internal static bool CheckFullAccessPermissions(ADUser executingAdUser, ADUser accessRequestedForADUser, IRecipientSession session)
{
ExTraceGlobals.TaskTracer.TraceDebug <string, string>(0L, "Checking if {0} has full access for mailbox {1}", executingAdUser.Alias, accessRequestedForADUser.Alias);
ActiveManager activeManagerInstance = ActiveManager.GetActiveManagerInstance();
DatabaseLocationInfo serverForDatabase = activeManagerInstance.GetServerForDatabase(accessRequestedForADUser.Database.ObjectGuid);
RawSecurityDescriptor rawSecurityDescriptor = null;
using (MapiMessageStoreSession mapiMessageStoreSession = new MapiMessageStoreSession(serverForDatabase.ServerLegacyDN, Server.GetSystemAttendantLegacyDN(serverForDatabase.ServerLegacyDN), Fqdn.Parse(serverForDatabase.ServerFqdn)))
{
MailboxId mailboxId = new MailboxId(new DatabaseId(accessRequestedForADUser.Database.ObjectGuid), accessRequestedForADUser.ExchangeGuid);
try
{
rawSecurityDescriptor = mapiMessageStoreSession.GetMailboxSecurityDescriptor(mailboxId);
}
catch (MailboxNotFoundException)
{
ExTraceGlobals.TaskTracer.TraceDebug <MailboxId>(0L, "Could not find mailbox {0} when attempting to read its security descriptor.", mailboxId);
return(false);
}
}
byte[] array = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array, 0);
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array);
int num = AuthzAuthorization.CheckGenericPermission(executingAdUser.Sid, rawSecurityDescriptor, AccessMask.CreateChild);
return((num & 1) == 1);
}
// Token: 0x060000BB RID: 187 RVA: 0x0000858C File Offset: 0x0000678C
private void SetActiveSyncDeviceContainerPermissions(ActiveSyncDevices container)
{
ADDeviceManager.ReadStaticADData(this.protocolLogger);
RawSecurityDescriptor rawSecurityDescriptor = null;
ADNotificationAdapter.RunADOperation(delegate()
{
rawSecurityDescriptor = this.session.ReadSecurityDescriptor(container.Id);
});
if (rawSecurityDescriptor == null)
{
if (this.protocolLogger != null)
{
this.protocolLogger.SetValue(ProtocolLoggerData.Error, "ADObjectWithNoSecurityDescriptor");
}
AirSyncPermanentException ex = new AirSyncPermanentException(HttpStatusCode.InternalServerError, StatusCode.ServerError, EASServerStrings.NullNTSD(container.Id.DistinguishedName), true);
throw ex;
}
AirSyncDiagnostics.TraceDebug <string>(this.tracer, this, "Setting ACL on device container for user \"{0}\".", this.userName);
ActiveDirectorySecurity acl = new ActiveDirectorySecurity();
byte[] array = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array, 0);
acl.SetSecurityDescriptorBinaryForm(array);
acl.AddAccessRule(new ActiveDirectoryAccessRule(ADDeviceManager.exchangeServersGroupSid, ActiveDirectoryRights.CreateChild | ActiveDirectoryRights.DeleteChild | ActiveDirectoryRights.ListChildren | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ADDeviceManager.activeSyncDeviceClass, ActiveDirectorySecurityInheritance.None));
acl.AddAccessRule(new ActiveDirectoryAccessRule(ADDeviceManager.exchangeServersGroupSid, ActiveDirectoryRights.Delete | ActiveDirectoryRights.ReadProperty | ActiveDirectoryRights.WriteProperty | ActiveDirectoryRights.ListObject, AccessControlType.Allow, ActiveDirectorySecurityInheritance.Children, ADDeviceManager.activeSyncDeviceClass));
ADNotificationAdapter.RunADOperation(delegate()
{
this.session.SaveSecurityDescriptor(container, new RawSecurityDescriptor(acl.GetSecurityDescriptorBinaryForm(), 0));
});
}
protected override void WriteResult(IConfigurable dataObject)
{
TaskLogger.LogEnter();
base.HasObjectMatchingIdentity = true;
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadAdSecurityDescriptor((ADRawEntry)dataObject, (IConfigurationSession)base.DataSession, new Task.TaskErrorLoggingDelegate(base.WriteError));
if (!base.Owner.IsPresent)
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
int num = 0;
while (accessRules.Count > num)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num];
if (base.SecurityPrincipal == null || (base.SecurityPrincipal != null && base.SecurityPrincipal == activeDirectoryAccessRule.IdentityReference))
{
