protected override void InternalProcessRecord()
{
    // Verifies that every DKM container listed in ExpectedAccessRights carries the expected ACL
    // in the forest root domain, then reports the aggregate outcome through ReportDkmAclStatus.
    // Every container is examined even after a failure, so the status text lists all findings.
    bool aclsAreCorrect = true;
    StringBuilder status = new StringBuilder();
    ADDomain rootDomain = ADForest.GetLocalForest().FindRootDomain(true);
    if (rootDomain == null)
    {
        aclsAreCorrect = false;
        status.AppendLine("Failed to read root domain");
    }
    else
    {
        IRootOrganizationRecipientSession session = TestDataCenterDKMAccess.CreateAdSession();
        foreach (Tuple<string, Dictionary<SecurityIdentifier, ActiveDirectoryRights>> expected in this.ExpectedAccessRights)
        {
            // Evaluate the container first so the check is never short-circuited away.
            bool containerOk = TestDataCenterDKMAccess.VerifyDkmObjectPermissions(session, expected.Item1, rootDomain.Id.ToDNString(), expected.Item2, status);
            aclsAreCorrect = aclsAreCorrect && containerOk;
        }
    }
    if (aclsAreCorrect)
    {
        status.Append("DKM has correct ACL settings");
    }
    this.ReportDkmAclStatus(aclsAreCorrect, status);
}
private static IEnumerable<ADRawEntry> ReadDkmAdObjects(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, StringBuilder detailStatus)
{
    // Reads the DKM objects (stored as contact objects) beneath the named container of the root domain.
    // Returns null, after appending the reason to detailStatus, when the search fails or finds nothing.
    // An empty result is itself a finding: the message points at the ACL on the DKM objects, since a
    // missing grant for the Exchange Servers group can hide the objects from this very search.
    string containerDn = TestDataCenterDKMAccess.CreateDkmContainerDN(dkmContainerName, rootDomain);
    ADRawEntry[] found = null;
    ADOperationResult outcome = ADNotificationAdapter.TryRunADOperation(delegate()
    {
        found = session.Find(
            new ADObjectId(containerDn),
            QueryScope.SubTree,
            new CustomLdapFilter("(objectClass=contact)"),
            null,
            -1,
            new ADPropertyDefinition[] { ADObjectSchema.Name });
    });
    if (!outcome.Succeeded)
    {
        string reason = "N/A";
        if (outcome.Exception != null)
        {
            reason = outcome.Exception.Message;
        }
        detailStatus.AppendFormat("Failed to read DKM objects under DN {0} with exception {1}", containerDn, reason);
        return null;
    }
    // NOTE(review): assumes Find returns a non-null array on success — confirm; a null here would throw.
    if (found.Length == 0)
    {
        detailStatus.AppendFormat("Failed to find any DKM objects under DN {0}. Examine the ACL settings on DKM objects to ensure the Exchange Servers group is allowed.", containerDn);
        return null;
    }
    return found;
}
private static bool CheckPermissionsOnDkmObjects(IEnumerable<ADRawEntry> dkmObjects, IRootOrganizationRecipientSession session, Dictionary<SecurityIdentifier, ActiveDirectoryRights> expectedAccessRights, StringBuilder detailStatus)
{
    // Compares the effective ACL of every DKM object against expectedAccessRights and reports three
    // kinds of drift: an identity that is not expected yet has any effective access, an expected identity
    // whose effective rights differ, and an expected identity with no ACE at all.
    // Effective rights are computed by AuthzAuthorization.CheckGenericPermission over the whole raw
    // descriptor (MaximumAllowed) rather than taken from the literal rights on the individual ACE, so
    // every ACE for the same SID yields the same value and the comparison reflects the descriptor as a whole.
    // Returns false when any object fails; all objects are examined, and an object's details are appended
    // to detailStatus only when that object has at least one finding.
    bool allCorrect = true;
    foreach (ADRawEntry dkmObject in dkmObjects)
    {
        RawSecurityDescriptor rawDescriptor;
        ActiveDirectorySecurity security = PermissionTaskHelper.ReadAdSecurityDescriptor(dkmObject, session, null, out rawDescriptor);
        if (security == null)
        {
            allCorrect = false;
            detailStatus.AppendFormat("Failed to read security descriptor for DKM object {0}. Examine the ACL settings on DKM objects.\r\n", dkmObject.Id.DistinguishedName);
            continue;
        }

