internal static bool CheckFullAccessPermissions(ADUser executingAdUser, ADUser accessRequestedForADUser, IRecipientSession session) { ExTraceGlobals.TaskTracer.TraceDebug <string, string>(0L, "Checking if {0} has full access for mailbox {1}", executingAdUser.Alias, accessRequestedForADUser.Alias); ActiveManager activeManagerInstance = ActiveManager.GetActiveManagerInstance(); DatabaseLocationInfo serverForDatabase = activeManagerInstance.GetServerForDatabase(accessRequestedForADUser.Database.ObjectGuid); RawSecurityDescriptor rawSecurityDescriptor = null; using (MapiMessageStoreSession mapiMessageStoreSession = new MapiMessageStoreSession(serverForDatabase.ServerLegacyDN, Server.GetSystemAttendantLegacyDN(serverForDatabase.ServerLegacyDN), Fqdn.Parse(serverForDatabase.ServerFqdn))) { MailboxId mailboxId = new MailboxId(new DatabaseId(accessRequestedForADUser.Database.ObjectGuid), accessRequestedForADUser.ExchangeGuid); try { rawSecurityDescriptor = mapiMessageStoreSession.GetMailboxSecurityDescriptor(mailboxId); } catch (MailboxNotFoundException) { ExTraceGlobals.TaskTracer.TraceDebug <MailboxId>(0L, "Could not find mailbox {0} when attempting to read its security descriptor.", mailboxId); return(false); } } byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); int num = AuthzAuthorization.CheckGenericPermission(executingAdUser.Sid, rawSecurityDescriptor, AccessMask.CreateChild); return((num & 1) == 1); }
// Token: 0x060000BB RID: 187 RVA: 0x0000858C File Offset: 0x0000678C private void SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container) { ADDeviceManager.ReadStaticADData(this.protocolLogger); RawSecurityDescriptor rawSecurityDescriptor = null; ADNotificationAdapter.RunADOperation(delegate() { rawSecurityDescriptor = this.session.ReadSecurityDescriptor(container.Id); }); if (rawSecurityDescriptor == null) { if (this.protocolLogger != null) { this.protocolLogger.SetValue(ProtocolLoggerData.Error, "ADObjectWithNoSecurityDescriptor"); } AirSyncPermanentException ex = new AirSyncPermanentException(HttpStatusCode.InternalServerError, StatusCode.ServerError, EASServerStrings.NullNTSD(container.Id.DistinguishedName), true); throw ex; } AirSyncDiagnostics.TraceDebug <string>(this.tracer, this, "Setting ACL on device container for user \"{0}\".", this.userName); ActiveDirectorySecurity acl = new ActiveDirectorySecurity(); byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); acl.SetSecurityDescriptorBinaryForm(array); acl.AddAccessRule(new ActiveDirectoryAccessRule(ADDeviceManager.exchangeServersGroupSid, ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ADDeviceManager.activeSyncDeviceClass, ActiveDirectorySecurityInheritance.None)); acl.AddAccessRule(new ActiveDirectoryAccessRule(ADDeviceManager.exchangeServersGroupSid, ActiveDirectoryRights.Delete | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Children, ADDeviceManager.activeSyncDeviceClass)); ADNotificationAdapter.RunADOperation(delegate() { this.session.SaveSecurityDescriptor(container, new RawSecurityDescriptor(acl.GetSecurityDescriptorBinaryForm(), 0)); }); }
protected override void WriteResult(IConfigurable dataObject) { TaskLogger.LogEnter(); base.HasObjectMatchingIdentity = true; ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, (IConfigurationSession)base.DataSession, new Task.TaskErrorLoggingDelegate(base.WriteError)); if (!base.Owner.IsPresent) { AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); int num = 0; while (accessRules.Count > num) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num]; if (base.SecurityPrincipal == null || (base.SecurityPrincipal != null && base.SecurityPrincipal == activeDirectoryAccessRule.IdentityReference)) { ADAcePresentationObject adacePresentationObject = new ADAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id); adacePresentationObject.ResetChangeTracking(true); base.WriteResult(adacePresentationObject); } num++; } } else { IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount)); base.WriteResult(new OwnerPresentationObject(((ADRawEntry)dataObject).Id, owner.ToString())); } TaskLogger.LogExit(); }