ADAcePresentationObject adacePresentationObject = new ADAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id);
adacePresentationObject.ResetChangeTracking(true);
base.WriteResult(adacePresentationObject);
}
num++;
}
}
else
{
IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount));
base.WriteResult(new OwnerPresentationObject(((ADRawEntry)dataObject).Id, owner.ToString()));
}
TaskLogger.LogExit();
}
private SecurityDescriptor GetSecurityDescriptorToCheckAgainst()
{
if (DiagnosticsAggregationServiceImpl.transportServerSecurity == null)
{
Server localServer = DiagnosticsAggregationServicelet.LocalServer;
RawSecurityDescriptor rawSecurityDescriptor = localServer.ReadSecurityDescriptor();
if (rawSecurityDescriptor != null)
{
try
{
ActiveDirectorySecurity activeDirectorySecurity = TransportADUtils.SetupActiveDirectorySecurity(rawSecurityDescriptor);
DiagnosticsAggregationServiceImpl.transportServerSecurity = new SecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm());
return(DiagnosticsAggregationServiceImpl.transportServerSecurity);
}
catch (OverflowException ex)
{
this.TraceAndLogError(ExTraceGlobals.DiagnosticsAggregationTracer, "Encountered exception while setting up Authorization setttings. Details {0}", new object[]
{
ex
});
}
}
DiagnosticsAggregationServiceImpl.transportServerSecurity = SecurityDescriptor.FromRawSecurityDescriptor(rawSecurityDescriptor);
}
return(DiagnosticsAggregationServiceImpl.transportServerSecurity);
}
protected void ReplaceAddressListACEs(ADObjectId addressBookContainerRoot, SecurityIdentifier originalSid, SecurityIdentifier[] replacementSids)
{
AddressBookBase[] array = this.configurationSession.Find <AddressBookBase>(addressBookContainerRoot, QueryScope.SubTree, null, null, 0);
foreach (AddressBookBase addressBookBase in array)
{
bool flag = false;
RawSecurityDescriptor rawSecurityDescriptor = addressBookBase.ReadSecurityDescriptor();
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
byte[] array3 = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array3, 0);
activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array3);
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (activeDirectoryAccessRule.IdentityReference == originalSid)
{
flag = true;
activeDirectorySecurity.RemoveAccessRuleSpecific(activeDirectoryAccessRule);
foreach (SecurityIdentifier identity in replacementSids)
{
ActiveDirectoryAccessRule rule = new ActiveDirectoryAccessRule(identity, activeDirectoryAccessRule.ActiveDirectoryRights, activeDirectoryAccessRule.AccessControlType, activeDirectoryAccessRule.ObjectType, activeDirectoryAccessRule.InheritanceType, activeDirectoryAccessRule.InheritedObjectType);
activeDirectorySecurity.AddAccessRule(rule);
}
}
}
if (flag && base.ShouldProcess(addressBookBase.DistinguishedName, Strings.InfoProcessAction(addressBookBase.DistinguishedName), null))
{
addressBookBase.SaveSecurityDescriptor(new RawSecurityDescriptor(activeDirectorySecurity.GetSecurityDescriptorBinaryForm(), 0));
}
}
}
public static void GetInterestingAcls(string targetDn, string forestDn, bool laps = false)
{
try
{
using (var entry = new DirectoryEntry("LDAP://" + targetDn))
{
ActiveDirectorySecurity sec = entry.ObjectSecurity;
AuthorizationRuleCollection rules = null;
rules = sec.GetAccessRules(true, true, typeof(NTAccount));
foreach (ActiveDirectoryAccessRule rule in rules)
{
if (!laps)
{
Outputs.PrintAce(targetDn, rule, forestDn);
}
else
{
Outputs.PrintLAPSView(targetDn, rule, forestDn);
}
}
}
}
catch { }
}
private static MappedPrincipal GetAclOwner(ActiveDirectorySecurity acl, string domainName)
{
var sid = acl.GetOwner(typeof(SecurityIdentifier)).Value;
//Filter Local System/Creator Owner/Principal Self
if (sid == "S-1-5-18" || sid == "S-1-3-0" || sid == "S-1-5-10")
{
return(null);
}
if (!_nullSids.TryGetValue(sid, out _))
{
//Check if its a common SID
if (!MappedPrincipal.GetCommon(sid, out var owner))
{
//Resolve the sid manually if we still dont have it
var ownerDomain = _utils.SidToDomainName(sid) ?? domainName;
owner = _utils.UnknownSidTypeToDisplay(sid, ownerDomain, Props);
}
else
{
owner.PrincipalName = $"{owner.PrincipalName}@{domainName}";
