archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/admin/cys/servmgmt/auw/dll/au_accnt/accntcmt.cpp

767 lines
24 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. // AccntCmt.cpp : Implementation of CAddUser_AccntCommit
  2. #include "stdafx.h"
  3. #include "AU_Accnt.h"
  4. #include "AccntCmt.h"
  6. #include <dsgetdc.h>
  7. #include <lm.h>
  8. #include <lmshare.h>
  9. #include <Aclapi.h>
  10. #include <atlcom.h>
  12. // ldap/adsi includes
  13. #include <iads.h>
  14. #include <adshlp.h>
  15. #include <adsiid.h>
  17. #include <proputil.h>
  18. #include <CreateEmailName.h>
  19. #include <P3admin.h>
  20. #include <CheckUser.h>
  22. // POP3 Defines
  23. #define SZ_AUTH_ID_MD5_HASH _T("c395e20c-2236-4af7-b736-54fad07dc526")
  25. // Defines for account flags.
  26. #define PASSWD_NOCHANGE 0x01
  27. #define PASSWD_CANCHANGE 0x02
  28. #define PASSWD_MUSTCHANGE 0x04
  30. #ifndef CHECK_HR
  32. #define CHECK_HR( x ) CHECK_HR_RET( x, _hr );
  33. #define CHECK_HR_RET( x, y ) \
  34. { \
  35. HRESULT _hr = x; \
  36. if( FAILED(_hr) ) \
  37. { \
  38. _ASSERT( !_T("CHECK_HR_RET() failed. calling TRACE() with HRESULT and statement") ); \
  39. return y; \
  40. } \
  41. }
  43. #endif // CHECK_HRhr;
  45. // ****************************************************************************
  46. // CAddUser_AccntCommit
  47. // ****************************************************************************
  49. // ----------------------------------------------------------------------------
  50. // WriteErrorResults()
  51. // ----------------------------------------------------------------------------
  52. HRESULT CAddUser_AccntCommit::WriteErrorResults( IPropertyPagePropertyBag* pPPPBag )
  53. {
  54. // ------------------------------------------------------------------------
  55. // Write the the values to the property bag.
  56. // ------------------------------------------------------------------------
  57. if( FAILED(WriteInt4 ( pPPPBag, PROP_ACCNT_ERROR_CODE_GUID_STRING, m_dwErrCode, FALSE )) )
  58. {
  59. _ASSERT(FALSE);
  60. }
  61. if( FAILED(WriteString( pPPPBag, PROP_ACCNT_ERROR_STR_GUID_STRING, m_csErrStr, FALSE )) )
  62. {
  63. _ASSERT(FALSE);
  64. }
  66. return S_OK;
  67. }
  69. // ----------------------------------------------------------------------------
  70. // SetErrCode()
  71. // ----------------------------------------------------------------------------
  72. void CAddUser_AccntCommit::SetErrCode( DWORD dwCode )
  73. {
  74. m_dwErrCode |= dwCode;
  75. return;
  76. }
  78. // ----------------------------------------------------------------------------
  79. // SetErrorResults()
  80. // ----------------------------------------------------------------------------
  81. HRESULT CAddUser_AccntCommit::SetErrorResults( DWORD dwErrType, BOOL bPOP3 /* = FALSE */ )
  82. {
  83. SetErrCode(dwErrType);
  85. CString csTemp;
  87. switch( dwErrType )
  88. {
  89. case ERROR_CREATION:
  90. case ERROR_PROPERTIES:
  91. {
  92. m_csErrStr.LoadString(IDS_ERROR_CREATING_USER);
  93. break;
  94. }
  95. case ERROR_MAILBOX:
  96. {
  97. csTemp.LoadString( IDS_ERROR_POP3MAILBOX);
  98. m_csErrStr += csTemp;
  99. break;
  100. }
  101. case ERROR_PASSWORD:
  102. {
  103. csTemp.LoadString(IDS_ERROR_PASSWORD);
  104. m_csErrStr += csTemp;
  105. break;
  106. }
  107. case ERROR_DUPE:
  108. {
  109. csTemp.LoadString(IDS_ERROR_DUPLICATE);
