in TestSuites/ADFamily/src/Adapter/MS-ADTS-Security/MS_ADTS_Security_RequirementsValidator.cs [5465:7203]
public void ValidateReadAccessControl(AccessRights accessRights)
{
//Set to false as the attribute is not UserChangepassword
//set userChangePwd and userForcePwd to false.
userChangePwd = false;
userForcePwd = false;
//if the AccessRights is RIGHT_DS_READ_PROPERTY
if (accessRights == AccessRights.RIGHT_DS_READ_PROPERTY)
{
#region SearchAttributes
//The requirements in this block will be validated based on the response of the following
//Search operation
//the procedure of validation is similar for all the requirements
//ProcessSearchRespone returns the actual value as out parameter.
//based on the result of ProcessSearchRespone the requirements are validated.
//Search for the properties of attribute for the given distinguishname of LdapConnection.
SearchResponse searchResponseUser = ADTSHelper.SearchObject("CN=Users," + parsedDN,
"(objectClass=user)",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "name", "objectclass", "primaryGroupID" },
connection);
//local variable
object expectedResult = string.Empty;
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseUser, DomainAdministratorName, "name", out expectedResult);
//Validate MS-ADTS-Security_R518
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(DomainAdministratorName, expectedResult.ToString(), 518,
@"An Administrator has name as Administrator");
bool checkResult;
string msg;
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Administrator");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseUser, DomainAdministratorName, "objectClass", "user", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R519
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
519,
@"An Administrator has objectClass as user");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseUser, DomainAdministratorName, "primaryGroupID", out expectedResult);
//Validate MS-ADTS-Security_R521
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<int>(513, Convert.ToInt32(expectedResult), 521,
@"An Administrator has primaryGroupID as 513 (Domain Users)");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseUser, "guest", "name", out expectedResult);
//Validate MS-ADTS-Security_R522
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Guest", expectedResult.ToString(), 522,
@"A guest must have name as Guest");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Guest");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseUser, "guest", "objectClass", "user", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R523
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
523,
@"An guest MUST have objectClass as user");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseUser, "guest", "primaryGroupID", out expectedResult);
//Validate MS-ADTS-Security_R525
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<int>(514, Convert.ToInt32(expectedResult), 525,
@"An Administrator has primaryGroupID as 513 (Domain Users)");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseUser, "krbtgt", "name", out expectedResult);
//Validate MS-ADTS-Security_R526
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("krbtgt", expectedResult.ToString(), 526,
@" The Key Distribution Center Service Account has name as krbtgt");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of krbtgt");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseUser, "krbtgt", "objectClass", "user", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R527
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
527,
@"The Key Distribution Center Service Account has objectClass as user");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseUser, "krbtgt", "primaryGroupID", out expectedResult);
//Validate MS-ADTS-Security_R529
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<int>(513, Convert.ToInt32(expectedResult), 529,
@"The Key Distribution Center Service Account has primaryGroupID as 513 (Domain Users)");
//The requirements in this block will be validated based on the response of the following
//Search operation
//the procedure of validation is similar for all the requirements
//ProcessSearchRespone returns the actual value as out parameter.
//based on the result of ProcessSearchRespone the requirements are validated.
//Search for the name", "objectclass", "primaryGroupID properties of attributes
SearchResponse searchResponseGroup = ADTSHelper.SearchObject("CN=Users," + parsedDN,
"objectclass=group",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "name", "objectclass", "primaryGroupID" },
connection);
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Cert Publishers", "name", out expectedResult);
//Validate MS-ADTS-Security_R530
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Cert Publishers", expectedResult.ToString(), 530,
@"The Cert Publishers has name as Cert Publishers ");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Cert Publishers.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Cert Publishers", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R531
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
531,
@"The Cert Publishers has objectClass as group");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Cert Publishers", "primaryGroupID", out expectedResult);
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Domain Admins", "name", out expectedResult);
//Validate MS-ADTS-Security_R534
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Domain Admins", expectedResult.ToString(), 534,
@"The Domain Administrators have name as Domain Admins");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Domain Admins.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Domain Admins", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R535
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
535,
@"The Domain Admins has objectClass as group");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Domain Computers", "name", out expectedResult);
//Validate MS-ADTS-Security_R538
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Domain Computers", expectedResult.ToString(), 538,
@"The Domain Computers has name as Domain Computers");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Domain Computers.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Domain Computers", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R539
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
539,
@"The Domain Computers has objectClass as group");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Domain Controllers", "name", out expectedResult);
//Validate MS-ADTS-Security_R542
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Domain Controllers", expectedResult.ToString(), 542,
@"The Domain Controllers have name as Domain Controllers ");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Domain Controllers.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Domain Controllers", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R543
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
543,
@"The Domain Controllers has objectClass as group");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Domain Guests", "name", out expectedResult);
//Validate MS-ADTS-Security_R546
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Domain Guests", expectedResult.ToString(), 546,
@"The Domain Guests have name as Domain Guests");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Domain Guests.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Domain Guests", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R547
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
547,
@"The Domain Guests has objectClass as group");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Domain Users", "name", out expectedResult);
//Validate MS-ADTS-Security_R550
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Domain Users", expectedResult.ToString(), 550,
@"The Domain Users have name as Domain Users");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Domain Users.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Domain Users", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R551
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
551,
@"The Domain Users has objectClass as group");
expectedResult = new object();
//554 part-1
//process the Search result for Enterprise Admins in other NCRoot other than Forest Root Domain,
//it should fail
ADTSHelper.ProcessSearchRespone(searchResponseUser, "Enterprise Admins", "name", out expectedResult);
//the result should be null
TestClassBase.BaseTestSite.Assert.IsNull(expectedResult,
@"Enterprise Admin does not exist only other than Forest Root Domain.");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Enterprise Admins", "name", out expectedResult);
//554 part-2
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Enterprise Admins", expectedResult.ToString(), 554,
@"The Enterprise Administrators exist only in Forest Root Domain.");
//Validate MS-ADTS-Security_R555
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Enterprise Admins", expectedResult.ToString(), 555,
@"The Enterprise Administrators have name as Enterprise Admins");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Enterprise Admins.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Enterprise Admins", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R556
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
556,
@"The Enterprise Admins has objectClass as group");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Group Policy Creator Owners", "name", out expectedResult);
//Validate MS-ADTS-Security_R560
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Group Policy Creator Owners", expectedResult.ToString(), 560,
@"The Group Policy Creator Owners have name as Group Policy Creator Owners");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Group Policy Creator Owners.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Group Policy Creator Owners", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R561
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
561,
@"The Group Policy Creator Owners has objectClass as group");
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "RAS and IAS Servers", "name", out expectedResult);
//Validate MS-ADTS-Security_R564
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("RAS and IAS Servers", expectedResult.ToString(), 564,
@"The RAS and IAS servers have name as RAS and IAS Servers");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of RAS and IAS Servers.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "RAS and IAS Servers", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R565
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
565,
@"The RAS and IAS Servers has objectClass as group");
//Requirements specific to WindowsServer2008 only
#region WindowsServer2008 Server
//The following attributes will be present from windows server 2008 onwards.