private SecurityDescriptor GetSecurityDescriptorToCheckAgainst() { if (DiagnosticsAggregationServiceImpl.transportServerSecurity == null) { Server localServer = DiagnosticsAggregationServicelet.LocalServer; RawSecurityDescriptor rawSecurityDescriptor = localServer.ReadSecurityDescriptor(); if (rawSecurityDescriptor != null) { try { ActiveDirectorySecurity activeDirectorySecurity = TransportADUtils.SetupActiveDirectorySecurity(rawSecurityDescriptor); DiagnosticsAggregationServiceImpl.transportServerSecurity = new SecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm()); return(DiagnosticsAggregationServiceImpl.transportServerSecurity); } catch (OverflowException ex) { this.TraceAndLogError(ExTraceGlobals.DiagnosticsAggregationTracer, "Encountered exception while setting up Authorization setttings. Details {0}", new object[] { ex }); } } DiagnosticsAggregationServiceImpl.transportServerSecurity = SecurityDescriptor.FromRawSecurityDescriptor(rawSecurityDescriptor); } return(DiagnosticsAggregationServiceImpl.transportServerSecurity); }
protected void ReplaceAddressListACEs(ADObjectId addressBookContainerRoot, SecurityIdentifier originalSid, SecurityIdentifier[] replacementSids) { AddressBookBase[] array = this.configurationSession.Find <AddressBookBase>(addressBookContainerRoot, QueryScope.SubTree, null, null, 0); foreach (AddressBookBase addressBookBase in array) { bool flag = false; RawSecurityDescriptor rawSecurityDescriptor = addressBookBase.ReadSecurityDescriptor(); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); byte[] array3 = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array3, 0); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array3); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (activeDirectoryAccessRule.IdentityReference == originalSid) { flag = true; activeDirectorySecurity.RemoveAccessRuleSpecific(activeDirectoryAccessRule); foreach (SecurityIdentifier identity in replacementSids) { ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(identity, activeDirectoryAccessRule.ActiveDirectoryRights, activeDirectoryAccessRule.AccessControlType, activeDirectoryAccessRule.ObjectType, activeDirectoryAccessRule.InheritanceType, activeDirectoryAccessRule.InheritedObjectType); activeDirectorySecurity.AddAccessRule(rule); } } } if (flag && base.ShouldProcess(addressBookBase.DistinguishedName, Strings.InfoProcessAction(addressBookBase.DistinguishedName), null)) { addressBookBase.SaveSecurityDescriptor(new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0)); } } }
public static void GetInterestingAcls(string targetDn, string forestDn, bool laps = false) { try { using (var entry = new DirectoryEntry("LDAP://" + targetDn)) { ActiveDirectorySecurity sec = entry.ObjectSecurity; AuthorizationRuleCollection rules = null; rules = sec.GetAccessRules(true, true, typeof(NTAccount)); foreach (ActiveDirectoryAccessRule rule in rules) { if (!laps) { Outputs.PrintAce(targetDn, rule, forestDn); } else { Outputs.PrintLAPSView(targetDn, rule, forestDn); } } } } catch { } }
private static MappedPrincipal GetAclOwner(ActiveDirectorySecurity acl, string domainName) { var sid = acl.GetOwner(typeof(SecurityIdentifier)).Value; //Filter Local System/Creator Owner/Principal Self if (sid == "S-1-5-18" || sid == "S-1-3-0" || sid == "S-1-5-10") { return(null); } if (!_nullSids.TryGetValue(sid, out _)) { //Check if its a common SID if (!MappedPrincipal.GetCommon(sid, out var owner)) { //Resolve the sid manually if we still dont have it var ownerDomain = _utils.SidToDomainName(sid) ?? domainName; owner = _utils.UnknownSidTypeToDisplay(sid, ownerDomain, Props); } else { owner.PrincipalName = $"{owner.PrincipalName}@{domainName}"; } //We'll cache SIDs we've failed to resolve previously so we dont keep trying if (owner == null) { _nullSids.TryAdd(sid, new byte()); } return(owner); } return(null); }
