|
|
/*---------------------------------------------------------------------------
File: AcctRepl.cpp
Comments: Implementation of Account Replicator COM object. This COM object handles the copying or moving of directory objects.
Win2K to Win2K migration is implemented in this file. NT -> Win2K migration is implemented in UserCopy.cpp
(c) Copyright 1999, Mission Critical Software, Inc., All Rights Reserved Proprietary and confidential to Mission Critical Software, Inc.
REVISION LOG ENTRY Revision By: Christy Boles Revised on 02/12/99 10:08:44
Revision By: Sham Chauthani Revised on 07/02/99 12:40:00 ---------------------------------------------------------------------------*/
// AcctRepl.cpp : Implementation of CAcctRepl
#include "stdafx.h"
#include "WorkObj.h"
#include "AcctRepl.h"
#include "BkupRstr.hpp"
#include "StrHelp.h"
/////////////////////////////////////////////////////////////////////////////
// CAcctRepl
#include "Err.hpp"
#include "ErrDct.hpp"
#include "EaLen.hpp"
#include <dsgetdc.h>
#include "UserRts.h"
#include "BkupRstr.hpp"
#include "DCTStat.h"
#include "ResStr.h"
#include "LSAUtils.h"
#include "ARUtil.hpp"
#include "Names.hpp"
#include <lm.h>
#include <iads.h>
#include "RegTrans.h"
#include "TEvent.hpp"
#include "RecNode.hpp"
#include "ntdsapi.h"
#include "TxtSid.h"
#include "ExLDAP.h"
#include "GetDcName.h"
#include "Array.h"
#include "TReg.hpp"
#import "AdsProp.tlb" no_namespace
#import "NetEnum.tlb" no_namespace
#ifndef IADsPtr
_COM_SMARTPTR_TYPEDEF(IADs, IID_IADs);#endif
#ifndef IADsContainerPtr
_COM_SMARTPTR_TYPEDEF(IADsContainer, IID_IADsContainer);#endif
#ifndef IADsGroupPtr
_COM_SMARTPTR_TYPEDEF(IADsGroup, IID_IADsGroup);#endif
#ifndef IADsPropertyPtr
_COM_SMARTPTR_TYPEDEF(IADsProperty, IID_IADsProperty);#endif
#ifndef IDirectorySearchPtr
_COM_SMARTPTR_TYPEDEF(IDirectorySearch, IID_IDirectorySearch);#endif
#ifndef IADsPathnamePtr
_COM_SMARTPTR_TYPEDEF(IADsPathname, IID_IADsPathname);#endif
#ifndef IADsMembersPtr
_COM_SMARTPTR_TYPEDEF(IADsMembers, IID_IADsMembers);#endif
#ifndef tstring
typedef std::basic_string<_TCHAR> tstring;#endif
extern tstring __stdcall GetEscapedFilterValue(PCTSTR pszValue);
using namespace _com_util;
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;#endif
IVarSet * g_pVarSet = NULL;
TErrorDct err;TErrorDct errAlt; // this is used for logging errors that occur after dispatcher is launched; use migration.log
bool useErrAlt;TError & errCommon = err;extern bool g_bAddSidWorks;DWORD g_dwOpMask = OPS_All; // Global OpSeq by default all ops
bool bAbortMessageWritten = false;
static WCHAR s_ClassUser[] = L"user";static WCHAR s_ClassInetOrgPerson[] = L"inetOrgPerson";
BOOL BuiltinRid(DWORD rid);
ADSGETOBJECT ADsGetObject;typedef BOOL (CALLBACK * TConvertStringSidToSid)(LPCWSTR StringSid,PSID *Sid);TConvertStringSidToSid ConvertStringSidToSid;
bool firstTime = true;
typedef struct _Lookup { WCHAR * pName; WCHAR * pType;} Lookup;
//Function to sort by account sam name only
int TNodeCompareNameOnly(TNode const * t1,TNode const * t2){ // Sort function to sort by Type(dec) and Name(asc)
TAcctReplNode const * n1 = (TAcctReplNode *)t1; TAcctReplNode const * n2 = (TAcctReplNode *)t2;
return UStrICmp(n1->GetSourceSam(), n2->GetTargetSam());}
// Function to do a find on the Account list that is sorted with TNodeCompareNameOnly function.
int TNodeFindByNameOnly(TNode const * t1, void const * pVoid){ TAcctReplNode const * n1 = (TAcctReplNode *) t1; WCHAR * pLookup = (WCHAR *) pVoid;
return UStrICmp(n1->GetTargetSam(), pLookup);}
int TNodeCompareAccountType(TNode const * t1,TNode const * t2){ // Sort function to sort by Type(dec) and Name(asc)
TAcctReplNode const * n1 = (TAcctReplNode *)t1; TAcctReplNode const * n2 = (TAcctReplNode *)t2;
// Compare types
int retVal = UStrICmp(n2->GetType(), n1->GetType()); if ( retVal == 0 ) { // If same type then compare names.
return UStrICmp(n1->GetName(), n2->GetName()); } else return retVal;}
int TNodeCompareAccountTypeAndRDN(TNode const * t1,TNode const * t2){ // Sort function to sort by Type(dec) and RDN(asc)
TAcctReplNode const * n1 = (TAcctReplNode *)t1; TAcctReplNode const * n2 = (TAcctReplNode *)t2;
// Compare types
int retVal = UStrICmp(n2->GetType(), n1->GetType()); if ( retVal == 0 ) { // If same type then compare RDNs in the source paths.
//get the RDNs from the source paths
WCHAR* sN1RDN = wcschr(n1->GetSourcePath() + wcslen(L"WinNT://"), L'/'); WCHAR* sN2RDN = wcschr(n2->GetSourcePath() + wcslen(L"WinNT://"), L'/'); //if got RDNs
if ((sN1RDN && *sN1RDN) && (sN2RDN && *sN2RDN)) return UStrICmp(sN1RDN, sN2RDN); else //else, compare the whole source paths
return UStrICmp(n1->GetSourcePath(), n2->GetSourcePath());; } else return retVal;}
// Function to sort by Account type and then by SamAccountName
int TNodeCompareAccountSam(TNode const * t1,TNode const * t2){ // Sort function to sort by Type(dec) and Name(asc)
TAcctReplNode const * n1 = (TAcctReplNode *)t1; TAcctReplNode const * n2 = (TAcctReplNode *)t2;
// Compare types Sort in decending order
int retVal = UStrICmp(n2->GetType(), n1->GetType()); if ( retVal == 0 ) { // If same type then compare Sam Account names.
return UStrICmp(n1->GetSourceSam(), n2->GetSourceSam()); } else return retVal;}
// Function to do a find on the Account list that is sorted with TNodeCompareAccountType function.
int TNodeFindAccountName(TNode const * t1, void const * pVoid){ TAcctReplNode const * n1 = (TAcctReplNode *) t1; Lookup * pLookup = (Lookup *) pVoid;
int retVal = UStrICmp(pLookup->pType, n1->GetType()); if ( retVal == 0 ) { return UStrICmp(n1->GetSourceSam(), pLookup->pName); } else return retVal;}
// Function to do a find on the Account list that is sorted with TNodeCompareAccountTypeAndRDN
// function by using the RDN in a given path.
int TNodeFindAccountRDN(TNode const * t1, void const * pVoid){ TAcctReplNode const * n1 = (TAcctReplNode *) t1; Lookup * pLookup = (Lookup *) pVoid;
int retVal = UStrICmp(pLookup->pType, n1->GetType()); if ( retVal == 0 ) { //get and compare the RDNs in these paths
WCHAR* sNodeRDN = wcschr(n1->GetSourcePath() + wcslen(L"LDAP://"), L'/'); WCHAR* sLookupRDN = wcschr(pLookup->pName + wcslen(L"LDAP://"), L'/'); //if got the RDNs, compare them
if ((sNodeRDN && *sNodeRDN) && (sLookupRDN && *sLookupRDN)) return UStrICmp(sNodeRDN, sLookupRDN); else //else, compare the whole source path
return UStrICmp(n1->GetSourcePath(), pLookup->pName);; } else return retVal;}
int TNodeCompareMember(TNode const * t1, TNode const * t2){ TRecordNode const * n1 = (TRecordNode *) t1; TRecordNode const * n2 = (TRecordNode *) t2;
if ( n1->GetARNode() < n2->GetARNode() ) return -1; if ( n1->GetARNode() > n2->GetARNode() ) return 1; return UStrICmp(n1->GetMember(), n2->GetMember());}
int TNodeCompareMemberName(TNode const * t1, TNode const * t2){ TRecordNode const * n1 = (TRecordNode *) t1; TRecordNode const * n2 = (TRecordNode *) t2;
return UStrICmp(n1->GetMember(), n2->GetMember());}
int TNodeCompareMemberDN(TNode const * t1, TNode const * t2){ TRecordNode const * n1 = (TRecordNode *) t1; TRecordNode const * n2 = (TRecordNode *) t2;
return UStrICmp(n1->GetDN(), n2->GetDN());}
int TNodeCompareMemberItem(TNode const * t1, void const * t2){ TRecordNode const * n1 = (TRecordNode *) t1; WCHAR const * n2 = (WCHAR const *) t2;
return UStrICmp(n1->GetDN(),n2);}
int TNodeCompareAcctNode(TNode const * t1, TNode const * t2){ TRecordNode const * n1 = (TRecordNode *) t1; TRecordNode const * n2 = (TRecordNode *) t2; if ( n1->GetARNode() < n2->GetARNode() ) return -1; if ( n1->GetARNode() > n2->GetARNode() ) return 1; return 0;}
// Checks to see if the account is from the BUILTIN domain.
BOOL IsBuiltinAccount(Options * pOptions, WCHAR * sAcctName){ BOOL ret = FALSE; PSID sid = new BYTE[35]; SID_NAME_USE use; WCHAR sDomain[LEN_Path]; DWORD dwDom, dwsid;
if (!sid) return TRUE;
dwDom = DIM(sDomain); dwsid = 35; if ( LookupAccountName(pOptions->srcComp, sAcctName, sid, &dwsid, sDomain, &dwDom, &use) ) { ret = !_wcsicmp(sDomain, L"BUILTIN"); }
if (sid) delete [] sid;
return ret;}
// global counters defined in usercopy.cpp
extern AccountStats warnings;extern AccountStats errors;extern AccountStats created;extern AccountStats replaced;extern AccountStats processed;
// updates progress indicator
// this updates the stats entries in the VarSet
// this information will be returned to clients who call DCTAgent::QueryJobStatus
// while the job is running.
void Progress( WCHAR const * mesg // in - progress message
){ if ( g_pVarSet ) { g_pVarSet->put(GET_WSTR(DCTVS_CurrentPath),mesg); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Users_Examined),processed.users); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Users_Created),created.users); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Users_Replaced),replaced.users); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Users_Warnings),warnings.users); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Users_Errors),errors.users);
g_pVarSet->put(GET_WSTR(DCTVS_Stats_GlobalGroups_Examined),processed.globals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_GlobalGroups_Created),created.globals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_GlobalGroups_Replaced),replaced.globals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_GlobalGroups_Warnings),warnings.globals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_GlobalGroups_Errors),errors.globals);
g_pVarSet->put(GET_WSTR(DCTVS_Stats_LocalGroups_Examined),processed.locals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_LocalGroups_Created),created.locals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_LocalGroups_Replaced),replaced.locals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_LocalGroups_Warnings),warnings.locals); g_pVarSet->put(GET_WSTR(DCTVS_Stats_LocalGroups_Errors),errors.locals);
g_pVarSet->put(GET_WSTR(DCTVS_Stats_Computers_Examined),processed.computers); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Computers_Created),created.computers); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Computers_Replaced),replaced.computers); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Computers_Warnings),warnings.computers); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Computers_Errors),errors.computers);
g_pVarSet->put(GET_WSTR(DCTVS_Stats_Generic_Examined),processed.generic); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Generic_Created),created.generic); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Generic_Replaced),replaced.generic); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Generic_Warnings),warnings.generic); g_pVarSet->put(GET_WSTR(DCTVS_Stats_Generic_Errors),errors.generic); } }
// Gets the domain sid for the specified domain
BOOL // ret- TRUE if successful
GetSidForDomain( LPWSTR DomainName, // in - name of domain to get SID for
PSID * pDomainSid // out- SID for domain, free with FreeSid
){ PSID pSid = NULL; DWORD rc = 0; _bstr_t domctrl; if (DomainName == NULL || DomainName[0] != L'\\' ) { rc = GetAnyDcName4(DomainName, domctrl); } if ( ! rc ) { rc = GetDomainSid(domctrl,&pSid); } (*pDomainSid) = pSid; return ( pSid != NULL);}
//---------------------------------------------------------------------------
// CADsPathName Class
//
// Note that this class was copied from AdsiHelpers.h but I have had trouble
// including it in this file. Therefore using copy which should be removed
// once AdsiHelpers.h is included.
//---------------------------------------------------------------------------
#ifndef CADsPathName
class CADsPathName{ // ADS_DISPLAY_ENUM
// ADS_DISPLAY_FULL = 1
// ADS_DISPLAY_VALUE_ONLY = 2
// ADS_FORMAT_ENUM
// ADS_FORMAT_WINDOWS = 1
// ADS_FORMAT_WINDOWS_NO_SERVER = 2
// ADS_FORMAT_WINDOWS_DN = 3
// ADS_FORMAT_WINDOWS_PARENT = 4
// ADS_FORMAT_X500 = 5
// ADS_FORMAT_X500_NO_SERVER = 6
// ADS_FORMAT_X500_DN = 7
// ADS_FORMAT_X500_PARENT = 8
// ADS_FORMAT_SERVER = 9
// ADS_FORMAT_PROVIDER = 10
// ADS_FORMAT_LEAF = 11
// ADS_SETTYPE_ENUM
// ADS_SETTYPE_FULL = 1
// ADS_SETTYPE_PROVIDER = 2
// ADS_SETTYPE_SERVER = 3
// ADS_SETTYPE_DN = 4
public:
CADsPathName(_bstr_t strPath = _bstr_t(), long lSetType = ADS_SETTYPE_FULL) : m_sp(CLSID_Pathname) { if (strPath.length() > 0) { CheckResult(m_sp->Set(strPath, lSetType)); } }
void Set(_bstr_t strADsPath, long lSetType) { CheckResult(m_sp->Set(strADsPath, lSetType)); }
void SetDisplayType(long lDisplayType) { CheckResult(m_sp->SetDisplayType(lDisplayType)); }
_bstr_t Retrieve(long lFormatType) { BSTR bstr; CheckResult(m_sp->Retrieve(lFormatType, &bstr)); return _bstr_t(bstr, false); }
long GetNumElements() { long l; CheckResult(m_sp->GetNumElements(&l)); return l; }
_bstr_t GetElement(long lElementIndex) { BSTR bstr; CheckResult(m_sp->GetElement(lElementIndex, &bstr)); return _bstr_t(bstr, false); }
void AddLeafElement(_bstr_t strLeafElement) { CheckResult(m_sp->AddLeafElement(strLeafElement)); }
void RemoveLeafElement() { CheckResult(m_sp->RemoveLeafElement()); }
CADsPathName CopyPath() { IDispatch* pdisp; CheckResult(m_sp->CopyPath(&pdisp)); return CADsPathName(IADsPathnamePtr(IDispatchPtr(pdisp, false))); }
_bstr_t GetEscapedElement(long lReserved, _bstr_t strInStr) { BSTR bstr; CheckResult(m_sp->GetEscapedElement(lReserved, strInStr, &bstr)); return _bstr_t(bstr, false); }
long GetEscapedMode() { long l; CheckResult(m_sp->get_EscapedMode(&l)); return l; }
void PutEscapedMode(long l) { CheckResult(m_sp->put_EscapedMode(l)); }
protected:
CADsPathName(const CADsPathName& r) : m_sp(r.m_sp) { }
CADsPathName(IADsPathnamePtr& r) : m_sp(r) { }
void CheckResult(HRESULT hr) { if (FAILED(hr)) { _com_issue_errorex(hr, IUnknownPtr(m_sp), IID_IADsPathname); } }
protected:
IADsPathnamePtr m_sp;};#endif
STDMETHODIMP CAcctRepl::Process( IUnknown * pWorkItemIn // in - VarSet defining account replication job
){ HRESULT hr = S_OK;
try { IVarSetPtr pVarSet = pWorkItemIn;
MCSDCTWORKEROBJECTSLib::IStatusObjPtr pStatus; BOOL bSameForest = FALSE;
HMODULE hMod = LoadLibrary(L"activeds.dll"); if ( hMod == NULL ) { DWORD eNum = GetLastError(); err.SysMsgWrite(ErrE, eNum, DCT_MSG_LOAD_LIBRARY_FAILED_SD, L"activeds.dll", eNum); Mark(L"errors",L"generic"); return HRESULT_FROM_WIN32(eNum); }
ADsGetObject = (ADSGETOBJECT)GetProcAddress(hMod, "ADsGetObject");
g_pVarSet = pVarSet;
try{ pStatus = pVarSet->get(GET_BSTR(DCTVS_StatusObject)); opt.pStatus = pStatus; } catch (...) { // Oh well, keep going
} // Load the options specified by the user including the account information
WCHAR mesg[LEN_Path]; wcscpy(mesg, GET_STRING(IDS_BUILDING_ACCOUNT_LIST)); Progress(mesg); LoadOptionsFromVarSet(pVarSet);
MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); if ( BothWin2K(&opt) ) { hr = pAccess->raw_IsInSameForest(opt.srcDomainDns,opt.tgtDomainDns, (long*)&bSameForest); } if ( SUCCEEDED(hr) ) { opt.bSameForest = bSameForest; }
// We are going to initialize the Extension objects
m_pExt = new CProcessExtensions(pVarSet);
//
// If updating of user rights is specified then create
// instance of user rights component and set the test mode option.
//
if (m_UpdateUserRights) { CheckError(CoCreateInstance(CLSID_UserRights, NULL,CLSCTX_ALL, IID_IUserRights, (void**)&m_pUserRights)); m_pUserRights->put_NoChange(opt.nochange); }
TNodeListSortable newList; if ( opt.expandMemberOf && ! opt.bUndo ) // always expand the member-of property, since we want to update the member-of property for migrated accounts
{ // Expand the containers and the membership
wcscpy(mesg, GET_STRING(IDS_EXPANDING_MEMBERSHIP)); Progress(mesg); // Expand the list to include all the groups that the accounts in this list are members of
newList.CompareSet(&TNodeCompareAccountTypeAndRDN); if ( newList.IsTree() ) newList.ToSorted(); ExpandMembership( &acctList, &opt, &newList, Progress, FALSE); }
if ( opt.expandContainers && !opt.bUndo) { // Expand the containers and the membership
wcscpy(mesg, GET_STRING(IDS_EXPANDING_CONTAINERS)); Progress(mesg); // Expand the list to include all the members of the containers.
acctList.CompareSet(&TNodeCompareAccountTypeAndRDN); ExpandContainers(&acctList, &opt, Progress); }
// Add the newly created list ( if one was created )
if ( opt.expandMemberOf && !opt.bUndo ) { wcscpy(mesg, GET_STRING(IDS_MERGING_EXPANDED_LISTS)); Progress(mesg); // add the new and the old list
acctList.CompareSet(&TNodeCompareAccountTypeAndRDN); for ( TNode * acct = newList.Head(); acct; ) { TNode * temp = acct->Next(); if ( ! acctList.InsertIfNew(acct) ) delete acct; acct = temp; } Progress(L""); } do { // once
// Copy the NT accounts for users, groups and/or computers
if ( pStatus!= NULL && (pStatus->Status & DCT_STATUS_ABORTING) ) break; int res;
if ( opt.bUndo ) res = UndoCopy(&opt,&acctList,&Progress, err,(IStatusObj *)((MCSDCTWORKEROBJECTSLib::IStatusObj *)pStatus),NULL); else res = CopyObj( &opt,&acctList,&Progress, err,(IStatusObj *)((MCSDCTWORKEROBJECTSLib::IStatusObj *)pStatus),NULL); // Close the password log
if ( opt.passwordLog.IsOpen() ) { opt.passwordLog.LogClose(); }
if ( pStatus != NULL && (pStatus->Status & DCT_STATUS_ABORTING) ) break; // Update Rights for user and group accounts
if ( m_UpdateUserRights ) { UpdateUserRights((IStatusObj *)((MCSDCTWORKEROBJECTSLib::IStatusObj *)pStatus)); }
if ( pStatus != NULL && (pStatus->Status & DCT_STATUS_ABORTING) ) break;
// Change of Domain affiliation on computers and optional reboot will be done by local agent
} while (false);
LoadResultsToVarSet(pVarSet);
// Cleanup the account list
if ( acctList.IsTree() ) { acctList.ToSorted(); }
TNodeListEnum e; TAcctReplNode * tnode; TAcctReplNode * tnext;
for ( tnode = (TAcctReplNode *)e.OpenFirst(&acctList) ; tnode ; tnode = tnext ) { tnext = (TAcctReplNode*)e.Next(); acctList.Remove(tnode); delete tnode; } e.Close(); err.LogClose(); Progress(L""); if (m_pExt) delete m_pExt;
g_pVarSet = NULL; if ( hMod ) FreeLibrary(hMod); } catch (_com_error& ce) { hr = ce.Error(); err.SysMsgWrite(ErrS, hr, DCT_MSG_ACCOUNT_REPLICATOR_UNABLE_TO_CONTINUE); } catch (...) { hr = E_UNEXPECTED; err.SysMsgWrite(ErrS, hr, DCT_MSG_ACCOUNT_REPLICATOR_UNABLE_TO_CONTINUE); }
return hr;}
//------------------------------------------------------------------------------
// CopyObj: When source and target domains are both Win2k this function calls
// The 2kobject functions. Other wise it calls the User copy functions.