//Windows 2008 specific requirements
if (PDCOSVersion > Common.ServerVersion.Win2003)
{
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Read-only Domain Controllers", "name", out expectedResult);
//Validate MS-ADTS-Security_R568
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Read-only Domain Controllers", expectedResult.ToString(), 568,
@"The Read-Only Domain Controllers have name as Read-Only Domain Controllers");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Read-only Domain Controllers.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Read-only Domain Controllers", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R569
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
569,
@"The Read-only Domain Controllers has objectClass as group");
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Enterprise Read-only Domain Controllers", "name", out expectedResult);
//Validate MS-ADTS-Security_R572
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Enterprise Read-only Domain Controllers", expectedResult.ToString(), 572,
@"The Enterprise Read-Only Domain Controllers have name as Enterprise Read-Only Domain Controllers");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Enterprise Read-only Domain Controllers.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Enterprise Read-only Domain Controllers", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R573
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
573,
@"The Enterprise Read-only Domain Controllers has objectClass as group");
}
#endregion
//process the search Result for the expected property.
ADTSHelper.ProcessSearchRespone(searchResponseGroup, "Schema Admins", "name", out expectedResult);
//Validate MS-ADTS-Security_R576 and MS-ADTS-Security_R577
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Schema Admins", expectedResult.ToString(), 576,
@"The Schema Admins group exists only in forest domain");
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("Schema Admins", expectedResult.ToString(), 577,
@"The Schema Admins have name as schema admins");
//process the search Result for the expected property.
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
"Verify the objectClass of Schema Admins.");
checkResult = ADTSHelper.SearchResponseHasValue(searchResponseGroup, "Schema Admins", "objectClass", "group", out msg);
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Comment,
msg);
//Validate MS-ADTS-Security_R578
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
checkResult,
578,
@"The Schema Admins has objectClass as group");
//Search for name attribute for given dn of ldap connection
SearchResponse searchResponse1 = ADTSHelper.SearchObject(parsedDN, "name=ForeignSecurityPrincipals",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "name" }, connection);
//Validate MS-ADTS-Security_R582
TestClassBase.BaseTestSite.CaptureRequirementIfIsNotNull(searchResponse1, 582, @"In AD DS, each Domain NC contains a
well-known Foreign Security Principals container");
#region AdminSDHolder
//Search for AdminSDHolder.
SearchResponse isAdminSDHolder = ADTSHelper.SearchObject("CN=AdminSDHolder,CN=System," + parsedDN,
"objectClass=container",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "name" },
connection);
//process for AdminSDHolder
ADTSHelper.ProcessSearchRespone(isAdminSDHolder, "AdminSDHolder", "name", out expectedResult);
//Validate MS-ADTS-Security_R138
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>("AdminSDHolder", expectedResult.ToString(),
138, @"The AdminSDHolder object is of class container and has a DN of CN=AdminSDHolder,
CN=System,<Domain NC DN>.");
#endregion
#endregion
#region Search Secret Attributes
//The requirements in this block will be validated based on the response of the following
//Search operation
//the procedure of validation is similar for all the requirements
//ProcessSearchRespone returns the actual value as out parameter.
//based on the result of ProcessSearchRespone the requirements are validated.
SearchResponse resultSearchResponse;
//Search for the peklist properties.
resultSearchResponse = ADTSHelper.SearchObject(parsedDN,
"objectclass=domain",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "peklist" }, connection);
//peklist attributes should not accessible
//Validating peklist attribute access
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("peklist"), 10085, @"While accessing
pekList attribute,Access is never granted to the security context of the requestor. ");
//currentValue attributes should not accessible
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { " currentValue" }, connection);
//Validating currentValue attribute
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("currentValue"), 10086, @"While
accessing currentValue attribute,Access is never granted to the security context of the
requestor. ");
//Search for dBCSPwd properties
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "dBCSPwd" }, connection);
//dBCSPwd Should not accessible.
//Validating dBCSPwd attribute access
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("dBCSPwd"), 10087, @"While
accessing dBCSPwd attribute,Access is never granted to the security context of the requestor. ");
//Searching for unicodePwd
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { " unicodePwd" }, connection);
//Validate unicodePwd attribute access.
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("unicodePwd"), 10088, @"While
accessing unicodePwd attribute,Access is never granted to the security context of the requestor. ");
//Searching for ntPwdHistory Attribute.
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { " ntPwdHistory" }, connection);
//Validating ntPwdHistory attribute access
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("ntPwdHistory"), 10089, @"While
accessing ntPwdHistory attribute,Access is never granted to the security context of the
requestor. ");
//Searching for priorValue Attribute.