public static ActiveDirectorySecurity ReadMailboxSecurityDescriptor(ADUser mailbox, IConfigurationSession adSession, Task.TaskVerboseLoggingDelegate logVerbose, Task.ErrorLoggerDelegate logError) { TaskLogger.LogEnter(); RawSecurityDescriptor exchangeSecurityDescriptor = mailbox.ExchangeSecurityDescriptor; RawSecurityDescriptor rawSecurityDescriptor; if (mailbox.RecipientType == RecipientType.SystemAttendantMailbox) { rawSecurityDescriptor = exchangeSecurityDescriptor; } else { RawSecurityDescriptor rawSecurityDescriptor2 = adSession.ReadSecurityDescriptor(mailbox.Database); if (rawSecurityDescriptor2 == null) { logError(new TaskInvalidOperationException(Strings.ErrorReadDatabaseSecurityDescriptor(mailbox.Database.ToString())), ExchangeErrorCategory.ServerOperation, null); return(null); } rawSecurityDescriptor = MailboxSecurity.CreateMailboxSecurityDescriptor(SecurityDescriptor.FromRawSecurityDescriptor(rawSecurityDescriptor2), SecurityDescriptor.FromRawSecurityDescriptor(exchangeSecurityDescriptor)).ToRawSecurityDescriptor(); if (rawSecurityDescriptor == null) { logError(new TaskInvalidOperationException(Strings.ErrorReadMailboxSecurityDescriptor(mailbox.DistinguishedName)), ExchangeErrorCategory.ServerOperation, mailbox.Identity); return(null); } } ActiveDirectorySecurity result = SecurityDescriptorConverter.ConvertToActiveDirectorySecurity(rawSecurityDescriptor); TaskLogger.LogExit(); return(result); }
public static List <string> ConvertSecurityDescriptor(DirectoryAttribute attribute) { List <string> descriptors = new List <string>(); //Resolve Security Descriptor //From The .Net Developer Guide to Directory Services Programming Listing 8.2. Listing the DACL for (int i = 0; i < attribute.Count; i++) { ActiveDirectorySecurity ads = new ActiveDirectorySecurity(); ads.SetSecurityDescriptorBinaryForm((byte[])attribute[i]); var rules = ads.GetAccessRules(true, true, typeof(SecurityIdentifier)); foreach (ActiveDirectoryAccessRule rule in rules) { string name = rule.IdentityReference.ToString(); if (name.ToUpper().Contains("S-1-5")) { name = SIDNameSID(name); } descriptors.Add(name + " ([ControlType: " + rule.AccessControlType.ToString() + "] Rights: " + rule.ActiveDirectoryRights.ToString() + ")"); } } return(descriptors); }
public static void DisplaySecurityDescriptor(DirectoryEntry entry) { // Specify SACL and DACL to be returned entry.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl; ActiveDirectorySecurity sd = entry.ObjectSecurity; Console.WriteLine("DISPLAYING DIRECTORY ENTRY SID"); Console.WriteLine("Group:\t" + sd.GetGroup(typeof(SecurityIdentifier)).Value); Console.WriteLine("Owner:\t" + sd.GetOwner(typeof(SecurityIdentifier)).Value); Console.WriteLine("Access Rules canonical:\t" + sd.AreAccessRulesCanonical.ToString()); Console.WriteLine("Access Rules protected:\t" + sd.AreAccessRulesProtected); Console.WriteLine("Audit Rules canonical:\t" + sd.AreAuditRulesCanonical.ToString()); Console.WriteLine("Audit Rules protected:\t" + sd.AreAuditRulesProtected.ToString()); Console.WriteLine("Access right type:\t" + sd.AccessRightType.ToString()); Console.WriteLine("Audit rule type:\t" + sd.AuditRuleType.ToString()); Console.WriteLine(); Console.WriteLine("Access Rules"); DisplayDACL(sd.GetAccessRules(true, true, typeof(SecurityIdentifier))); Console.WriteLine("Audit Rules"); Console.ReadLine(); DisplaySACL(sd.GetAuditRules(true, true, typeof(SecurityIdentifier))); }