//------------------------------------------------------------------------------
int CAcctRepl::CopyObj( Options * options, // in -options
TNodeListSortable * acctlist, // in -list of accounts to process
ProgressFn * progress, // in -window to write progress messages to
TError & error, // in -window to write error messages to
IStatusObj * pStatus, // in -status object to support cancellation
void WindowUpdate (void ) // in - window update function
){ BOOL bSameForest = FALSE; long rc; HRESULT hr = S_OK; // if the Source/Target domain is NT4 then use the UserCopy Function. If both domains are Win2K then use
// the CopyObj2K function to do so.
if ( BothWin2K( options ) ) { // Since these are Win2k domains we need to process it with Win2k code.
MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); // First of all we need to find out if they are in the same forest.
HRESULT hr = pAccess->raw_IsInSameForest(options->srcDomainDns,options->tgtDomainDns, (long*)&bSameForest); if ( SUCCEEDED(hr) ) { options->bSameForest = bSameForest; if ( !bSameForest || (options->flags & F_COMPUTERS) ) // always copy the computer accounts
{ // Different forest we need to copy.
rc = CopyObj2K(options, acctlist, progress, pStatus); if (opt.fixMembership) { // Update the group memberships
rc = UpdateGroupMembership(options, acctlist, progress, pStatus); if ( !options->expandMemberOf ) { hr = UpdateMemberToGroups(acctlist, options, FALSE); rc = HRESULT_CODE(hr); } else //if groups migrated, still expand but only for groups
{ hr = UpdateMemberToGroups(acctlist, options, TRUE); rc = HRESULT_CODE(hr); } } //for user or group, migrate the manager\directReports or
//managedBy\managedObjects properties respectively
if ((options->flags & F_USERS) || (options->flags & F_GROUP)) UpdateManagement(acctlist, options); } else { // Within a forest we can move the object around.
rc = MoveObj2K(options, acctlist, progress, pStatus); }
if ( progress ) progress(L""); } else { rc = -1; err.SysMsgWrite(ErrE, hr, DCT_MSG_ACCESS_CHECKER_FAILED_D, hr); Mark(L"errors",L"generic"); } } else { // Create the object.
rc = CopyObj2K(options, acctlist, progress, pStatus); if (opt.fixMembership) { rc = UpdateGroupMembership(options, acctlist, progress, pStatus); if ( !options->expandMemberOf ) { hr = UpdateMemberToGroups(acctlist, options, FALSE); rc = HRESULT_CODE(hr); } else //if groups migrated, still expand but only for groups
{ hr = UpdateMemberToGroups(acctlist, options, TRUE); rc = HRESULT_CODE(hr); } } // Call NT4 Code to update the group memberships
//UpdateNT4GroupMembership(options, acctlist, progress, pStatus, WindowUpdate);
} return rc;}
//------------------------------------------------------------------------------
// BothWin2k: Checks to see if Source and Target domains are both Win2k.
//------------------------------------------------------------------------------
bool CAcctRepl::BothWin2K( // True if both domains are win2k
Options * pOptions //in- options
){ // This function checks for the version on the Source and Target domain. If either one is
// a non Win2K domain then it returns false
bool retVal = true;
if ( (pOptions->srcDomainVer > -1) && (pOptions->tgtDomainVer > -1) ) return ((pOptions->srcDomainVer > 4) && (pOptions->tgtDomainVer > 4)); MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); HRESULT hr; DWORD verMaj, verMin, sp; hr = pAccess->raw_GetOsVersion(pOptions->srcComp, &verMaj, &verMin, &sp);
if ( FAILED(hr) ) { err.SysMsgWrite(ErrE,hr, DCT_MSG_GET_OS_VER_FAILED_SD, pOptions->srcDomain, hr); Mark(L"errors", L"generic"); retVal = false; } else { pOptions->srcDomainVer = verMaj; pOptions->srcDomainVerMinor = verMin; if (verMaj < 5) retVal = false; }
hr = pAccess->raw_GetOsVersion(pOptions->tgtComp, &verMaj, &verMin, &sp); if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr,DCT_MSG_GET_OS_VER_FAILED_SD, pOptions->tgtDomain , hr); Mark(L"errors", L"generic"); retVal = false; } else { pOptions->tgtDomainVer = verMaj; pOptions->tgtDomainVerMinor = verMin; if (verMaj < 5) retVal = false; } return retVal;}
int CAcctRepl::CopyObj2K( Options * pOptions, //in -Options that we recieved from the user
TNodeListSortable * acctlist, //in -AcctList of accounts to be copied.
ProgressFn * progress, //in -Progress Function to display messages
IStatusObj * pStatus // in -status object to support cancellation
){ // This function copies the object from Win2K domain to another Win2K domain.
TNodeTreeEnum tenum; TAcctReplNode * acct; IObjPropBuilderPtr pObjProp(__uuidof(ObjPropBuilder)); IVarSetPtr pVarset(__uuidof(VarSet)); IUnknown * pUnk; HRESULT hr; _bstr_t currentType = L""; // TNodeListSortable pMemberOf;
// sort the account list by Source Type\Source Name
acctlist->CompareSet(&TNodeCompareAccountType);
if ( acctlist->IsTree() ) acctlist->ToSorted(); acctlist->SortedToScrambledTree(); acctlist->Sort(&TNodeCompareAccountType); acctlist->Balance();
if ( pOptions->flags & F_AddSidHistory ) { //Need to Add Sid history on the target account. So lets bind it and go from there
g_bAddSidWorks = BindToDS( pOptions ); }
if ( pOptions->flags & F_TranslateProfiles ) { GetBkupRstrPriv((WCHAR*)NULL); GetPrivilege((WCHAR*)NULL,SE_SECURITY_NAME); }
// Get the defaultNamingContext for the source domain
_variant_t var;
// Get an IUnknown pointer to the Varset for passing it around.
hr = pVarset->QueryInterface(IID_IUnknown, (void**)&pUnk);
CTargetPathSet setTargetPath;
for ( acct = (TAcctReplNode *)tenum.OpenFirst(acctlist) ; acct ; acct = (TAcctReplNode *)tenum.Next() ) { if (m_pExt && acct->CallExt()) { hr = m_pExt->Process(acct, pOptions->tgtDomain, pOptions,TRUE); } // We will process accounts only if the corresponding check boxes (for object types to copy) are checked.
if ( !NeedToProcessAccount( acct, pOptions ) ) continue;
// If we are told not to copy the object then we will obey
if ( !acct->CreateAccount() ) continue;
//if the UPN name conflicted, then the UPNUpdate extension set the hr to
//ERROR_OBJECT_ALREADY_EXISTS. If so, set flag for "no change" mode
if (acct->GetHr() == ERROR_OBJECT_ALREADY_EXISTS) { acct->bUPNConflicted = TRUE; acct->SetHr(S_OK); }
// Mark processed object count and update the status display
Mark(L"processed", acct->GetType());
if ( pStatus ) { LONG status = 0; HRESULT hr = pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
// Create the target object
WCHAR mesg[LEN_Path]; wsprintf(mesg, GET_STRING(IDS_CREATING_S), acct->GetName()); if ( progress ) progress(mesg);
HRESULT hrCreate = Create2KObj(acct, pOptions, setTargetPath);
acct->SetHr(hrCreate); if ( SUCCEEDED(hrCreate) ) { err.MsgWrite(0, DCT_MSG_ACCOUNT_CREATED_S, acct->GetTargetName()); } else { if ((HRESULT_CODE(hrCreate) == ERROR_OBJECT_ALREADY_EXISTS) ) { ; } else { if ( acct->IsCritical() ) { err.SysMsgWrite(ErrE,ERROR_SPECIAL_ACCOUNT,DCT_MSG_REPLACE_FAILED_SD,acct->GetName(),ERROR_SPECIAL_ACCOUNT); Mark(L"errors", acct->GetType()); } else { if ( HRESULT_CODE(hrCreate) == ERROR_DS_SRC_AND_DST_OBJECT_CLASS_MISMATCH ) { err.MsgWrite(ErrE, DCT_MSG_CANT_REPLACE_DIFFERENT_TYPE_SS, acct->GetTargetPath(), acct->GetSourcePath() ); Mark(L"errors", acct->GetType()); } else { err.SysMsgWrite(ErrE, hrCreate, DCT_MSG_CREATE_FAILED_SSD, acct->GetName(), pOptions->tgtDomain, hrCreate); Mark(L"errors", acct->GetType()); } } } }
if ( acct->WasCreated() ) { // Do we need to add sid history
if ( pOptions->flags & F_AddSidHistory ) { // Global flag tells us if we should try the AddSidHistory because
// for some special cases if it does not work once it will not work
// see the AddSidHistory function for more details.
if ( g_bAddSidWorks ) { WCHAR mesg[LEN_Path]; wsprintf(mesg, GET_STRING(IDS_ADDING_SIDHISTORY_S), acct->GetName()); if ( progress ) progress(mesg); if (! AddSidHistory( pOptions, acct->GetSourceSam(), acct->GetTargetSam(), pStatus ) ) { Mark(L"errors", acct->GetType()); } // CopySidHistoryProperty(pOptions, acct, pStatus);
} } } }
tenum.Close();
// free memory as set no longer needed
setTargetPath.clear();
bool bWin2k = BothWin2K(pOptions);
//
// Generate a mapping between the source object's distinguished name and the target object's
// distinguished name. This is used to translate distinguished name attributes during copying
// of properties.
//
IVarSetPtr spSourceToTargetDnMap = GenerateSourceToTargetDnMap(acctlist);
for ( acct = (TAcctReplNode *)tenum.OpenFirst(acctlist) ; acct ; acct = (TAcctReplNode *)tenum.Next() ) { if ( pStatus ) { LONG status = 0; HRESULT hr = pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } // We are told not to copy the properties to the account so we ignore it.
if ( acct->CopyProps() ) { // If the object type is different from the one that was processed prior to this then we need to map properties
if ((!pOptions->nochange) && (_wcsicmp(acct->GetType(),currentType) != 0)) { WCHAR mesg[LEN_Path]; wsprintf(mesg, GET_STRING(IDS_MAPPING_PROPS_S), acct->GetType()); if ( progress ) progress(mesg); // Set the current type
currentType = acct->GetType(); // Clear the current mapping
pVarset->Clear(); // Get a new mapping
if ( BothWin2K(pOptions) ) { hr = pObjProp->raw_MapProperties(currentType, pOptions->srcDomain, pOptions->srcDomainVer, currentType, pOptions->tgtDomain, pOptions->tgtDomainVer, 0, &pUnk); if (hr == DCT_MSG_PROPERTIES_NOT_MAPPED) { err.MsgWrite(ErrW,DCT_MSG_PROPERTIES_NOT_MAPPED, acct->GetType()); hr = S_OK; } } else hr = S_OK;
if ( FAILED( hr ) ) { err.SysMsgWrite(ErrE, hr, DCT_MSG_PROPERTY_MAPPING_FAILED_SD, (WCHAR*)currentType, hr); Mark(L"errors", currentType); // No properties should be set if mapping fails
pVarset->Clear(); } } // We update the properties if the object was created or it already existed and the replce flag is set.
BOOL bExists = FALSE; if (HRESULT_CODE(acct->GetHr()) == ERROR_OBJECT_ALREADY_EXISTS) bExists = TRUE;
if ( ((SUCCEEDED(acct->GetHr()) && (!bExists)) || ((bExists) && (pOptions->flags & F_REPLACE))) ) { WCHAR mesg[LEN_Path]; wsprintf(mesg, GET_STRING(IDS_UPDATING_PROPS_S), acct->GetName()); if ( progress ) progress(mesg); // Create the AccountList object and update the list variable
if ( !pOptions->nochange ) { _bstr_t sExcList;
if (pOptions->bExcludeProps) { if (!_wcsicmp(acct->GetType(), s_ClassUser)) sExcList = pOptions->sExcUserProps; else if (!_wcsicmp(acct->GetType(), s_ClassInetOrgPerson)) sExcList = pOptions->sExcInetOrgPersonProps; else if (!_wcsicmp(acct->GetType(), L"group")) sExcList = pOptions->sExcGroupProps; else if (!_wcsicmp(acct->GetType(), L"computer")) sExcList = pOptions->sExcCmpProps; }
//
// If asterisk character is not specified then copy properties using specified
// exclusion list otherwise exclude all properties by not copying any properties.
//
if ((sExcList.length() == 0) || (IsStringInDelimitedString(sExcList, L"*", L',') == FALSE)) { //exclude user's profile path if translate roaming profiles and sIDHistory
//are both not selected
if (((!_wcsicmp(acct->GetType(), s_ClassUser) || !_wcsicmp(acct->GetType(), s_ClassInetOrgPerson))) && (!(pOptions->flags & F_TranslateProfiles)) && (!(pOptions->flags & F_AddSidHistory))) { //if already excluding properties, just add profiles to the list
if (pOptions->bExcludeProps) { //if we already have a list add a , to the end
if (sExcList.length()) sExcList += L",";
//add the profile path to the exclude list
sExcList += L"profilePath"; } else //else turn on the flag and add just profile path to the exclude list
{ //set the flag to indicate we want to exclude something
pOptions->bExcludeProps = TRUE; //add the profile path only to the exclude list
sExcList = L"profilePath"; } }//end if to exclude profile path
// add system exclude attributes
if (pOptions->sExcSystemProps.length()) { if (sExcList.length()) { sExcList += L","; }
sExcList += pOptions->sExcSystemProps;
pOptions->bExcludeProps = TRUE; }
if ( bWin2k ) { //if ask to, exclude any properties desired by the user and create a new varset
if (pOptions->bExcludeProps) { IVarSetPtr pVarsetTemp(__uuidof(VarSet)); IUnknown * pUnkTemp; hr = pVarsetTemp->QueryInterface(IID_IUnknown, (void**)&pUnkTemp); if (SUCCEEDED(hr)) { hr = pObjProp->raw_ExcludeProperties(sExcList, pUnk, &pUnkTemp); }
//
// Only copy properties if exclusion list was successfully created.
// This prevents possibly updating attributes that should not be
// updated. For example, if some attributes used by Exchange were
// updated this could break Exchange functionality.
//
if (SUCCEEDED(hr)) { // Call the win 2k code to copy all but excluded props
hr = pObjProp->raw_CopyProperties( const_cast<WCHAR*>(acct->GetSourcePath()), pOptions->srcDomain, const_cast<WCHAR*>(acct->GetTargetPath()), pOptions->tgtDomain, pUnkTemp, pOptions->pDb, IUnknownPtr(spSourceToTargetDnMap) ); } pUnkTemp->Release(); }//end if asked to exclude
else { // Call the win 2k code to copy all props
hr = pObjProp->raw_CopyProperties( const_cast<WCHAR*>(acct->GetSourcePath()), pOptions->srcDomain, const_cast<WCHAR*>(acct->GetTargetPath()), pOptions->tgtDomain, pUnk, pOptions->pDb, IUnknownPtr(spSourceToTargetDnMap) ); } } else { // Otherwise let the Net APIs do their thing.
hr = pObjProp->raw_CopyNT4Props(const_cast<WCHAR*>(acct->GetSourceSam()), const_cast<WCHAR*>(acct->GetTargetSam()), pOptions->srcComp, pOptions->tgtComp, const_cast<WCHAR*>(acct->GetType()), acct->GetGroupType(), sExcList); } } } else // we are going to assume that copy properties would work
hr = S_OK;
if ( FAILED(hr) ) { if ( (acct->GetStatus() & AR_Status_Special) ) { err.MsgWrite(ErrE,DCT_MSG_FAILED_TO_REPLACE_SPECIAL_ACCT_S,acct->GetTargetSam()); } else { err.SysMsgWrite(ErrE, HRESULT_CODE(hr), DCT_MSG_COPY_PROPS_FAILED_SD, acct->GetTargetName(), hr); } acct->MarkError(); Mark(L"errors", acct->GetType()); } else { if (HRESULT_CODE(acct->GetHr()) == ERROR_OBJECT_ALREADY_EXISTS) { acct->MarkAlreadyThere(); acct->MarkReplaced(); Mark(L"replaced",acct->GetType()); err.MsgWrite(0, DCT_MSG_ACCOUNT_REPLACED_S, acct->GetTargetName()); } } } } // do we need to call extensions. Only if Extension flag is set and the object is copied.
if ((!pOptions->nochange) && (acct->CallExt()) && (acct->WasCreated() || acct->WasReplaced())) { // Let the Extension objects do their thing.
WCHAR mesg[LEN_Path]; wsprintf(mesg,GET_STRING(IDS_RUNNING_EXTS_S), acct->GetName()); if ( progress ) progress(mesg);
// Close the log file if it is open
WCHAR filename[LEN_Path]; err.LogClose(); if (m_pExt) hr = m_pExt->Process(acct, pOptions->tgtDomain, pOptions,FALSE); safecopy (filename,opt.logFile); err.LogOpen(filename,1 /*append*/);
}
// only do these updates for account's we're copying
// and only do updates if the account was actually created
// .. or if the account was replaced,
// or if we intentionally didn't replace the account (as in the group merge case)
if ( acct->CreateAccount() && ( acct->WasCreated() || ( acct->WasReplaced() || !acct->CopyProps() ) ) ) { WCHAR mesg[LEN_Path]; wsprintf(mesg, GET_STRING(IDS_TRANSLATE_ROAMING_PROFILE_S), acct->GetName()); if ( progress ) progress(mesg);
//Set the new profile if needed
if ( pOptions->flags & F_TranslateProfiles && ((_wcsicmp(acct->GetType(), s_ClassUser) == 0) || (_wcsicmp(acct->GetType(), s_ClassInetOrgPerson) == 0))) { WCHAR tgtProfilePath[MAX_PATH]; GetBkupRstrPriv((WCHAR*)NULL); GetPrivilege((WCHAR*)NULL,SE_SECURITY_NAME); if ( wcslen(acct->GetSourceProfile()) > 0 ) { DWORD ret = TranslateRemoteProfile( acct->GetSourceProfile(), tgtProfilePath, acct->GetSourceSam(), acct->GetTargetSam(), pOptions->srcDomain, pOptions->tgtDomain, pOptions->pDb, pOptions->lActionID, NULL, pOptions->nochange); if ( !ret ) { WCHAR tgtuser[LEN_Path]; USER_INFO_3 * tgtinfo; DWORD nParmErr; wcscpy(tgtuser, acct->GetTargetSam()); // Get information for the target account
long rc = NetUserGetInfo(const_cast<WCHAR *>(pOptions->tgtComp), tgtuser, 3, (LPBYTE *) &tgtinfo);
if (!pOptions->nochange) { // Set the new profile path
tgtinfo->usri3_profile = tgtProfilePath; // Set the information back for the account.
rc = NetUserSetInfo(const_cast<WCHAR *>(pOptions->tgtComp), tgtuser, 3, (LPBYTE)tgtinfo, &nParmErr); NetApiBufferFree((LPVOID) tgtinfo); if (rc) { err.MsgWrite(ErrE, DCT_MSG_SETINFO_FAIL_SD, tgtuser, rc); Mark(L"errors", acct->GetType()); } } } } }
if ( acct->WasReplaced() ) {
// Do we need to add sid history
if ( pOptions->flags & F_AddSidHistory ) { WCHAR mesg[LEN_Path]; wsprintf(mesg, GET_STRING(IDS_ADDING_SIDHISTORY_S), acct->GetName()); if ( progress ) progress(mesg);
// Global flag tells us if we should try the AddSidHistory because
// for some special cases if it does not work once it will not work
// see the AddSidHistory function for more details.
if ( g_bAddSidWorks ) { if (! AddSidHistory( pOptions, acct->GetSourceSam(), acct->GetTargetSam(), pStatus ) ) { Mark(L"errors", acct->GetType()); } // CopySidHistoryProperty(pOptions, acct, pStatus);
} }
} wsprintf(mesg, L"", acct->GetName()); if ( progress ) progress(mesg); } }
// Cleanup
pUnk->Release(); tenum.Close(); return 0;}
void CAcctRepl::LoadOptionsFromVarSet(IVarSet * pVarSet){ _bstr_t text; DWORD rc; MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker));
//store the name of the wizard being run
opt.sWizard = pVarSet->get(GET_BSTR(DCTVS_Options_Wizard));
//
// If group mapping and merging is the task then allow distinguished
// name conflicts as the main reason for this task is to merge
// several source groups into one target group.