}
//We'll cache SIDs we've failed to resolve previously so we dont keep trying
if (owner == null)
{
_nullSids.TryAdd(sid, new byte());
}
return(owner);
}
return(null);
}
public static ActiveDirectorySecurity ReadMailboxSecurityDescriptor(ADUser mailbox, IConfigurationSession adSession, Task.TaskVerboseLoggingDelegate logVerbose, Task.ErrorLoggerDelegate logError)
{
TaskLogger.LogEnter();
RawSecurityDescriptor exchangeSecurityDescriptor = mailbox.ExchangeSecurityDescriptor;
RawSecurityDescriptor rawSecurityDescriptor;
if (mailbox.RecipientType == RecipientType.SystemAttendantMailbox)
{
rawSecurityDescriptor = exchangeSecurityDescriptor;
}
else
{
RawSecurityDescriptor rawSecurityDescriptor2 = adSession.ReadSecurityDescriptor(mailbox.Database);
if (rawSecurityDescriptor2 == null)
{
logError(new TaskInvalidOperationException(Strings.ErrorReadDatabaseSecurityDescriptor(mailbox.Database.ToString())), ExchangeErrorCategory.ServerOperation, null);
return(null);
}
rawSecurityDescriptor = MailboxSecurity.CreateMailboxSecurityDescriptor(SecurityDescriptor.FromRawSecurityDescriptor(rawSecurityDescriptor2), SecurityDescriptor.FromRawSecurityDescriptor(exchangeSecurityDescriptor)).ToRawSecurityDescriptor();
if (rawSecurityDescriptor == null)
{
logError(new TaskInvalidOperationException(Strings.ErrorReadMailboxSecurityDescriptor(mailbox.DistinguishedName)), ExchangeErrorCategory.ServerOperation, mailbox.Identity);
return(null);
}
}
ActiveDirectorySecurity result = SecurityDescriptorConverter.ConvertToActiveDirectorySecurity(rawSecurityDescriptor);
TaskLogger.LogExit();
return(result);
}
public static List <string> ConvertSecurityDescriptor(DirectoryAttribute attribute)
{
List <string> descriptors = new List <string>();
//Resolve Security Descriptor
//From The .Net Developer Guide to Directory Services Programming Listing 8.2. Listing the DACL
for (int i = 0; i < attribute.Count; i++)
{
ActiveDirectorySecurity ads = new ActiveDirectorySecurity();
ads.SetSecurityDescriptorBinaryForm((byte[])attribute[i]);
var rules = ads.GetAccessRules(true, true, typeof(SecurityIdentifier));
foreach (ActiveDirectoryAccessRule rule in rules)
{
string name = rule.IdentityReference.ToString();
if (name.ToUpper().Contains("S-1-5"))
{
name = SIDNameSID(name);
}
descriptors.Add(name + " ([ControlType: " + rule.AccessControlType.ToString() + "] Rights: " + rule.ActiveDirectoryRights.ToString() + ")");
}
}
return(descriptors);
}
public static void DisplaySecurityDescriptor(DirectoryEntry entry)
{
// Specify SACL and DACL to be returned
entry.Options.SecurityMasks = SecurityMasks.Owner | SecurityMasks.Group
| SecurityMasks.Dacl | SecurityMasks.Sacl;
ActiveDirectorySecurity sd = entry.ObjectSecurity;
Console.WriteLine("DISPLAYING DIRECTORY ENTRY SID");
Console.WriteLine("Group:\t" +
sd.GetGroup(typeof(SecurityIdentifier)).Value);
Console.WriteLine("Owner:\t" +
sd.GetOwner(typeof(SecurityIdentifier)).Value);
Console.WriteLine("Access Rules canonical:\t" +
sd.AreAccessRulesCanonical.ToString());
Console.WriteLine("Access Rules protected:\t" +
sd.AreAccessRulesProtected);
Console.WriteLine("Audit Rules canonical:\t" +
sd.AreAuditRulesCanonical.ToString());
Console.WriteLine("Audit Rules protected:\t" +
sd.AreAuditRulesProtected.ToString());
Console.WriteLine("Access right type:\t" +
sd.AccessRightType.ToString());
Console.WriteLine("Audit rule type:\t" +
sd.AuditRuleType.ToString());
Console.WriteLine();
Console.WriteLine("Access Rules");
DisplayDACL(sd.GetAccessRules(true, true, typeof(SecurityIdentifier)));
Console.WriteLine("Audit Rules");
Console.ReadLine();
DisplaySACL(sd.GetAuditRules(true, true, typeof(SecurityIdentifier)));
}
//helper in SecurityDescriptorSearch()
private void PrintSD(ActiveDirectorySecurity sd)
{
Console.WriteLine("=====Security Descriptor=====");
Console.Write(" Owner: ");
Console.WriteLine(sd.GetOwner(typeof(SecurityIdentifier))); //can use NTAccount for AD
Console.Write(" Group: ");
Console.WriteLine(sd.GetGroup(typeof(SecurityIdentifier)));
}
public void GetAccessRules_InvalidTargetType()
{