//helper in SecurityDescriptorSearch() private void PrintSD(ActiveDirectorySecurity sd) { Console.WriteLine("=====Security Descriptor====="); Console.Write(" Owner: "); Console.WriteLine(sd.GetOwner(typeof(SecurityIdentifier))); //can use NTAccount for AD Console.Write(" Group: "); Console.WriteLine(sd.GetGroup(typeof(SecurityIdentifier))); }
public void GetAccessRules_InvalidTargetType() { var activeDirectorySecurity = new ActiveDirectorySecurity(); AssertExtensions.Throws <ArgumentException>("targetType", () => activeDirectorySecurity .GetAccessRules(false, false, typeof(System.Security.Principal.GenericPrincipal))); }
private static IEnumerable <ActiveDirectoryAccessRule> GetRules(ActiveDirectorySecurity security, IdentityReference identity) { return(security .GetAccessRules(true, true, typeof(SecurityIdentifier)) .Cast <ActiveDirectoryAccessRule>() .Where(r => r.IdentityReference.Value == GetIdentitySid(identity)) .Where(r => r.AccessControlType == AccessControlType.Allow)); }
public static void PrintSD(ActiveDirectorySecurity sd) { Console.WriteLine("=====Security Descriptor====="); Console.Write(" Owner: "); Console.WriteLine(sd.GetOwner(typeof(NTAccount))); Console.Write(" Group: "); Console.WriteLine(sd.GetGroup(typeof(NTAccount))); }
public void Ctor_Default() { var security = new ActiveDirectorySecurity(); Assert.Equal(typeof(ActiveDirectoryRights), security.AccessRightType); Assert.Equal(typeof(ActiveDirectoryAccessRule), security.AccessRuleType); Assert.Equal(typeof(ActiveDirectoryAuditRule), security.AuditRuleType); }
private void InsertDelegationRelation(ADItem aditem) { ActiveDirectorySecurity sd = aditem.msDSAllowedToActOnBehalfOfOtherIdentity; foreach (ActiveDirectoryAccessRule rule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier))) { Storage.InsertRelation(((SecurityIdentifier)rule.IdentityReference).Value, MappingType.Sid, aditem.DistinguishedName, MappingType.DistinguishedName, RelationType.msDS_Allowed_To_Act_On_Behalf_Of_Other_Identity); } }
private static ActiveDirectorySecurity ConvertToActiveDirectorySecurity(RawSecurityDescriptor rawSd) { ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); byte[] array = new byte[rawSd.BinaryLength]; rawSd.GetBinaryForm(array, 0); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); return(activeDirectorySecurity); }
public void ObjectSecurity_Set_GetReturnsExpected() { var security = new ActiveDirectorySecurity(); var entry = new DirectoryEntry { ObjectSecurity = security }; Assert.Same(security, entry.ObjectSecurity); }
public List <SecurityIdentifier> GetPrincipalsForComputer(SearchResult computer, bool filterLocalAccounts) { byte[] sd = computer.GetPropertyBytes("ntSecurityDescriptor"); if (sd == null) { throw new InvalidOperationException($"Security descriptor for computer {computer.GetPropertyString("msDS-PrincipalName")} was empty"); } var sec = new ActiveDirectorySecurity(); sec.SetSecurityDescriptorBinaryForm(sd); string domain = this.discoveryServices.GetDomainNameDns(computer.GetPropertySid("objectSid")); Guid mslapsGuid = this.discoveryServices.GetSchemaAttributeGuid(domain, "ms-Mcs-AdmPwd") ?? throw new ObjectNotFoundException("The ms-Mcs-AdmPwd attribute was not found in the schema"); List <SecurityIdentifier> results = new List <SecurityIdentifier>(); foreach (ActiveDirectoryAccessRule accessRule in sec.GetAccessRules(true, true, typeof(SecurityIdentifier))) { var sid = accessRule.IdentityReference as SecurityIdentifier; if (sid == null) { continue; } if (sid.IsWellKnown(WellKnownSidType.LocalSystemSid)) { continue; } if (accessRule.ActiveDirectoryRights == ActiveDirectoryRights.GenericAll) { results.Add(sid); continue; } if (accessRule.ObjectType == mslapsGuid) { if (accessRule.AccessControlType != AccessControlType.Allow) { continue; } if (!accessRule.ActiveDirectoryRights.HasFlag((ActiveDirectoryRights)0x110)) { continue; } results.Add(sid); } } return(results); }