//
if (opt.sWizard.length() && (_wcsicmp((wchar_t*)opt.sWizard, L"groupmapping") == 0)) { m_bIgnorePathConflict = true; }
// Read General Options
// open log file first, so we'll be sure to get any errors!
text = pVarSet->get(GET_BSTR(DCTVS_Options_Logfile)); safecopy(opt.logFile,(WCHAR*)text);
WCHAR filename[MAX_PATH];
safecopy (filename,opt.logFile);
err.LogOpen(filename,1 /*append*/);
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_SidHistoryCredentials_Domain)); safecopy(opt.authDomain ,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_SidHistoryCredentials_UserName)); safecopy(opt.authUser ,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_SidHistoryCredentials_Password)); safecopy(opt.authPassword,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_SourceDomain)); safecopy(opt.srcDomain,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_TargetDomain)); safecopy(opt.tgtDomain,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_SourceDomainDns)); safecopy(opt.srcDomainDns,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_TargetDomainDns)); safecopy(opt.tgtDomainDns,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_SourceDomainFlat)); safecopy(opt.srcDomainFlat,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_TargetDomainFlat)); safecopy(opt.tgtDomainFlat,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_SourceServer)); safecopy(opt.srcComp, (WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_SourceServerDns)); safecopy(opt.srcCompDns, (WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_SourceServerFlat)); safecopy(opt.srcCompFlat, (WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_TargetServer)); safecopy(opt.tgtComp, (WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_TargetServerDns)); safecopy(opt.tgtCompDns, (WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_TargetServerFlat)); safecopy(opt.tgtCompFlat, (WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_NoChange)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) { opt.nochange = TRUE; } else { opt.nochange = FALSE; }
// Read Account Replicator Options
// initialize
safecopy(opt.prefix, L""); safecopy(opt.suffix, L""); safecopy(opt.globalPrefix, L""); safecopy(opt.globalSuffix, L"");
DWORD flags = 0;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ReplaceExistingAccounts)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) { flags |= F_REPLACE; } else { // Prefix/Suffix only apply if the Replace flag is not set.
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_Prefix)); safecopy(opt.prefix,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_Suffix)); safecopy(opt.suffix,(WCHAR*)text); }
// Global flags apply no matter what
text = pVarSet->get(GET_BSTR(DCTVS_Options_Prefix)); safecopy(opt.globalPrefix,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_Options_Suffix)); safecopy(opt.globalSuffix,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyContainerContents)); if ( text == _bstr_t(GET_BSTR(IDS_YES)) ) opt.expandContainers = TRUE; else opt.expandContainers = FALSE;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyMemberOf)); if ( text == _bstr_t(GET_BSTR(IDS_YES)) ) opt.expandMemberOf = TRUE; else opt.expandMemberOf = FALSE;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_FixMembership)); if ( text == _bstr_t(GET_BSTR(IDS_YES)) ) opt.fixMembership = TRUE; else opt.fixMembership = FALSE;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_AddToGroup)); safecopy(opt.addToGroup,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_AddToGroupOnSourceDomain)); safecopy(opt.addToGroupSource,(WCHAR*)text);
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_TranslateRoamingProfiles)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_TranslateProfiles;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyUsers)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_USERS;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyGlobalGroups)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_GROUP;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyComputers)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_COMPUTERS;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyOUs)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_OUS;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyContainerContents)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_COPY_CONT_CONTENT;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_IncludeMigratedAccts)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_COPY_MIGRATED_ACCT;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyLocalGroups)); if (! UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_LGROUP;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_DisableCopiedAccounts)); if (! UStrICmp(text,GET_STRING(IDS_All)) ) flags |= F_DISABLE_ALL; else if (! UStrICmp(text,GET_STRING(IDS_Special)) ) flags |= F_DISABLE_SPECIAL;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_DisableSourceAccounts)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_DISABLESOURCE;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_GenerateStrongPasswords)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_STRONGPW_ALL;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_PasswordFile)); if ( text.length() ) { // don't need this anymore, since it is handled by a plug-in
// opt.passwordLog.LogOpen(text,TRUE);
}
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_UpdateUserRights)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) { m_UpdateUserRights = TRUE; }
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ReplaceExistingGroupMembers)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_REMOVE_OLD_MEMBERS;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_RemoveExistingUserRights)); if ( ! UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_RevokeOldRights;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_MoveReplacedAccounts)); if ( ! UStrICmp(text,GET_STRING(IDS_YES)) ) flags |= F_MOVE_REPLACED_ACCT;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyComputers)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) { flags |= F_MACHINE; }
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_AddSidHistory)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) { flags |= F_AddSidHistory; }
opt.flags = flags;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_RenameOnly)); if (! UStrICmp(text,GET_STRING(IDS_YES)) ) { m_RenameOnly = TRUE; }
text = pVarSet->get(GET_BSTR(DCTVS_Options_Undo)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) { // this is an undo operation
opt.bUndo = TRUE; } else { opt.bUndo = FALSE; }
// What undo action are we performing.
if ( opt.bUndo ) { _variant_t var = pVarSet->get(L"UndoAction"); if (var.vt == VT_I4) opt.lUndoActionID = var.lVal; else opt.lUndoActionID = -2; } else { _variant_t var = pVarSet->get(L"ActionID"); if (var.vt == VT_I4) opt.lActionID = var.lVal; else opt.lActionID = -1; }
// Read the password policy from the varset
// We used to get the strong password policy from the target EA Server, so we can generate strong passwords
// that meet the policy.
// we don't do that anymore, since we have removed all depenedencies on EA.
LONG len = 10;
// set the password settings to default values
opt.policyInfo.bEnforce = TRUE;
opt.policyInfo.maxConsecutiveAlpha = (LONG)pVarSet->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MaxConsecutiveAlpha)); opt.policyInfo.minDigits = (LONG)pVarSet->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinDigit)); opt.policyInfo.minLower = (LONG)pVarSet->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinLower)); opt.policyInfo.minUpper = (LONG)pVarSet->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinUpper)); opt.policyInfo.minSpecial = (LONG)pVarSet->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinSpecial));
HRESULT hrAccess = pAccess->raw_GetPasswordPolicy(opt.tgtDomain,&len); if ( SUCCEEDED(hrAccess) ) { opt.minPwdLength = len;
pVarSet->put(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinLength),len); }
WriteOptionsToLog();
// Build List of Accounts to Copy
// Clear the account list first though
TNodeListEnum e; TAcctReplNode * acct; for ( acct = (TAcctReplNode *)e.OpenFirst(&acctList) ; acct ; acct = (TAcctReplNode *)e.Next() ) { acctList.Remove((TNode*)acct); }
BothWin2K(&opt);
// See if a global operation mask specified.
_variant_t vdwOpMask = pVarSet->get(GET_BSTR(DCTVS_Options_GlobalOperationMask)); if ( vdwOpMask.vt == VT_I4 ) g_dwOpMask = (DWORD)vdwOpMask.lVal;
// Then build the new list expect a list of accounts to copy in the VarSet
if ( ! opt.bUndo ) { rc = PopulateAccountListFromVarSet(pVarSet); if ( rc ) { _com_issue_error(HRESULT_FROM_WIN32(rc)); } }
// If we have an NT5 source domain then we need to fillin the path info
DWORD maj, min, sp; HRESULT hr = pAccess->raw_GetOsVersion(opt.srcComp, &maj, &min, &sp); if (SUCCEEDED(hr)) { // Ask the auxiliarry function to fill in the the Path for the source object if the AcctNode is not filled
for ( acct = (TAcctReplNode *)e.OpenFirst(&acctList) ; acct ; acct = (TAcctReplNode *)e.Next() ) { if ((!acct->IsFilled) && (maj > 4)) { FillPathInfo(acct, &opt); AddPrefixSuffix(acct, &opt); } else if ((maj == 4) && (!_wcsicmp(acct->GetType(),L"computer"))) FillPathInfo(acct, &opt); } }
// Check for incompatible options!
if ( (flags & F_RevokeOldRights) && !m_UpdateUserRights ) { err.MsgWrite(ErrW,DCT_MSG_RIGHTS_INCOMPATIBLE_FLAGS); Mark(L"warnings", "generic"); }
text = pVarSet->get(GET_BSTR(DCTVS_Options_OuPath)); if ( text.length() ) { wcscpy(opt.tgtOUPath, text); }
// intialize the system exclude attributes option
// if not in passed in VarSet then retrieve from database
_variant_t vntSystemExclude = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ExcludedSystemProps));
if (V_VT(&vntSystemExclude) == VT_EMPTY) { IVarSetPtr spVarSet(__uuidof(VarSet)); IUnknownPtr spUnknown(spVarSet); IUnknown* punk = spUnknown; opt.pDb->GetSettings(&punk); vntSystemExclude = spVarSet->get(GET_BSTR(DCTVS_AccountOptions_ExcludedSystemProps)); }
opt.sExcSystemProps = vntSystemExclude;
//store the object property exclusion lists in the options structure
opt.sExcUserProps = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ExcludedUserProps)); opt.sExcInetOrgPersonProps = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ExcludedInetOrgPersonProps)); opt.sExcGroupProps = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ExcludedGroupProps)); opt.sExcCmpProps = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ExcludedComputerProps)); text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_ExcludeProps)); if ( !UStrICmp(text,GET_STRING(IDS_YES)) ) opt.bExcludeProps = TRUE; else opt.bExcludeProps = FALSE;}
DWORD CAcctRepl::PopulateAccountListFromVarSet( IVarSet * pVarSet // in - varset containing account list
){ _bstr_t val; long numAccounts; _bstr_t text; DWORD maj, min, sp; PSID pSrcSid = NULL; WCHAR txtSid[200] = L""; DWORD lenTxt = DIM(txtSid); MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); numAccounts = pVarSet->get(GET_BSTR(DCTVS_Accounts_NumItems)); // Set up the account list functionality
acctList.CompareSet(&TNodeCompareNameOnly); if ( acctList.IsTree() ) acctList.ToSorted();
//get the source domain's Sid so we can store it as part of the node
_bstr_t source = pVarSet->get(GET_BSTR(DCTVS_Options_SourceDomain)); GetSidForDomain((WCHAR*)source,&pSrcSid);
for ( int i = 0 ; i < numAccounts ; i++ ) { WCHAR key[LEN_Path]; UCHAR acctName[LEN_Account]; TAcctReplNode * curr = new TAcctReplNode;
if (!curr) return ERROR_NOT_ENOUGH_MEMORY;
if ( opt.pStatus ) { LONG status = 0; HRESULT hr = opt.pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
// The object type must be specified
swprintf(key,GET_STRING(DCTVSFmt_Accounts_Type_D),i); val = pVarSet->get(key); curr->SetType(val); swprintf(key,GET_STRING(DCTVSFmt_Accounts_D),i); text = pVarSet->get(key); if ( ! text.length() ) { // oops, no name specified
// skip this entry and try the next one
err.MsgWrite(ErrW,DCT_MSG_NO_NAME_IN_VARSET_S,key); Mark(L"warnings",L"generic"); delete curr; continue; } //set the source domain's sid
curr->SetSourceSid(pSrcSid);
// Set the operation to the global mask then check if we need to overwrite with the individual setting.
curr->operations = g_dwOpMask;
swprintf(key, GET_STRING(DCTVS_Accounts_D_OperationMask), i); _variant_t vOpMask = pVarSet->get(key); if ( vOpMask.vt == VT_I4 ) curr->operations = (DWORD)vOpMask.lVal; // Get the rest of the info from the VarSet.
if ( ( (text.length() > 7 ) && (_wcsnicmp((WCHAR*) text, L"LDAP://",UStrLen(L"LDAP://")) == 0) ) || ( (text.length() > 8 ) && (_wcsnicmp((WCHAR*)text, L"WinNT://",UStrLen(L"WinNT://")) == 0)) ) { //hmmmm... They are giving use ADsPath. Lets get all the info we can from the object then.
curr->SetSourcePath((WCHAR*) text); HRESULT hr = FillNodeFromPath(curr, &opt, &acctList);
if (SUCCEEDED(hr)) { // Get the target name if one is specified.
swprintf(key,GET_STRING(DCTVSFmt_Accounts_TargetName_D),i); text = pVarSet->get(key);
if ( text.length() ) { // if target name is specified then use that.
curr->SetTargetName((WCHAR*) text); curr->SetTargetSam((WCHAR*) text); }
curr->IsFilled = true; } } else { FillNamingContext(&opt); // if this is a computer account, make sure the trailing $ is included in the name
curr->SetName(text); curr->SetTargetName(text); if ( !UStrICmp(val,L"computer") ) {// if ( ((WCHAR*)text)[text.length() - 1] != L'$' ) //comment out to fix 89513.
text += L"$"; } curr->SetSourceSam(text); curr->SetTargetSam(text); safecopy(acctName,(WCHAR*)text);
// optional target name
swprintf(key,GET_STRING(DCTVSFmt_Accounts_TargetName_D),i); text = pVarSet->get(key); if ( text.length() ) curr->SetTargetName(text);
// HRESULT hr = pAccess->raw_GetOsVersion(opt.srcComp, &maj, &min, &sp);
pAccess->raw_GetOsVersion(opt.srcComp, &maj, &min, &sp); if ( maj < 5 ) AddPrefixSuffix(curr,&opt);
// if this is a computer account, make sure the trailing $ is included in the name
if ( !UStrICmp(val,L"computer") ) { if ( text.length() && ((WCHAR*)text)[text.length() - 1] != L'$' ) text += L"$"; } if ( text.length() ) { if ( ((WCHAR*)text)[text.length() - 1] != L'$' ) text += L"$"; curr->SetTargetSam(text); } curr->IsFilled = false; }
if ( _wcsicmp(val, L"") != 0 ) { acctList.InsertBottom((TNode*)curr); } else { err.MsgWrite(ErrW,DCT_MSG_BAD_ACCOUNT_TYPE_SD,curr->GetName(),val); Mark(L"warnings",L"generic"); delete curr; } }
return 0;}
HRESULT CAcctRepl::UpdateUserRights( IStatusObj * pStatus // in - status object
){ HRESULT hr = S_OK;
if (!opt.bSameForest && !opt.bUndo) { hr = m_pUserRights->OpenSourceServer(_bstr_t(opt.srcComp));
if (SUCCEEDED(hr)) { hr = m_pUserRights->OpenTargetServer(_bstr_t(opt.tgtComp)); }
if (SUCCEEDED(hr)) { m_pUserRights->put_RemoveOldRightsFromTargetAccounts((opt.flags & F_RevokeOldRights) != 0);
if (acctList.IsTree()) { acctList.ToSorted(); }
TNodeListEnum e;
for (TAcctReplNode* acct = (TAcctReplNode*)e.OpenFirst(&acctList) ; acct; acct = (TAcctReplNode *)e.Next()) { if ( pStatus ) { LONG status = 0; HRESULT hr = pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
if (_wcsicmp(acct->GetType(), L"computer") != 0) // only update rights for users and groups, not computer accounts
{ // if the account wasn't created or replaced, don't bother
if (acct->GetStatus() & (AR_Status_Created | AR_Status_Replaced)) { if ( acct->GetSourceRid() && acct->GetTargetRid() ) { _bstr_t strSourceSid = GenerateSidAsString(&opt, FALSE, acct->GetSourceRid()); _bstr_t strTargetSid = GenerateSidAsString(&opt, TRUE, acct->GetTargetRid());
hr = m_pUserRights->CopyUserRightsWithSids( _bstr_t(acct->GetSourceSam()), strSourceSid, _bstr_t(acct->GetTargetSam()), strTargetSid ); } else { hr = m_pUserRights->CopyUserRights( _bstr_t(acct->GetSourceSam()), _bstr_t(acct->GetTargetSam()) ); }
if (SUCCEEDED(hr)) { err.MsgWrite(0, DCT_MSG_UPDATED_RIGHTS_S, acct->GetTargetName() ); acct->MarkRightsUpdated(); } else { err.SysMsgWrite(ErrE, hr, DCT_MSG_UPDATE_RIGHTS_FAILED_SD, acct->GetTargetName(), hr); acct->MarkError(); Mark(L"errors", acct->GetType()); } } } }
e.Close(); }
Progress(L""); }
return hr;}
//---------------------------------------------------------------------------
// EnumerateAccountRights Method
//
// Synopsis
// Enumerate account rights for specified account. The rights are stored in
// the account node object.
//
// Arguments
// IN bTarget - specifies whether to use the target or source account
// IN pAcct - a pointer to an account node object
//
// Return
// Returns an HRESULT where S_OK indicates success anything else an error.
//---------------------------------------------------------------------------
HRESULT CAcctRepl::EnumerateAccountRights(BOOL bTarget, TAcctReplNode* pAcct){ HRESULT hr;
//
// Retrieve the target or source server name and the target or source
// account RID and generate the account SID as a string.
//
_bstr_t strServer = bTarget ? opt.tgtComp : opt.srcComp; DWORD dwRid = bTarget ? pAcct->GetTargetRid() : pAcct->GetSourceRid(); _bstr_t strSid = GenerateSidAsString(&opt, bTarget, dwRid);
if ((PCWSTR)strServer && (PCWSTR)strSid) { //
// If array of user rights currently exists
// in account node object then destroy array.
//
if (pAcct->psaUserRights) { SafeArrayDestroy(pAcct->psaUserRights); pAcct->psaUserRights = NULL; }
//
// Retrieve array of user rights and save them in account node object.
//
hr = m_pUserRights->GetRightsOfUser(strServer, strSid, &pAcct->psaUserRights); } else { hr = E_OUTOFMEMORY; }
return hr;}
//---------------------------------------------------------------------------
// AddAccountRights Method
//
// Synopsis
// Add account rights to specified account.
//
// Arguments
// IN bTarget - specifies whether to use the target or source account
// IN pAcct - a pointer to an account node object
//
// Return
// Returns an HRESULT where S_OK indicates success anything else an error.
//---------------------------------------------------------------------------
HRESULT CAcctRepl::AddAccountRights(BOOL bTarget, TAcctReplNode* pAcct){ HRESULT hr = S_OK;
if (pAcct->psaUserRights) { //
// Retrieve the target or source server name, the target or source account name
// and the target or source account RID and generate the account SID as a string.