  110. m_csErrStr += csTemp;
  111. break;
  112. }
  113. case ERROR_MEMBERSHIPS:
  114. {
  115. csTemp.LoadString(IDS_ERROR_MEMBERSHIP);
  116. m_csErrStr += csTemp;
  117. break;
  118. }
  119. default :
  120. {
  121. m_dwErrCode = 0;
  122. m_csErrStr = _T("");
  123. break;
  124. }
  125. }
  127. return S_OK;
  128. }
  130. // ----------------------------------------------------------------------------
  131. // Commit()
  132. // ----------------------------------------------------------------------------
  133. HRESULT CAddUser_AccntCommit::Commit( IDispatch* pdispPPPBag )
  134. {
  135. HRESULT hr = S_OK;
  137. HRESULT hrAdmin = IsUserInGroup( DOMAIN_ALIAS_RID_ADMINS );
  138. if( hrAdmin != S_OK )
  139. {
  140. return E_ACCESSDENIED;
  141. }
  143. CComPtr<IPropertyPagePropertyBag> spPPPBag = NULL;
  144. hr = pdispPPPBag->QueryInterface( __uuidof(IPropertyPagePropertyBag), (void**)&spPPPBag );
  145. if ( !spPPPBag )
  146. return hr;
  148. BOOL bRO = FALSE;
  149. BOOL bPOP3 = FALSE;
  151. ReadBool( spPPPBag, PROP_POP3_CREATE_MB_GUID_STRING, &bPOP3, &bRO );
  153. // Reset the error conditions
  154. SetErrorResults( 0 );
  156. // ------------------------------------------------------------------------
  157. // Read in the values from the property bag.
  158. // ------------------------------------------------------------------------
  159. CUserInfo cUInfo( spPPPBag, this );
  161. // ------------------------------------------------------------------------
  162. // Use those values to do something.
  163. // ------------------------------------------------------------------------
  164. hr = cUInfo.CreateAccount();
  165. if( FAILED(hr) )
  166. {
  167. if( !(m_dwErrCode & (ERROR_PASSWORD | ERROR_MEMBERSHIPS)) )
  168. {
  169. if ( HRESULT_CODE(hr) == ERROR_OBJECT_ALREADY_EXISTS )
  170. {
  171. SetErrorResults(ERROR_DUPE);
  172. }
  173. else
  174. {
  175. SetErrorResults(ERROR_CREATION);
  176. }
  178. WriteErrorResults(spPPPBag);
  179. return E_FAIL;
  180. }
  181. }
  183. hr = cUInfo.CreateMailbox();
  184. if( FAILED(hr) )
  185. {
  186. SetErrorResults(ERROR_MAILBOX, bPOP3);
  187. }
  189. if( m_dwErrCode )
  190. {
  191. hr = E_FAIL;
  192. WriteErrorResults(spPPPBag);
  193. }
  195. return hr;
  196. }
  198. // ----------------------------------------------------------------------------
  199. // Revert()
  200. // ----------------------------------------------------------------------------
  201. HRESULT CAddUser_AccntCommit::Revert()
  202. {
  203. NET_API_STATUS nApi;
  204. HRESULT hr = S_OK;
  205. CComPtr<IADs> spUser = NULL;
  206. CComPtr<IADsDeleteOps> spDelOps = NULL;
  208. // Remove the entry-point in the AD if we made one.
  209. if( m_csADName != _T("") )
  210. {
  211. CHECK_HR( ::ADsGetObject( m_csADName, IID_IADs, (void**)&spUser ) );
  213. // Delete the User
  214. hr = spUser->QueryInterface( IID_IADsDeleteOps, (void**)&spDelOps );
  215. if( SUCCEEDED(hr) && spDelOps )
  216. {
  217. hr = spDelOps->DeleteObject( 0 );
  218. }
  219. }
  221. return hr;
  222. }
  225. // ****************************************************************************
  226. // CUserInfo
  227. // ****************************************************************************
  229. // ----------------------------------------------------------------------------
  230. // CUserInfo()
  231. //
  232. // Constructor.