var activeDirectorySecurity = new ActiveDirectorySecurity();
AssertExtensions.Throws <ArgumentException>("targetType", () =>
activeDirectorySecurity
.GetAccessRules(false, false, typeof(System.Security.Principal.GenericPrincipal)));
}
private static IEnumerable <ActiveDirectoryAccessRule> GetRules(ActiveDirectorySecurity security, IdentityReference identity)
{
return(security
.GetAccessRules(true, true, typeof(SecurityIdentifier))
.Cast <ActiveDirectoryAccessRule>()
.Where(r => r.IdentityReference.Value == GetIdentitySid(identity))
.Where(r => r.AccessControlType == AccessControlType.Allow));
}
public static void PrintSD(ActiveDirectorySecurity sd)
{
Console.WriteLine("=====Security Descriptor=====");
Console.Write(" Owner: ");
Console.WriteLine(sd.GetOwner(typeof(NTAccount)));
Console.Write(" Group: ");
Console.WriteLine(sd.GetGroup(typeof(NTAccount)));
}
public void Ctor_Default()
{
var security = new ActiveDirectorySecurity();
Assert.Equal(typeof(ActiveDirectoryRights), security.AccessRightType);
Assert.Equal(typeof(ActiveDirectoryAccessRule), security.AccessRuleType);
Assert.Equal(typeof(ActiveDirectoryAuditRule), security.AuditRuleType);
}
private void InsertDelegationRelation(ADItem aditem)
{
ActiveDirectorySecurity sd = aditem.msDSAllowedToActOnBehalfOfOtherIdentity;
foreach (ActiveDirectoryAccessRule rule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
Storage.InsertRelation(((SecurityIdentifier)rule.IdentityReference).Value, MappingType.Sid, aditem.DistinguishedName, MappingType.DistinguishedName, RelationType.msDS_Allowed_To_Act_On_Behalf_Of_Other_Identity);
}
}
private static ActiveDirectorySecurity ConvertToActiveDirectorySecurity(RawSecurityDescriptor rawSd)
{
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
byte[] array = new byte[rawSd.BinaryLength];
rawSd.GetBinaryForm(array, 0);
activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array);
return(activeDirectorySecurity);
}
public void ObjectSecurity_Set_GetReturnsExpected()
{
var security = new ActiveDirectorySecurity();
var entry = new DirectoryEntry {
ObjectSecurity = security
};
Assert.Same(security, entry.ObjectSecurity);
}
public List <SecurityIdentifier> GetPrincipalsForComputer(SearchResult computer, bool filterLocalAccounts)
{
byte[] sd = computer.GetPropertyBytes("ntSecurityDescriptor");
if (sd == null)
{
throw new InvalidOperationException($"Security descriptor for computer {computer.GetPropertyString("msDS-PrincipalName")} was empty");
}
var sec = new ActiveDirectorySecurity();
sec.SetSecurityDescriptorBinaryForm(sd);
string domain = this.discoveryServices.GetDomainNameDns(computer.GetPropertySid("objectSid"));
Guid mslapsGuid = this.discoveryServices.GetSchemaAttributeGuid(domain, "ms-Mcs-AdmPwd") ?? throw new ObjectNotFoundException("The ms-Mcs-AdmPwd attribute was not found in the schema");
List <SecurityIdentifier> results = new List <SecurityIdentifier>();
foreach (ActiveDirectoryAccessRule accessRule in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
var sid = accessRule.IdentityReference as SecurityIdentifier;
if (sid == null)
{
continue;
}
if (sid.IsWellKnown(WellKnownSidType.LocalSystemSid))
{
continue;
}
if (accessRule.ActiveDirectoryRights == ActiveDirectoryRights.GenericAll)
{
results.Add(sid);
continue;
}
if (accessRule.ObjectType == mslapsGuid)
{
if (accessRule.AccessControlType != AccessControlType.Allow)
{
continue;
}
if (!accessRule.ActiveDirectoryRights.HasFlag((ActiveDirectoryRights)0x110))
{
continue;
}
results.Add(sid);
}
}
return(results);
}
/// <summary>
/// Processes the msds-groupmsamembership property, and determines who can read the password
/// </summary>
/// <param name="wrapper"></param>
/// <returns></returns>
private static async Task <List <ACL> > ProcessGMSA(LdapWrapper wrapper)
{
var aces = new List <ACL>();
//Grab the property as a byte array
var securityDescriptor = wrapper.SearchResult.GetPropertyAsBytes("msds-groupmsamembership");
//If the property is null, its either not a GMSA or something went wrong, so just exit out
if (securityDescriptor == null)
{
return(aces);
}
//Create a new ActiveDirectorySecurity object and set the bytes to the descriptor
