Bin/ADSyncDiagnostics/PSScripts/ADSyncConfigurePermissions.ps1
|
#------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. #------------------------------------------------------------------------- Function CheckConfigureAccountPermissionsPrerequisites { # Check if all the features installed by RSAT-AD-Tools are available. These are required for the AdSyncConfig module if (((Get-WindowsFeature RSAT-AD-PowerShell).InstallState -ne "Installed") -or ((Get-WindowsFeature RSAT-AD-AdminCenter).InstallState -ne "Installed") -or ((Get-WindowsFeature RSAT-ADDS-Tools).InstallState -ne "Installed") -or ((Get-WindowsFeature RSAT-ADLDS).InstallState -ne "Installed")) { $installRSATOptions = [System.Management.Automation.Host.ChoiceDescription[]] @("&Yes", "&No") $canInstall = !($host.UI.PromptForChoice("RSAT-AD-Tools Warning", "The use of these options requires 'Remote Server Administration Tools for AD DS' to be installed. Is it okay to install them now?", $installRSATOptions, 0)) if (!$canInstall) { return $false } Try { $installState = $null $osVersion = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ProductName).ProductName if ($osVersion -Like "*Windows Server 2008 R2*") { $installState = Add-WindowsFeature RSAT-AD-Tools } else { $installState = Install-WindowsFeature RSAT-AD-Tools } if ($installState.RestartNeeded -eq "Yes") { $restartOptions = [System.Management.Automation.Host.ChoiceDescription[]] @("&Restart Now", "&Back to Previous Menu") $confirmRestart = !($host.UI.PromptForChoice("Feature Install Warning", "A restart is required to complete installation of the RSAT-AD-Tools Windows Feature. Is it okay to restart now?", $installRSATOptions, 0)) if ($confirmRestart) { Restart-Computer } else { return $false } } } Catch { Write-Host "[ERROR]`t Installing RSAT-AD-Tools Windows Feature failed." Exit 1 } } if (-not (Get-Module ActiveDirectory)) { Import-Module ActiveDirectory -ErrorAction Stop } # These options make use of the AdSyncConfig module included with the product Try { $aadConnectRegKey = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect" $aadConnectWizardPath = $aadConnectRegKey.WizardPath $aadConnectWizardFileName = "AzureADConnect.exe" $aadConnectPathLength = $aadConnectWizardPath.IndexOf($aadConnectWizardFileName) $aadConnectPath = $aadConnectWizardPath.Substring(0, $aadConnectPathLength) $adSyncConfigModulePath = [System.IO.Path]::Combine($aadConnectPath, "AdSyncConfig\AdSyncConfig.psm1") Import-Module $adSyncConfigModulePath -ErrorAction Stop } Catch { Write-Host "[ERROR]`t Importing the AdSyncTools module failed." Exit 1 } return $true } Function ConfigureAccountPermissions { param ( [string] [parameter(mandatory=$true)] $ConfigurationOption ) Write-Host "`r`n" if ($ConfigurationOption -eq "GetADSyncADConnectorAccount") { $allAccounts = Get-ADSyncADConnectorAccount Write-Host ($allAccounts | Format-Table -Wrap -AutoSize -Property ADConnectorName, ADConnectorForest, ADConnectorAccountName,ADConnectorAccountDomain | Out-String) } elseif ($ConfigurationOption -eq "GetADSyncObjectsWithInheritanceDisabled") { Write-Host "`r`n" $targetForest = Read-Host "Please enter the forest to search for objects" Write-Host "`r`n" $searchBase = Read-Host "Please enter the search base for the LDAP query, it can be an AD Domain DistinguishedName or a FQDN" Write-Host "`r`n" $objectClass = Read-Host "Please enter the object class. It can be '*' (for any object class), 'user', 'group', 'container', etc. Giving no input will use the default, 'organizationalUnit'" if ($targetForest -ne (Get-ADForest).Name) { $targetForestCredentials = Get-Credential -Message "Please enter credentials for target forest '$targetForest' in DOMAIN\username format" if ($objectClass) { Write-Host (Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $searchBase -ObjectClass $objectClass -TargetForest $targetForest -TargetForestCredential $targetForestCredentials | Out-String) } else { Write-Host (Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $searchBase -TargetForest $targetForest -TargetForestCredential $targetForestCredentials | Out-String) } } else { if ($objectClass) { Write-Host (Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $searchBase -ObjectClass $objectClass | Out-String) } else { Write-Host (Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $searchBase | Out-String) } } } elseif ($ConfigurationOption -eq "ShowADSyncADObjectPermissions") { Write-Host "`r`n" $targetForest = Read-Host "Please enter the forest where the object exists" $objectToCheck = Read-Host "Please enter the DistinguishedName of the object to view the permissions on" if ($targetForest -ne (Get-ADForest).Name) { $targetForestCredentials = Get-Credential -Message "Please enter credentials for target forest '$targetForest' in DOMAIN\username format" Write-Host (Show-ADSyncADObjectPermissions -ADobjectDN $objectToCheck -TargetForestCredential $targetForestCredentials | Out-String) } else { Write-Host (Show-ADSyncADObjectPermissions -ADobjectDN $objectToCheck | Out-String) } } else { if ($ConfigurationOption -eq "SetADSyncDefaultPermssions") { Write-Host "`r`n" Write-Host "This option will set permissions required for the following:" Write-Host " Password Hash Sync" Write-Host " Password Writeback" Write-Host " Hybrid Exchange" Write-Host " Exchange Mail Public Folder" Write-Host " MsDsConsistencyGuid" Write-Host "It will then restrict permissions" $confirmDefaultOptions = [System.Management.Automation.Host.ChoiceDescription[]] @("&Yes", "&No") $confirmDefaultChoice = !($host.UI.PromptForChoice("Confirm", "Would you like to continue with these options?", $confirmDefaultOptions, 0)) if (!$confirmDefaultChoice) { return } } $configureArguments = @{ } $accountTypeOptions = [System.Management.Automation.Host.ChoiceDescription[]] @("&Existing Connector Account", "&Custom Account") $accountTypeChoice = $host.UI.PromptForChoice("Account to Configure", "Would you like to configure an existing connector account or a custom account?", $accountTypeOptions, 0) if ($accountTypeChoice) { Write-Host "`r`n" $accountChoiceOptions = [System.Management.Automation.Host.ChoiceDescription[]] @("&Distinguished Name", "&Account Name and Account Domain") $accountInputChoice = $host.UI.PromptForChoice("Account Information", "How would you like to input the account information?", $accountChoiceOptions, 0) Write-Host "`r`n" $targetForest = Read-Host "Please enter the forest on which to configure the account" if ($accountInputChoice) { $connectorAccountName = Read-Host "Please enter the Account Name" $connectorAccountDomain = Read-Host "Please enter the Account Domain" $configureArguments.Add("ADConnectorAccountName", $connectorAccountName) $configureArguments.Add("ADConnectorAccountDomain", $connectorAccountDomain) } else { Write-Host "`r`n" $connectorAccountDN = Read-Host "Please enter the Account Distinguished Name" $configureArguments.Add("ADConnectorAccountDN", $connectorAccountDN) } } else { $allAccounts = Get-ADSyncADConnectorAccount $selectedConnector = $null while ($selectedConnector -eq $null) { Write-Host "`r`n" Write-Host "Configured connectors and their related accounts:" Write-Host ($allAccounts | Out-String) Write-Host "`r`n" $connectorSelection = Read-Host "Name of the connector who's account to configure" if ($allAccounts.ADConnectorName -contains $connectorSelection) { $selectedConnector = $allAccounts | Where-Object { $_.ADConnectorName -like $connectorSelection } $configureArguments.Add("ADConnectorAccountName", $selectedConnector.ADConnectorAccountName) $configureArguments.Add("ADConnectorAccountDomain", $selectedConnector.ADConnectorAccountDomain) $targetForest = $selectedConnector.ADConnectorForest } else { Write-Host "`r`n" ReportWarning "'$connectorSelection' is not a configured connector. Please try again!" } } } if ($targetForest -ne (Get-ADForest).Name) { $targetForestCredentials = Get-Credential -Message "Please enter credentials for target forest '$targetForest' in DOMAIN\username format" $configureArguments.Add("TargetForest", $targetForest) $configureArguments.Add("TargetForestCredential", $targetForestCredentials) } Write-Host "`r`n" if (($ConfigurationOption -eq "SetADSyncRestrictedPermissions") -or ($ConfigurationOption -eq "SetADSyncDefaultPermssions")) { if ($configureArguments.ContainsKey("ADConnectorAccountName")) { $ldapFilter = "(|(Name=" + $configureArguments.ADConnectorAccountName + ")(sAMAccountName=" + $configureArguments.ADConnectorAccountName + "))" if ($targetForest -ne (Get-ADForest).Name) { $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server $configureArguments.ADConnectorAccountDomain -Properties distinguishedName -Credential $configureArguments.TargetForestCredential -ErrorAction Stop } else { $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server $configureArguments.ADConnectorAccountDomain -Properties distinguishedName -ErrorAction Stop } $configureArguments.Remove("ADConnectorAccountName") $configureArguments.Remove("ADConnectorAccountDomain") $configureArguments.Add("ADConnectorAccountDN", $adObject.distinguishedName) } $adminCredential = Get-Credential -Message "Please enter Administrator credentials that have the necessary privileges to restrict the permissions on the Connector Account" if ($ConfigurationOption -eq "SetADSyncDefaultPermssions") { Write-Host (Set-ADSyncPasswordHashSyncPermissions @configureArguments | Out-String) Write-Host (Set-ADSyncPasswordWritebackPermissions @configureArguments | Out-String) Write-Host (Set-ADSyncExchangeHybridPermissions @configureArguments | Out-String) Write-Host (Set-ADSyncExchangeMailPublicFolderPermissions @configureArguments | Out-String) Write-Host (Set-ADSyncMsDsConsistencyGuidPermissions @configureArguments | Out-String) $configureArguments.Add("Credential", $adminCredential) if ($configureArguments.ContainsKey("TargetForestCredential")) { $configureArguments.Remove("TargetForestCredential") } Write-Host (Set-ADSyncRestrictedPermissions @configureArguments | Out-String) } else { $configureArguments.Add("Credential", $adminCredential) if ($configureArguments.ContainsKey("TargetForestCredential")) { $configureArguments.Remove("TargetForestCredential") } Write-Host "`r`n" $validationChoiceOptions = [System.Management.Automation.Host.ChoiceDescription[]] @("&Yes", "&No") $disableCredentialValidation = !