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { " priorValue" }, connection);
//Validating priorValue attribute access
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("priorValue"), 10090, @"While
accessing priorValue attribute,Access is never granted to the security context of the
requestor. ");
//Searching for supplementalCredentials attibute
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { " supplementalCredentials" }, connection);
//Validating supplementalCredentials attribute access
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("supplementalCredentials"), 10091, @"While
accessing supplementalCredentials attribute,Access is never granted to the security context
of the requestor. ");
//Searching for lmPwdHistory attribute
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { " lmPwdHistory" }, connection);
//Validating lmPwdHistory attribute
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("lmPwdHistory"), 10094, @"While
accessing lmPwdHistory attribute,Access is never granted to the security context of the
requestor. ");
//Searching for msDS-ExecuteScriptPassword attribute
resultSearchResponse = ADTSHelper.SearchObject("CN=" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { " msDS-ExecuteScriptPassword" }, connection);
//Validating msDS-ExecuteScriptPassword attribute
TestClassBase.BaseTestSite.CaptureRequirementIfIsFalse(resultSearchResponse.Entries[0].Attributes.Contains("msDS-ExecuteScriptPassword"), 10098, @"While
accessing msDS-ExecuteScriptPassword attribute,Access is never granted to the security context of the
requestor. ");
#endregion
#region ControlAccessRightsGuid's
//The requirements in this block will be validated based on the response of the following
//Search operation
//the procedure of validation is similar for all the requirements
//ProcessSearchRespone returns the actual value as out parameter.
//based on the result of ProcessSearchRespone the requirements are validated.
//Temporary Ldapconnection instance used to search ControlAccess Guids
LdapConnection tempLdapConnection = new LdapConnection(new LdapDirectoryIdentifier(PdcFqdn), new NetworkCredential(ClientUserName, ClientUserPassword, adDomain), AuthType.Basic);
//Searching for Control access rights.
SearchResponse searchControlAccessGuids = ADTSHelper.SearchObject("CN=Extended-Rights,CN=Configuration," + parsedDN,
"objectclass=ControlAccessRight",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "rightsGuid" },
tempLdapConnection);
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Self-Membership", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"bf9679c0-0de6-11d0-a285-00aa003049e2",
expectedResult.ToString(),
325,
@"The Validated write right symbol Self-Membership has an identifying GUID used in
ACE as bf9679c0-0de6-11d0-a285-00aa003049e2 (member attribute)");
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"bf9679c0-0de6-11d0-a285-00aa003049e2",
expectedResult.ToString(),
587,
@"The Self-Membership Validated write right symbol has an Identifying GUID used in ACE as
bf9679c0-0de6-11d0-a285-00aa003049e2 (member attribute))");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Add-GUID", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"440820ad-65b4-11d1-a3da-0000f875ae0d",
expectedResult.ToString(),
346,
@"TThe control Access Right Symbol Add-GUID has an identifying GUID in ACE as
440820ad-65b4-11d1-a3da-0000f875ae0d");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Allocate-Rids", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd",
expectedResult.ToString(),
347,
@"The control Access Right Symbol Allocate-Rids has an identifying GUID in ACE as
1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Allowed-To-Authenticate", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"68B1D179-0D15-4d4f-AB71-46152E79A7BC",
expectedResult.ToString(),
348,
@"The control Access Right Symbol Allowed-To-Authenticate has an identifying GUID in ACE as
68b1d179-0d15-4d4f-ab71-46152e79a7bc");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Apply-Group-Policy", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"edacfd8f-ffb3-11d1-b41d-00a0c968f939",
expectedResult.ToString(),
349,
@"The control Access Right Symbol Apply-Group-Policy has an identifying GUID in ACE as
edacfd8f-ffb3-11d1-b41d-00a0c968f939");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Certificate-Enrollment", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"0e10c968-78fb-11d2-90d4-00c04f79dc55",
expectedResult.ToString(),
350,
@"The control Access Right Symbol Certificate-Enrollment has an identifying GUID in ACE as
0e10c968-78fb-11d2-90d4-00c04f79dc55");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Change-Domain-Master", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"014bf69c-7b3b-11d1-85f6-08002be74fab",
expectedResult.ToString(),
351,
@"The control Access Right Symbol Change-Domain-Master has an identifying GUID in ACE as
014bf69c-7b3b-11d1-85f6-08002be74fab");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Change-Infrastructure-Master", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd",
expectedResult.ToString(),
352,
@"The control Access Right Symbol Change-Infrastructure-Master has an identifying GUID in ACE
as cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Change-PDC", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"bae50096-4752-11d1-9052-00c04fc2d4cf",
expectedResult.ToString(),
353,
@"The control Access Right Symbol Change-PDC has an identifying GUID in ACE as
bae50096-4752-11d1-9052-00c04fc2d4cf");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Change-Rid-Master", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"d58d5f36-0a98-11d1-adbb-00c04fd8d5cd",
expectedResult.ToString(),
354,
@"The control Access Right Symbol Change-Rid-Master has an identifying GUID in ACE as
d58d5f36-0a98-11d1-adbb-00c04fd8d5cd");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Change-Schema-Master", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"e12b56b6-0a95-11d1-adbb-00c04fd8d5cd",
expectedResult.ToString(),
355,
@"The control Access Right Symbol Change-Schema-Master has an identifying GUID in ACE as
e12b56b6-0a95-11d1-adbb-00c04fd8d5cd");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Create-Inbound-Forest-Trust", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"e2a36dc9-ae17-47c3-b58b-be34c55ba633",
expectedResult.ToString(),
356,
@"The control Access Right Symbol Create-Inbound-Forest-Trust has an identifying GUID in ACE as
e2a36dc9-ae17-47c3-b58b-be34c55ba633");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Do-Garbage-Collection", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"fec364e0-0a98-11d1-adbb-00c04fd8d5cd",
expectedResult.ToString(),
357,
@"The control Access Right Symbol Do-Garbage-Collection has an identifying GUID in ACE as
fec364e0-0a98-11d1-adbb-00c04fd8d5cd");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Domain-Administer-Server", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"ab721a52-1e2f-11d0-9819-00aa0040529b",