//
_bstr_t strServer = bTarget ? opt.tgtComp : opt.srcComp; _bstr_t strName = bTarget ? pAcct->GetTargetName() : pAcct->GetName(); DWORD dwRid = bTarget ? pAcct->GetTargetRid() : pAcct->GetSourceRid(); _bstr_t strSid = GenerateSidAsString(&opt, bTarget, dwRid);
if ((PCWSTR)strServer && (PCWSTR)strSid) { //
// Add rights to account.
//
hr = m_pUserRights->AddUserRights(strServer, strSid, pAcct->psaUserRights); } else { hr = E_OUTOFMEMORY; }
//
// If rights added successfully then generate messages specifying
// rights granted and that rights were updated for specified account
// otherwise generate message stating failure of rights update.
//
if (SUCCEEDED(hr)) { SAFEARRAY* psaUserRights = pAcct->psaUserRights; BSTR* pbstrRight; hr = SafeArrayAccessData(psaUserRights, (void**)&pbstrRight);
if (SUCCEEDED(hr)) { ULONG ulCount = psaUserRights->rgsabound[0].cElements;
for (ULONG ulIndex = 0; ulIndex < ulCount; ulIndex++) { BSTR bstrRight = pbstrRight[ulIndex]; err.MsgWrite(0, DCT_MSG_RIGHT_GRANTED_SS, bstrRight, (PCWSTR)strName); }
SafeArrayUnaccessData(psaUserRights); }
err.MsgWrite(0, DCT_MSG_UPDATED_RIGHTS_S, (PCWSTR)strName); pAcct->MarkRightsUpdated(); } else { err.SysMsgWrite(ErrE, hr, DCT_MSG_UPDATE_RIGHTS_FAILED_SD, (PCWSTR)strName, hr); pAcct->MarkError(); Mark(L"errors", pAcct->GetType()); } }
return hr;}
//---------------------------------------------------------------------------
// RemoveAccountRights Method
//
// Synopsis
// Remove account rights from specified account.
//
// Arguments
// IN bTarget - specifies whether to use the target or source account
// IN pAcct - a pointer to an account node object
//
// Return
// Returns an HRESULT where S_OK indicates success anything else an error.
//---------------------------------------------------------------------------
HRESULT CAcctRepl::RemoveAccountRights(BOOL bTarget, TAcctReplNode* pAcct){ HRESULT hr = S_OK;
if (pAcct->psaUserRights) { //
// Retrieve the target or source server name, the target or source account name
// and the target or source account RID and generate the account SID as a string.
//
_bstr_t strServer = bTarget ? opt.tgtComp : opt.srcComp; DWORD dwRid = bTarget ? pAcct->GetTargetRid() : pAcct->GetSourceRid(); _bstr_t strSid = GenerateSidAsString(&opt, bTarget, dwRid);
if ((LPCTSTR)strServer && (LPCTSTR)strSid) { //
// Remove rights from account.
//
hr = m_pUserRights->RemoveUserRights(strServer, strSid, pAcct->psaUserRights); } else { hr = E_OUTOFMEMORY; } }
return hr;}
void CAcctRepl::WriteOptionsToLog(){ // This will make it easier to tell if arguments are ignored because they
// were specified in the wrong format, or misspelled, etc.
WCHAR cmdline[1000]; UStrCpy(cmdline ,GET_STRING(IDS_AccountMigration)); if ( opt.nochange ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_WriteChanges_No)); } UStrCpy(cmdline + UStrLen(cmdline),L" "); UStrCpy(cmdline + UStrLen(cmdline),opt.srcDomainFlat); UStrCpy(cmdline + UStrLen(cmdline),L" "); UStrCpy(cmdline + UStrLen(cmdline),opt.tgtDomainFlat); UStrCpy(cmdline + UStrLen(cmdline),L" "); if ( opt.flags & F_USERS ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_CopyUsers_Yes)); } else { UStrCpy(cmdline + UStrLen(cmdline), GET_STRING(IDS_CopyUsers_No)); } UStrCpy(cmdline + UStrLen(cmdline),L" "); if ( opt.flags & F_GROUP ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_CopyGlobalGroups_Yes)); } else { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_CopyGlobalGroups_No)); } UStrCpy(cmdline + UStrLen(cmdline),L" "); if ( opt.flags & F_LGROUP ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_CopyLocalGroups_Yes)); } else { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_CopyLocalGroups_No)); } UStrCpy(cmdline + UStrLen(cmdline),L" "); if ( opt.flags & F_MACHINE ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_CopyComputers_Yes)); } else { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_CopyComputers_No)); } UStrCpy(cmdline + UStrLen(cmdline),L" "); if ( opt.flags & F_REPLACE ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_ReplaceExisting_Yes)); UStrCpy(cmdline + UStrLen(cmdline),L" "); } if ( opt.flags & F_DISABLE_ALL ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_DisableAll_Yes)); UStrCpy(cmdline + UStrLen(cmdline),L" "); } else if ( opt.flags & F_DISABLE_SPECIAL ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_DisableSpecial_Yes)); UStrCpy(cmdline + UStrLen(cmdline),L" "); } if ( opt.flags & F_DISABLESOURCE ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_DisableSourceAccounts_Yes)); UStrCpy(cmdline + UStrLen(cmdline),L" "); } if ( opt.flags & F_STRONGPW_ALL ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_StrongPwd_All)); UStrCpy(cmdline + UStrLen(cmdline),L" "); } else if ( opt.flags & F_STRONGPW_SPECIAL ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_StrongPwd_Special)); UStrCpy(cmdline + UStrLen(cmdline),L" "); } if ( *opt.addToGroup ) { UStrCpy(cmdline + UStrLen(cmdline),GET_STRING(IDS_AddToGroup)); UStrCpy(cmdline + UStrLen(cmdline),opt.addToGroup); UStrCpy(cmdline + UStrLen(cmdline),L" "); } err.MsgWrite(0,DCT_MSG_GENERIC_S,cmdline);}
void CAcctRepl::LoadResultsToVarSet( IVarSet * pVarSet // i/o - VarSet
){ _bstr_t text;
text = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CSVResultFile)); if ( text.length() ) { CommaDelimitedLog results;
if ( results.LogOpen((WCHAR*)text,FALSE) ) { // Write the results to a comma-separated file
// as SrcName,TgtName,AccountType,Status, srcRid, tgtRid
// This file can be used by ST as input.
TNodeListEnum e; TAcctReplNode * tnode;
if ( acctList.IsTree() ) { acctList.ToSorted(); } for ( tnode = (TAcctReplNode *)e.OpenFirst(&acctList) ; tnode ; tnode = (TAcctReplNode *)e.Next() ) { results.MsgWrite(L"%s,%s,%lx,%lx,%lx,%lx",tnode->GetName(),tnode->GetTargetSam(), tnode->GetType(),tnode->GetStatus(),tnode->GetSourceRid(),tnode->GetTargetRid()); } e.Close(); results.LogClose(); } else { err.MsgWrite(ErrE,DCT_MSG_FAILED_TO_WRITE_ACCOUNT_STATS_S,text); Mark(L"errors", "generic"); } } long level = pVarSet->get(GET_BSTR(DCTVS_Results_ErrorLevel)); if ( level < err.GetMaxSeverityLevel() ) { pVarSet->put(GET_BSTR(DCTVS_Results_ErrorLevel),(LONG)err.GetMaxSeverityLevel()); }}
IADsGroup * GetWellKnownTargetGroup(long groupID,Options * pOptions){ IADsGroup * pGroup = NULL; HRESULT hr; PSID pSid; WCHAR strSid[LEN_Path]; WCHAR sPath[LEN_Path]; CLdapConnection c;
// Get the SID for the Domain Computers group
pSid = GetWellKnownSid(groupID,pOptions,TRUE); if ( pSid ) { c.BytesToString((LPBYTE)pSid,strSid,GetLengthSid(pSid));
swprintf(sPath,L"LDAP://%ls/<SID=%ls>",pOptions->tgtDomain,strSid); hr = ADsGetObject(sPath,IID_IADsGroup,(void**)&pGroup); FreeSid(pSid); }
return pGroup;}
void PadCnName(WCHAR * sTarget){ if (sTarget == NULL) _com_issue_error(E_INVALIDARG);
// escape character
const WCHAR ESCAPE_CHARACTER = L'\\'; // characters that need escaping for RDN format
static WCHAR SPECIAL_CHARACTERS[] = L"\"#+,;<=>\\";
// copy old name
WCHAR szOldName[LEN_Path]; DWORD dwArraySizeOfszOldName = sizeof(szOldName)/sizeof(szOldName[0]); if (wcslen(sTarget) >= dwArraySizeOfszOldName) _com_issue_error(HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER)); wcscpy(szOldName, sTarget);
WCHAR* pchNew = sTarget;
// for each character in old name...
for (WCHAR* pchOld = szOldName; *pchOld; pchOld++) { // if special character...
if (wcschr(SPECIAL_CHARACTERS, *pchOld)) { // then add escape character
*pchNew++ = ESCAPE_CHARACTER; }
// add character
*pchNew++ = *pchOld; }
// null terminate new name
*pchNew = L'\0';}
//------------------------------------------------------------------------------
// Create2KObj: Creates a Win2K object. This code uses LDAP to create a new
// object of specified type in the specified container.
// If any information is incorrect or If there are any access
// problems then it simply returns the Failed HRESULT.
//------------------------------------------------------------------------------
HRESULT CAcctRepl::Create2KObj( TAcctReplNode * pAcct, //in -TNode with account information
Options * pOptions, //in -Options set by the user.
CTargetPathSet& setTargetPath ){ // This function creates a Win2K object.
IADsPtr pAdsSrc; IADsPtr pAds; c_array<WCHAR> achAdsPath(LEN_Path); DWORD nPathLen = LEN_Path; c_array<WCHAR> achSubPath(LEN_Path); _bstr_t strClass; HRESULT hr; c_array<WCHAR> achTarget(LEN_Path); _variant_t varT; _bstr_t strName; IADsContainerPtr pCont; IDispatchPtr pDisp; c_array<WCHAR> achPref(LEN_Path); c_array<WCHAR> achSuf(LEN_Path);
// Get the name of the class for the source object so we can use that to create the new object.
strClass = pAcct->GetType();
if (!strClass) { return E_FAIL; }
// check if the sourceAdsPath, for LDAP paths only, is correct before creating this object on the target. If not fail now.
if (!wcsncmp(L"LDAP://", pAcct->GetSourcePath(), 7)) { wcsncpy(achAdsPath, pAcct->GetSourcePath(), nPathLen-1); hr = ADsGetObject(achAdsPath, IID_IADs, (void**)&pAdsSrc); if (FAILED(hr)) { err.SysMsgWrite(ErrE,hr, DCT_MSG_LDAP_CALL_FAILED_SD, (WCHAR*)achAdsPath, hr); Mark(L"errors", pAcct->GetType()); return hr; } }
// Now that we have the classname we can go ahead and create an object in the target domain.
// First we need to get IAdsContainer * to the domain.
wcscpy(achSubPath, pOptions->tgtOUPath); if ( !wcsncmp(L"LDAP://", achSubPath, 7) ) StuffComputerNameinLdapPath(achAdsPath, nPathLen, achSubPath, pOptions); else MakeFullyQualifiedAdsPath(achAdsPath, nPathLen, achSubPath, pOptions->tgtComp, pOptions->tgtNamingContext);
hr = ADsGetObject(achAdsPath, IID_IADsContainer, (void**)&pCont); if ( FAILED(hr) ) { if ( firstTime ) { err.SysMsgWrite(ErrE,hr,DCT_MSG_CONTAINER_NOT_FOUND_SSD, pOptions->tgtOUPath, pOptions->tgtDomain, hr); firstTime = false; Mark(L"errors", pAcct->GetType()); } if ( _wcsicmp(strClass, L"computer") == 0 ) { MakeFullyQualifiedAdsPath(achAdsPath, nPathLen, L"CN=Computers", pOptions->tgtDomain, pOptions->tgtNamingContext); hr = ADsGetObject(achAdsPath, IID_IADsContainer, (void**)&pCont); } else { MakeFullyQualifiedAdsPath(achAdsPath, nPathLen, L"CN=Users", pOptions->tgtDomain, pOptions->tgtNamingContext); hr = ADsGetObject(achAdsPath, IID_IADsContainer, (void**)&pCont); } if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr, DCT_MSG_DEFAULT_CONTAINER_NOT_FOUND_SD, (WCHAR*)achAdsPath, hr); Mark(L"errors", pAcct->GetType()); return (hr); } }
// Call the create method on the container.
wcscpy(achTarget, pAcct->GetTargetName());
// In case of the NT4 source domain the source and the target name have no CN= so we need
// to add this to the target name. The target name from the group mapping wizard also needs a "CN="
// added to the target name.
if ((pOptions->srcDomainVer < 5) || (!_wcsicmp(strClass, L"computer")) || (!_wcsicmp((WCHAR*)pOptions->sWizard, L"groupmapping"))) { c_array<WCHAR> achTemp(LEN_Path); wcscpy(achTemp, pAcct->GetTargetName()); PadCnName(achTemp); // if the CN part is not there add it.
if ( _wcsicmp(strClass, L"organizationalUnit") == 0 ) wsprintf(achTarget, L"OU=%s", (WCHAR*)achTemp); else wsprintf(achTarget, L"CN=%s", (WCHAR*)achTemp); pAcct->SetTargetName(achTarget); }
// we need to truncate CN name to less that 64 characters
for ( DWORD z = 0; z < wcslen(achTarget); z++ ) { if ( achTarget[z] == L'=' ) break; } if ( z < wcslen(achTarget) ) { // Get the prefix part ex.CN=
wcsncpy(achPref, achTarget, z+1); achPref[z+1] = 0; wcscpy(achSuf, achTarget+z+1); }
// The CN for the account could be greater than 64 we need to truncate it.
c_array<WCHAR> achTempCn(LEN_Path);
// if class is inetOrgPerson...
if (_wcsicmp(strClass, s_ClassInetOrgPerson) == 0) { // retrieve naming attribute
SNamingAttribute naNamingAttribute;
if (SUCCEEDED(GetNamingAttribute(pOptions->tgtDomainDns, s_ClassInetOrgPerson, naNamingAttribute))) { if (long(wcslen(achSuf)) > naNamingAttribute.nMaxRange) { err.MsgWrite(ErrE, DCT_MSG_RDN_LENGTH_GREATER_THAN_MAX_RANGE_S, pAcct->GetTargetName()); Mark(L"errors", pAcct->GetType()); return HRESULT_FROM_WIN32(ERROR_DS_CONSTRAINT_VIOLATION); } }
wcscpy(achTempCn, achSuf); } else if ( wcslen(achSuf) > 64 ) { if ( wcslen(pOptions->globalSuffix) ) { // in case of a global suffix we need to remove the suffix and then truncate the account and then readd the suffix.
achSuf[wcslen(achSuf) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = 64 - wcslen(pOptions->globalSuffix); wcsncpy(achTempCn, achSuf, truncate); achTempCn[truncate] = L'\0'; if (wcslen(pOptions->globalSuffix)) wcscat(achTempCn, pOptions->globalSuffix); err.MsgWrite(1, DCT_MSG_TRUNCATE_CN_SS, pAcct->GetTargetName(), (WCHAR*)achTempCn); } else wcscpy(achTempCn, achSuf);
wsprintf(achTarget, L"%s%s", (WCHAR*)achPref, (WCHAR*)achTempCn); pAcct->SetTargetName(achTarget);
// even for a local group the object type of the group has to be a local group
if ( !_wcsicmp(strClass, L"lgroup") ) { strClass = L"group"; }
// Call the create method on the container.
wcscpy(achTarget, pAcct->GetTargetName()); hr = pCont->Create(strClass, _bstr_t(achTarget), &pDisp); if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr,DCT_MSG_CREATE_FAILED_SSD, pAcct->GetTargetName(), pOptions->tgtOUPath, hr); Mark(L"errors", pAcct->GetType()); return hr; } // Get the IADs interface to get the path to newly created object.
pAds = pDisp; if ( pAds == NULL ) { err.SysMsgWrite(ErrE, hr, DCT_MSG_GET_IADS_FAILED_SSD, pAcct->GetTargetName(), pOptions->tgtOUPath, E_NOINTERFACE); Mark(L"errors", pAcct->GetType()); return hr; }
// if object class is inetOrgPerson and the naming attribute is not cn then...
if ((_wcsicmp(strClass, s_ClassInetOrgPerson) == 0) && (_wcsicmp(achPref, L"cn=") != 0)) { // retrieve the source cn attribute and set the target cn attribute
// the cn attribute is a mandatory attribute and therefore
// must be set before attempting to create the object
_bstr_t strCN(L"cn"); VARIANT var; VariantInit(&var);
hr = pAdsSrc->Get(strCN, &var);
if (SUCCEEDED(hr)) { pAds->Put(strCN, var); VariantClear(&var); } }
// Set the Target Account Sam name if not an OU.
wstring strTargetSam = pAcct->GetTargetSam();
// check if the $ is at the end of the SAM name for computer accounts.
if ( !_wcsicmp(strClass, L"computer") ) { // also make sure the target SAM name is not too long
if ( strTargetSam.length() > MAX_COMPUTERNAME_LENGTH + 1 ) { strTargetSam[MAX_COMPUTERNAME_LENGTH] = 0; } if (strTargetSam[strTargetSam.length()-1] != L'$') { strTargetSam += L"$"; pAcct->SetTargetSam(strTargetSam.c_str()); } }
varT = strTargetSam.c_str();
if ( _wcsicmp(strClass, L"organizationalUnit") != 0) // organizational unit has no sam account name
hr = pAds->Put(L"sAMAccountName", varT);
if ( _wcsicmp(strClass, L"group") == 0 ) { varT = _variant_t(pAcct->GetGroupType()); if ( pOptions->srcDomainVer < 5 ) { // all NT4 accounts are security accounts but they tell us that they are Dist accts so lets set them straight.
varT.lVal |= 0x80000000; } hr = pAds->Put(L"groupType", varT); } else if ((_wcsicmp(strClass, s_ClassUser) == 0) || (_wcsicmp(strClass, s_ClassInetOrgPerson) == 0)) { if (pAdsSrc == NULL) { ADsGetObject(const_cast<WCHAR*>(pAcct->GetSourcePath()), IID_IADs, (void**)&pAdsSrc); }
if (pAdsSrc) { // Get the source profile path and store it in the path
_variant_t var;
// Don't know why it is different for WinNT to ADSI
if ( pOptions->srcDomainVer > 4 ) hr = pAdsSrc->Get(L"profilePath", &var); else hr = pAdsSrc->Get(L"profile", &var);
if ( SUCCEEDED(hr)) { pAcct->SetSourceProfile((WCHAR*) V_BSTR(&var)); } } }
// In no change mode we do not call the set info.
if ( !pOptions->nochange ) { hr = pAds->SetInfo(); if ( FAILED(hr) ) { if (HRESULT_CODE(hr) == ERROR_OBJECT_ALREADY_EXISTS) { //
// check if object DN is conflicting with
// another object that is currently being migrated
//
BSTR bstrPath = 0;
if (SUCCEEDED(pAds->get_ADsPath(&bstrPath))) { pAcct->SetTargetPath(_bstr_t(bstrPath, false));
if (DoTargetPathConflict(setTargetPath, pAcct)) { return hr; } }
if ( wcslen(pOptions->prefix) > 0 ) { c_array<WCHAR> achTgt(LEN_Path); c_array<WCHAR> achTempSam(LEN_Path); _variant_t varStr;
// Here I am adding a prefix and then lets see if we can setinfo that way
// find the '=' sign
wcscpy(achTgt, pAcct->GetTargetName()); for ( DWORD z = 0; z < wcslen(achTgt); z++ ) { if ( achTgt[z] == L'=' ) break; } if ( z < wcslen(achTgt) ) { // Get the prefix part ex.CN=
wcsncpy(achPref, achTgt, z+1); achPref[z+1] = 0; wcscpy(achSuf, achTgt+z+1); }
// The CN for the account could be greater than 64 we need to truncate it.