        AuthorizationRuleCollection rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
        StringBuilder objectReport = new StringBuilder();
        objectReport.AppendLine(string.Format("Object DN: {0}\r\n", dkmObject.Id.DistinguishedName));
        bool objectHasFinding = false;
        // Effective rights observed for the identities that are expected to be present.
        Dictionary<SecurityIdentifier, ActiveDirectoryRights> observedRights = new Dictionary<SecurityIdentifier, ActiveDirectoryRights>();
        foreach (object rule in rules)
        {
            ActiveDirectoryAccessRule accessRule = (ActiveDirectoryAccessRule)rule;
            try
            {
                SecurityIdentifier sid = (SecurityIdentifier)accessRule.IdentityReference;
                int effective = AuthzAuthorization.CheckGenericPermission(sid, rawDescriptor, AccessMask.MaximumAllowed);
                if (expectedAccessRights.ContainsKey(sid))
                {
                    observedRights[sid] = (ActiveDirectoryRights)effective;
                }
                else if (effective != 0)
                {
                    // An unexpected identity only matters if it ends up with some effective access.
                    objectReport.AppendFormat("Unexpected ACE with Identity: {0}, Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(accessRule.IdentityReference.ToString()), (ActiveDirectoryRights)effective);
                    allCorrect = false;
                    objectHasFinding = true;
                }
            }
            catch (Win32Exception ex)
            {
                // The access check itself failed; treat it as a finding rather than silently skipping the ACE.
                objectReport.AppendFormat("Failed to check ACL for Identity: {0} with Win32Exception {1} and ErrorCode {2}\r\n", TestDataCenterDKMAccess.AccountNameFromSid(accessRule.IdentityReference.ToString()), ex.Message, ex.ErrorCode);
                allCorrect = false;
                objectHasFinding = true;
            }
        }

        // Work on a copy: entries are removed as they are matched, leaving the identities that had no ACE.
        Dictionary<SecurityIdentifier, ActiveDirectoryRights> stillExpected = new Dictionary<SecurityIdentifier, ActiveDirectoryRights>(expectedAccessRights);
        foreach (KeyValuePair<SecurityIdentifier, ActiveDirectoryRights> observed in observedRights)
        {
            ActiveDirectoryRights expectedRights = stillExpected[observed.Key];
            if (expectedRights != observed.Value)
            {
                objectReport.AppendFormat("Wrong rights in ACE for Identity {0}\r\nExpected Rights: {1}\r\nActual Rights: {2}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(observed.Key.ToString()), expectedRights, observed.Value);
                allCorrect = false;
                objectHasFinding = true;
            }
            stillExpected.Remove(observed.Key);
        }
        foreach (KeyValuePair<SecurityIdentifier, ActiveDirectoryRights> missing in stillExpected)
        {
            objectReport.AppendFormat("Missing expected ACE for Identity {0}\r\nExpected Rights: {1}\r\n\r\n", TestDataCenterDKMAccess.AccountNameFromSid(missing.Key.ToString()), missing.Value);
            allCorrect = false;
            objectHasFinding = true;
        }

        if (objectHasFinding)
        {
            detailStatus.AppendLine(objectReport.ToString());
        }
    }
    return allCorrect;
}
private static bool VerifyDkmObjectPermissions(IRootOrganizationRecipientSession session, string dkmContainerName, string rootDomain, Dictionary<SecurityIdentifier, ActiveDirectoryRights> expectedRights, StringBuilder detailStatus)
{
    // Reads the DKM objects under dkmContainerName and verifies their ACLs against expectedRights.
    // A failed read has already been explained in detailStatus by ReadDkmAdObjects and counts as a
    // failure without any permission check being attempted.
    IEnumerable<ADRawEntry> dkmObjects = TestDataCenterDKMAccess.ReadDkmAdObjects(session, dkmContainerName, rootDomain, detailStatus);
    if (dkmObjects == null)
    {
        return false;
    }
    return TestDataCenterDKMAccess.CheckPermissionsOnDkmObjects(dkmObjects, session, expectedRights, detailStatus);
}