expectedResult.ToString(),
358,
@"The control Access Right Symbol Domain-Administer-Server has an identifying GUID in ACE as
ab721a52-1e2f-11d0-9819-00aa0040529b");
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Check-Stale-Phantoms", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"69ae6200-7f46-11d2-b9ad-00c04f79f805",
expectedResult.ToString(),
359,
@"The control Access Right Symbol DS-Check-Stale-Phantoms has an identifying GUID in ACE as
69ae6200-7f46-11d2-b9ad-00c04f79f805");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Execute-Intentions-Script", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"2f16c4a5-b98e-432c-952a-cb388ba33f2e",
expectedResult.ToString(),
360,
@"The control Access Right Symbol DS-Execute-Intentions-Script has an identifying GUID in ACE as
2f16c4a5-b98e-432c-952a-cb388ba33f2e");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Install-Replica", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"9923a32a-3607-11d2-b9be-0000f87a36b2",
expectedResult.ToString(),
361,
@"The control Access Right Symbol DS-Install-Replica has an identifying GUID in ACE as
9923a32a-3607-11d2-b9be-0000f87a36b2");
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Query-Self-Quota", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"4ecc03fe-ffc0-4947-b630-eb672a8a9dbc",
expectedResult.ToString(),
362,
@"The control Access Right Symbol DS-Query-Self-Quota has an identifying GUID in ACE as
4ecc03fe-ffc0-4947-b630-eb672a8a9dbc");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Replication-Get-Changes", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
expectedResult.ToString(),
363,
@"The control Access Right Symbol DS-Replication-Get-Changes has an identifying GUID in ACE as
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Replication-Get-Changes-All", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
expectedResult.ToString(),
364,
@"The control Access Right Symbol DS-Replication-Get-Changes-All has an identifying GUID in ACE as
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Replication-Manage-Topology", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"1131f6ac-9c07-11d1-f79f-00c04fc2dcd2",
expectedResult.ToString(),
366,
@"The control Access Right Symbol DS-Replication-Manage-Topology has an identifying GUID in ACE as
1131f6ac-9c07-11d1-f79f-00c04fc2dcd2");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Replication-Monitor-Topology", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"f98340fb-7c5b-4cdb-a00b-2ebdfa115a96",
expectedResult.ToString(),
367,
@"The control Access Right Symbol DS-Replication-Monitor-Topology has an identifying GUID in ACE as
f98340fb-7c5b-4cdb-a00b-2ebdfa115a96");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Replication-Synchronize", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"1131f6ab-9c07-11d1-f79f-00c04fc2dcd2",
expectedResult.ToString(),
368,
@"The control Access Right Symbol DS-Replication-Synchronize has an identifying GUID in ACE as 1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Enable-Per-User-Reversibly-Encrypted-Password", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"05c74c5e-4deb-43b4-bd9f-86664c2a7fd5",
expectedResult.ToString(),
370,
@"The control Access Right Symbol Enable-Per-User-Reversibly-Encrypted-Password has an identifying GUID in ACE as
05c74c5e-4deb-43b4-bd9f-86664c2a7fd5");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Generate-RSoP-Logging", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"b7b1b3de-ab09-4242-9e30-9980e5d322f7",
expectedResult.ToString(),
371,
@"The control Access Right Symbol Generate-RSoP-Logging has an identifying GUID in ACE as
b7b1b3de-ab09-4242-9e30-9980e5d322f7");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Generate-RSoP-Planning", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"b7b1b3dd-ab09-4242-9e30-9980e5d322f7",
expectedResult.ToString(),
372,
@"The control Access Right Symbol Generate-RSoP-Planning has an identifying GUID in ACE as
b7b1b3dd-ab09-4242-9e30-9980e5d322f7");
if (PDCOSVersion == ServerVersion.Win2008R2)
{
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Manage-Optional-Features", "rightsGuid", out expectedResult);
//Verify MS-ADTS-Security_R10664
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"7c0e2a7c-a419-48e4-a995-10180aad54dd",
expectedResult.ToString(),
10664,
@"The control Access Right Symbol Manage-Optional-Features has an identifying GUID in ACE as
7c0e2a7c-a419-48e4-a995-10180aad54dd");
}
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Migrate-SID-History", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"BA33815A-4F93-4c76-87F3-57574BFF8109",
expectedResult.ToString(),
373,
@"The control Access Right Symbol Migrate-SID-History has an identifying GUID in ACE as
ba33815a-4f93-4c76-87f3-57574bff8109");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Open-Connector", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"b4e60130-df3f-11d1-9c86-006008764d0e",
expectedResult.ToString(),
374,
@"The control Access Right Symbol msmq-Open-Connector has an identifying GUID in ACE as
b4e60130-df3f-11d1-9c86-006008764d0e");
//process the search Result for the expected guid.
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Peek", "rightsGuid", out expectedResult);
//Search in Configuration NC.
//non-configurable values
DirectoryEntry tempEntry = new DirectoryEntry(string.Format("LDAP://{0}/CN=msmq-Peek,CN=Extended-Rights,CN=Configuration,{1}", PdcFqdn, parsedDN));
//Check for the presence of rightsGuid
if (tempEntry.Properties.Contains("rightsGuid"))
{
expectedResult = tempEntry.Properties["rightsGuid"].Value;
}
//reset to null
tempEntry = null;
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"06bd3201-df3e-11d1-9c86-006008764d0e",
expectedResult.ToString(),
375,
@"The control Access Right Symbol msmq-Peek has an identifying GUID in ACE as
06bd3201-df3e-11d1-9c86-006008764d0e");
//process the easrch response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Peek-computer-Journal", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"4b6e08c3-df3c-11d1-9c86-006008764d0e",
expectedResult.ToString(),
376,
@"The control Access Right Symbol msmq-Peek-computer-Journal has an identifying GUID in ACE as
4b6e08c3-df3c-11d1-9c86-006008764d0e");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Peek-Dead-Letter", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"4b6e08c1-df3c-11d1-9c86-006008764d0e",
expectedResult.ToString(),
377,
@"The control Access Right Symbol msmq-Peek-Dead-Letter has an identifying GUID in ACE as
4b6e08c1-df3c-11d1-9c86-006008764d0e");
//process the easrch response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Receive", "rightsGuid", out expectedResult);
//Seacrh for extended right
tempEntry = new DirectoryEntry(string.Format("LDAP://{0}/CN=msmq-Receive,CN=Extended-Rights,CN=Configuration,{1}", PdcFqdn, parsedDN));
//Check for the presence of specifies Guid.