var descriptor = new ActiveDirectorySecurity();
descriptor.SetSecurityDescriptorBinaryForm(securityDescriptor);
// Loop over the entries in the security descriptor
foreach (ActiveDirectoryAccessRule ace in descriptor.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
//Ignore null aces
if (ace == null)
{
continue;
}
//Ignore deny aces (although this should never show up in GMSAs
if (ace.AccessControlType == AccessControlType.Deny)
{
continue;
}
//Pre-process the principal for the SID
var principalSid = FilterAceSids(ace.IdentityReference.Value);
//Ignore null SIDs
if (principalSid == null)
{
continue;
}
//Resolve the principal SID and grab its type
var(finalSid, type) = await ResolutionHelpers.ResolveSidAndGetType(principalSid, wrapper.Domain);
aces.Add(new ACL
{
RightName = "ReadGMSAPassword",
AceType = "",
PrincipalSID = finalSid,
PrincipalType = type,
IsInherited = false
});
}
return(aces);
}
internal static List <ADRecipient> GetUsersGrantedSendAsPermission(ADRecipient mailbox, IRecipientSession galSession)
{
TraceWrapper.SearchLibraryTracer.TraceDebug <ADRecipient>(0, "Reading users who have SendAs rights for: {0}", mailbox);
RawSecurityDescriptor rawSecurityDescriptor = galSession.ReadSecurityDescriptor(mailbox.Id);
if (rawSecurityDescriptor == null)
{
TraceWrapper.SearchLibraryTracer.TraceDebug(0, "Null security-descriptor returned for mailbox", new object[0]);
return(null);
}
byte[] array = new byte[rawSecurityDescriptor.BinaryLength];
rawSecurityDescriptor.GetBinaryForm(array, 0);
ActiveDirectorySecurity activeDirectorySecurity = new ActiveDirectorySecurity();
activeDirectorySecurity.SetSecurityDescriptorBinaryForm(array);
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, false, typeof(SecurityIdentifier));
if (accessRules == null)
{
TraceWrapper.SearchLibraryTracer.TraceDebug(0, "No rules on ACL for this mailbox", new object[0]);
return(null);
}
List <ADRecipient> list = null;
foreach (object obj in accessRules)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)obj;
if (activeDirectoryAccessRule.AccessControlType == AccessControlType.Allow && object.Equals(activeDirectoryAccessRule.ObjectType, WellKnownGuid.SendAsExtendedRightGuid))
{
IdentityReference identityReference = activeDirectoryAccessRule.IdentityReference;
string value = identityReference.Value;
try
{
ADRecipient adrecipient = galSession.FindBySid(new SecurityIdentifier(value));
if (adrecipient == null)
{
TraceWrapper.SearchLibraryTracer.TraceError <string>(0, "User not found for SID: {0}", value);
}
else
{
if (list == null)
{
list = new List <ADRecipient>();
}
list.Add(adrecipient);
TraceWrapper.SearchLibraryTracer.TraceDebug <string, string>(0, "Added {0} to list of users who have Send-As permission for {1}.", adrecipient.DisplayName, mailbox.DisplayName);
}
}
catch (NonUniqueRecipientException arg)
{
TraceWrapper.SearchLibraryTracer.TraceError <string, string, NonUniqueRecipientException>(0, "Caught NonUniqueRecipientException when attempting to look up user with SID {0} while reading list of users granted Send-As permission to {1}: {2}", value, mailbox.Name, arg);
}
}
}
return(list);
}
private static ActiveDirectorySecurity ExtractSDValue(XmlNode child)
{
string value = ExtractStringValue(child);
byte[] data = Convert.FromBase64String(value);
ActiveDirectorySecurity sd = new ActiveDirectorySecurity();
sd.SetSecurityDescriptorBinaryForm(data);
return(sd);
}
public static void SetMailboxAces(ADUser mailbox, IConfigDataProvider writableAdSession, Task.TaskVerboseLoggingDelegate logVerbose, Task.TaskWarningLoggingDelegate logWarning, Task.ErrorLoggerDelegate logError, IConfigurationSession adSession, ref MapiMessageStoreSession storeSession, bool remove, params ActiveDirectoryAccessRule[] aces)
{
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor(mailbox, adSession, logVerbose, logError);
if (activeDirectorySecurity != null)
{
DirectoryCommon.ApplyAcesOnAcl(logVerbose, logWarning, null, mailbox.DistinguishedName, activeDirectorySecurity, remove, aces);