  233. // ----------------------------------------------------------------------------
  234. CUserInfo::CUserInfo( IPropertyPagePropertyBag* pPPPBag, CAddUser_AccntCommit* pCmt )
  235. {
  236. _ASSERT(pCmt);
  238. m_pCmt = pCmt;
  239. m_pPPPBag = pPPPBag;
  240. m_dwAccountOptions = 0;
  241. m_bPOP3 = FALSE;
  243. // Get domain controller name
  244. PDOMAIN_CONTROLLER_INFO pDCI = NULL;
  245. DWORD dwErr = DsGetDcName( NULL, NULL, NULL, NULL, DS_DIRECTORY_SERVICE_REQUIRED, &pDCI );
  247. // cache the domain
  248. if( (dwErr == NO_ERROR) && pDCI )
  249. {
  250. m_csDomainName = pDCI->DomainName;
  251. NetApiBufferFree( pDCI );
  252. pDCI = NULL;
  253. }
  255. // convert from '.' separated names to Dc=xxx,DC=yyy,... format
  256. m_csFQDomainName = GetDomainPath( m_csDomainName ).c_str();
  258. ReadBag( );
  259. }
  261. // ----------------------------------------------------------------------------
  262. // ReadBag()
  263. //
  264. // Read in the values from the property bag into the member variables.
  265. // ----------------------------------------------------------------------------
  266. HRESULT CUserInfo::ReadBag()
  267. {
  268. HRESULT hr = S_OK;
  270. if ( !m_pPPPBag ) // Make sure we have the property bag to read from.
  271. return(E_FAIL); // If not, fail.
  273. BOOL bRO;
  275. // User Properties
  276. ReadString( m_pPPPBag, PROP_USEROU_GUID_STRING, m_csUserOU, &bRO );
  277. ReadString( m_pPPPBag, PROP_USERNAME_GUID_STRING, m_csUserName, &bRO );
  278. ReadString( m_pPPPBag, PROP_USER_CN, m_csUserCN, &bRO );
  279. ReadString( m_pPPPBag, PROP_PASSWD_GUID_STRING, m_csPasswd, &bRO );
  280. ReadInt4 ( m_pPPPBag, PROP_ACCOUNT_OPT_GUID_STRING, (LONG*)&m_dwAccountOptions, &bRO );
  281. ReadString( m_pPPPBag, PROP_USERNAME_PRE2K_GUID_STRING, m_csUserNamePre2k, &bRO );
  282. ReadString( m_pPPPBag, PROP_FIRSTNAME_GUID_STRING, m_csFirstName, &bRO );
  283. ReadString( m_pPPPBag, PROP_LASTNAME_GUID_STRING, m_csLastName, &bRO );
  284. ReadString( m_pPPPBag, PROP_TELEPHONE_GUID_STRING, m_csTelephone, &bRO );
  285. ReadString( m_pPPPBag, PROP_OFFICE_GUID_STRING, m_csOffice, &bRO );
  286. ReadString( m_pPPPBag, PROP_DESCRIPTION_GUID_STRING, m_csDesc, &bRO );
  287. ReadString( m_pPPPBag, PROP_LOGON_DNS, m_csLogonDns, &bRO );
  289. // Mailbox properties
  290. ReadBool ( m_pPPPBag, PROP_POP3_CREATE_MB_GUID_STRING, &m_bPOP3, &bRO );
  291. ReadString( m_pPPPBag, PROP_EX_ALIAS_GUID_STRING, m_csEXAlias, &bRO );
  292. ReadString( m_pPPPBag, PROP_EX_SERVER_GUID_STRING, m_csEXServer, &bRO );
  293. ReadString( m_pPPPBag, PROP_EX_HOMESERVER_GUID_STRING, m_csEXHomeServer, &bRO );
  294. ReadString( m_pPPPBag, PROP_EX_HOME_MDB_GUID_STRING, m_csEXHomeMDB, &bRO );
  296. // Escape the User's Name
  297. m_csUserCN = EscapeString(((LPCTSTR)m_csUserCN+3), 2);
  298. m_csUserCN = _T("CN=") + m_csUserCN;
  300. // Let's figure out the fullname right here and fill in the m_csFullName variable.