if (tempEntry.Properties.Contains("rightsGuid"))
{
expectedResult = tempEntry.Properties["rightsGuid"].Value;
}
tempEntry = null;
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"06bd3200-df3e-11d1-9c86-006008764d0e",
expectedResult.ToString(),
378,
@"The control Access Right Symbol msmq-Receive has an identifying GUID in ACE as
06bd3200-df3e-11d1-9c86-006008764d0e");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Receive-computer-Journal", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"4b6e08c2-df3c-11d1-9c86-006008764d0e",
expectedResult.ToString(),
379,
@"The control Access Right Symbol msmq-Receive-computer-Journal has an identifying GUID in ACE as
4b6e08c2-df3c-11d1-9c86-006008764d0e");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Receive-Dead-Letter", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"4b6e08c0-df3c-11d1-9c86-006008764d0e",
expectedResult.ToString(),
380,
@"The control Access Right Symbol msmq-Receive-Dead-Letter has an identifying GUID in ACE as
4b6e08c0-df3c-11d1-9c86-006008764d0e");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Receive-journal", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"06bd3203-df3e-11d1-9c86-006008764d0e",
expectedResult.ToString(),
381,
@"The control Access Right Symbol msmq-Receive-journal has an identifying GUID in ACE as
06bd3203-df3e-11d1-9c86-006008764d0e");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "msmq-Send", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"06bd3202-df3e-11d1-9c86-006008764d0e",
expectedResult.ToString(),
382,
@"The control Access Right Symbol msmq-Send has an identifying GUID in ACE as
06bd3202-df3e-11d1-9c86-006008764d0e");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Open-Address-Book", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"a1990816-4298-11d1-ade2-00c04fd8d5cd",
expectedResult.ToString(),
383,
@"The control Access Right Symbol Open-Address-Book has an identifying GUID in ACE as
a1990816-4298-11d1-ade2-00c04fd8d5cd");
//The following requirements are specific to Win 2k8
#region ControlAccessRightGuid's 2008
if (PDCOSVersion > Common.ServerVersion.Win2003)
{
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Read-Only-Replication-Secret-Synchronization", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"1131f6ae-9c07-11d1-f79f-00c04fc2dcd2",
expectedResult.ToString(),
384,
@"The control Access Right Symbol Read-Only-Replication-Secret-Synchronization has an identifying
GUID in ACE as 1131f6ae-9c07-11d1-f79f-00c04fc2dcd2");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Reload-SSL-Certificate", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8",
expectedResult.ToString(),
391,
@"The control Access Right Symbol Reload-SSL-Certificate has an identifying GUID in ACE as
1a60ea8d-58a6-4b20-bcdc-fb71eb8a9ff8");
}
#endregion
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Reanimate-Tombstones", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"45EC5156-DB7E-47bb-B53F-DBEB2D03C40F",
expectedResult.ToString(),
385,
@"The control Access Right Symbol Reanimate-Tombstones has an identifying GUID in ACE as
45ec5156-db7e-47bb-b53f-dbeb2d03c40f");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Recalculate-Hierarchy", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"0bc1554e-0a99-11d1-adbb-00c04fd8d5cd",
expectedResult.ToString(),
386,
@"The control Access Right Symbol Recalculate-Hierarchy has an identifying GUID in ACE as
0bc1554e-0a99-11d1-adbb-00c04fd8d5cd");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Recalculate-Security-Inheritance", "rightsGuid", out expectedResult);
//process the search response for expected Guid
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"62dd28a8-7f46-11d2-b9ad-00c04f79f805",
expectedResult.ToString(),
387,
@"The control Access Right Symbol Recalculate-Security-Inheritance has an identifying GUID in ACE as
62dd28a8-7f46-11d2-b9ad-00c04f79f805");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Receive-As", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"ab721a56-1e2f-11d0-9819-00aa0040529b",
expectedResult.ToString(),
388,
@"The control Access Right Symbol Receive-As has an identifying GUID in ACE as
ab721a56-1e2f-11d0-9819-00aa0040529b");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Refresh-Group-Cache", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"9432c620-033c-4db7-8b58-14ef6d0bf477",
expectedResult.ToString(),
389,
@"The control Access Right Symbol Refresh-Group-Cache has an identifying GUID in ACE as
9432c620-033c-4db7-8b58-14ef6d0bf477");
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "SAM-Enumerate-Entire-Domain", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"91d67418-0135-4acc-8d79-c08e857cfbec",
expectedResult.ToString(),
392,
@"The control Access Right Symbol SAM-Enumerate-Entire-Domain has an identifying GUID in ACE as
91d67418-0135-4acc-8d79-c08e857cfbec");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Send-As", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"ab721a54-1e2f-11d0-9819-00aa0040529b",
expectedResult.ToString(),
393,
@"The control Access Right Symbol Send-As has an identifying GUID in ACE as
ab721a54-1e2f-11d0-9819-00aa0040529b");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Send-To", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"ab721a55-1e2f-11d0-9819-00aa0040529b",
expectedResult.ToString(),
394,
@"The control Access Right Symbol Send-To has an identifying GUID in ACE as
ab721a55-1e2f-11d0-9819-00aa0040529b");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Unexpire-Password", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501",
expectedResult.ToString(),
395,
@"The control Access Right Symbol Unexpire-Password has an identifying GUID in ACE as
ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Update-Password-Not-Required-Bit", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"280f369c-67c7-438e-ae98-1d46f3c6f541",
expectedResult.ToString(),
396,