PermissionTaskHelper.SaveMailboxSecurityDescriptor(mailbox, activeDirectorySecurity, writableAdSession, ref storeSession, logVerbose, logError);
}
}
protected override void WriteResult(IConfigurable dataObject)
{
TaskLogger.LogEnter();
this.HasObjectMatchingIdentity = true;
ADUser aduser = (ADUser)dataObject;
if (aduser.Database == null || aduser.ExchangeGuid == Guid.Empty)
{
base.Validate(aduser);
}
else
{
ActiveDirectorySecurity activeDirectorySecurity = PermissionTaskHelper.ReadMailboxSecurityDescriptor((ADUser)dataObject, PermissionTaskHelper.GetReadOnlySession(base.DomainController), new Task.TaskVerboseLoggingDelegate(base.WriteVerbose), new Task.ErrorLoggerDelegate(base.WriteError));
if (!this.Owner.IsPresent)
{
AuthorizationRuleCollection accessRules = activeDirectorySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier));
int num = 0;
while (accessRules.Count > num)
{
ActiveDirectoryAccessRule activeDirectoryAccessRule = (ActiveDirectoryAccessRule)accessRules[num];
if (this.SecurityPrincipal == null || this.SecurityPrincipal.Sid == activeDirectoryAccessRule.IdentityReference || this.SecurityPrincipal.SidHistory.Contains(activeDirectoryAccessRule.IdentityReference as SecurityIdentifier))
{
MailboxAcePresentationObject mailboxAcePresentationObject = new MailboxAcePresentationObject(activeDirectoryAccessRule, ((ADRawEntry)dataObject).Id);
if (Globals.IsDatacenter && base.TenantGlobalCatalogSession != null)
{
SecurityIdentifier securityIdentifier = (SecurityIdentifier)activeDirectoryAccessRule.IdentityReference;
ADRecipient adrecipient = null;
try
{
adrecipient = base.TenantGlobalCatalogSession.FindBySid(securityIdentifier);
}
catch
{
}
if (adrecipient != null)
{
string friendlyName = (!string.IsNullOrEmpty(adrecipient.DisplayName)) ? adrecipient.DisplayName : adrecipient.Name;
mailboxAcePresentationObject.User = new SecurityPrincipalIdParameter(securityIdentifier, friendlyName);
}
}
mailboxAcePresentationObject.ResetChangeTracking(true);
base.WriteResult(mailboxAcePresentationObject);
}
num++;
}
}
else
{
IdentityReference owner = activeDirectorySecurity.GetOwner(typeof(NTAccount));
OwnerPresentationObject dataObject2 = new OwnerPresentationObject(((ADUser)dataObject).Id, owner.ToString());
base.WriteResult(dataObject2);
}
}
TaskLogger.LogExit();
}
//Only print the first attribute in the attrReturned array list
public static void PrintMulti(SearchResponse response, string attr)
{
foreach (SearchResultEntry entry in response.Entries)
{
//Only if the attribute is specified to be returned, then "Attributes" contains it
Console.WriteLine(" * {0}", entry.Attributes["sAMAccountName"][0]);
Console.WriteLine(" {0}\n", entry.DistinguishedName);
//in case the attribute value is null
try
{
if (attr == "")
{
}
else if (entry.Attributes[attr][0] is string)
{
for (int i = 0; i < entry.Attributes[attr].Count; i++)
{
Console.WriteLine(" - {0}: {1}", attr.ToUpper(), entry.Attributes[attr][i]);
}
}
else if (entry.Attributes[attr][0] is byte[])
{
//Resolve Security Descriptor
//From The .Net Developer Guide to Directory Services Programming Listing 8.2. Listing the DACL
ActiveDirectorySecurity ads = new ActiveDirectorySecurity();
ads.SetSecurityDescriptorBinaryForm((byte[])entry.Attributes[attr][0]);
var rules = ads.GetAccessRules(true, true, typeof(NTAccount));
foreach (ActiveDirectoryAccessRule rule in rules)
{
Console.WriteLine(" - {0}: {1} ([ControlType: {2}] Rights: {3})",
attr.ToUpper(),
rule.IdentityReference.ToString(),
rule.AccessControlType.ToString(),
rule.ActiveDirectoryRights.ToString());
}
//for (int i = 0; i < entry.Attributes[attr].Count; i++)
//{
// Console.WriteLine(" - {0}: {1}",
// attr.ToUpper(),
// System.Text.Encoding.ASCII.GetString((byte[])entry.Attributes[attr][i]));
//}
}
else
{
Console.WriteLine("Unexpected multi-valued type {0}", entry.Attributes[attr][0].GetType().Name);
}
}
catch { }
Console.WriteLine();
}
}
//repeated from Listing 5.9's helper as well
private void PrintSD(ActiveDirectorySecurity sd)
{
Console.WriteLine("=====Security Descriptor=====");
Console.Write(" Owner: ");
//change this to SecurityIdentifier from NTAccount
//for ADAM to work.