// if class is inetOrgPerson...
if (_wcsicmp(strClass, s_ClassInetOrgPerson) == 0) { SNamingAttribute naNamingAttribute;
if (SUCCEEDED(GetNamingAttribute(pOptions->tgtDomainDns, s_ClassInetOrgPerson, naNamingAttribute))) { if (long(wcslen(achSuf) + wcslen(pOptions->prefix)) > naNamingAttribute.nMaxRange) { wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, pOptions->prefix, (WCHAR*)achSuf); err.MsgWrite(ErrE, DCT_MSG_RDN_LENGTH_GREATER_THAN_MAX_RANGE_S, (WCHAR*)achTgt); Mark(L"errors", pAcct->GetType()); return HRESULT_FROM_WIN32(ERROR_DS_CONSTRAINT_VIOLATION); } }
wcscpy(achTempCn, achSuf); } else if ( wcslen(achSuf) + wcslen(pOptions->prefix) > 64 ) { int truncate = 64 - wcslen(pOptions->prefix); wcsncpy(achTempCn, achSuf, truncate); achTempCn[truncate] = L'\0'; err.MsgWrite(1, DCT_MSG_TRUNCATE_CN_SS, pAcct->GetTargetName(), (WCHAR*)achTempCn); } else wcscpy(achTempCn, achSuf); // Remove the \ if it is escaping the space
if ( achTempCn[0] == L'\\' && achTempCn[1] == L' ' ) { wstring str = achTempCn + 1; wcscpy(achTempCn, str.c_str()); } // Build the target string with the Prefix
wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, pOptions->prefix, (WCHAR*)achTempCn);
pAcct->SetTargetName(achTgt);
// Create the object in the container
hr = pCont->Create(strClass, _bstr_t(achTgt), &pDisp); if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr,DCT_MSG_CREATE_FAILED_SSD, pAcct->GetTargetName(), pOptions->tgtOUPath, hr); Mark(L"errors", pAcct->GetType()); return hr; } // Get the IADs interface to get the path to newly created object.
hr = pDisp->QueryInterface(IID_IADs, (void**)&pAds); if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr, DCT_MSG_GET_IADS_FAILED_SSD, pAcct->GetTargetName(), pOptions->tgtOUPath, hr); Mark(L"errors", pAcct->GetType()); return hr; }
// if object class is inetOrgPerson and the naming attribute is not cn then...
if ((_wcsicmp(strClass, s_ClassInetOrgPerson) == 0) && (_wcsicmp(achPref, L"cn=") != 0)) { // retrieve the source cn attribute and set the target cn attribute
// the cn attribute is a mandatory attribute and therefore
// must be set before attempting to create the object
_bstr_t strCN(L"cn"); VARIANT var; VariantInit(&var);
hr = pAdsSrc->Get(strCN, &var);
if (SUCCEEDED(hr)) { pAds->Put(strCN, var); VariantClear(&var); } }
// truncate to allow prefix/suffix to fit in 20 characters.
int resLen = wcslen(pOptions->prefix) + wcslen(pAcct->GetTargetSam()); if ( !_wcsicmp(pAcct->GetType(), L"computer") ) { // Computer name can be only 15 characters long + $
if ( resLen > MAX_COMPUTERNAME_LENGTH + 1 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; }
int truncate = MAX_COMPUTERNAME_LENGTH + 1 - wcslen(pOptions->prefix) - wcslen(pOptions->globalSuffix); if ( truncate < 1 ) truncate = 1; wcsncpy(achTempSam, achTruncatedSam, truncate - 1); achTempSam[truncate-1] = L'\0'; // Dont forget the $ sign and terminate string.
wcscat(achTempSam, pOptions->globalSuffix); wcscat(achTempSam, L"$"); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the prefix
wsprintf(achTgt, L"%s%s", pOptions->prefix,(WCHAR*)achTempSam); } else if ((_wcsicmp(pAcct->GetType(), s_ClassUser) == 0) || (_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson) == 0)) { if ( resLen > 20 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = 20 - wcslen(pOptions->prefix) - wcslen(pOptions->globalSuffix); if ( truncate < 0 ) truncate = 0; wcsncpy(achTempSam, achTruncatedSam, truncate); achTempSam[truncate] = L'\0'; wcscat(achTempSam, pOptions->globalSuffix); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the prefix
wsprintf(achTgt, L"%s%s", pOptions->prefix, (WCHAR*)achTempSam); } else wsprintf(achTgt, L"%s%s", pOptions->prefix,pAcct->GetTargetSam());
pAcct->SetTargetSam(achTgt); varStr = achTgt; pAds->Put(L"sAMAccountName", varStr); if ( _wcsicmp(strClass, L"group") == 0 ) { varT = _variant_t(pAcct->GetGroupType()); if ( pOptions->srcDomainVer < 5 ) { // all NT4 accounts are security accounts but they tell us that they are Dist accts so lets set them straight.
varT.lVal |= 0x80000000; } hr = pAds->Put(L"groupType", varT); } hr = pAds->SetInfo(); if ( SUCCEEDED(hr) ) { Mark(L"created", strClass); pAcct->MarkCreated(); BSTR sTgtPath = 0; HRESULT temphr = pAds->get_ADsPath(&sTgtPath); if ( SUCCEEDED(temphr) ) { pAcct->SetTargetPath(_bstr_t(sTgtPath, false)); setTargetPath.insert(pAcct); } else pAcct->SetTargetPath(L""); } else if ( HRESULT_CODE(hr) == ERROR_OBJECT_ALREADY_EXISTS ) { //
// check if object DN is conflicting with
// another object that is currently being migrated
//
BSTR bstrPath = 0;
if (SUCCEEDED(pAds->get_ADsPath(&bstrPath))) { pAcct->SetTargetPath(_bstr_t(bstrPath, false));
if (DoTargetPathConflict(setTargetPath, pAcct)) { return hr; } }
pAcct->MarkAlreadyThere(); err.MsgWrite(ErrE, DCT_MSG_PREF_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"errors",pAcct->GetType()); } else { pAcct->MarkError(); err.SysMsgWrite(ErrE, hr, DCT_MSG_CREATE_FAILED_SSD, pAcct->GetTargetSam(), pOptions->tgtOUPath, hr); Mark(L"errors",pAcct->GetType()); } } else if ( wcslen(pOptions->suffix) > 0 ) { c_array<WCHAR> achTgt(LEN_Path); c_array<WCHAR> achTempSam(LEN_Path); _variant_t varStr; wcscpy(achTgt, pAcct->GetTargetName()); for ( DWORD z = 0; z < wcslen(achTgt); z++ ) { if ( achTgt[z] == L'=' ) break; } if ( z < wcslen(achTgt) ) { // Get the prefix part ex.CN=
wcsncpy(achPref, achTgt, z+1); achPref[z+1] = 0; wcscpy(achSuf, achTgt+z+1); }
// The CN for the account could be greater than 64 we need to truncate it.
// if class is inetOrgPerson...
if (_wcsicmp(strClass, s_ClassInetOrgPerson) == 0) { SNamingAttribute naNamingAttribute;
if (SUCCEEDED(GetNamingAttribute(pOptions->tgtDomainDns, s_ClassInetOrgPerson, naNamingAttribute))) { if (long(wcslen(achSuf) + wcslen(pOptions->suffix)) > naNamingAttribute.nMaxRange) { wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, (WCHAR*)achSuf, pOptions->suffix); err.MsgWrite(ErrE, DCT_MSG_RDN_LENGTH_GREATER_THAN_MAX_RANGE_S, (WCHAR*)achTgt); Mark(L"errors", pAcct->GetType()); return HRESULT_FROM_WIN32(ERROR_DS_CONSTRAINT_VIOLATION); } }
wcscpy(achTempCn, achSuf); } else if ( wcslen(achSuf) + wcslen(pOptions->suffix) + wcslen(pOptions->globalSuffix) > 64 ) { if ( wcslen(pOptions->globalSuffix) ) { // in case of a global suffix we need to remove the suffix and then truncate the account and then readd the suffix.
achSuf[wcslen(achSuf) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = 64 - wcslen(pOptions->suffix) - wcslen(pOptions->globalSuffix); wcsncpy(achTempCn, achSuf, truncate); achTempCn[truncate] = L'\0'; wcscat(achTempCn, pOptions->globalSuffix); err.MsgWrite(1, DCT_MSG_TRUNCATE_CN_SS, pAcct->GetTargetName(), (WCHAR*)achSuf); } else wcscpy(achTempCn, achSuf);
// Remove the trailing space \ escape sequence
wcscpy(achTgt, achTempCn); for ( int i = wcslen(achTgt)-1; i >= 0; i-- ) { if ( achTgt[i] != L' ' ) break; }
if ( achTgt[i] == L'\\' ) { WCHAR * pTemp = &achTgt[i]; *pTemp = 0; wcscat(achPref, achTgt); wcscpy(achSuf, pTemp+1); } else { wcscat(achPref, achTgt); wcscpy(achSuf, L""); } wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, (WCHAR*)achSuf, pOptions->suffix); pAcct->SetTargetName(achTgt);
// Create the object in the container
hr = pCont->Create(strClass, _bstr_t(achTgt), &pDisp); if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr,DCT_MSG_CREATE_FAILED_SSD, pAcct->GetTargetName(), pOptions->tgtOUPath, hr); Mark(L"errors", pAcct->GetType()); return hr; } // Get the IADs interface to get the path to newly created object.
hr = pDisp->QueryInterface(IID_IADs, (void**)&pAds); if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr, DCT_MSG_GET_IADS_FAILED_SSD, pAcct->GetTargetName(), pOptions->tgtOUPath, hr); Mark(L"errors", pAcct->GetType()); return hr; }
// if object class is inetOrgPerson and the naming attribute is not cn then...
if ((_wcsicmp(strClass, s_ClassInetOrgPerson) == 0) && (_wcsicmp(achPref, L"cn=") != 0)) { // retrieve the source cn attribute and set the target cn attribute
// the cn attribute is a mandatory attribute and therefore
// must be set before attempting to create the object
_bstr_t strCN(L"cn"); VARIANT var; VariantInit(&var);
hr = pAdsSrc->Get(strCN, &var);
if (SUCCEEDED(hr)) { pAds->Put(strCN, var); VariantClear(&var); } }
// truncate to allow prefix/suffix to fit in valid length
int resLen = wcslen(pOptions->suffix) + wcslen(pAcct->GetTargetSam()); if ( !_wcsicmp(pAcct->GetType(), L"computer") ) { // Computer name can be only 15 characters long + $
if ( resLen > MAX_COMPUTERNAME_LENGTH + 1 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = MAX_COMPUTERNAME_LENGTH + 1 - wcslen(pOptions->suffix) - wcslen(pOptions->globalSuffix); if ( truncate < 1 ) truncate = 1; wcsncpy(achTempSam, achTruncatedSam, truncate - 1); achTempSam[truncate-1] = L'\0'; // Re add the global suffix after the truncation.
wcscat(achTempSam, pOptions->globalSuffix); wcscat(achTempSam, L"$"); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the suffix taking into account the $ sign
if ( achTempSam[wcslen(achTempSam) - 1] == L'$' ) achTempSam[wcslen(achTempSam) - 1] = L'\0'; wsprintf(achTgt, L"%s%s$", (WCHAR*)achTempSam, pOptions->suffix); } else if ((_wcsicmp(pAcct->GetType(), s_ClassUser) == 0) || (_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson) == 0)) { if ( resLen > 20 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = 20 - wcslen(pOptions->suffix) - wcslen(pOptions->globalSuffix); if ( truncate < 0 ) truncate = 0; wcsncpy(achTempSam, achTruncatedSam, truncate); achTempSam[truncate] = L'\0'; wcscat(achTempSam, pOptions->globalSuffix); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the suffix.
wsprintf(achTgt, L"%s%s", (WCHAR*)achTempSam, pOptions->suffix); } else wsprintf(achTgt, L"%s%s", pAcct->GetTargetSam(), pOptions->suffix);
pAcct->SetTargetSam(achTgt); varStr = achTgt;
pAds->Put(L"sAMAccountName", varStr); if ( _wcsicmp(strClass, L"group") == 0 ) { varT = _variant_t(pAcct->GetGroupType()); if ( pOptions->srcDomainVer < 5 ) { // all NT4 accounts are security accounts but they tell us that they are Dist accts so lets set them straight.
varT.lVal |= 0x80000000; } hr = pAds->Put(L"groupType", varT); } hr = pAds->SetInfo(); if ( SUCCEEDED(hr) ) { Mark(L"created", strClass); pAcct->MarkCreated(); BSTR sTgtPath = 0; HRESULT temphr = pAds->get_ADsPath(&sTgtPath); if ( SUCCEEDED(temphr) ) { pAcct->SetTargetPath(_bstr_t(sTgtPath, false)); setTargetPath.insert(pAcct); } else pAcct->SetTargetPath(L""); } else if ( HRESULT_CODE(hr) == ERROR_OBJECT_ALREADY_EXISTS ) { //
// check if object DN is conflicting with
// another object that is currently being migrated
//
BSTR bstrPath = 0;
if (SUCCEEDED(pAds->get_ADsPath(&bstrPath))) { pAcct->SetTargetPath(_bstr_t(bstrPath, false));
if (DoTargetPathConflict(setTargetPath, pAcct)) { return hr; } }
pAcct->MarkAlreadyThere(); err.MsgWrite(ErrE, DCT_MSG_PREF_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"errors",pAcct->GetType()); } else { pAcct->MarkError(); err.SysMsgWrite(ErrE, hr, DCT_MSG_CREATE_FAILED_SSD, pAcct->GetTargetSam(), pOptions->tgtOUPath, hr); Mark(L"errors",pAcct->GetType()); } } else { if (pOptions->flags & F_REPLACE) { c_array<WCHAR> achPath9(LEN_Path); SAFEARRAY * pszColNames = NULL; BSTR HUGEP * pData; LPWSTR sData[] = { L"ADsPath", L"profilePath", L"objectClass" }; INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); IEnumVARIANT * pEnumMem = NULL; _variant_t var; DWORD dwFetch; HRESULT temphr; int nElt = DIM(sData); SAFEARRAYBOUND bd = { nElt, 0 }; BOOL bIsCritical = FALSE; BOOL bIsDifferentType = FALSE;
// Since the object already exists we need to get the ADsPath to the object and update the acct structure
// Set up the query and the path
wstring strPath = L"LDAP://"; strPath += pOptions->tgtComp+2; strPath += L"/"; strPath += pOptions->tgtNamingContext; wstring sTempSamName = pAcct->GetTargetSam(); if ( sTempSamName[0] == L' ' ) { sTempSamName = L"\\20" + sTempSamName.substr(1); } wstring sQuery = L"(sAMAccountName=" + sTempSamName + L")";
temphr = pQuery->raw_SetQuery(_bstr_t(strPath.c_str()), _bstr_t(pOptions->tgtDomainDns), _bstr_t(sQuery.c_str()), ADS_SCOPE_SUBTREE, FALSE); if ( FAILED(temphr) ) { return temphr; }
// Set up the columns so we get the ADsPath of the object.
pszColNames = ::SafeArrayCreate(VT_BSTR, 1, &bd); temphr = ::SafeArrayAccessData(pszColNames, (void HUGEP **)&pData); if ( FAILED(temphr) ) { SafeArrayDestroy(pszColNames); return temphr; } for ( long i = 0; i < nElt; i++ ) { pData[i] = SysAllocString(sData[i]); } temphr = ::SafeArrayUnaccessData(pszColNames); if ( FAILED(temphr) ) { ::SafeArrayDestroy(pszColNames); return temphr; } temphr = pQuery->raw_SetColumns(pszColNames); if ( FAILED(temphr) ) { ::SafeArrayDestroy(pszColNames); return temphr; } // Time to execute the plan.
temphr = pQuery->raw_Execute(&pEnumMem); if ( FAILED(temphr) ) { ::SafeArrayDestroy(pszColNames); return temphr; } ::SafeArrayDestroy(pszColNames); temphr = pEnumMem->Next(1, &var, &dwFetch); if ( temphr == S_OK ) { // This would only happen if the member existed in the target domain.
// We now have a Variant containing an array of variants so we access the data
_variant_t * pVar; _bstr_t sConfName = pAcct->GetTargetName(); _bstr_t sOldCont; pszColNames = V_ARRAY(&var); SafeArrayAccessData(pszColNames, (void HUGEP **)&pVar); wcscpy(achAdsPath, (WCHAR*)pVar[0].bstrVal); pAcct->SetTargetPath(achAdsPath);
// Check if the object we are about to replace is of the same type.
if ( _wcsicmp(pAcct->GetType(), (WCHAR*) pVar[2].bstrVal) ) bIsDifferentType = TRUE;
SafeArrayUnaccessData(pszColNames); IADsPtr pAdsNew; temphr = ADsGetObject(const_cast<WCHAR*>(pAcct->GetTargetPath()), IID_IADs, (void**)&pAdsNew); if ( SUCCEEDED(temphr) ) { //see if critical
_variant_t varCritical; temphr = pAdsNew->Get(L"isCriticalSystemObject", &varCritical); if (SUCCEEDED(temphr)) { bIsCritical = V_BOOL(&varCritical) == -1 ? TRUE : FALSE; } //get the name
BSTR sTgtName = NULL; temphr = pAdsNew->get_Name(&sTgtName); if ( SUCCEEDED(temphr) ) sConfName = _bstr_t(sTgtName, false);
//get the parent container of the conflicting object
BSTR sTgtCont = NULL; temphr = pAdsNew->get_Parent(&sTgtCont); if ( SUCCEEDED(temphr) ) sOldCont = _bstr_t(sTgtCont, false); }
if ( bIsDifferentType ) { // Since the source and target accounts are of different types we do not want to replace these.
hr = HRESULT_FROM_WIN32(ERROR_DS_SRC_AND_DST_OBJECT_CLASS_MISMATCH); } //else if not critical then move the account
else if ( !bIsCritical ) { //if user selected to move that account into the user-specified OU, then move it
if (pOptions->flags & F_MOVE_REPLACED_ACCT) { temphr = pCont->MoveHere(const_cast<WCHAR*>(pAcct->GetTargetPath()), const_cast<WCHAR*>(pAcct->GetTargetName()), &pDisp); //if move failed due to CN conflict, do not migrate
if ( FAILED(temphr) ) { // Retrieve distinguished names of object and container from path.
CADsPathName pathname; pathname.Set(pAcct->GetTargetPath(), ADS_SETTYPE_FULL); _bstr_t strObjectPath = pathname.Retrieve(ADS_FORMAT_X500_DN); pathname.Set(pOptions->tgtOUPath, ADS_SETTYPE_FULL); _bstr_t strContainerPath = pathname.Retrieve(ADS_FORMAT_X500_DN);
// Log error and mark account so that no further operations are
// performed for this account.
err.SysMsgWrite(ErrE, hr, DCT_MSG_MOVE_FAILED_RDN_CONFLICT_SS, (LPCTSTR)strObjectPath, (LPCTSTR)strContainerPath); Mark(L"errors", pAcct->GetType()); pAcct->operations = 0; pAcct->MarkError();
return temphr; } } else //else try to rename the CN of the object (I'll use the same MoveHere API)
{ IADsContainerPtr pOldCont; temphr = ADsGetObject(sOldCont, IID_IADsContainer, (void**)&pOldCont); if (SUCCEEDED(temphr)) { temphr = pOldCont->MoveHere(const_cast<WCHAR*>(pAcct->GetTargetPath()), const_cast<WCHAR*>(pAcct->GetTargetName()), &pDisp); } //if failed to rename the CN, do not migrate
if ( FAILED(temphr) ) { // The CN rename failed due to conflicting CN in this container
err.MsgWrite(ErrE, DCT_MSG_CN_RENAME_CONFLICT_SSS, (WCHAR*)sConfName, pAcct->GetTargetName(), (WCHAR*)sOldCont); Mark(L"errors", pAcct->GetType()); //if we couldn't rename the CN, change the error code so we don't continue migrating this user
if ((HRESULT_CODE(temphr) == ERROR_OBJECT_ALREADY_EXISTS)) temphr = HRESULT_FROM_WIN32(ERROR_DS_INVALID_DN_SYNTAX); return temphr; } }
// Get the new location of the object.