@"The control Access Right Symbol Update-Password-Not-Required-Bit has an identifying GUID in ACE as
280f369c-67c7-438e-ae98-1d46f3c6f541");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Update-Schema-Cache", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"be2bb760-7f46-11d2-b9ad-00c04f79f805",
expectedResult.ToString(),
397,
@"The control Access Right Symbol Update-Schema-Cache has an identifying GUID in ACE as
be2bb760-7f46-11d2-b9ad-00c04f79f805");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "User-Change-Password", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"ab721a53-1e2f-11d0-9819-00aa0040529b",
expectedResult.ToString(),
398,
@"The control Access Right Symbol User-Change-Password has an identifying GUID in ACE as
ab721a53-1e2f-11d0-9819-00aa0040529b");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "User-Force-Change-Password", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"00299570-246d-11d0-a768-00aa006e0529",
expectedResult.ToString(),
399,
@"The control Access Right Symbol User-Force-Change-Password has an identifying GUID in ACE as
00299570-246d-11d0-a768-00aa006e0529");
if (PDCOSVersion >= Common.ServerVersion.Win2012R2)
{
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Clone-Domain-Controller", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.Assert.AreEqual(
"3e0f7e18-2c7a-4c10-ba82-4d926db99a3e",
expectedResult.ToString().ToLower(),
@"The control Access Right Symbol DS-Clone-Domain-Controller has an identifying GUID in ACE as
3e0f7e18-2c7a-4c10-ba82-4d926db99a3e");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Read-Partition-Secrets", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.Assert.AreEqual(
"084c93a2-620d-4879-a836-f0ae47de0e89",
expectedResult.ToString().ToLower(),
@"The control Access Right Symbol DS-Read-Partition-Secrets has an identifying GUID in ACE as
084c93a2-620d-4879-a836-f0ae47de0e89");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Write-Partition-Secrets", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.Assert.AreEqual(
"94825a8d-b171-4116-8146-1e34d8f54401",
expectedResult.ToString().ToLower(),
@"The control Access Right Symbol DS-Write-Partition-Secrets has an identifying GUID in ACE as
94825a8d-b171-4116-8146-1e34d8f54401");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Set-Owner", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.Assert.AreEqual(
"4125c71f-7fac-4ff0-bcb7-f09a41325286",
expectedResult.ToString().ToLower(),
@"The control Access Right Symbol DS-Set-Owner has an identifying GUID in ACE as
4125c71f-7fac-4ff0-bcb7-f09a41325286");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "DS-Bypass-Quota", "rightsGuid", out expectedResult);
//TDI 72228. The GUID in TD is 4125c71f-7fac-4ff0-bcb7-f09a41325286. It is incorrect.
TestClassBase.BaseTestSite.Assert.AreEqual(
"88a9933e-e5c8-4f2a-9dd7-2527416b8092",
expectedResult.ToString().ToLower(),
@"The control Access Right Symbol DS-Bypass-Quota has an identifying GUID in ACE as
88a9933e-e5c8-4f2a-9dd7-2527416b8092");
//process the Search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Validated-MS-DS-Additional-DNS-Host-Name", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.Assert.AreEqual(
"80863791-dbe9-4eb8-837e-7f0ab55d9ac7",
expectedResult.ToString(),
@"The Validated-MS-DS-Additional-DNS-Host-Name Validated write right symbol has an Identifying
Guid used in ACE as 80863791-dbe9-4eb8-837e-7f0ab55d9ac7(msDS-AdditionalDnsHostName attribute)"
);
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Validated-MS-DS-Behavior-Version", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.Assert.AreEqual(
"d31a8757-2447-4545-8081-3bb610cacbf2",
expectedResult.ToString(),
@"TheValidated-MS-DS-Behavior-Version Validated write right symbol has an Identifying
Guid used in ACE as d31a8757-2447-4545-8081-3bb610cacbf2(msDS-Behavior-Version attribute)"
);
}
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Validated-DNS-Host-Name", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"72e39547-7b18-11d1-adef-00c04fd8d5cd",
expectedResult.ToString(),
326,
@"The Validated write right symbol Validated-DNS-Host-Name has an identifying GUID used in ACE as
72e39547-7b18-11d1-adef-00c04fd8d5cd (dNSHostName attribute)");
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"72e39547-7b18-11d1-adef-00c04fd8d5cd",
expectedResult.ToString(),
588,
@"The Validated-DNS-Host-Name Validated write right symbol has an Identifying
GUID used in ACE as 72e39547-7b18-11d1-adef-00c04fd8d5cd (dNSHostName attribute)");
//process the search response for expected Guid
ADTSHelper.ProcessSearchRespone(searchControlAccessGuids, "Validated-SPN", "rightsGuid", out expectedResult);
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"f3a64788-5306-11d1-a9c5-0000f80367c1",
expectedResult.ToString(),
327,
@"The Validated write right symbol Validated-SPN has an identifying GUID used in ACE as
f3a64788-5306-11d1-a9c5-0000f80367c1 (servicePrincipalName attribute)");
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual<string>(
"f3a64788-5306-11d1-a9c5-0000f80367c1",
expectedResult.ToString(),
589,
@"The Validated-SPN Validated write right symbol has an Identifying
GUID used in ACE as f3a64788-5306-11d1-a9c5-0000f80367c1 (servicePrincipalName attribute)");
#endregion
#region GroupType Requirements
//This region validates the group type related requirements
//Specifies expected value
object expectedValue;
//Specifies actual value
int actualValue;
//if the search contains the expected ,then set this variable to true.
bool isExisted = false;
#region Constants
//from ADTS Technical Specification
const uint GROUP_TYPE_ACCOUNT_GROUP = 2;
//from ADTS Technical Specification
const uint GROUP_TYPE_RESOURCE_GROUP = 4;
//from ADTS Technical Specification
const uint GROUP_TYPE_UNIVERSAL_GROUP = 8;
//from ADTS Technical Specification
const uint GROUP_TYPE_SECURITY_ENABLED = 2147483648;
#endregion
//Searching Group objects in Users container in Domain NC.