  301. m_csFirstName.TrimLeft ( );
  302. m_csFirstName.TrimRight( );
  303. m_csLastName.TrimLeft ( );
  304. m_csLastName.TrimRight ( );
  305. m_csFullName.FormatMessage(IDS_FULLNAME_FORMAT_STR, (LPCTSTR)m_csFirstName, (LPCTSTR)m_csLastName);
  306. m_csFullName.TrimLeft ( );
  307. m_csFullName.TrimRight ( );
  309. return(hr);
  310. }
  312. // ----------------------------------------------------------------------------
  313. // CreateAccount()
  314. //
  315. // Makes a new user account in the Active Directory.
  316. // ----------------------------------------------------------------------------
  317. HRESULT CUserInfo::CreateAccount( )
  318. {
  319. HRESULT hr = S_OK;
  320. BOOL bRO = TRUE;
  322. CComVariant vaTmpVal;
  323. CComBSTR bstrProp;
  324. CComPtr<IADsContainer> spADsContainer = NULL;
  326. // Bind to the container.
  327. CString csLdapUserOU = _T("LDAP://");
  328. if( _tcsstr( (LPCTSTR)m_csUserOU, _T("LDAP://") ) )
  329. {
  330. csLdapUserOU = m_csUserOU;
  331. }
  332. else
  333. {
  334. csLdapUserOU += m_csUserOU;
  335. }
  337. hr = ::ADsGetObject( (LPWSTR)(LPCWSTR)csLdapUserOU, IID_IADsContainer, (VOID**) &spADsContainer );
  338. CHECK_HR(hr);
  340. // Create the user account.
  341. CComPtr<IDispatch> spDisp = NULL;
  342. bstrProp = _T("user");
  343. CComBSTR bstrValue = (LPCWSTR)m_csUserCN;
  344. hr = spADsContainer->Create( bstrProp, bstrValue, &spDisp );
  345. CHECK_HR(hr);
  347. m_pCmt->m_csADName = _T("LDAP://");
  348. m_pCmt->m_csADName += m_csUserCN;
  349. m_pCmt->m_csADName += _T(",");
  350. m_pCmt->m_csADName += (LPCTSTR)csLdapUserOU+7;
  352. // Use this new account and set it's properties (e.g. first name, home folder, etc.).