BSTR sNewPath; temphr = pDisp->QueryInterface(IID_IADs, (void**)&pAdsNew); if ( FAILED(temphr) ) { return temphr; } temphr = pAdsNew->get_ADsPath(&sNewPath); if ( FAILED(temphr) ) { return temphr; } // And store that in the target path
pAcct->SetTargetPath((WCHAR*) sNewPath); SysFreeString(sNewPath); setTargetPath.insert(pAcct);
// If the account is a group account and the Replace Existing members flag is set then we need to
// remove all the members of this group.
if ( (_wcsicmp(L"group", pAcct->GetType()) == 0 ) && (pOptions->flags & F_REMOVE_OLD_MEMBERS) ) RemoveMembers(pAcct, pOptions);
pAcct->MarkAlreadyThere(); pAcct->MarkReplaced(); } else { //if this is a special account that we need to mark as such
if (bIsCritical) { pAcct->MarkCritical(); hr = HRESULT_FROM_WIN32(ERROR_SPECIAL_ACCOUNT); } } } else { // Sam Account name is not in the target domain and we have a conflict see if it is a CN conf
DWORD nPathLen = LEN_Path; c_array<WCHAR> achPath(LEN_Path); IADs * pAdsNew = NULL;
// Build the path to the target object
MakeFullyQualifiedAdsPath(achPath9, nPathLen, pOptions->tgtOUPath, pOptions->tgtDomain, pOptions->tgtNamingContext); WCHAR * pRelativeTgtOUPath = wcschr(achPath9 + UStrLen(L"LDAP://") + 2,L'/');
if ( pRelativeTgtOUPath ) { *pRelativeTgtOUPath = 0; swprintf(achPath,L"%ls/%ls,%ls",(WCHAR*)achPath9,pAcct->GetTargetName(),pRelativeTgtOUPath+1); }
temphr = ADsGetObject(achPath, IID_IADs, (void**) &pAdsNew); if ( SUCCEEDED(temphr) ) { // Object with that CN exists so we use it
BSTR sTgtPath; HRESULT temphr = pAdsNew->get_ADsPath(&sTgtPath); if (SUCCEEDED(temphr)) pAcct->SetTargetPath(sTgtPath); else pAcct->SetTargetPath(L""); // Check if the object we are about to replace is of the same type.
BSTR sClass; temphr = pAdsNew->get_Class(&sClass); if ((SUCCEEDED(temphr)) && (!_wcsicmp(pAcct->GetType(), (WCHAR*)sClass))) bIsDifferentType = FALSE; else bIsDifferentType = TRUE;
_variant_t varCritical; temphr = pAdsNew->Get(L"isCriticalSystemObject", &varCritical); if (SUCCEEDED(temphr)) bIsCritical = V_BOOL(&varCritical) == -1 ? TRUE : FALSE;
//if the source and target accounts are of different types we do not want to replace these.
if (bIsDifferentType) { hr = HRESULT_FROM_WIN32(ERROR_DS_SRC_AND_DST_OBJECT_CLASS_MISMATCH); } //else if not critical then fix the SAM name and other related chores
else if ( !bIsCritical ) { //get the old Target Account Sam name
_variant_t varOldSAM = pAcct->GetTargetSam(); temphr = pAdsNew->Get(L"sAMAccountName", &varOldSAM); // Set the Target Account Sam name
_variant_t varSAM = pAcct->GetTargetSam(); temphr = pAdsNew->Put(L"sAMAccountName", varSAM); if (SUCCEEDED(temphr)) temphr = pAdsNew->SetInfo(); if ( FAILED(temphr) ) { // The SAM rename failed due to conflicting SAM, do not migrate
err.MsgWrite(ErrE, DCT_MSG_SAM_RENAME_CONFLICT_SS, (WCHAR*)(varOldSAM.bstrVal), pAcct->GetTargetSam()); Mark(L"errors", pAcct->GetType()); return temphr; }
setTargetPath.insert(pAcct);
// If the account is a group account and the Replace Existing members flag is set then we need to
// remove all the members of this group.
if ( (_wcsicmp(L"group", pAcct->GetType()) == 0 ) && (pOptions->flags & F_REMOVE_OLD_MEMBERS) ) RemoveMembers(pAcct, pOptions);
pAcct->MarkAlreadyThere(); pAcct->MarkReplaced(); } else { //if this is a special account that we need to mark as such
if (bIsCritical) { pAcct->MarkCritical(); hr = HRESULT_FROM_WIN32(ERROR_SPECIAL_ACCOUNT); } } } else { // This should only happen if the replace fails because the object that already has
// this SAM Account Name is a special Win2K builtin object or container
// One example of this problem is "Service".
pAcct->SetStatus(pAcct->GetStatus()|AR_Status_Special); err.SysMsgWrite(ErrE,ERROR_SPECIAL_ACCOUNT,DCT_MSG_REPLACE_FAILED_SD,pAcct->GetName(),ERROR_SPECIAL_ACCOUNT); Mark(L"errors", pAcct->GetType()); } } pEnumMem->Release(); } else { pAcct->MarkAlreadyThere(); err.MsgWrite(ErrW,DCT_MSG_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"warnings",pAcct->GetType());
// retrieve target path for account
// fix group membership expects target path to be set
// even for conflicting objects that were not replaced
HRESULT hrPath = pCont->GetObject(strClass, _bstr_t(achTarget), &pDisp);
if (SUCCEEDED(hrPath)) { BSTR bstr; IADsPtr spObject(pDisp); hrPath = spObject->get_ADsPath(&bstr);
if (SUCCEEDED(hrPath)) { pAcct->SetTargetPath(_bstr_t(bstr, false)); setTargetPath.insert(pAcct); } } } } } } else { Mark(L"created", pAcct->GetType()); pAcct->MarkCreated(); BSTR sTgtPath = NULL; HRESULT temphr = pAds->get_ADsPath(&sTgtPath); if ( SUCCEEDED(temphr) ) { pAcct->SetTargetPath(sTgtPath); SysFreeString(sTgtPath); setTargetPath.insert(pAcct); } else pAcct->SetTargetPath(L"");
// Add computers to
if ( !_wcsicmp(strClass,L"computer") ) { IADsGroupPtr pGroup = GetWellKnownTargetGroup(DOMAIN_COMPUTERS,pOptions); if ( pGroup ) { temphr = pGroup->Add(SysAllocString(pAcct->GetTargetPath())); if ( SUCCEEDED(temphr) ) { // if we successfully added the computer to Domain computers, now set Domain Computers as
// the primary group
temphr = pAds->Put(L"primaryGroupID",_variant_t(LONG(515))); if ( SUCCEEDED(temphr) ) { temphr = pAds->SetInfo(); } if ( SUCCEEDED(hr) ) { // if this worked, now we can remove the computer from Domain Users
pGroup = GetWellKnownTargetGroup(DOMAIN_USERS,pOptions); if ( pGroup ) { temphr = pGroup->Remove(SysAllocString(pAcct->GetTargetPath())); } } } } } } } else { // This is the No change mode. All we need to do here is to see if there might be a collision.
c_array<WCHAR> achPath(LEN_Path); c_array<WCHAR> achPath9(LEN_Path); DWORD nPathLen = LEN_Path; c_array<WCHAR> achPathTmp(LEN_Path); IADsPtr pAdsNew; BOOL bConflict = FALSE;
/* see if the CN conflicts */ // Build the path to the target object
MakeFullyQualifiedAdsPath(achPath9, nPathLen, pOptions->tgtOUPath, pOptions->tgtDomain, pOptions->tgtNamingContext); WCHAR * pRelativeTgtOUPath = wcschr(achPath9 + UStrLen(L"LDAP://") + 2,L'/'); if ( pRelativeTgtOUPath ) { *pRelativeTgtOUPath = 0; swprintf(achPathTmp,L"%ls/%ls,%ls",(WCHAR*)achPath9,pAcct->GetTargetName(),pRelativeTgtOUPath+1); }
//
// check if object DN is conflicting with
// another object that is currently being migrated
//
pAcct->SetTargetPath(achPathTmp);
if (DoTargetPathConflict(setTargetPath, pAcct)) { return HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); }
HRESULT temphr = ADsGetObject(achPathTmp, IID_IADs, (void**) &pAdsNew); if (SUCCEEDED(temphr)) { bConflict = TRUE; } /* if no CN conflict, see if the SAM conflicts */ if (!bConflict) { hr = LookupAccountInTarget(pOptions, const_cast<WCHAR*>(pAcct->GetTargetSam()), achPath); if ( hr == S_OK ) bConflict = TRUE; }
if (!bConflict) { // There is no such account on the target. We can go ahead and assume that it would have worked.
hr = S_OK; Mark(L"created", pAcct->GetType()); pAcct->MarkCreated();
//if the UPN conflicted, post a message
if (pAcct->bUPNConflicted) err.MsgWrite(ErrE, DCT_MSG_UPN_CONF, pAcct->GetTargetSam()); } else { bConflict = FALSE; //reset the conflict flag
// there is a conflict. See if we need to add prefix or suffix. Or simply replace the account.
if ( wcslen(pOptions->prefix) > 0 ) { // Prefix was specified so we need to try that.
c_array<WCHAR> achTgt(LEN_Path); _variant_t varStr;
// Here I am adding a prefix and then lets see if we can setinfo that way
// find the '=' sign
wcscpy(achTgt, pAcct->GetTargetName()); for ( DWORD z = 0; z < wcslen(achTgt); z++ ) { if ( achTgt[z] == L'=' ) break; } if ( z < wcslen(achTgt) ) { // Get the prefix part ex.CN=
wcsncpy(achPref, achTgt, z+1); achPref[z+1] = 0; wcscpy(achSuf, achTgt+z+1); }
// Build the target string with the Prefix
wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, pOptions->prefix, (WCHAR*)achSuf); pAcct->SetTargetName(achTgt);
// Build the target SAM name with the prefix.
wsprintf(achTgt, L"%s%s", pOptions->prefix, pAcct->GetTargetSam()); pAcct->SetTargetSam(achTgt);
//see if the CN still conflicts
swprintf(achPathTmp,L"%ls/%ls,%ls",(WCHAR*)achPath9,pAcct->GetTargetName(),pRelativeTgtOUPath+1);
//
// check if object DN is conflicting with
// another object that is currently being migrated
//
pAcct->SetTargetPath(achPathTmp);
if (DoTargetPathConflict(setTargetPath, pAcct)) { return HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); }
temphr = ADsGetObject(achPathTmp, IID_IADs, (void**) &pAdsNew); if (SUCCEEDED(temphr)) { bConflict = TRUE; } //if no CN conflict, see if the SAM name conflicts
if (!bConflict) { hr = LookupAccountInTarget(pOptions, const_cast<WCHAR*>(pAcct->GetTargetSam()), achPath); if ( hr == S_OK ) bConflict = TRUE; }
if (!bConflict) { hr = 0; Mark(L"created", strClass); pAcct->MarkCreated(); } else { hr = HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); pAcct->MarkAlreadyThere(); err.MsgWrite(ErrE, DCT_MSG_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"errors",pAcct->GetType()); }
//if the UPN conflicted, post a message
if (pAcct->bUPNConflicted) err.MsgWrite(ErrE, DCT_MSG_UPN_CONF, pAcct->GetTargetSam()); } else if ( wcslen(pOptions->suffix) > 0 ) { // Suffix was specified so we will try that.
c_array<WCHAR> achTgt(LEN_Path); _variant_t varStr; // Here I am adding a prefix and then lets see if we can setinfo that way
wsprintf(achTgt, L"%s%s", pAcct->GetTargetName(), pOptions->suffix); // Build the target SAM name with the prefix.
wsprintf(achTgt, L"%s%s", pAcct->GetTargetSam(), pOptions->suffix); pAcct->SetTargetSam(achTgt);
//see if the CN still conflicts
swprintf(achPathTmp,L"%ls/%ls,%ls",(WCHAR*)achPath9,pAcct->GetTargetName(),pRelativeTgtOUPath+1);
//
// check if object DN is conflicting with
// another object that is currently being migrated
//
pAcct->SetTargetPath(achPathTmp);
if (DoTargetPathConflict(setTargetPath, pAcct)) { return HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); }
temphr = ADsGetObject(achPathTmp, IID_IADs, (void**) &pAdsNew); if (SUCCEEDED(temphr)) { bConflict = TRUE; } //if no CN conflict, see if the SAM name conflicts
if (!bConflict) { hr = LookupAccountInTarget(pOptions, const_cast<WCHAR*>(pAcct->GetTargetSam()), achPath); if ( hr == S_OK ) bConflict = TRUE; }
if (!bConflict) { hr = 0; Mark(L"created", strClass); pAcct->MarkCreated(); } else { hr = HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); pAcct->MarkAlreadyThere(); err.MsgWrite(ErrE, DCT_MSG_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"errors",pAcct->GetType()); }
//if the UPN conflicted, post a message
if (pAcct->bUPNConflicted) err.MsgWrite(ErrE, DCT_MSG_UPN_CONF, pAcct->GetTargetSam()); } else if (pOptions->flags & F_REPLACE) { // Replace the account.
hr = HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); } else { // The account is already there and we really cant do anything about it. So tell the user.
hr = HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); pAcct->MarkAlreadyThere(); err.MsgWrite(ErrE, DCT_MSG_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"errors",pAcct->GetType()); } }
pAcct->SetTargetPath(achPathTmp); setTargetPath.insert(pAcct); }
return hr;}
//----------------------------------------------------------------------------
// DoTargetPathConflict
//
// Checks if object's target distinguished name conflicts with another object
// that is currently being migrated and has already been processed.
//
// If a conflict is detected the account node's operations bits are cleared to
// prevent any further processing of this object and an error message is
// logged.
//----------------------------------------------------------------------------
bool CAcctRepl::DoTargetPathConflict(CTargetPathSet& setTargetPath, TAcctReplNode* pAcct){ bool bConflict = false;
//
// If path conflicts are not to be ignored then check for a path conflict.
//
if (m_bIgnorePathConflict == false) { CTargetPathSet::iterator it = setTargetPath.find(pAcct);
if (it != setTargetPath.end()) { pAcct->operations = 0;
err.MsgWrite( ErrW, DCT_MSG_OBJECT_RDN_CONFLICT_WITH_OTHER_CURRENT_OBJECT_SSS, pAcct->GetSourcePath(), pAcct->GetTargetName(), (*it)->GetSourcePath() );
Mark(L"errors", pAcct->GetType());
bConflict = true; } }
return bConflict;}
// GetNamingAttribute Method
HRESULT CAcctRepl::GetNamingAttribute(LPCTSTR pszServer, LPCTSTR pszClass, SNamingAttribute& rNamingAttribute){ HRESULT hr = S_OK;
try { if (pszServer == NULL) _com_issue_error(E_INVALIDARG);
wstring strClass = pszClass;
CNamingAttributeMap::iterator it = m_mapNamingAttribute.find(strClass);
if (it != m_mapNamingAttribute.end()) { rNamingAttribute = it->second; } else { WCHAR szADsPath[LEN_Path]; DWORD dwArraySizeOfszADsPath = sizeof(szADsPath)/sizeof(szADsPath[0]);
// bind to rootDSE
IADsPtr spRootDSE; if (wcslen(L"LDAP://") + wcslen(pszServer) + wcslen(L"/rootDSE") >= dwArraySizeOfszADsPath) _com_issue_error(HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER)); wcscpy(szADsPath, L"LDAP://"); wcscat(szADsPath, pszServer); wcscat(szADsPath, L"/rootDSE"); CheckError(ADsGetObject(szADsPath, __uuidof(IADs), (VOID**)&spRootDSE));
// get schema naming context
VARIANT var; CheckError(spRootDSE->Get(_bstr_t(L"schemaNamingContext"), &var)); _bstr_t strSchemaNamingContext = _variant_t(var, false);
// bind to schema's directory search interface
IDirectorySearchPtr spSearch; wcscpy(szADsPath, L"LDAP://"); wcscat(szADsPath, strSchemaNamingContext); CheckError(ADsGetObject(szADsPath, __uuidof(IDirectorySearch), (VOID**)&spSearch));
// search for inetOrgPerson class and retrieve rDNAttID attribute
ADS_SEARCH_HANDLE ashSearch = NULL; LPWSTR pszAttributes[] = { L"rDNAttID" };
CheckError(spSearch->ExecuteSearch( L"(&(objectClass=classSchema)(lDAPDisplayName=inetOrgPerson)(!isDefunct=TRUE))", pszAttributes, 1, &ashSearch ));
if (ashSearch) { wstring strAttribute;
hr = spSearch->GetFirstRow(ashSearch);
if (SUCCEEDED(hr)) { ADS_SEARCH_COLUMN ascColumn; hr = spSearch->GetColumn(ashSearch, L"rDNAttID", &ascColumn);
if (SUCCEEDED(hr)) { if ((ascColumn.dwADsType == ADSTYPE_CASE_IGNORE_STRING) && (ascColumn.dwNumValues == 1)) { strAttribute = ascColumn.pADsValues->CaseIgnoreString; }
spSearch->FreeColumn(&ascColumn); } }
spSearch->CloseSearchHandle(ashSearch);
if (strAttribute.empty() == false) { // get attribute's minimum and maximum range values
wcscpy(szADsPath, L"LDAP://"); wcscat(szADsPath, pszServer); wcscat(szADsPath, L"/schema/"); wcscat(szADsPath, strAttribute.c_str());
IADsPropertyPtr spProperty;
CheckError(ADsGetObject(szADsPath, __uuidof(IADsProperty), (VOID**)&spProperty));
long lMinRange; long lMaxRange;
CheckError(spProperty->get_MinRange(&lMinRange)); CheckError(spProperty->get_MaxRange(&lMaxRange));
// set naming attribute info
rNamingAttribute.nMinRange = lMinRange; rNamingAttribute.nMaxRange = lMaxRange; rNamingAttribute.strName = strAttribute;
// save naming attribute and range values in cache
m_mapNamingAttribute.insert(CNamingAttributeMap::value_type(strClass, SNamingAttribute(lMinRange, lMaxRange, strAttribute))); } else { hr = E_FAIL; } } else { hr = E_FAIL; } } } catch (_com_error& ce) { hr = ce.Error(); }
return hr;}
void VariantSidToString(_variant_t & varSid){ if ( varSid.vt == VT_BSTR ) { return; } else if ( varSid.vt == ( VT_ARRAY | VT_UI1) ) { // convert the array of bits to a string
CLdapConnection c; LPBYTE pByte = NULL; WCHAR str[LEN_Path];
SafeArrayAccessData(varSid.parray,(void**)&pByte); c.BytesToString(pByte,str,GetLengthSid(pByte)); SafeArrayUnaccessData(varSid.parray); varSid = SysAllocString(str);
} else { varSid.ChangeType(VT_BSTR); }}
HRESULT CAcctRepl::UpdateGroupMembership( Options * pOptions, //in -Options set by the user
TNodeListSortable * acctlist, //in -List of all accounts being copied
ProgressFn * progress, //in -Progress update
IStatusObj * pStatus //in -Status update
){ IVarSetPtr pVs(__uuidof(VarSet)); MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); WCHAR sTgtPath[LEN_Path]; IIManageDBPtr pDB = pOptions->pDb; IUnknown* pUnk = NULL; TNodeTreeEnum tenum; HRESULT hr = S_OK; DWORD ret = 0; bool bFoundGroups = false; WCHAR sDomain[LEN_Path]; DWORD grpType = 0;
IUnknownPtr spUnknown(pVs); pUnk = spUnknown;
// sort the account list by Source Type\Source Sam Name
if ( acctlist->IsTree() ) acctlist->ToSorted(); acctlist->SortedToScrambledTree(); acctlist->Sort(&TNodeCompareAccountSam); acctlist->Balance();
for (TAcctReplNode* acct = (TAcctReplNode *)tenum.OpenFirst(acctlist) ; acct ; acct = (TAcctReplNode *)tenum.Next()) { if ( !acct->ProcessMem() ) continue; if ( pStatus ) { LONG status = 0; HRESULT hr = pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
// Since the list is sorted by account type we can continue to ignore everything till we get to the
// group type and once it is found and processed the rest of types can be ignored
if ( _wcsicmp(acct->GetType(), L"group") != 0 ) { if ( !bFoundGroups ) continue; else break; } else { bFoundGroups = true; }
// If we are here this must be a group type so tell the progrss function what we are doing
WCHAR mesg[LEN_Path]; bool bGotPrimaryGroups = false;
wsprintf(mesg, GET_STRING(IDS_UPDATING_GROUP_MEMBERSHIPS_S), acct->GetName()); if ( progress ) progress(mesg);
if ( acct->CreateAccount() && (!acct->WasCreated() && !acct->WasReplaced()) ) // if the account was not copied then why should we even process it?