resultSearchResponse = ADTSHelper.SearchObject("CN=Users," + parsedDN,
"objectclass=group",
System.DirectoryServices.Protocols.SearchScope.Subtree,
new string[] { "groupType" }, tempLdapConnection);
#region Validate MS-ADTS-Security_R533
isExisted = false;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Cert Publishers", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_RESOURCE_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_RESOURCE_GROUP) == GROUP_TYPE_RESOURCE_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 533, @"The Cert Publishers has
groupType as {GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED} _ENABLED}");
#endregion
#region Validate MS-ADTS-Security_R537
//reset to default values
isExisted = false;
expectedValue = null;
actualValue = -1;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Domain Admins", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 537, @"The Domain Administrators have
groupType as { GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}");
#endregion
#region Validate MS-ADTS-Security_R541
//reset to default values
isExisted = false;
expectedValue = null;
actualValue = -1;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Domain Computers", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 541, @"The Domain Computers has
groupType as { GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED }");
#endregion
#region Validate MS-ADTS-Security_R545
//reset to default values
isExisted = false;
expectedValue = null;
actualValue = -1;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Domain Controllers", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 545, @"The Domain Controllers have
groupType as { GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED }");
#endregion
#region Validate MS-ADTS-Security_R549
//reset to default values
isExisted = false;
expectedValue = null;
actualValue = -1;
//Process the Search response for the expected group type value.
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Domain Guests", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 549, @"The Domain Guests have
groupType as { GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED }");
#endregion
#region Validate MS-ADTS-Security_R553
isExisted = false;
expectedValue = null;
actualValue = -1;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Domain Users", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 553, @"The Domain Users have
groupType as { GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED }");
#endregion
#region Validate MS-ADTS-Security_R558, MS-ADTS-Security_R559, MS-ADTS-Security_R580, MS-ADTS-Security_R581
//reset to default values
isExisted = false;
expectedValue = null;
actualValue = -1;
int mixedValue = -1;
// Disable referral.
tempLdapConnection.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
//search for DomainDNS
SearchResponse mixedSearch = ADTSHelper.SearchObject(parsedDN, "objectClass=domainDNS",
System.DirectoryServices.Protocols.SearchScope.Subtree, new string[] { "nTMixedDomain" }, tempLdapConnection);
//get nTMixedDomain to know whether the domain is in native or mixed mode
ADTSHelper.ProcessSearchRespone(mixedSearch, adDomain, "nTMixedDomain", out expectedValue);
mixedValue = int.Parse(expectedValue.ToString());
//if domain is in mixed mode,
if (mixedValue == 1)
{
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Enterprise Admins", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 558, @"The Enterprise
Administrators have groupType as { GROUP_TYPE_ACCOUNT_GROUP |
GROUP_TYPE_SECURITY_ENABLED } If the forest root domain is mixed");
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Schema Admins", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 580, @"The Schema Admins have
groupType as {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED } if the forest root
domain is mixed ");
//ModifyRequest to modify nTMixedDomain
ModifyRequest modReq = new ModifyRequest(parsedDN,
DirectoryAttributeOperation.Replace,
"nTMixedDomain",
"0");
//Response
ModifyResponse modRes = (ModifyResponse)tempLdapConnection.SendRequest(modReq);
}
//search for DomainDNS
mixedSearch = ADTSHelper.SearchObject(parsedDN, "objectClass=domainDNS",
System.DirectoryServices.Protocols.SearchScope.Subtree, new string[] { "nTMixedDomain" }, tempLdapConnection);
//get nTMixedDomain to know whether the domain is in native or mixed mode
ADTSHelper.ProcessSearchRespone(mixedSearch, adDomain, "nTMixedDomain", out expectedValue);
mixedValue = int.Parse(expectedValue.ToString());
//if domain in in native mode
if (mixedValue == 0)
{
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Enterprise Admins", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_UNIVERSAL_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_UNIVERSAL_GROUP) == GROUP_TYPE_UNIVERSAL_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 559, @"The Enterprise
Administrators have groupType as {GROUP_TYPE_UNIVERSAL_GROUP |
GROUP_TYPE_SECURITY_ENABLED } If the forest root domain is not mixed");
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Schema Admins", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_UNIVERSAL_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_UNIVERSAL_GROUP) == GROUP_TYPE_UNIVERSAL_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 581, @"The Schema Admins have
group type as { GROUP_TYPE_UNIVERSAL_GROUP | GROUP_TYPE_SECURITY_ENABLED }
If the forest root domain is not mixed");
}
#endregion
#region Validate MS-ADTS-Security_R563
//Reset to default values
isExisted = false;
expectedValue = null;
actualValue = -1;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Group Policy Creator Owners", "groupType", out expectedValue);
//parse for actual value
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 563, @"The Group Policy Creator Owners
have groupType as { GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}");
#endregion
#region Validate MS-ADTS-Security_R567
//Reset to default values
isExisted = false;
expectedValue = null;
actualValue = -1;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "RAS and IAS Servers", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_RESOURCE_GROUP) == GROUP_TYPE_RESOURCE_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isExisted, 567, @"The RAS and IAS servers have
groupType as {GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_SECURITY_ENABLED}");
#endregion
//Specific to win 2k8 .
