorCategory.Client, adobject.Identity);
            }
        }
    }
}
/// <summary>
/// Prepares the <see cref="ADGroup"/> being modified: applies the group naming policy to a changed
/// Name/DisplayName, performs the executing-user scope and ownership checks, applies ManagedBy and the
/// member join/depart restrictions, and resolves the arbitration mailbox.
/// </summary>
/// <returns>The prepared group (the object returned by <c>base.PrepareDataObject()</c>).</returns>
/// <remarks>
/// Scope handling: when the executing user is known but the group is outside the data session's write
/// scopes, the task does not fail immediately; it checks whether the executing user manages the group and
/// records the outcome in <c>IsExecutingUserGroupOwner</c>. The error callback used for that check only
/// clears the flag, so a non-manager is not reported at that point.
/// For security-enabled groups, a change to ManagedBy, GrantSendOnBehalfTo, Name or SamAccountName
/// additionally requires the executing user to be a manager (reported via <c>base.WriteError</c>) unless
/// <c>BypassSecurityGroupManagerCheck</c> is set — but only when the out-of-scope deep search did not run.
/// NOTE(review): because of the <c>!flag2</c> condition, an executing user who is outside scope and whose
/// deep search failed is not rejected by this method; confirm a later check covers that case.
/// </remarks>
protected override IConfigurable PrepareDataObject()
{
    TaskLogger.LogEnter();
    ADGroup group = (ADGroup)base.PrepareDataObject();
    this.flagCloseGroupMemberJoinForNoArbitrationMbx = false;
    this.flagCloseGroupMemberDepartForNoArbitrationMbx = false;
    this.UpdateRecipientDisplayType(group);
    ADObjectId adobjectId;
    // flag: whether the executing user's id could be resolved.
    bool flag = base.TryGetExecutingUserId(out adobjectId);
    // Naming policy applies only when Name or DisplayName was explicitly supplied and not bypassed.
    if (!this.IgnoreNamingPolicy.IsPresent && (base.UserSpecifiedParameters.IsChanged(ADObjectSchema.Name.Name) || base.UserSpecifiedParameters.IsChanged(MailEnabledRecipientSchema.DisplayName.Name)))
    {
        Organization organization;
        if (group.OrganizationId.ConfigurationUnit == null && group.OrganizationId.OrganizationalUnit == null)
        {
            organization = this.ConfigurationSession.GetOrgContainer();
        }
        else
        {
            organization = this.ConfigurationSession.Read<ExchangeConfigurationUnit>(group.OrganizationId.ConfigurationUnit);
        }
        if (flag)
        {
            IRecipientSession recipientSession = RecipientTaskHelper.CreatePartitionOrRootOrgScopedGcSession(null, adobjectId);
            ADUser user = (ADUser)recipientSession.Read(adobjectId);
            if (base.UserSpecifiedParameters.IsChanged(ADObjectSchema.Name.Name))
            {
                group.Name = DistributionGroupTaskHelper.GetGroupNameWithNamingPolicy(organization, user, group, group.Name, ADObjectSchema.Name, new Task.ErrorLoggerDelegate(base.WriteError));
            }
            if (base.UserSpecifiedParameters.IsChanged(MailEnabledRecipientSchema.DisplayName.Name))
            {
                group.DisplayName = DistributionGroupTaskHelper.GetGroupNameWithNamingPolicy(organization, user, group, group.DisplayName, ADRecipientSchema.DisplayName, new Task.ErrorLoggerDelegate(base.WriteError));
            }
        }
    }
    // flag2: the out-of-scope ownership deep search ran.
    bool flag2 = false;
    ADScopeException ex = null;
    if (flag && adobjectId != null && !((IDirectorySession)base.DataSession).TryVerifyIsWithinScopes(group, true, out ex))
    {
        // Optimistically mark ownership; the callback below clears it if the user is not a manager.
        group.IsExecutingUserGroupOwner = true;
        flag2 = true;
        base.WriteVerbose(Strings.VerboseDGOwnershipDeepSearch(adobjectId.ToString(), group.Identity.ToString()));
        RecipientTaskHelper.ValidateUserIsGroupManager(adobjectId, group, delegate(LocalizedException exception, ExchangeErrorCategory category, object taget)
        {
            // Failure is recorded in the flag only; no error is written here.
            group.IsExecutingUserGroupOwner = false;
        }, true, base.TenantGlobalCatalogSession);
        // Keep the ownership flag out of the set of tracked changes.
        group.propertyBag.ResetChangeTracking(ADGroupSchema.IsExecutingUserGroupOwner);
    }
    if (group.RecipientDisplayType == RecipientDisplayType.SecurityDistributionGroup && !flag2 && !this.BypassSecurityGroupManagerCheck && (base.Fields.IsChanged(DistributionGroupSchema.ManagedBy) || base.Fields.IsChanged(MailEnabledRecipientSchema.GrantSendOnBehalfTo) || base.Fields.IsChanged(ADObjectSchema.Name) || base.Fields.IsChanged(DistributionGroupSchema.SamAccountName)))
    {
        if (!flag)
        {
            // Relies on WriteError not returning; adobjectId may be null past this point.
            base.WriteError(new RecipientTaskException(Strings.ErrorExecutingUserOutOfTargetOrg(base.MyInvocation.MyCommand.Name)), ExchangeErrorCategory.Client, group.Identity.ToString());
        }
        // Here a non-manager is reported directly through WriteError.