Console.WriteLine(sd.GetOwner(typeof(NTAccount)));
Console.Write(" Group: ");
//same here.
Console.WriteLine(sd.GetGroup(typeof(NTAccount)));
}
protected override void ProcessRecord()
{
//OU can be passed as name or as dn
List <ObjectInfo> OUs = DirectoryUtils.GetOU(Identity);
if (OUs.Count > 1)
{
foreach (ObjectInfo ou in OUs)
{
WriteObject(ou);
}
throw new Exception("More than one object found, search using distinguishedName instead");
}
if (OUs.Count == 0)
{
throw new Exception("Object not found");
}
ActiveDirectorySecurity sec = DirectoryUtils.GetObjectSecurity(conn, OUs[0].DistinguishedName, System.DirectoryServices.Protocols.SecurityMasks.Dacl);
//apply permissions only to computer objects
Guid inheritedObjectGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, "computer", SchemaObjectType.Class);
Guid timestampGuid = DirectoryUtils.GetSchemaGuid(conn, forestRootDomain.schemaNamingContext, Constants.TimestampAttributeName, SchemaObjectType.Attribute);
//System.DirectoryServices.PropertyAccessRule rule;
System.DirectoryServices.ActiveDirectoryAccessRule rule;
foreach (string principalName in AllowedPrincipals)
{
System.Security.Principal.NTAccount principal = new System.Security.Principal.NTAccount(principalName);
// read ms-Mcs-AdmPwdExpirationTime on computer objects
rule = new System.DirectoryServices.PropertyAccessRule(principal,
System.Security.AccessControl.AccessControlType.Allow,
PropertyAccess.Read,
timestampGuid, ActiveDirectorySecurityInheritance.Descendents,
inheritedObjectGuid
);
sec.AddAccessRule(rule);
// write ms-Mcs-AdmPwdExpirationTime on computer objects
rule = new System.DirectoryServices.PropertyAccessRule(principal,
System.Security.AccessControl.AccessControlType.Allow,
PropertyAccess.Write,
timestampGuid, ActiveDirectorySecurityInheritance.Descendents,
inheritedObjectGuid
);
sec.AddAccessRule(rule);
}
DirectoryUtils.SetObjectSecurity(conn, OUs[0].DistinguishedName, sec, System.DirectoryServices.Protocols.SecurityMasks.Dacl);
OUs[0].Status = PermissionDelegationState.Delegated;
WriteObject(OUs[0]);
}
public static void PrintDirectoryAttrDict(Dictionary <string, DirectoryAttribute> myDict, string banner)
{
PrintGreen(string.Format("\n[-] {0}:\n", banner));
if (myDict == null)
{
return;
}
foreach (var obj in myDict)
{
Console.WriteLine(" * {0}", obj.Key);
if (obj.Value[0] is string)
{
for (int i = 0; i < obj.Value.Count; i++)
{
Console.WriteLine(" - {0}", obj.Value[i]);
}
}
else if (obj.Value[0] is byte[])
{
//Resolve Security Descriptor
//From The .Net Developer Guide to Directory Services Programming Listing 8.2. Listing the DACL
for (int i = 0; i < obj.Value.Count; i++)
{
ActiveDirectorySecurity ads = new ActiveDirectorySecurity();
ads.SetSecurityDescriptorBinaryForm((byte[])obj.Value[i]);
var rules = ads.GetAccessRules(true, true, typeof(NTAccount));
foreach (ActiveDirectoryAccessRule rule in rules)
{
string name = rule.IdentityReference.ToString();
if (name.ToUpper().Contains("S-1-5"))
{
name = ConvertSIDToName(name);
}
Console.WriteLine(" - {0} ([ControlType: {1}] Rights: {2})",
name,
rule.AccessControlType.ToString(),
rule.ActiveDirectoryRights.ToString());
}
}
}
Console.WriteLine();
}
}
internal override void AdjustADSecurity(string objPath, string securityGroupPath, bool isAddressBook)
{
ExchangeLog.LogStart("AdjustADSecurity");
ExchangeLog.DebugInfo(" Active Direcory object: {0}", objPath);
ExchangeLog.DebugInfo(" Security Group: {0}", securityGroupPath);
if (isAddressBook)
{
ExchangeLog.DebugInfo(" Updating Security");
//"Download Address Book" security permission for offline address book
Guid openAddressBookGuid = new Guid("{bd919c7c-2d79-4950-bc9c-e16fd99285e8}");
DirectoryEntry groupEntry = GetADObject(securityGroupPath);
byte[] byteSid = (byte[])GetADObjectProperty(groupEntry, "objectSid");
DirectoryEntry objEntry = GetADObject(objPath);
ActiveDirectorySecurity security = objEntry.ObjectSecurity;
// Create a SecurityIdentifier object for security group.