// Bad idea. We need to process the account membership because the group may have been previously copied and
// in this run we simply need to update the membership. Changing the expansion code to mark the account as created.
// that should fix the problem.
continue;
if ( !_wcsicmp(acct->GetType(), L"group") && *acct->GetTargetPath() ) { IADsGroupPtr spSourceGroup; IADsGroupPtr spTargetGroup; IADsMembersPtr spMembers; IEnumVARIANTPtr spEnum;
err.MsgWrite(0, DCT_MSG_PROCESSING_GROUP_MEMBER_S, (WCHAR*) acct->GetTargetName()); if ( !pOptions->nochange ) { hr = ADsGetObject(const_cast<WCHAR*>(acct->GetTargetPath()), IID_IADsGroup, (void**) &spTargetGroup); if (FAILED(hr)) { err.SysMsgWrite(ErrE, hr, DCT_MSG_OBJECT_NOT_FOUND_SSD, acct->GetTargetPath(), pOptions->tgtDomain, hr ); Mark(L"errors", acct->GetType()); continue; // we cant possibly do any thing without the source group
} } else hr = S_OK;
if ( spTargetGroup ) { VARIANT var; VariantInit(&var); hr = spTargetGroup->Get(L"groupType", &var); if (SUCCEEDED(hr)) grpType = long(_variant_t(var, false)); }
hr = ADsGetObject(const_cast<WCHAR*>(acct->GetSourcePath()), IID_IADsGroup, (void**) &spSourceGroup); if (FAILED(hr)) { err.SysMsgWrite(ErrE, 0, DCT_MSG_OBJECT_NOT_FOUND_SSD, acct->GetSourcePath(), pOptions->srcDomain, hr ); Mark(L"errors", acct->GetType()); continue; // we cant possibly do any thing for this group without the target group
}
// Now we get the members interface.
hr = spSourceGroup->Members(&spMembers);
// Ask for an enumeration of the members
if ( SUCCEEDED(hr) ) hr = spMembers->get__NewEnum((IUnknown **)&spEnum);
// If unable to retrieve enumerator then generate error message.
if (FAILED(hr)) { err.SysMsgWrite(ErrE, hr, DCT_MSG_UNABLE_TO_ENUM_MEMBERS_S, acct->GetSourcePath()); Mark(L"errors", acct->GetType()); continue; }
VARIANT varMembers; VariantInit(&varMembers);
// Now enumerate through all the objects in the Group
while ( SUCCEEDED(spEnum->Next(1, &varMembers, &ret)) ) { _variant_t vntMembers(varMembers, false); IADsPtr spADs; _bstr_t strClass; _bstr_t strPath; _bstr_t strSam; PSID pSid = NULL;
// Check if user wants to abort the operation
if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } // If no values are returned that means we are done with all members
if ( ret == 0 || vntMembers.vt == VT_EMPTY) { if ( bGotPrimaryGroups ) break; else { // Go through and add all the users that have this group as their primary group.
bGotPrimaryGroups = true;
//
// It is only necessary to query objects that have their primary group ID equal to the
// current group for W2K and later as NT4 required that the account be a member of the
// global group in order to set the primary group ID equal to the group. As the members
// of the group have already been queried it would be redundant to query for objects
// that have their primary group ID equal to the current group.
//
if (pOptions->srcDomainVer >= 5) { hr = GetThePrimaryGroupMembers(pOptions, const_cast<WCHAR*>(acct->GetSourceSam()), &spEnum); if (SUCCEEDED(hr)) continue; else break; } else { break; } } }
// Depending on what we are looking at we get two variant types. In case of members we get
// IDispatch pointer in a variant. In case of primary group members we get variant(bstr) array
// So we need to branch here depending on what we get
if ( bGotPrimaryGroups ) { // first element is the ADsPath of the object so use that to get the object and continue
if ( vntMembers.vt == (VT_ARRAY | VT_VARIANT) ) { SAFEARRAY * pArray = vntMembers.parray; VARIANT * pDt;
hr = SafeArrayAccessData(pArray, (void**) &pDt); if (SUCCEEDED(hr)) { if ( pDt[0].vt == VT_BSTR ) hr = ADsGetObject((WCHAR*)pDt[0].bstrVal, IID_IADs, (void**) &spADs); else hr = E_FAIL; SafeArrayUnaccessData(pArray); } vntMembers.Clear(); } else hr = E_FAIL; } else { // We have a dispatch pointer in the VARIANT so we will get the IADs pointer to it and
// then get the ADs path to that object and then remove it from the group
spADs = IDispatchPtr(vntMembers);
if (spADs) { hr = S_OK; } else { hr = E_FAIL; } }
if ( SUCCEEDED(hr) ) { BSTR bstr = NULL; hr = spADs->get_ADsPath(&bstr); if ( SUCCEEDED(hr) ) { strPath = _bstr_t(bstr, false);
// Parse out the domain name from the WinNT path.
if ( !wcsncmp(L"WinNT://", (WCHAR*)strPath, 8) ) { //Grab the domain name from the WinNT path.
WCHAR sTemp[LEN_Path]; WCHAR * p = strPath; wcscpy(sTemp, p+8); p = wcschr(sTemp, L'/'); if ( p ) *p = L'\0'; else { //we have the path in this format "WinNT://S-1-5....."
// in this case we need to get the SID and then try and get its domain and account name
PSID pSid = NULL; WCHAR sName[255]; DWORD rc = 1;
pSid = SidFromString(sTemp); if ( pSid ) { rc = GetName(pSid, sName, sTemp); if ( !rc ) { // Give it a winnt path. This way we get the path that we can use
strPath = _bstr_t(L"WinNT://") + sTemp + _bstr_t(L"/") + sName; } FreeSid(pSid); }
if ( rc ) { // Log a message that we cant resolve this guy
err.SysMsgWrite(ErrE, rc, DCT_MSG_PATH_NOT_RESOLVED_SD, sTemp, rc); Mark("errors", acct->GetType()); continue; } } wcscpy(sDomain, sTemp); } else { // Get the domain name from the LDAP path. Convert domain name to the NETBIOS name.
_bstr_t strDomainDns = GetDomainDNSFromPath(strPath);
if (strDomainDns.length()) { safecopy(sDomain, (WCHAR*)strDomainDns); } else { hr = E_FAIL; } } }
if ( SUCCEEDED(hr) ) { if ( !(acct->GetGroupType() & ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) ) { // Global/Universal groups are easy all we have to do is use the path we got back and get the info from that object
BSTR bstr = NULL; hr = spADs->get_Class(&bstr); if (SUCCEEDED(hr)) strClass = _bstr_t(bstr, false); else strClass = L""; VARIANT var; VariantInit(&var); hr = spADs->Get(L"samAccountName", &var); if ( SUCCEEDED(hr) ) strSam = _variant_t(var, false); else { // make sure it is a WinNT:// path
if ( !wcsncmp((WCHAR*)strPath, L"WinNT://", 8) ) { BSTR bstr = NULL; hr = spADs->get_Name(&bstr); if (SUCCEEDED(hr)) strSam = _bstr_t(bstr, false); } } //if universal group change domain if foreign security principal
if ((acct->GetGroupType() & ADS_GROUP_TYPE_UNIVERSAL_GROUP)) { _bstr_t sTempDomain = GetDomainOfMigratedForeignSecPrincipal(spADs, strPath); if (sTempDomain.length()) wcscpy(sDomain, sTempDomain); } } else { // Local group we need to get the SID LDAP path and then use that to add the account to the group.
WCHAR sSidDomain[LEN_Path]; WCHAR sSidPath[LEN_Path]; WCHAR sSamName[LEN_Path];
if ( pSid ) { FreeSid(pSid); pSid = NULL; }
hr = BuildSidPath(spADs, sSidPath, sSamName, sSidDomain, pOptions,&pSid);
if (SUCCEEDED(hr)) { _bstr_t sTempDomain = GetDomainOfMigratedForeignSecPrincipal(spADs, strPath); if (sTempDomain.length()) wcscpy(sDomain, sTempDomain); strPath = sSidPath; strSam = sSamName; } else { err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_ADD_TO_GROUP_SSD, (WCHAR*)strPath, acct->GetTargetName(), hr); Mark(L"warnings", acct->GetType()); } } } }
if ( SUCCEEDED(hr) ) { // Now that we have the SamAccountname and the path we can lookup the info from the DB
hr = pDB->GetAMigratedObject(strSam, sDomain, pOptions->tgtDomain, &pUnk); if ( pOptions->nochange ) { WCHAR targetPath[LEN_Path]; // in this case the account was not really copied so we need to make sure that we
// we include the accounts that would have been added if this was a true migration.
Lookup p; p.pName = strSam; p.pType = strClass; TAcctReplNode * pNode = (TAcctReplNode *) acctlist->Find(&TNodeFindAccountName, &p); if (pNode) { pVs->put(L"MigratedObjects.TargetSamName", _variant_t(pNode->GetTargetSam()));
BuildTargetPath(pNode->GetTargetName(), pOptions->tgtOUPath, targetPath); pVs->put(L"MigratedObjects.TargetAdsPath", _variant_t(targetPath)); hr = S_OK; } } if ( hr == S_OK ) { VerifyAndUpdateMigratedTarget(pOptions, pVs);
// Since we have previously copied the account we can simply add the one that we copied.
_bstr_t strTargetPath = pVs->get(L"MigratedObjects.TargetAdsPath"); if ( strTargetPath.length() ) { if ( !pOptions->nochange ) hr = spTargetGroup->Add(strTargetPath); else hr = S_OK;
if ( SUCCEEDED(hr) ) { err.MsgWrite(0, DCT_MSG_ADDED_TO_GROUP_S, (WCHAR*)strTargetPath);
//if this is not a global group, remove the source account from the group, if there
if (!pOptions->nochange && !(acct->GetGroupType() & ADS_GROUP_TYPE_GLOBAL_GROUP)) RemoveSourceAccountFromGroup(spTargetGroup, pVs, pOptions); } else { hr = BetterHR(hr); switch ( HRESULT_CODE(hr) ) { case NERR_UserNotFound: case 0x5000: err.SysMsgWrite(0, hr, DCT_MSG_MEMBER_NONEXIST_SS, (WCHAR *)strTargetPath, acct->GetTargetName(), hr); break; default: { err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_ADD_TO_GROUP_SSD, (WCHAR *)strTargetPath, acct->GetTargetName(), hr); Mark(L"warnings", acct->GetType()); } } } } } else { // We have not migrated the accounts from source domain to the target domain.
// so we now have to branch for different group types.
WCHAR domain[LEN_Path]; DWORD cbDomain = DIM(domain); SID_NAME_USE use;
if ( grpType & ADS_GROUP_TYPE_GLOBAL_GROUP ) { // For the global groups we simply say that account has not been migrated.
err.MsgWrite(0, DCT_MSG_MEMBER_NONEXIST_SS, (WCHAR*)strSam, acct->GetTargetName()); } else { //Process local/universal groups ( can add objects from non-target domains )
// 1. See if we have migrated this account to some other domain.
// 2. Is the Source accounts SID valid here (trust) if so add that.
// 3. See if we can find an account with the same name in the target.
// if any of these operations yield a valid account then just add it.
// we are going to lookup migrated objects table to find migration of this object
// from source domain to any other domain.
hr = pDB->raw_GetAMigratedObjectToAnyDomain(strSam, sDomain, &pUnk); if ( hr == S_OK ) { // we have migrated the object to some other domain. So we will get the path to that object and try to add it to the group
// it may fail if there is no trust/forest membership of the target domain and the domain that this object resides in.
_bstr_t strTargetPath = pVs->get(L"MigratedObjects.TargetAdsPath"); if ( strTargetPath.length() ) { // Since the object is in a different domain, we will have to get the SID of the object,
// and use that for the Add
IADsPtr spAds; _variant_t varSid;
hr = ADsGetObject(strTargetPath,IID_IADs,(void**)&spAds); if ( SUCCEEDED(hr) ) { VARIANT var; VariantInit(&var); hr = spAds->Get(L"objectSid",&var); if (SUCCEEDED(hr)) varSid = _variant_t(var, false); spAds.Release(); } if ( SUCCEEDED(hr) ) { // Make sure the SID we got was in string format
VariantSidToString(varSid); UStrCpy(sTgtPath,L"LDAP://<SID="); UStrCpy(sTgtPath + UStrLen(sTgtPath),varSid.bstrVal); UStrCpy(sTgtPath + UStrLen(sTgtPath),L">");
if ( !pOptions->nochange ) hr = spTargetGroup->Add(sTgtPath); else hr = S_OK; }
if ( SUCCEEDED(hr) ) { err.MsgWrite(0, DCT_MSG_ADDED_TO_GROUP_S, (WCHAR*)strTargetPath);
//remove the source account from the group, if there
if (!pOptions->nochange) { RemoveSourceAccountFromGroup(spTargetGroup, pVs, pOptions); } } else { hr = BetterHR(hr); if ( HRESULT_CODE(hr) == NERR_UserExists ) { err.MsgWrite(0,DCT_MSG_USER_IN_GROUP_SS,(WCHAR*)strTargetPath,acct->GetTargetName()); } else if ( HRESULT_CODE(hr) == NERR_UserNotFound ) { err.SysMsgWrite(0, hr, DCT_MSG_MEMBER_NONEXIST_SS, (WCHAR*)strTargetPath, acct->GetTargetName(), hr); } else { // message for the generic failure case
err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_ADD_TO_GROUP_SSD, (WCHAR*)strTargetPath, acct->GetTargetName(), hr); Mark(L"warnings", acct->GetType()); } } } } else { // we have never migrated this account. So we will try to add the original account to the target domain.
// This would work if the target domain and the domain where this object is satisfy the requirements of
// forest membership/ trusts imposed by Universal/Local groups respectively.
// Get the sid of the source account
_variant_t varSid;
// check whether the target domain knows this sid
// Before we try to add, make sure the target domain knows this account
WCHAR name[LEN_Path]; DWORD lenName = DIM(name); cbDomain = DIM(domain);
if ( grpType & ADS_GROUP_TYPE_UNIVERSAL_GROUP ) { // in case of the Universal group we need to make sure that domains are in
// the same forest. We will use access checker for this
BOOL bIsSame = FALSE; _bstr_t sSrcDomainDNS = GetDomainDNSFromPath(strPath); hr = pAccess->raw_IsInSameForest(pOptions->tgtDomainDns, sSrcDomainDNS, (long*)&bIsSame);
if ( SUCCEEDED(hr) && bIsSame ) { // We have accounts that are in same forest so we can simply add the account.
if ( !pOptions->nochange ) hr = spTargetGroup->Add(strPath); else hr = S_OK;
if ( SUCCEEDED(hr) ) { WCHAR sWholeName[LEN_Path]; wcscpy(sWholeName, sSrcDomainDNS); wcscat(sWholeName, L"\\"); wcscat(sWholeName, !strSam ? L"" : strSam); err.MsgWrite(0, DCT_MSG_ADDED_TO_GROUP_S, sWholeName); } else { hr = BetterHR(hr); err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_ADD_TO_GROUP_SSD, (WCHAR*) strSam, acct->GetTargetName(), hr); Mark(L"warnings", acct->GetType()); } } else { err.MsgWrite(ErrW, DCT_MSG_CANNOT_ADD_OBJECTS_NOT_IN_FOREST_TO_GROUP_SS, (WCHAR*)strSam, acct->GetTargetName()); Mark(L"warnings", acct->GetType()); } } else { if ( !pOptions->nochange ) hr = spTargetGroup->Add(strPath); else hr = S_OK;
// In case of local groups If we know the SID in the target domain then we can simply
// add that account to the target group
if ( LookupAccountSid(pOptions->tgtComp,pSid,name,&lenName,domain,&cbDomain,&use) ) { WCHAR sWholeName[LEN_Path]; wcscpy(sWholeName, domain); wcscat(sWholeName, L"\\"); wcscat(sWholeName, !strSam ? L"" : strSam); err.MsgWrite(0, DCT_MSG_ADDED_TO_GROUP_S, sWholeName); } else { // log the fact that the SID could not be resolved in the target domain
// this will happen when the target domain does not trust the source domain
WCHAR sWholeName[LEN_Path]; wcscpy(sWholeName, sDomain); wcscat(sWholeName, L"\\"); wcscat(sWholeName, !strSam ? L"" : strSam); err.MsgWrite(0, DCT_MSG_CANNOT_RESOLVE_SID_IN_TARGET_SS, sWholeName, acct->GetTargetName(), HRESULT_FROM_WIN32(GetLastError())); } } } } // if group type
} // if not migrated to the target domain.
} // if can get to the member.
if( pSid ) FreeSid(pSid); } //while
} }
return hr;}
HRESULT CAcctRepl::LookupAccountInTarget(Options * pOptions, WCHAR * sSam, WCHAR * sPath){ if ( pOptions->tgtDomainVer < 5 ) { // for NT4 we can just build the path and send it back.
wsprintf(sPath, L"WinNT://%s/%s", pOptions->tgtDomain, sSam); return S_OK; } // Use the net object enumerator to lookup the account in the target domain.
INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); IEnumVARIANT * pEnum = NULL; SAFEARRAYBOUND bd = { 1, 0 }; SAFEARRAY * pszColNames; BSTR HUGEP * pData = NULL; LPWSTR sData[] = { L"aDSPath" }; WCHAR sQuery[LEN_Path]; WCHAR sDomPath[LEN_Path]; DWORD ret = 0; _variant_t var, varVal; HRESULT hr = S_OK;
wsprintf(sDomPath, L"LDAP://%s/%s", pOptions->tgtDomainDns, pOptions->tgtNamingContext); WCHAR sTempSamName[LEN_Path]; wcscpy(sTempSamName, sSam); if ( sTempSamName[0] == L' ' ) { WCHAR sTemp[LEN_Path]; wsprintf(sTemp, L"\\20%s", sTempSamName + 1); wcscpy(sTempSamName, sTemp); } wsprintf(sQuery, L"(sAMAccountName=%s)", sTempSamName);
hr = pQuery->raw_SetQuery(sDomPath, pOptions->tgtDomain, sQuery, ADS_SCOPE_SUBTREE, FALSE);
// Set up the columns that we want back from the query ( in this case we need SAM accountname )
pszColNames = ::SafeArrayCreate(VT_BSTR, 1, &bd); hr = ::SafeArrayAccessData(pszColNames, (void HUGEP **)&pData); if ( SUCCEEDED(hr) ) pData[0] = SysAllocString(sData[0]);
if ( SUCCEEDED(hr) ) hr = ::SafeArrayUnaccessData(pszColNames);
if ( SUCCEEDED(hr) ) hr = pQuery->raw_SetColumns(pszColNames);
// Time to execute the plan.
if ( SUCCEEDED(hr) ) hr = pQuery->raw_Execute(&pEnum);
if ( SUCCEEDED(hr) ) { // if this worked that means we can only have one thing in the result.
if ( (pEnum->Next(1, &var, &ret) == S_OK) && ( ret > 0 ) ) { SAFEARRAY * pArray = var.parray; long ndx = 0; hr = SafeArrayGetElement(pArray,&ndx,&varVal); if ( SUCCEEDED(hr) ) wcscpy(sPath, (WCHAR*)varVal.bstrVal); else hr = HRESULT_FROM_WIN32(NERR_UserNotFound); } else hr = HRESULT_FROM_WIN32(NERR_UserNotFound); } if ( pEnum ) pEnum->Release(); return hr;}
//----------------------------------------------------------------------------
// RemoveMembers : This function enumerates through all the members of the
// given group and removes them one at a time.
//----------------------------------------------------------------------------
HRESULT CAcctRepl::RemoveMembers( TAcctReplNode * pAcct, //in- AccountReplicator Node with the Account info
Options * pOptions //in- Options set by the user.