/// <summary> /// Processes the msds-groupmsamembership property, and determines who can read the password /// </summary> /// <param name="wrapper"></param> /// <returns></returns> private static async Task <List <ACL> > ProcessGMSA(LdapWrapper wrapper) { var aces = new List <ACL>(); //Grab the property as a byte array var securityDescriptor = wrapper.SearchResult.GetPropertyAsBytes("msds-groupmsamembership"); //If the property is null, its either not a GMSA or something went wrong, so just exit out if (securityDescriptor == null) { return(aces); } //Create a new ActiveDirectorySecurity object and set the bytes to the descriptor var descriptor = new ActiveDirectorySecurity(); descriptor.SetSecurityDescriptorBinaryForm(securityDescriptor); // Loop over the entries in the security descriptor foreach (ActiveDirectoryAccessRule ace in descriptor.GetAccessRules(true, true, typeof(SecurityIdentifier))) { //Ignore null aces if (ace == null) { continue; } //Ignore deny aces (although this should never show up in GMSAs if (ace.AccessControlType == AccessControlType.Deny) { continue; } //Pre-process the principal for the SID var principalSid = FilterAceSids(ace.IdentityReference.Value); //Ignore null SIDs if (principalSid == null) { continue; } //Resolve the principal SID and grab its type var(finalSid, type) = await ResolutionHelpers.ResolveSidAndGetType(principalSid, wrapper.Domain); aces.Add(new ACL { RightName = "ReadGMSAPassword", AceType = "", PrincipalSID = finalSid, PrincipalType = type, IsInherited = false }); } return(aces); }
internal static List <ADRecipient> GetUsersGrantedSendAsPermission(ADRecipient mailbox, IRecipientSession galSession) { TraceWrapper.SearchLibraryTracer.TraceDebug <ADRecipient>(0, "Reading users who have SendAs rights for: {0}", mailbox); RawSecurityDescriptor rawSecurityDescriptor = galSession.ReadSecurityDescriptor(mailbox.Id); if (rawSecurityDescriptor == null) { TraceWrapper.SearchLibraryTracer.TraceDebug(0, "Null security-descriptor returned for mailbox", new object[0]); return(null); } byte[] array = new byte[rawSecurityDescriptor.BinaryLength]; rawSecurityDescriptor.GetBinaryForm(array, 0); ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity(); activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array); AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); if (accessRules == null) { TraceWrapper.SearchLibraryTracer.TraceDebug(0, "No rules on ACL for this mailbox", new object[0]); return(null); } List <ADRecipient> list = null; foreach (object obj in accessRules) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj; if (activeDirectoryAccessRule.AccessControlType == AccessControlType.Allow && object.Equals(activeDirectoryAccessRule.ObjectType, WellKnownGuid.SendAsExtendedRightGuid)) { IdentityReference identityReference = activeDirectoryAccessRule.IdentityReference; string value = identityReference.Value; try { ADRecipient adrecipient = galSession.FindBySid(new SecurityIdentifier(value)); if (adrecipient == null) { TraceWrapper.SearchLibraryTracer.TraceError <string>(0, "User not found for SID: {0}", value); } else { if (list == null) { list = new List <ADRecipient>(); } list.Add(adrecipient); TraceWrapper.SearchLibraryTracer.TraceDebug <string, string>(0, "Added {0} to list of users who have Send-As permission for {1}.", adrecipient.DisplayName, mailbox.DisplayName); } } catch (NonUniqueRecipientException arg) { TraceWrapper.SearchLibraryTracer.TraceError <string, string, NonUniqueRecipientException>(0, "Caught NonUniqueRecipientException when attempting to look up user with SID {0} while reading list of users granted Send-As permission to {1}: {2}", value, mailbox.Name, arg); } } } return(list); }