SecurityIdentifier groupSid = new SecurityIdentifier(byteSid, 0);
// Create an access rule to allow users in Security Group to open address book.
ActiveDirectoryAccessRule allowOpenAddressBook =
new ActiveDirectoryAccessRule(
groupSid,
ActiveDirectoryRights.ExtendedRight,
AccessControlType.Allow,
openAddressBookGuid);
// Create an access rule to allow users in Security Group to read object.
ActiveDirectoryAccessRule allowRead =
new ActiveDirectoryAccessRule(
groupSid,
ActiveDirectoryRights.GenericRead,
AccessControlType.Allow);
// Remove existing rules if exist
security.RemoveAccessRuleSpecific(allowOpenAddressBook);
security.RemoveAccessRuleSpecific(allowRead);
// Add a new access rule to allow users in Security Group to open address book.
security.AddAccessRule(allowOpenAddressBook);
// Add a new access rule to allow users in Security Group to read object.
security.AddAccessRule(allowRead);
// Commit the changes.
objEntry.CommitChanges();
}
ExchangeLog.LogEnd("AdjustADSecurity");
}
private static void GetSendas(UserInfo utente)
{
string pathNameDomain = "LDAP://" + sDomain + "/" + utente.Distinguishedname;
var direcotyEntry = new DirectoryEntry(pathNameDomain, username, password);
var directorySearcher = new DirectorySearcher(direcotyEntry);
directorySearcher.PropertiesToLoad.Add("msExchRecipientTypeDetails");
directorySearcher.PropertiesToLoad.Add("distinguishedname");
directorySearcher.PropertiesToLoad.Add("mail");
var res = directorySearcher.FindOne();
DirectoryEntry ssStoreObj = res.GetDirectoryEntry();
ActiveDirectorySecurity StoreobjSec = ssStoreObj.ObjectSecurity;
AuthorizationRuleCollection Storeacls = StoreobjSec.GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));
foreach (ActiveDirectoryAccessRule ace in Storeacls)
{
if (ace.IdentityReference.Value != "S-1-5-7" & ace.IdentityReference.Value != "S-1-1-0" & ace.IsInherited != true & ace.IdentityReference.Value != "S-1-5-10")
{
if (ace.ActiveDirectoryRights.ToString() == "ExtendedRight")
{
bool found = false;
try
{
filead.WriteLine(utente.Mail + "," + Utenti.Find(x => x.ObjectSID.Contains(ace.IdentityReference.Value)).Mail + ",SendAS," + exRighthash[ace.ObjectType.ToString()].ToString() + ",,");
Trace.WriteLine(DateTime.Now.ToString("yyyyMMddHHmmss") + "::INF::SendAS::OK::SendAS permission of --> " + utente.Mail + " exported successfully");
found = true;
}
catch
{
}
try
{
filead.WriteLine(utente.Mail + "," + GruppiInfo.Find(x => x.ObjectSID.Contains(ace.IdentityReference.Value)).samaccountname + ",SendAS," + exRighthash[ace.ObjectType.ToString()].ToString() + ",,");
Trace.WriteLine(DateTime.Now.ToString("yyyyMMddHHmmss") + "::INF::SendAS::OK::SendAS permission of --> " + utente.Mail + " exported successfully");
found = true;
}
catch
{
}
if (!found)
{
Trace.WriteLine(DateTime.Now.ToString("yyyyMMddHHmmss") + "::WRN::Cannot resolve SID " + ace.IdentityReference.Value);
}
}
}
}
}