($host.UI.PromptForChoice("Disable Credential Validation", "Skip checking if the credentials provided are valid in AD and if they have the necessary privileges to restrict the permissions on the Connector account.", $validationChoiceOptions, 1)) if ($disableCredentialValidation) { $configureArguments.Add("DisableCredentialValidation", $true) } Write-Host "`r`n" Write-Host (Set-ADSyncRestrictedPermissions @configureArguments | Out-String) } } elseif ($ConfigurationOption -eq "SetADSyncPasswordHashSyncPermissions") { Write-Host (Set-ADSyncPasswordHashSyncPermissions @configureArguments | Out-String) } else { $adObjectDN = Read-Host "To set permissions for a single target object, enter the DistinguishedName of the target AD object. Giving no input will set root permissions for all Domains in the Forest" Write-Host "`r`n" $includeChoiceOptions = [System.Management.Automation.Host.ChoiceDescription[]] @("&Yes", "&No") $includeAdminSDHolders = !($host.UI.PromptForChoice("Update AdminSdHolders", "Update AdminSDHolder container when updating with these permissions?", $includeChoiceOptions, 1)) if ($adObjectDN) { $configureArguments.Add("ADobjectDN", $adObjectDN) } if ($includeAdminSDHolders) { $configureArguments.Add("IncludeAdminSDHolders", $true) } Write-Host "`r`n" if ($ConfigurationOption -eq "SetADSyncBasicReadPermissions") { Write-Host (Set-ADSyncBasicReadPermissions @configureArguments | Out-String) } elseif ($ConfigurationOption -eq "SetADSyncExchangeHybridPermissions") { Write-Host (Set-ADSyncExchangeHybridPermissions @configureArguments | Out-String) } elseif ($ConfigurationOption -eq "SetADSyncExchangeMailPublicFolderPermissions") { Write-Host (Set-ADSyncExchangeMailPublicFolderPermissions @configureArguments | Out-String) } elseif ($ConfigurationOption -eq "SetADSyncMsDsConsistencyGuidPermissions") { Write-Host (Set-ADSyncMsDsConsistencyGuidPermissions @configureArguments | Out-String) } elseif ($ConfigurationOption -eq "SetADSyncPasswordWritebackPermissions") { Write-Host (Set-ADSyncPasswordWritebackPermissions @configureArguments | Out-String) } elseif ($ConfigurationOption -eq "SetADSyncUnifiedGroupWritebackPermissions") { Write-Host (Set-ADSyncUnifiedGroupWritebackPermissions @configureArguments | Out-String) } } } } # SIG # Begin signature block # MIInogYJKoZIhvcNAQcCoIInkzCCJ48CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDZ7I+XwaUhLp33 # bPHQpAN5xYlDd9kR8siFMxxQw8Wbp6CCDYIwggYAMIID6KADAgECAhMzAAADXJXz # SFtKBGrPAAAAAANcMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMwNDA2MTgyOTIyWhcNMjQwNDAyMTgyOTIyWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDijA1UCC84R0x+9Vr/vQhPNbfvIOBFfymE+kuP+nho3ixnjyv6vdnUpgmm6RT/ # pL9cXL27zmgVMw7ivmLjR5dIm6qlovdrc5QRrkewnuQHnvhVnLm+pLyIiWp6Tow3 # ZrkoiVdip47m+pOBYlw/vrkb8Pju4XdA48U8okWmqTId2CbZTd8yZbwdHb8lPviE # NMKzQ2bAjytWVEp3y74xc8E4P6hdBRynKGF6vvS6sGB9tBrvu4n9mn7M99rp//7k # ku5t/q3bbMjg/6L6mDePok6Ipb22+9Fzpq5sy+CkJmvCNGPo9U8fA152JPrt14uJ # ffVvbY5i9jrGQTfV+UAQ8ncPAgMBAAGjggF/MIIBezArBgNVHSUEJDAiBgorBgEE # AYI3TBMBBgorBgEEAYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUXgIsrR+tkOQ8 # 10ekOnvvfQDgTHAwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEWMBQGA1UEBRMNMjMzMTEwKzUwMDg2ODAfBgNVHSMEGDAWgBRI # bmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEt # MDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBABIm # T2UTYlls5t6i5kWaqI7sEfIKgNquF8Ex9yMEz+QMmc2FjaIF/HQQdpJZaEtDM1Xm # 07VD4JvNJEplZ91A4SIxjHzqgLegfkyc384P7Nn+SJL3XK2FK+VAFxdvZNXcrkt2 # WoAtKo0PclJOmHheHImWSqfCxRispYkKT9w7J/84fidQxSj83NPqoCfUmcy3bWKY # jRZ6PPDXlXERRvl825dXOfmCKGYJXHKyOEcU8/6djs7TDyK0eH9ss4G9mjPnVZzq # Gi/qxxtbddZtkREDd0Acdj947/BTwsYLuQPz7SNNUAmlZOvWALPU7OOVQlEZzO8u # Ec+QH24nep/yhKvFYp4sHtxUKm1ZPV4xdArhzxJGo48Be74kxL7q2AlTyValLV98 # u3FY07rNo4Xg9PMHC6sEAb0tSplojOHFtGtNb0r+sioSttvd8IyaMSfCPwhUxp+B # Td0exzQ1KnRSBOZpxZ8h0HmOlMJOInwFqrCvn5IjrSdjxKa/PzOTFPIYAfMZ4hJn # uKu15EUuv/f0Tmgrlfw+cC0HCz/5WnpWiFso2IPHZyfdbbOXO2EZ9gzB1wmNkbBz # hj8hFyImnycY+94Eo2GLavVTtgBiCcG1ILyQabKDbL7Vh/OearAxcRAmcuVAha07 # WiQx2aLghOSaZzKFOx44LmwUxRuaJ4vO/PRZ7EzAMIIHejCCBWKgAwIBAgIKYQ6Q # 0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNh # dGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5 # WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQD # Ex9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0B # AQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4 # BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe # 0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato # 88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v # ++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDst # rjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN # 91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4ji # JV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmh # D+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbi # wZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8Hh # hUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaI # jAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTl # UAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNV # HQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQF # TuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29m # dC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNf # MjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5t # aWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNf # MjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcC # ARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnlj # cHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5 # AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oal # mOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0ep # o/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1 # HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtY # SWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInW # H8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZ # iWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMd # YzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7f # QccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKf # enoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOpp # O6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZO # SEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGXYwghlyAgEBMIGVMH4xCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jv # c29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAANclfNIW0oEas8AAAAAA1ww # DQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYK # KwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIJ2efEzX # txOc3nQ2Ll5GC0G90qbA8lFkzofh667vytDUMEIGCisGAQQBgjcCAQwxNDAyoBSA # EgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20w # DQYJKoZIhvcNAQEBBQAEggEAX8l3bCyCy7MyrLzPHCRXS13+qRyeV7Zn+Hiyqllw # I+7bTERyxI8lMNWGPsZNRmhSaj0P05qq7GbPc6wM+GUJnjWSLnxreaBX+UK3WVre # yMxmNuXFbe7rEUBW6wrCYj3elBPlnYl8lFdMbdzQCtJ/M6XN3iScXlwgC+tkHSdG # cuIRCZ/0/hDvnVV5Yq5pekW00bqBznPM/51v1jFH5VDvW7AvRsdMbgqaHkm5QWwQ # wp8U2EV9bPOcNIGkt2FBJLXIsvi+mJ0sx1FbwASt6EDbKaCN1AHElj7gdfJvkQ/5 # QZX05rJoB+0ZyCfF9K3XRDnbXqrbN1UaY/0ASjyQPoM1SaGCFwAwghb8BgorBgEE # AYI3AwMBMYIW7DCCFugGCSqGSIb3DQEHAqCCFtkwghbVAgEDMQ8wDQYJYIZIAWUD # BAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoD # ATAxMA0GCWCGSAFlAwQCAQUABCDsCgYHG90YX0JlevN7Z2ZGtGSw2HX4MzLm007I # +bM9BgIGZF1oa0GNGBMyMDIzMDUxNzIyNTcxOC4wMTlaMASAAgH0oIHQpIHNMIHK # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxN # aWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNT # IEVTTjo4QTgyLUUzNEYtOUREQTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgU2VydmljZaCCEVcwggcMMIIE9KADAgECAhMzAAABwvp9hw5UU0ckAAEAAAHC # MA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n # dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y # YXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4X # DTIyMTEwNDE5MDEyOFoXDTI0MDIwMjE5MDEyOFowgcoxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNh # IE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjhBODItRTM0Ri05 # RERBMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjAN # BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtfEJvPKOSFn3petp9wco29/UoJmD # DyHpmmpRruRVWBF37By0nvrszScOV/K+LvHWWWC4S9cme4P63EmNhxTN/k2CgPnI # t/sDepyACSkya4ukqc1sT2I+0Uod0xjy9K2+jLH8UNb9vM3yH/vCYnaJSUqgtqZU # ly82pgYSB6tDeZIYcQoOhTI+M1HhRxmxt8RaAKZnDnXgLdkhnIYDJrRkQBpIgaht # ExtTuOkmVp2y8YCoFPaUhUD2JT6hPiDD7qD7A77PLpFzD2QFmNezT8aHHhKsVBuJ # MLPXZO1k14j0/k68DZGts1YBtGegXNkyvkXSgCCxt3Q8WF8laBXbDnhHaDLBhCOB # aZQ8jqcFUx8ZJSXQ8sbvEnmWFZmgM93B9P/JTFTF6qBVFMDd/V0PBbRQC2TctZH4 # bfv+jyWvZOeFz5yltPLRxUqBjv4KHIaJgBhU2ntMw4H0hpm4B7s6LLxkTsjLsajj # CJI8PiKi/mPKYERdmRyvFL8/YA/PdqkIwWWg2Tj5tyutGFtfVR+6GbcCVhijjy7l # 7otxa/wYVSX66Lo0alaThjc+uojVwH4psL+A1qvbWDB9swoKla20eZubw7fzCpFe # 6qs++G01sst1SaA0GGmzuQCd04Ue1eH3DFRDZPsN+aWvA455Qmd9ZJLGXuqnBo4B # XwVxdWZNj6+b4P8CAwEAAaOCATYwggEyMB0GA1UdDgQWBBRGsYh76V41aUCRXE9W # vD++sIfGajAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8E # WDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9N # aWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYB # BQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20v # cGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEw # KDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqG # SIb3DQEBCwUAA4ICAQARdu3dCkcLLPfaJ3rR1M7D9jWHvneffkmXvFIJtqxHGWM1 # oqAh+bqxpI7HZz2MeNhh1Co+E9AabOgj94Sp1seXxdWISJ9lRGaAAWzA873aTB3/ # SjwuGqbqQuAvUzBFCO40UJ9anpavkpq/0nDqLb7XI5H+nsmjFyu8yqX1PMmnb4s1 # fbc/F30ijaASzqJ+p5rrgYWwDoMihM5bF0Y0riXihwE7eTShak/EwcxRmG3h+OT+ # Ox8KOLuLqwFFl1siTeQCp+YSt4J1tWXapqGJDlCbYr3Rz8+ryTS8CoZAU0vSHCOQ # cq12Th81p7QlHZv9cTRDhZg2TVyg8Gx3X6mkpNOXb56QUohI3Sn39WQJwjDn74J0 # aVYMai8mY6/WOurKMKEuSNhCiei0TK68vOY7sH0XEBWnRSbVefeStDo94UIUVTwd # 2HmBEfY8kfryp3RlA9A4FvfUvDHMaF9BtvU/pK6d1CdKG29V0WN3uVzfYETJoRpj # LYFGq0MvK6QVMmuNxk3bCRfj1acSWee14UGjglxWwvyOfNJe3pxcNFOd8Hhyp9d4 # AlQGVLNotaFvopgPLeJwUT3dl5VaAAhMwvIFmqwsffQy93morrprcnv74r5g3ejC # 39NYpFEoy+qmzLW1jFa1aXE2Xb/KZw2yawqldSp0Hu4VEkjGxFNc+AztIUWwmTCC # B3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQELBQAw # gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMT # KU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTIx # MDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM57Ry # IQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm95VT # cVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzBRMhx # XFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBbfowQ # HJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCOMcg1 # KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYwXE8s # 4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW/aUg # fX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3 # Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je # 1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUY # hEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfHCBUY # P3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYBBAGC # NxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4w # HQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYMKwYB # BAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNv # bS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcD # CDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0T # AQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNV # HR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9w # cm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEE # TjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl # cnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOC # AgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518JxNj/a # ZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+iehp # 4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2pFaq # 95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefwC2qB # woEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG # +jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFORy3B # FARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77 # IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJ # fn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5m/8K # 6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDx # yKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLOMIICNwIBATCB # +KGB0KSBzTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO # BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEl # MCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMd # VGhhbGVzIFRTUyBFU046OEE4Mi1FMzRGLTlEREExJTAjBgNVBAMTHE1pY3Jvc29m # dCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAMp1N1VLhPMvWXEo # ZfmF4apZlnRUoIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAw # DQYJKoZIhvcNAQEFBQACBQDoD8/LMCIYDzIwMjMwNTE4MDYxMjI3WhgPMjAyMzA1 # MTkwNjEyMjdaMHcwPQYKKwYBBAGEWQoEATEvMC0wCgIFAOgPz8sCAQAwCgIBAAIC # Bv4CAf8wBwIBAAICEbswCgIFAOgRIUsCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYK # KwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUF # AAOBgQAOcEM/tGVYofgsVgmB7+n9LL+gyOSZJeGjbYdz/brGNvqgplomk5u+xahu # MEp+QnDQHmvhm2qIT1WX4XPuhOkJMCGoGaZwlYVDicgU4+FCl0xyidK8NLKdiLeD # 3BhHPYDHSBzXLc4kQjHmZl3qImC8rdx28Lq4wZKwsOhWiS8yhTGCBA0wggQJAgEB # MIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABwvp9hw5UU0ck # AAEAAAHCMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcN # AQkQAQQwLwYJKoZIhvcNAQkEMSIEIDG7dE+a+2ESxo55C59j+7cojO/BDBWhnD3+ # LSd3jkEZMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgypNgW8fpsMV57r0F # 5beUuiEVOVe4BdmaO+e28mGDUBYwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFt # cCBQQ0EgMjAxMAITMwAAAcL6fYcOVFNHJAABAAABwjAiBCCb5c/0EjdIPNI3b3R2 # wqfJX2Pf2Bx1/pzWJ/cik6fIMDANBgkqhkiG9w0BAQsFAASCAgAHXfHLtej97uMd # Ii5wLnNXLT09m1R6pqsrC0U+bSAGJP64KYg0Jtsu3+yJPg7lYffn0iboLo9o+wLj # HFFgu/n8sMw9nW9FFr+LmjjMMX9We+wm2mXQIf67FXv4ceeAGr5G1kD/A0dWHiHH # MbBbcMv17E2CHOCGJioqCdAgKpXgQb12x5+H4QtXhOQbBvse1RG0XxGXB/XyulPf # U/thTO5jx3g8T/Szj2+zv66EcwbtPyhbPeWqbU1oAfpPRnXWnAYHOQrQ3EwecUzM # TGO+W2Na0HEzd84uFq3g4XCUrWwGuS2Vc7I9eexro7LA3OifcKS7z8UyWMsK4YH5 # 4A7Q+d6L4ijKjTUx+ou0s31zCR/W0LFFYJGo9AUv2Fs5SwFMc7PF+AsXx+1lF6x7 # wZU/lYaIF/F4NjhIo+NSlUbWbB44GZY4Eyjd1n/vFeTzKalfgmIDWaPkRxf8v2Kq # X3XsyTYAQvqyG71iTmpbVVdeoaBQ1xBl/ql9A95Jp6sD672pxgVXxbZXdr6l8RHx # zkKoOjrTNCSsvoIiuyadA3cilgA+Hf0xEVZ/UbJAx0nVxE0YgFUglUiU2EB+taUp # Wxi1IXqioYXmCdFVnUpjLBqobb5gUnkwbMY/+ojIFm9HhotcaWPWHigaGuy3auvk # +RSPlEfAbtHm9s6A+kPLH1/j8tDZyA== # SIG # End signature block |