private static ActiveDirectorySecurity ExtractSDValue(XmlNode child) { string value = ExtractStringValue(child); byte[] data = Convert.FromBase64String(value); ActiveDirectorySecurity sd = new ActiveDirectorySecurity(); sd.SetSecurityDescriptorBinaryForm(data); return(sd); }
public static void SetMailboxAces(ADUser mailbox, IConfigDataProvider writableAdSession, Task.TaskVerboseLoggingDelegate logVerbose, Task.TaskWarningLoggingDelegate logWarning, Task.ErrorLoggerDelegate logError, IConfigurationSession adSession, ref MapiMessageStoreSession storeSession, bool remove, params ActiveDirectoryAccessRule[] aces) { ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor(mailbox, adSession, logVerbose, logError); if (activeDirectorySecurity != null) { DirectoryCommon.ApplyAcesOnAcl(logVerbose, logWarning, null, mailbox.DistinguishedName, activeDirectorySecurity, remove, aces); PermissionTaskHelper.SaveMailboxSecurityDescriptor(mailbox, activeDirectorySecurity, writableAdSession, ref storeSession, logVerbose, logError); } }
protected override void WriteResult(IConfigurable dataObject) { TaskLogger.LogEnter(); this.HasObjectMatchingIdentity = true; ADUser aduser = (ADUser)dataObject; if (aduser.Database == null || aduser.ExchangeGuid == Guid.Empty) { base.Validate(aduser); } else { ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor((ADUser)dataObject, PermissionTaskHelper.GetReadOnlySession(base.DomainController), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.ErrorLoggerDelegate(base.WriteError)); if (!this.Owner.IsPresent) { AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)); int num = 0; while (accessRules.Count > num) { ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num]; if (this.SecurityPrincipal == null || this.SecurityPrincipal.Sid == activeDirectoryAccessRule.IdentityReference || this.SecurityPrincipal.SidHistory.Contains(activeDirectoryAccessRule.IdentityReference as SecurityIdentifier)) { MailboxAcePresentationObject mailboxAcePresentationObject = new MailboxAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id); if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null) { SecurityIdentifier securityIdentifier = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference; ADRecipient adrecipient = null; try { adrecipient = base.TenantGlobalCatalogSession.FindBySid(securityIdentifier); } catch { } if (adrecipient != null) { string friendlyName = (!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name; mailboxAcePresentationObject.User = new SecurityPrincipalIdParameter(securityIdentifier, friendlyName); } } mailboxAcePresentationObject.ResetChangeTracking(true); base.WriteResult(mailboxAcePresentationObject); } num++; } } else { IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount)); OwnerPresentationObject dataObject2 = new OwnerPresentationObject(((ADUser)dataObject).Id, owner.ToString()); base.WriteResult(dataObject2); } } TaskLogger.LogExit(); }
//Only print the first attribute in the attrReturned array list public static void PrintMulti(SearchResponse response, string attr) { foreach (SearchResultEntry entry in response.Entries) { //Only if the attribute is specified to be returned, then "Attributes" contains it Console.WriteLine(" * {0}", entry.Attributes["sAMAccountName"][0]); Console.WriteLine(" {0}\n", entry.DistinguishedName); //in case the attribute value is null try { if (attr == "") { } else if (entry.Attributes[attr][0] is string) { for (int i = 0; i < entry.Attributes[attr].Count; i++) { Console.WriteLine(" - {0}: {1}", attr.ToUpper(), entry.Attributes[attr][i]); } } else if (entry.Attributes[attr][0] is byte[]) { //Resolve Security Descriptor //From The .Net Developer Guide to Directory Services Programming Listing 8.2. Listing the DACL ActiveDirectorySecurity ads = new ActiveDirectorySecurity(); ads.SetSecurityDescriptorBinaryForm((byte[])entry.Attributes[attr][0]); var rules = ads.GetAccessRules(true, true, typeof(NTAccount)); foreach (ActiveDirectoryAccessRule rule in rules) { Console.WriteLine(" - {0}: {1} ([ControlType: {2}] Rights: {3})", attr.ToUpper(), rule.IdentityReference.ToString(), rule.AccessControlType.ToString(), rule.ActiveDirectoryRights.ToString()); } //for (int i = 0; i < entry.Attributes[attr].Count; i++) //{ // Console.WriteLine(" - {0}: {1}", // attr.ToUpper(), // System.Text.Encoding.ASCII.GetString((byte[])entry.Attributes[attr][i])); //} } else { Console.WriteLine("Unexpected multi-valued type {0}", entry.Attributes[attr][0].GetType().Name); } } catch { } Console.WriteLine(); } }
//repeated from Listing 5.9's helper as well private void PrintSD(ActiveDirectorySecurity sd) { Console.WriteLine("=====Security Descriptor====="); Console.Write(" Owner: "); //change this to SecurityIdentifier from NTAccount //for ADAM to work. Console.WriteLine(sd.GetOwner(typeof(NTAccount))); Console.Write(" Group: "); //same here. Console.WriteLine(sd.GetGroup(typeof(NTAccount))); }
protected override void ProcessRecord() { //OU can be passed as name or as dn List <ObjectInfo> OUs = DirectoryUtils.GetOU(Identity); if (OUs.Count > 1) { foreach (ObjectInfo ou in OUs) { WriteObject(ou); } throw new Exception("More than one object found, search using distinguishedName instead"); } if (OUs.Count == 0) { throw new Exception("Object not found"); } ActiveDirectorySecurity sec = DirectoryUtils.GetObjectSecurity(conn, OUs[0].DistinguishedName, System.DirectoryServices.Protocols.SecurityMasks.Dacl); //apply permissions only to computer objects Guid inheritedObjectGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, "computer", SchemaObjectType.Class); Guid timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute); //System.DirectoryServices.PropertyAccessRule rule; System.DirectoryServices.ActiveDirectoryAccessRule rule; foreach (string principalName in AllowedPrincipals) { System.Security.Principal.NTAccount principal = new System.Security.Principal.NTAccount(principalName); // read ms-Mcs-AdmPwdExpirationTime on computer objects rule = new System.DirectoryServices.PropertyAccessRule(principal, System.Security.AccessControl.AccessControlType.Allow, PropertyAccess.Read, timestampGuid, ActiveDirectorySecurityInheritance.Descendents, inheritedObjectGuid ); sec.AddAccessRule(rule); // write ms-Mcs-AdmPwdExpirationTime on computer objects rule = new System.DirectoryServices.PropertyAccessRule(principal, System.Security.AccessControl.AccessControlType.Allow, PropertyAccess.Write, timestampGuid, ActiveDirectorySecurityInheritance.Descendents, inheritedObjectGuid ); sec.AddAccessRule(rule); } DirectoryUtils.SetObjectSecurity(conn, OUs[0].DistinguishedName, sec, System.DirectoryServices.Protocols.SecurityMasks.Dacl); OUs[0].Status = PermissionDelegationState.Delegated; WriteObject(OUs[0]); }
public static void PrintDirectoryAttrDict(Dictionary <string, DirectoryAttribute> myDict, string banner) { PrintGreen(string.Format("\n[-] {0}:\n", banner)); if (myDict == null) { return; } foreach (var obj in myDict) { Console.WriteLine(" * {0}", obj.Key); if (obj.Value[0] is string) { for (int i = 0; i < obj.Value.Count; i++) { Console.WriteLine(" - {0}", obj.Value[i]); } } else if (obj.Value[0] is byte[]) { //Resolve Security Descriptor //From The .Net Developer Guide to Directory Services Programming Listing 8.2. Listing the DACL for (int i = 0; i < obj.Value.Count; i++) { ActiveDirectorySecurity ads = new ActiveDirectorySecurity(); ads.SetSecurityDescriptorBinaryForm((byte[])obj.Value[i]); var rules = ads.GetAccessRules(true, true, typeof(NTAccount)); foreach (ActiveDirectoryAccessRule rule in rules) { string name = rule.IdentityReference.ToString(); if (name.ToUpper().Contains("S-1-5")) { name = ConvertSIDToName(name); } Console.WriteLine(" - {0} ([ControlType: {1}] Rights: {2})", name, rule.AccessControlType.ToString(), rule.ActiveDirectoryRights.ToString()); } } } Console.WriteLine(); } }