  353. CComQIPtr<IADsUser, &IID_IADsUser> spADsUserObj(spDisp);
  354. if( !spADsUserObj )
  355. {
  356. _ASSERT(FALSE);
  357. return E_FAIL;
  358. }
  360. TCHAR szTmp[MAX_PATH*4] = {0};
  361. LdapToDCName( (LPCTSTR)csLdapUserOU, szTmp, (MAX_PATH*4) );
  363. CString csUserPrincName = m_csUserName;
  364. csUserPrincName += _T("@");
  365. csUserPrincName += szTmp;
  367. // Username:
  368. vaTmpVal.Clear();
  369. vaTmpVal = ((LPCWSTR)csUserPrincName);
  370. bstrProp = _T("userPrincipalName");
  371. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  373. // Pre-Win2000 username:
  374. vaTmpVal.Clear();
  375. vaTmpVal = ((LPCWSTR)m_csUserNamePre2k);
  376. bstrProp = _T("sAMAccountName");
  377. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  379. // First name:
  380. if( m_csFirstName.GetLength() )
  381. {
  382. bstrProp = (LPCWSTR)m_csFirstName;
  383. CHECK_HR( spADsUserObj->put_FirstName( bstrProp ) );
  384. }
  386. // Last name:
  387. if( m_csLastName.GetLength() )
  388. {
  389. bstrProp = (LPCWSTR)m_csLastName;
  390. CHECK_HR( spADsUserObj->put_LastName( bstrProp ) );
  391. }
  393. if( m_csFullName.GetLength() )
  394. {
  395. // Full name:
  396. bstrProp = (LPCWSTR)m_csFullName;
  397. CHECK_HR( spADsUserObj->put_FullName( bstrProp ) );
  399. // Display Name
  400. vaTmpVal.Clear();
  401. vaTmpVal = (LPCWSTR)m_csFullName;
  402. bstrProp = _T("displayName");
  403. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  404. }
  406. // Telephone number
  407. if( _tcslen((LPCTSTR)m_csTelephone) )
  408. {
  409. vaTmpVal.Clear();
  410. vaTmpVal = (LPCWSTR)m_csTelephone;
  411. bstrProp = _T("telephoneNumber");
  412. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  413. }
  415. // Office Location
  416. if( _tcslen((LPCTSTR)m_csOffice) )
  417. {
  418. vaTmpVal.Clear();
  419. vaTmpVal = (LPCWSTR)m_csOffice;
  420. bstrProp = _T("physicalDeliveryOfficeName");
  421. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  422. }
  424. // Commit this information to the AD.
  425. CHECK_HR( spADsUserObj->SetInfo() );
  427. // Password expired?
  428. vaTmpVal.Clear();
  429. vaTmpVal = (m_dwAccountOptions & PASSWD_MUSTCHANGE) ? (INT) 0 : (INT) -1;
  430. bstrProp = _T("pwdLastSet");
  431. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  433. // Account disabled?
  434. vaTmpVal.Clear();
  435. bstrProp = _T("userAccountControl");
  436. CHECK_HR( spADsUserObj->Get( bstrProp, &vaTmpVal ) );
  438. vaTmpVal.lVal &= ~UF_PASSWD_NOTREQD; // Make passwd required.
  439. vaTmpVal.lVal &= ~UF_ACCOUNTDISABLE; // Do not disable the account.
  440. bstrProp = _T("userAccountControl");
  441. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  443. // Set the password.
  444. if( FAILED(SetPasswd()) )
  445. {
  446. m_pCmt->SetErrorResults( ERROR_PASSWORD );
  448. vaTmpVal.Clear();
  449. bstrProp = _T("userAccountControl");
  450. CHECK_HR( spADsUserObj->Get( bstrProp, &vaTmpVal ) );
  452. vaTmpVal.lVal &= ~UF_PASSWD_NOTREQD; // Make passwd required.
  453. vaTmpVal.lVal |= UF_ACCOUNTDISABLE; // Disable the account.
  454. bstrProp = _T("userAccountControl");
  455. CHECK_HR( spADsUserObj->Put( bstrProp, vaTmpVal ) );
  457. // Commit this information to the AD.
  458. CHECK_HR( spADsUserObj->SetInfo() );
  460. return E_FAIL;
  461. }
  463. // Commit this information to the AD.
  464. CHECK_HR( spADsUserObj->SetInfo() );
  466. // Join to Domain Users
  467. if ( FAILED(JoinToDomainUsers()) )
  468. {
  469. m_pCmt->SetErrorResults( ERROR_MEMBERSHIPS );
  470. return E_FAIL;
  471. }
  473. return S_OK;
  474. }
  476. // ----------------------------------------------------------------------------
  477. // CreateMailbox()
  478. //
  479. // Makes a new mailbox for the user.