if (PDCOSVersion == ServerVersion.Win2008 || PDCOSVersion == ServerVersion.Win2008R2)
{
#region Covering MS-ADTS-Security_R571
isExisted = false;
//get groupType value
ADTSHelper.ProcessSearchRespone(resultSearchResponse, "Read-only Domain Controllers", "groupType", out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_RESOURCE_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_ACCOUNT_GROUP) == GROUP_TYPE_ACCOUNT_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
//Add the log information
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Debug,
@"[MS-ADTS-Security_R571] actualValue={0},GROUP_TYPE_ACCOUNT_GROUP={1}",
actualValue,
GROUP_TYPE_ACCOUNT_GROUP);
//Verify MS-ADTS-Security_R571
//This action assume taking place in deployment
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
isExisted,
571,
@"The Read-Only Domain Controllers have groupType as { GROUP_TYPE_ACCOUNT_GROUP |
GROUP_TYPE_SECURITY_ENABLED } and the group is created in a domain by the PDC,
the first time(This may occur upon the new installation of or upgrade to a W2K8/Win7
DC if that DC also holds the PDC role. However, it may also occur when the first
DC that is running WS08 or Win7 assumes the PDC role.) a Windows Server 2008
operating system or Windows Server 2008 R2 operating system DC holds the PDC FSMO.");
#endregion
#region Covering MS-ADTS-Security_R575
isExisted = false;
//get groupType value
ADTSHelper.ProcessSearchRespone(
resultSearchResponse,
"Enterprise Read-only Domain Controllers",
"groupType",
out expectedValue);
actualValue = int.Parse(expectedValue.ToString());
//check GROUP_TYPE_RESOURCE_GROUP and GROUP_TYPE_SECURITY_ENABLED bits are set
if ((actualValue & GROUP_TYPE_UNIVERSAL_GROUP) == GROUP_TYPE_UNIVERSAL_GROUP &&
(actualValue & GROUP_TYPE_SECURITY_ENABLED) == GROUP_TYPE_SECURITY_ENABLED)
{
isExisted = true;
}
//capturing requirement
//Add the log information
TestClassBase.BaseTestSite.Log.Add(
LogEntryKind.Debug,
@"[MS-ADTS-Security_R575] actualValue={0},GROUP_TYPE_ACCOUNT_GROUP={1}",
actualValue,
GROUP_TYPE_ACCOUNT_GROUP);
//Verify MS-ADTS-Security_R575
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
isExisted,
575,
@"The Enterprise Read-Only Domain Controllers have groupType as { GROUP_TYPE_UNIVERSAL_GROUP |
GROUP_TYPE_SECURITY_ENABLED } and the group is created in the root domain by
the root domain PDC, the first time a Windows Server 2008 operating system or Windows Server
2008 R2 operating system DC holds the root domain PDC FSMO.");
#endregion
}
#endregion
#region MS-ADTS-Security_R38
//Access Rights are set indicates accessing
//Set Right Access.
bool isResult = ADTSHelper.SetAccessRights(PdcFqdn,
"CN =" + ClientUserName + ",CN=Users," + parsedDN,
ClientUserName,
ClientUserPassword,
adDomain,
ActiveDirectoryRights.ReadControl,
AccessControlType.Allow);
//perform SearchOpeartion
SearchResponse response = ADTSHelper.SearchObject("CN =" + ClientUserName + ",CN=Users," + parsedDN,
"objectclass=user", System.DirectoryServices.Protocols.SearchScope.Base,
new string[] { "cn" }, connection);
//if the SearchResponse Entries is greater than 0
isResult = response.Entries.Count > 0;
//Validate MS-ADTS-Security_R38
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isResult, 38, @"Generally, the security
context of the requester must be granted rights RIGHT_DS_READ_PROPERTY on OA by
O!nTSecurityDescriptor. Otherwise, the value is treated as does not exist in the
returned attributes and the LDAP filter");
#endregion
#region ValidatingParentChildSidMatchingRequirements.
if (ADTSHelper.CreateActiveDirectoryUser(PdcFqdn, TempUser1, TempUser1Password, parsedDN))
{
try
{
string requiredObjectDN = "CN=" + TempUser1 + ",CN=Users," + parsedDN;
//getting the newly created user object.
DirectoryEntry obj = new DirectoryEntry(string.Format("LDAP://{0}/{1}", PdcFqdn, requiredObjectDN));
//get its owner sid
string expectedSid = obj.ObjectSecurity.GetOwner(typeof(SecurityIdentifier)).Value;
//get its parent name
NTAccount ownerAcctName = (NTAccount)obj.ObjectSecurity.GetOwner(typeof(SecurityIdentifier)).Translate(typeof(NTAccount));
string parentName = ownerAcctName.Value.Split(new string[] { "\\" }, StringSplitOptions.None)[1];
//get the parent object
DirectoryEntry parentObj = new DirectoryEntry(string.Format("LDAP://{0}/CN={1},CN=Users,{2}", PdcFqdn, parentName, parsedDN));
//get its object sid
SecurityIdentifier parentSid = new SecurityIdentifier((byte[])parentObj.Properties["objectsid"].Value, 0);
string actualSid = parentSid.Value;
bool readRight = false, writeDaclRight = false, writeOwnerRight = false;
//if both sids are equal
if (expectedSid.ToLower().Equals(actualSid.ToLower()))
{
readRight = ADTSHelper.SetAccessRights(PdcFqdn, requiredObjectDN, AdminUser, AdminUserPassword, adDomain, ActiveDirectoryRights.ReadControl, AccessControlType.Allow);
writeDaclRight = ADTSHelper.SetAccessRights(PdcFqdn, requiredObjectDN, AdminUser, AdminUserPassword, adDomain, ActiveDirectoryRights.WriteDacl, AccessControlType.Allow);
writeOwnerRight = ADTSHelper.SetAccessRights(PdcFqdn, requiredObjectDN, AdminUser, AdminUserPassword, adDomain, ActiveDirectoryRights.WriteOwner, AccessControlType.Allow);
}
bool isSuccess = readRight && writeDaclRight && writeOwnerRight;
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(isSuccess, 343, @"G and D denote the
access rights that are granted and denied, respectively, on the object. If the SID in
the Owner field of the object's security descriptor matches any SID in the requester's
security context, then add the bits Read Control (RC), Write DACL (WD) and Write Owner
(WO) to G.");
}
catch (DirectoryServicesCOMException ex)
{
TestClassBase.BaseTestSite.Log.Add(LogEntryKind.Comment, "An Exception has occured", ex.Message);
}
catch (System.Security.SecurityException ex)
{
TestClassBase.BaseTestSite.Log.Add(LogEntryKind.Comment, "An Exception has occured", ex.Message);
}
}
#endregion
}