internal override void AdjustADSecurity(string objPath, string securityGroupPath, bool isAddressBook) { ExchangeLog.LogStart("AdjustADSecurity"); ExchangeLog.DebugInfo(" Active Direcory object: {0}", objPath); ExchangeLog.DebugInfo(" Security Group: {0}", securityGroupPath); if (isAddressBook) { ExchangeLog.DebugInfo(" Updating Security"); //"Download Address Book" security permission for offline address book Guid openAddressBookGuid = new Guid("{bd919c7c-2d79-4950-bc9c-e16fd99285e8}"); DirectoryEntry groupEntry = GetADObject(securityGroupPath); byte[] byteSid = (byte[])GetADObjectProperty(groupEntry, "objectSid"); DirectoryEntry objEntry = GetADObject(objPath); ActiveDirectorySecurity security = objEntry.ObjectSecurity; // Create a SecurityIdentifier object for security group. SecurityIdentifier groupSid = new SecurityIdentifier(byteSid, 0); // Create an access rule to allow users in Security Group to open address book. ActiveDirectoryAccessRule allowOpenAddressBook = new ActiveDirectoryAccessRule( groupSid, ActiveDirectoryRights.ExtendedRight, AccessControlType.Allow, openAddressBookGuid); // Create an access rule to allow users in Security Group to read object. ActiveDirectoryAccessRule allowRead = new ActiveDirectoryAccessRule( groupSid, ActiveDirectoryRights.GenericRead, AccessControlType.Allow); // Remove existing rules if exist security.RemoveAccessRuleSpecific(allowOpenAddressBook); security.RemoveAccessRuleSpecific(allowRead); // Add a new access rule to allow users in Security Group to open address book. security.AddAccessRule(allowOpenAddressBook); // Add a new access rule to allow users in Security Group to read object. security.AddAccessRule(allowRead); // Commit the changes. objEntry.CommitChanges(); } ExchangeLog.LogEnd("AdjustADSecurity"); }
private static void GetSendas(UserInfo utente) { string pathNameDomain = "LDAP://" + sDomain + "/" + utente.Distinguishedname; var direcotyEntry = new DirectoryEntry(pathNameDomain, username, password); var directorySearcher = new DirectorySearcher(direcotyEntry); directorySearcher.PropertiesToLoad.Add("msExchRecipientTypeDetails"); directorySearcher.PropertiesToLoad.Add("distinguishedname"); directorySearcher.PropertiesToLoad.Add("mail"); var res = directorySearcher.FindOne(); DirectoryEntry ssStoreObj = res.GetDirectoryEntry(); ActiveDirectorySecurity StoreobjSec = ssStoreObj.ObjectSecurity; AuthorizationRuleCollection Storeacls = StoreobjSec.GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier)); foreach (ActiveDirectoryAccessRule ace in Storeacls) { if (ace.IdentityReference.Value != "S-1-5-7" & ace.IdentityReference.Value != "S-1-1-0" & ace.IsInherited != true & ace.IdentityReference.Value != "S-1-5-10") { if (ace.ActiveDirectoryRights.ToString() == "ExtendedRight") { bool found = false; try { filead.WriteLine(utente.Mail + "," + Utenti.Find(x => x.ObjectSID.Contains(ace.IdentityReference.Value)).Mail + ",SendAS," + exRighthash[ace.ObjectType.ToString()].ToString() + ",,"); Trace.WriteLine(DateTime.Now.ToString("yyyyMMddHHmmss") + "::INF::SendAS::OK::SendAS permission of --> " + utente.Mail + " exported successfully"); found = true; } catch { } try { filead.WriteLine(utente.Mail + "," + GruppiInfo.Find(x => x.ObjectSID.Contains(ace.IdentityReference.Value)).samaccountname + ",SendAS," + exRighthash[ace.ObjectType.ToString()].ToString() + ",,"); Trace.WriteLine(DateTime.Now.ToString("yyyyMMddHHmmss") + "::INF::SendAS::OK::SendAS permission of --> " + utente.Mail + " exported successfully"); found = true; } catch { } if (!found) { Trace.WriteLine(DateTime.Now.ToString("yyyyMMddHHmmss") + "::WRN::Cannot resolve SID " + ace.IdentityReference.Value); } } } } }