  480. // ----------------------------------------------------------------------------
  481. HRESULT CUserInfo::CreateMailbox()
  482. {
  483. HRESULT hr = S_OK;
  485. if( m_bPOP3 )
  486. {
  487. hr = CreatePOP3Mailbox();
  488. }
  490. return hr;
  491. }
  493. // ----------------------------------------------------------------------------
  494. // CreatePOP3Mailbox()
  495. //
  496. // Makes a new (MS) POP3 mailbox for the user.
  497. // ----------------------------------------------------------------------------
  498. HRESULT CUserInfo::CreatePOP3Mailbox()
  499. {
  500. HRESULT hr = S_OK;
  502. CComPtr<IP3Config> spConfig = NULL;
  503. CComPtr<IAuthMethods> spMethods = NULL;
  504. CComPtr<IAuthMethod> spAuth = NULL;
  505. CComPtr<IP3Domains> spDomains = NULL;
  506. CComPtr<IP3Domain> spDomain = NULL;
  507. CComPtr<IP3Users> spUsers = NULL;
  509. // Open our Pop3 Admin Interface
  510. hr = CoCreateInstance(__uuidof(P3Config), NULL, CLSCTX_ALL, __uuidof(IP3Config), (LPVOID*)&spConfig);
  512. if( SUCCEEDED(hr) )
  513. {
  514. // Get the Domains
  515. hr = spConfig->get_Domains( &spDomains );
  516. }
  518. if( SUCCEEDED(hr) )
  519. {
  520. // Get the first domain
  521. CComVariant cVar;
  522. cVar = 1;
  524. hr = spDomains->get_Item( cVar, &spDomain );
  525. }
  527. if( SUCCEEDED(hr) )
  528. {
  529. hr = spDomain->get_Users( &spUsers );
  530. }
  532. if ( SUCCEEDED(hr) )
  533. {
  534. hr = spConfig->get_Authentication( &spMethods );
  535. }
  537. CComVariant var;
  538. if ( SUCCEEDED(hr) )
  539. {
  540. hr = spMethods->get_CurrentAuthMethod( &var );
  541. }
  543. if ( SUCCEEDED(hr) )
  544. {
  545. hr = spMethods->get_Item( var, &spAuth );
  546. }
  548. CComBSTR bstrID;
  549. if( SUCCEEDED(hr) )
  550. {
  551. hr = spAuth->get_ID( &bstrID );
  552. }
  554. if( SUCCEEDED(hr) )
  555. {
  556. CComBSTR bstrName = (LPCTSTR)m_csEXAlias;
  558. if( _tcsicmp(bstrID, SZ_AUTH_ID_MD5_HASH) == 0 )
  559. {
  560. CComBSTR bstrPassword = m_csPasswd;
  561. hr = spUsers->AddEx( bstrName, bstrPassword );
  562. SecureZeroMemory( (LPOLESTR)bstrPassword.m_str, sizeof(OLECHAR)*bstrPassword.Length() );
  563. }
  564. else
  565. {
  566. hr = spUsers->Add( bstrName );
  567. }
  568. }
  570. return hr;
  571. }
  573. // ----------------------------------------------------------------------------
  574. // SetPasswd()
  575. // ----------------------------------------------------------------------------
  576. HRESULT CUserInfo::SetPasswd()
  577. {
  578. HRESULT hr = S_OK;
  579. TCHAR *szPath = NULL;
  580. TCHAR *szTok = NULL;
  581. CString csUser = _T("LDAP://");
  583. if ( _tcsstr((LPCTSTR)m_csUserOU, _T("LDAP://")) )
  584. {
  585. csUser += m_csUserCN;
  586. csUser += _T(",");
  587. csUser += (LPCTSTR)m_csUserOU+7;
  588. }
  589. else
  590. {
  591. csUser += m_csUserCN;
  592. csUser += _T(",");
  593. csUser += (LPCTSTR)m_csUserOU;
  594. }
  596. // Now csUser is something like "WinNT://test.microsoft.com/JohnDoe,user"
  597. CComPtr<IADsUser> spDS = NULL;
  598. hr = ::ADsGetObject( (LPCWSTR)csUser, IID_IADsUser, (void**)&spDS );
  599. if ( FAILED(hr) )
  600. return(hr);
  602. // Set the password.