        RecipientTaskHelper.ValidateUserIsGroupManager(adobjectId, group, new Task.ErrorLoggerDelegate(base.WriteError), true, base.TenantGlobalCatalogSession);
        group.IsExecutingUserGroupOwner = true;
        group.propertyBag.ResetChangeTracking(ADGroupSchema.IsExecutingUserGroupOwner);
    }
    base.SetMultiReferenceParameter<GeneralRecipientIdParameter>(DistributionGroupSchema.ManagedBy, this.ManagedBy, group, new GetRecipientDelegate<GeneralRecipientIdParameter>(this.GetRecipient));
    if (base.Fields.IsModified(ADGroupSchema.MemberJoinRestriction))
    {
        group.MemberJoinRestriction = this.MemberJoinRestriction;
    }
    if (base.Fields.IsModified(ADGroupSchema.MemberDepartRestriction))
    {
        group.MemberDepartRestriction = this.MemberDepartRestriction;
    }
    if (base.Fields.IsModified(ADRecipientSchema.ArbitrationMailbox))
    {
        if (base.ArbitrationMailbox == null)
        {
            base.WriteError(new RecipientTaskException(Strings.ErrorNullParameter(ADRecipientSchema.ArbitrationMailbox.Name)), ExchangeErrorCategory.Client, group.Identity);
        }
        // Unused local; looks like a decompilation artifact.
        ADObjectId arbitrationMailbox = group.ArbitrationMailbox;
    }
    // For groups whose schema version supports an arbitration mailbox, fall back to the organization's
    // arbitration mailbox when none is set or the current one sits under the Deleted Objects container.
    if (!group.ExchangeVersion.IsOlderThan(ADRecipientSchema.ArbitrationMailbox.VersionAdded) && (group.ArbitrationMailbox == null || group.ArbitrationMailbox.IsDescendantOf(ADSession.GetDeletedObjectsContainer(group.ArbitrationMailbox.DomainId))))
    {
        group.ArbitrationMailbox = MailboxTaskHelper.GetArbitrationMailbox(base.TenantGlobalCatalogSession, group.ConfigurationUnit ?? base.RootOrgContainerId);
        if (group.ArbitrationMailbox == null)
        {
            // Approval-based restrictions need an arbitration mailbox: fail if the caller asked for
            // ApprovalRequired explicitly, otherwise silently downgrade to Closed and remember that we did.
            if (group.MemberJoinRestriction == MemberUpdateType.ApprovalRequired)
            {
                if (base.Fields.IsModified(ADGroupSchema.MemberJoinRestriction))
                {
                    base.WriteError(new RecipientTaskException(Strings.ErrorArbitrationMbxNotSetForApproval(this.Identity.ToString())), ExchangeErrorCategory.Client, group.Identity);
                }
                else
                {
                    group.MemberJoinRestriction = MemberUpdateType.Closed;
                    this.flagCloseGroupMemberJoinForNoArbitrationMbx = true;
                }
            }
            if (group.MemberDepartRestriction == MemberUpdateType.ApprovalRequired)
            {
                if (base.Fields.IsModified(ADGroupSchema.MemberDepartRestriction))
                {
                    base.WriteError(new RecipientTaskException(Strings.ErrorArbitrationMbxNotSetForApproval(this.Identity.ToString())), ExchangeErrorCategory.Client, group.Identity);
                }
                else
                {
                    group.MemberDepartRestriction = MemberUpdateType.Closed;
                    this.flagCloseGroupMemberDepartForNoArbitrationMbx = true;
                }
            }
        }
    }
    TaskLogger.LogExit();
    return (group);
}
/// <summary>
/// FFO implementation of <c>IDirectorySession.TryVerifyIsWithinScopes</c>: scope verification is not
/// supported here, so the call is logged as unsupported and every entry is reported as within scope.
/// </summary>
/// <param name="entry">Not inspected.</param>
/// <param name="isModification">Not inspected.</param>
/// <param name="exception">Always set to <c>null</c>; no scope violation is ever produced.</param>
/// <returns>Always <c>true</c>.</returns>
/// <remarks>
/// Because this never fails, a caller that relies on it for write-scope (RBAC) enforcement gets no
/// enforcement from an FFO session; a <c>true</c> result from this implementation is not evidence that
/// any scope check ran.
/// </remarks>
bool IDirectorySession.TryVerifyIsWithinScopes(ADObject entry, bool isModification, out ADScopeException exception)
{
    // Record that an unsupported operation was requested, then report success unconditionally.
    FfoDirectorySession.LogNotSupportedInFFO(null);
    exception = null;
    return true;
}