  603. if ( _tcslen((LPCTSTR)m_csPasswd) ) // Only if there IS a passwd!
  604. {
  605. CComBSTR bszPasswd = (LPCWSTR) m_csPasswd;
  607. hr = spDS->SetPassword(bszPasswd);
  608. if ( FAILED(hr) )
  609. return(hr);
  610. }
  612. // Allow change?
  613. if ( m_dwAccountOptions & PASSWD_NOCHANGE )
  614. {
  615. // Get the current ACL.
  616. CComBSTR bstrName = csUser;
  617. PACL pDACL = NULL;
  618. PSECURITY_DESCRIPTOR pSD = NULL;
  620. hr = GetSDForDsObjectPath( bstrName, &pDACL, &pSD);
  621. if( hr != S_OK ) return hr;
  623. // build SID's for Self and World.
  624. PSID pSidSelf = NULL;
  625. SID_IDENTIFIER_AUTHORITY NtAuth = SECURITY_NT_AUTHORITY;
  626. if( !AllocateAndInitializeSid(&NtAuth, 1, SECURITY_PRINCIPAL_SELF_RID, 0, 0, 0, 0, 0, 0, 0, &pSidSelf) )
  627. {
  628. return HRESULT_FROM_WIN32(GetLastError());
  629. }
  631. PSID pSidWorld;
  632. SID_IDENTIFIER_AUTHORITY WorldAuth = SECURITY_WORLD_SID_AUTHORITY;
  633. if( !AllocateAndInitializeSid(&WorldAuth, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSidWorld) )
  634. {
  635. return HRESULT_FROM_WIN32(GetLastError());
  636. }
  638. // initialize the entries (DENY ACE's)
  639. EXPLICIT_ACCESS rgAccessEntry[2] = {0};
  640. OBJECTS_AND_SID rgObjectsAndSid[2] = {0};
  641. rgAccessEntry[0].grfAccessPermissions = ACTRL_DS_CONTROL_ACCESS;
  642. rgAccessEntry[0].grfAccessMode = DENY_ACCESS;
  643. rgAccessEntry[0].grfInheritance = NO_INHERITANCE;
  645. rgAccessEntry[1].grfAccessPermissions = ACTRL_DS_CONTROL_ACCESS;
  646. rgAccessEntry[1].grfAccessMode = DENY_ACCESS;
  647. rgAccessEntry[1].grfInheritance = NO_INHERITANCE;
  649. // build the trustee structs for change password
  650. GUID UserChangePasswordGUID = { 0xab721a53, 0x1e2f, 0x11d0, { 0x98, 0x19, 0x00, 0xaa, 0x00, 0x40, 0x52, 0x9b}};
  651. BuildTrusteeWithObjectsAndSid( &(rgAccessEntry[0].Trustee), &(rgObjectsAndSid[0]), &UserChangePasswordGUID, NULL, pSidSelf );
  652. BuildTrusteeWithObjectsAndSid( &(rgAccessEntry[1].Trustee), &(rgObjectsAndSid[1]), &UserChangePasswordGUID, NULL, pSidWorld );
  654. // Build the new DACL
  655. PACL pNewDACL = NULL;
  656. DWORD dwErr = ::SetEntriesInAcl(2, rgAccessEntry, pDACL, &pNewDACL);
  657. if( dwErr != ERROR_SUCCESS ) return HRESULT_FROM_WIN32(dwErr);
  659. // Set the new DACL
  660. hr = SetDaclForDsObjectPath( bstrName, pNewDACL );
  661. if( hr != S_OK ) return hr;
  663. LocalFree(pSD);
  664. }
  666. // SetInfo only if we actually changed anything.
  667. if ( ( _tcslen((LPCTSTR)m_csPasswd) ) || // Did we mess with the passwd?
  668. ( m_dwAccountOptions & PASSWD_NOCHANGE ) ) // Did we make it unable to change?
  669. {
  670. hr = spDS->SetInfo(); // If either, then set the new info.
  671. }
  673. return(hr);
  674. }
  676. // ----------------------------------------------------------------------------
  677. // JoinToGroup()
  678. // ----------------------------------------------------------------------------
  679. HRESULT CUserInfo::JoinToDomainUsers()
  680. {
  681. USES_CONVERSION;
  683. HRESULT hr = S_OK;
  684. CString csGroupName;
  685. tstring strDomain;
  686. tstring strUser;
  688. // Get Domain SID
  689. USER_MODALS_INFO_2 *pUserModalsInfo2;
  690. NET_API_STATUS status = ::NetUserModalsGet( NULL, 2, (LPBYTE *)&pUserModalsInfo2 );
  692. if ( (status != ERROR_SUCCESS) || (pUserModalsInfo2 == NULL) )
  693. {
  694. return E_FAIL;
  695. }
  697. PSID pSIDDomain = pUserModalsInfo2->usrmod2_domain_id;
  699. // copy Domain RIDs
  700. UCHAR nSubAuthorities = *::GetSidSubAuthorityCount(pSIDDomain);
  702. DWORD adwSubAuthority[8];
  703. for ( UCHAR index = 0; index < nSubAuthorities; index++ )
  704. {
  705. adwSubAuthority[index] = *::GetSidSubAuthority(pSIDDomain, index);
  706. }
  708. adwSubAuthority[nSubAuthorities++] = DOMAIN_GROUP_RID_USERS; // finally, append the RID we want.
  710. SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
  711. PSID pSid = NULL;
  713. if ( !::AllocateAndInitializeSid(&SIDAuthNT, nSubAuthorities,
  714. adwSubAuthority[0], adwSubAuthority[1],
  715. adwSubAuthority[2], adwSubAuthority[3],
  716. adwSubAuthority[4], adwSubAuthority[5],
  717. adwSubAuthority[6], adwSubAuthority[7],
  718. &pSid) )
  719. {
  720. ::NetApiBufferFree(pUserModalsInfo2);
  721. return E_FAIL;
  722. }
  723. ::NetApiBufferFree(pUserModalsInfo2);
  725. // The builtin group names are looked up on the DC
  726. TCHAR szDomain[MAX_PATH];
  727. TCHAR szName[MAX_PATH];
  728. DWORD cbDomain = MAX_PATH;
  729. DWORD cbName = MAX_PATH;
  730. SID_NAME_USE peUse;
  732. if( !::LookupAccountSid( NULL, pSid, szName, &cbName, szDomain, &cbDomain, &peUse ) )
  733. {
  734. FreeSid(pSid);
  735. return E_FAIL;
  736. }
  738. FreeSid( pSid );
  740. // Find the Group Name
  741. CString csTmp;
  742. tstring strTmp = _T("LDAP://");
  743. strTmp += m_csFQDomainName;
  745. hr = FindADsObject(strTmp.c_str(), szName, _T("(name=%1)"), csTmp, 1, TRUE);
  746. CHECK_HR( hr );
  748. strTmp = _T("LDAP://");
  749. strTmp += csTmp;
  751. // Open the group
  752. CComPtr<IADsGroup> spGroup = NULL;
  753. hr = ::ADsGetObject( strTmp.c_str(), IID_IADsGroup, (void**)&spGroup );
  754. if( SUCCEEDED(hr) )
  755. {
  756. // Add the User
  757. CComBSTR bstrName = (LPCTSTR)m_csUserOU;
  758. hr = spGroup->Add( bstrName );
  760. if ( HRESULT_CODE(hr) == ERROR_OBJECT_ALREADY_EXISTS )
  761. {
  762. hr = S_FALSE;
  763. }
  764. }
  766. return hr;
  767. }