)
{ IADsMembers * pMem = NULL; IADs * pAds = NULL; IADsGroup * pGrp = NULL; // IUnknown * pUnk;
IEnumVARIANT * pVar = NULL; IDispatch * pDisp = NULL; DWORD ret = 0; _variant_t var; WCHAR * sPath;
// First we make sure that this is really a group otherwise we ignore it.
if (_wcsicmp((WCHAR*)pAcct->GetType(),L"group")) return S_OK;
// Lets get a IADsGroup * to the group object.
HRESULT hr = ADsGetObject(const_cast<WCHAR*>(pAcct->GetTargetPath()), IID_IADsGroup, (void **) &pGrp);
// Now we get the members interface.
if ( SUCCEEDED(hr) ) hr = pGrp->Members(&pMem);
// Ask for an enumeration of the members
if ( SUCCEEDED(hr) ) hr = pMem->get__NewEnum((IUnknown **)&pVar);
// Now enumerate through all the objects in the Group and for each one remove it from the group
while ( SUCCEEDED(pVar->Next(1, &var, &ret)) ) { // If no values are returned that means we are done with all members so break out of this loop
if ( ret == 0 ) break;
// We hace a dispatch pointer in the VARIANT so we will get the IADs pointer to it and
// then get the ADs path to that object and then remove it from the group
pDisp = V_DISPATCH(&var); hr = pDisp->QueryInterface(IID_IADs, (void**) &pAds);
if ( SUCCEEDED(hr) ) hr = pAds->get_ADsPath(&sPath); if ( pAds ) pAds->Release(); if ( SUCCEEDED(hr) ) { _bstr_t bstrPath(sPath); if ( !pOptions->nochange ) hr = pGrp->Remove(bstrPath); } var.Clear(); } if ( pMem ) pMem->Release(); if ( pGrp ) pGrp->Release(); if ( pVar ) pVar->Release(); return hr;}
//----------------------------------------------------------------------------
// FillPathInfo : This function looks up the ADs path from the source domain
// for a given SAMAccountName
//----------------------------------------------------------------------------
bool CAcctRepl::FillPathInfo( TAcctReplNode * pAcct, //in- AccountReplicator Node with the Account info
Options * pOptions //in- Options set by the user.
){ wstring sPath; _bstr_t sTgtPath; // Fill the naming context for the domains. If the Naming context does not work then it is not a Win2kDomain
// so we need to stop right here.
if ( wcslen(pOptions->srcNamingContext) == 0 ) FillNamingContext(pOptions);
if ( wcslen(pOptions->srcNamingContext) == 0 ) { // this is probably an NT 4 source domain
// construct the source path
if ( ! *pAcct->GetSourcePath() ) { sPath = L"WinNT://"; sPath += pOptions->srcDomain; sPath += L"/"; sPath += pAcct->GetName(); pAcct->SetSourcePath(sPath.c_str()); } return true; }
WCHAR strName[LEN_Path]; wcscpy(strName, pAcct->GetName()); // Check if the Name field is a LDAP sub path or not. If we have LDAP subpath then we
// call the AcctReplFullPath function to fillup the path information.
if ( (wcslen(strName) > 3) && (strName[2] == (L'=')) ) { AcctReplFullPath(pAcct, pOptions); return true; }
INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); HRESULT hr; LPWSTR sData[] = { L"ADsPath", L"distinguishedName", L"name", L"profilePath", L"groupType" }; long nElt = DIM(sData); BSTR * pData; SAFEARRAY * psaColNames; IEnumVARIANTPtr pEnum; _variant_t var; DWORD dwFetch;
// We are going to update all fields that we know about
// Set the LDAP path to the whole domain and then the query to the SAMAccountname
sPath = L"LDAP://"; sPath += pOptions->srcDomain; sPath += L"/"; sPath += pOptions->srcNamingContext;
wstring sTempSamName = pAcct->GetSourceSam();
if (sTempSamName[0] == L' ') { sTempSamName = L"\\20" + sTempSamName.substr(1); }
wstring strQuery = L"(sAMAccountName=" + sTempSamName + L")";
// Set the enumerator query
hr = pQuery->raw_SetQuery( _bstr_t(sPath.c_str()), _bstr_t(pOptions->srcDomain), _bstr_t(strQuery.c_str()), ADS_SCOPE_SUBTREE, FALSE );
if (SUCCEEDED(hr)) { // Create a safearray of columns we need from the enumerator.
SAFEARRAYBOUND bd = { nElt, 0 }; psaColNames = ::SafeArrayCreate(VT_BSTR, 1, &bd);
if (psaColNames) { hr = ::SafeArrayAccessData(psaColNames, (void**)&pData); } else { hr = E_OUTOFMEMORY; }
if ( SUCCEEDED(hr) ) { for( long i = 0; i < nElt; i++) { pData[i] = SysAllocString(sData[i]); } hr = ::SafeArrayUnaccessData(psaColNames); }
if (SUCCEEDED(hr)) { // Set the columns on the enumerator object.
hr = pQuery->raw_SetColumns(psaColNames); }
if (psaColNames) { SafeArrayDestroy(psaColNames); } }
if (SUCCEEDED(hr)) { // Now execute.
hr = pQuery->raw_Execute(&pEnum); }
if (SUCCEEDED(hr)) { // We should have recieved only one value. So we will get the value and set it into the Node.
VARIANT varTemp; VariantInit(&varTemp); hr = pEnum->Next(1, &varTemp, &dwFetch); var = _variant_t(varTemp, false); }
if ( SUCCEEDED(hr) && ( var.vt & VT_ARRAY) ) { // This would only happen if the member existed in the target domain.
// We now have a Variant containing an array of variants so we access the data
SAFEARRAY* psa = V_ARRAY(&var); VARIANT* pVar; SafeArrayAccessData(psa, (void**)&pVar); // Get the AdsPath first
sTgtPath = pVar[0].bstrVal; if (sTgtPath.length() > 0) { // Set the source Path in the Account node
pAcct->SetSourcePath(sTgtPath);
// Then we get the distinguishedName to get the prefix string
sTgtPath = V_BSTR(&pVar[1]);
// We also get the name value to set the target name
if (V_BSTR(&pVar[2])) { pAcct->SetName(V_BSTR(&pVar[2])); pAcct->SetTargetName(V_BSTR(&pVar[2])); }
// We also get the profile path so we can translate it
if (V_BSTR(&pVar[3])) { pAcct->SetTargetProfile(V_BSTR(&pVar[3])); }
if ( pVar[4].vt == VT_I4 ) { // We have the object type property so lets set it.
pAcct->SetGroupType(pVar[4].lVal); } SafeArrayUnaccessData(psa); return true; } else { //There is no account with this SAM name in this domain
err.SysMsgWrite(ErrE, 2, DCT_MSG_PATH_NOT_FOUND_SS, pAcct->GetName(), pOptions->tgtDomain); Mark(L"errors", pAcct->GetType()); SafeArrayUnaccessData(psa); }
}
return false;}
//--------------------------------------------------------------------------
// AcctReplFullPath : Fills up Account node when the account information
// coming in is a LDAP sub path.
//--------------------------------------------------------------------------
bool CAcctRepl::AcctReplFullPath( TAcctReplNode * pAcct, //in- AccountReplicator Node with the Account info
Options * pOptions //in- Options set by the user.
){ WCHAR sName[LEN_Path]; WCHAR sPath[LEN_Path]; IADs * pAds; _variant_t var;
// Build a full path and save it to the Account node
wsprintf(sPath, L"LDAP://%s/%s,%s", pOptions->srcDomain, pAcct->GetName(), pOptions->srcNamingContext); pAcct->SetSourcePath(sPath);
// Do the same for Target account.
wcscpy(sName, pAcct->GetTargetName()); if ( !wcslen(sName) ) { // Since Target name not specified we will go ahead and use the source name as the target name,
wcscpy(sName, pAcct->GetName()); pAcct->SetTargetName(sName); }
// Build a full path from the sub path
/* wsprintf(sPath, L"LDAP://%s/%s,%s", pOptions->tgtDomain, sName, pOptions->tgtNamingContext);
pAcct->SetTargetPath(sPath);*/ // Lets try and get the SAM name for the source account
HRESULT hr = ADsGetObject(const_cast<WCHAR*>(pAcct->GetSourcePath()), IID_IADs, (void**) &pAds); if ( FAILED(hr)) return false;
hr = pAds->Get(L"sAMAccountName", &var); pAds->Release(); if ( SUCCEEDED(hr) ) pAcct->SetSourceSam((WCHAR*)var.bstrVal);
// SAM account name for the target account
// Since we are here we have a LDAP sub path. So we can copy string from 3rd character to end of line or
// till the first ','
wcscpy(sName, pAcct->GetTargetName()); WCHAR * p = wcschr(sName, L','); int ndx = wcslen(sName); if ( p ) { // There is a , So we can find how many characters that is by subtracting two pointers
ndx = (int)(p - sName); } ndx -= 3; // We are going to ignore the first three characters
// Copy from third character on to the , or End of line this is going to be the SAM name for target
wcsncpy(sPath, sName + 3, ndx); sPath[ndx] = 0; // Truncate it.
pAcct->SetTargetSam(sPath);
return true;}
//--------------------------------------------------------------------------
// NeedToProcessAccount : This function tells us if the user has set the
// options to copy certain types of accounts.
//--------------------------------------------------------------------------
BOOL CAcctRepl::NeedToProcessAccount( TAcctReplNode * pAcct, //in- AccountReplicator Node with the Account info
Options * pOptions //in- Options set by the user.
){ if ((_wcsicmp(pAcct->GetType(), s_ClassUser) == 0) || (_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson) == 0)) return (pOptions->flags & F_USERS); else if ( _wcsicmp(pAcct->GetType(), L"group") == 0) return ((pOptions->flags & F_GROUP) || (pOptions->flags & F_LGROUP)); else if ( _wcsicmp(pAcct->GetType(), L"computer") == 0) return pOptions->flags & F_COMPUTERS; else if ( _wcsicmp(pAcct->GetType(), L"organizationalUnit") == 0) return pOptions->flags & F_OUS; else { err.MsgWrite(0,DCT_MSG_SKIPPING_OBJECT_TYPE_SS,pAcct->GetName(),pAcct->GetType()); return false; }}
// Compares the DC=...,DC=com part of two ads paths to determine if the objects
// are in the same domain.
BOOL CompareDCPath(WCHAR const * sPath, WCHAR const * sPath2){ WCHAR * p1 = NULL, * p2 = NULL; p1 = wcsstr(sPath, L"DC="); p2 = wcsstr(sPath2, L"DC=");
if ( p1 && p2 ) return !_wcsicmp(p1, p2); else return FALSE;}
_bstr_t PadDN(_bstr_t sDN){ _bstr_t retVal = sDN; int offset = 0; WCHAR sLine[LEN_Path]; WCHAR sOut[LEN_Path];
safecopy(sLine, (WCHAR*) sDN);
for ( DWORD i = 0; i < wcslen(sLine); i++ ) { if ( sLine[i] == L'/' ) { sOut[i + offset] = L'\\'; offset++; } sOut[i + offset] = sLine[i]; } sOut[i+offset] = 0; retVal = sOut; return retVal;}
//--------------------------------------------------------------------------
// ExpandContainers : Adds all the members of a container/group to the
// account list recursively.
//--------------------------------------------------------------------------
BOOL CAcctRepl::ExpandContainers( TNodeListSortable *acctlist, //in- Accounts being processed
Options *pOptions, //in- Options specified by the user
ProgressFn *progress //in- Show status
){ TAcctReplNode * pAcct; IEnumVARIANT * pEnum; HRESULT hr; _variant_t var; DWORD dwf; INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); LPWSTR sCols[] = { L"member" }; LPWSTR sCols1[] = { L"ADsPath" }; int nElt = DIM(sCols); SAFEARRAY * cols; SAFEARRAY * vals; SAFEARRAY * multiVals; SAFEARRAYBOUND bd = { nElt, 0 }; BSTR HUGEP * pData = NULL;// _bstr_t * pBstr = NULL;
_variant_t * pDt = NULL; _variant_t * pVar = NULL; _variant_t vx; _bstr_t sCont, sQuery; _bstr_t sPath; _bstr_t sSam; _bstr_t sType; _bstr_t sName; _bstr_t sTgtName; DWORD dwMaj, dwMin, dwSP;// IIManageDBPtr pDb(__uuidof(IManageDB));
IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk; long lgrpType; WCHAR sAcctType[LEN_Path]; WCHAR mesg[LEN_Path]; WCHAR sSourcePath[LEN_Path]; bool bExpanded = true;
pVs->QueryInterface(IID_IUnknown, (void **) &pUnk); MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); // Change from a tree to a sorted list
if ( acctlist->IsTree() ) acctlist->ToSorted();
// Check the domain type for the source domain.
hr = pAccess->raw_GetOsVersion(pOptions->srcComp, &dwMaj, &dwMin, &dwSP); if (FAILED(hr)) return FALSE;
if ( dwMaj < 5 ) { while ( bExpanded ) { bExpanded = false; pAcct = (TAcctReplNode *)acctlist->Head(); while (pAcct) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
// If we have already expanded the account then we dont need to process it again.
if ( pAcct->bExpanded ) { pAcct = (TAcctReplNode *) pAcct->Next(); continue; }
//Set the flag to say that we expanded something.
bExpanded = true; pAcct->bExpanded = true;
if ( UStrICmp(pAcct->GetType(), L"group") || UStrICmp(pAcct->GetType(), L"lgroup") ) { // Build the column array
cols = SafeArrayCreate(VT_BSTR, 1, &bd); SafeArrayAccessData(cols, (void HUGEP **) &pData); for ( int i = 0; i < nElt; i++) pData[i] = SysAllocString(sCols1[i]); SafeArrayUnaccessData(cols); // Build the NT4 recognizable container name
sCont = _bstr_t(pAcct->GetName()) + L",CN=GROUPS"; sQuery = L""; // ignored.
// Query the information
hr = pQuery->raw_SetQuery(sCont, pOptions->srcDomain, sQuery, ADS_SCOPE_SUBTREE, TRUE); if (FAILED(hr)) return FALSE; hr = pQuery->raw_SetColumns(cols); if (FAILED(hr)) return FALSE; hr = pQuery->raw_Execute(&pEnum); if (FAILED(hr)) return FALSE;
while (pEnum->Next(1, &var, &dwf) == S_OK) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } vals = var.parray; // Get the first column which is the name of the object.
SafeArrayAccessData(vals, (void HUGEP**) &pDt); sPath = pDt[0]; SafeArrayUnaccessData(vals);
// Enumerator returns empty strings which we need to ignore.
if ( sPath.length() > 0 ) { // Look if we have migrated the group
if ( pOptions->flags & F_COPY_MIGRATED_ACCT ) // We want to copy it again even if it was already copied.
hr = S_FALSE; else hr = pOptions->pDb->raw_GetAMigratedObject(sPath, pOptions->srcDomain, pOptions->tgtDomain, &pUnk);
if ( hr != S_OK ) { if ( !IsBuiltinAccount(pOptions, (WCHAR*)sPath) ) { // We don't care about the objects that we have migrated because they will be picked up automatically
// Find the type of this account.
if ( GetNt4Type(pOptions->srcComp, (WCHAR*) sPath, sAcctType) ) { // Expand the containers and the membership
wsprintf(mesg, GET_STRING(IDS_EXPANDING_ADDING_SS) , pAcct->GetName(), (WCHAR*) sPath); Progress(mesg); TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; pNode->SetName((WCHAR*)sPath); pNode->SetTargetName((WCHAR*)sPath); pNode->SetSourceSam((WCHAR*)sPath); pNode->SetTargetSam((WCHAR*)sPath); pNode->SetType(sAcctType); if ( !UStrICmp(sAcctType,L"group") ) { // in NT4, only global groups can be members of other groups
pNode->SetGroupType(2); } //Get the source domain sid from the user
pNode->SetSourceSid(pAcct->GetSourceSid()); // build a source WinNT path
wsprintf(sSourcePath, L"WinNT://%s/%s", pOptions->srcDomain, (WCHAR*)sPath); pNode->SetSourcePath(sSourcePath);
if (acctlist->InsertIfNew(pNode)) { WCHAR szSam[LEN_Path]; wcscpy(szSam, pNode->GetTargetSam()); TruncateSam(szSam, pNode, pOptions, acctlist); pNode->SetTargetSam(szSam); AddPrefixSuffix(pNode, pOptions); } else { delete pNode; } } else { wsprintf(mesg,GET_STRING(IDS_EXPANDING_IGNORING_SS), pAcct->GetName(), (WCHAR*) sPath); Progress(mesg); } } else { err.MsgWrite(ErrW, DCT_MSG_IGNORING_BUILTIN_S, (WCHAR*)sPath); Mark("warnings", pAcct->GetType()); } } else { wsprintf(mesg, GET_STRING(IDS_EXPANDING_IGNORING_SS), pAcct->GetName(), (WCHAR*) sPath); Progress(mesg); } } } pEnum->Release(); var.Clear(); } pAcct = (TAcctReplNode *) pAcct->Next(); } } pUnk->Release(); return TRUE; }
// If we are here that means that we are dealing with Win2k
while ( bExpanded ) { bExpanded = false; // Go through the list of accounts and expand them one at a time
pAcct = (TAcctReplNode *)acctlist->Head(); while (pAcct) { // If we have already expanded the account then we dont need to process it again.
if ( pAcct->bExpanded ) { pAcct = (TAcctReplNode *) pAcct->Next(); continue; }
//Set the flag to say that we expanded something.
bExpanded = true; pAcct->bExpanded = true;
if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } DWORD scope = 0; sCont = pAcct->GetSourcePath(); sQuery = L"(objectClass=*)"; if ( wcslen(pAcct->GetSourceSam()) == 0 ) { scope = ADS_SCOPE_SUBTREE; // Build the column array
cols = SafeArrayCreate(VT_BSTR, 1, &bd); SafeArrayAccessData(cols, (void HUGEP **) &pData); for ( int i = 0; i < nElt; i++) pData[i] = SysAllocString(sCols1[i]); SafeArrayUnaccessData(cols); } else { scope = ADS_SCOPE_BASE; // Build the column array
cols = SafeArrayCreate(VT_BSTR, 1, &bd); SafeArrayAccessData(cols, (void HUGEP **) &pData); for ( int i = 0; i < nElt; i++) pData[i] = SysAllocString(sCols[i]); SafeArrayUnaccessData(cols); } hr = pQuery->raw_SetQuery(sCont, pOptions->srcDomain, sQuery, scope, TRUE); if (FAILED(hr)) return FALSE; hr = pQuery->raw_SetColumns(cols); if (FAILED(hr)) return FALSE; hr = pQuery->raw_Execute(&pEnum); if (FAILED(hr)) return FALSE;
while (pEnum->Next(1, &var, &dwf) == S_OK) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } vals = var.parray; // Get the VARIANT Array out
SafeArrayAccessData(vals, (void HUGEP**) &pDt); vx = pDt[0]; SafeArrayUnaccessData(vals);
if ( vx.vt == VT_BSTR ) { // We got back a BSTR which could be the value that we are looking for
sPath = V_BSTR(&vx); // Enumerator returns empty strings which we need to ignore.
if ( sPath.length() > 0 ) { if ( GetSamFromPath(sPath, sSam, sType, sName, sTgtName, lgrpType, pOptions) && CompareDCPath((WCHAR*)sPath, pAcct->GetSourcePath())) { if ( pOptions->flags & F_COPY_MIGRATED_ACCT ) hr = S_FALSE; else hr = pOptions->pDb->raw_GetAMigratedObject(sSam, pOptions->srcDomain, pOptions->tgtDomain, &pUnk);
if ( hr != S_OK ) { // We don't care about the objects that we have migrated because they will be picked up automatically
if ( _wcsicmp((WCHAR*) sType, L"computer") != 0 ) { TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; pNode->SetSourceSam((WCHAR*)sSam); pNode->SetTargetSam((WCHAR*)sSam); pNode->SetName((WCHAR*)sName); pNode->SetTargetName((WCHAR*)sTgtName); pNode->SetType((WCHAR*)sType); pNode->SetSourcePath((WCHAR*)sPath); pNode->SetGroupType(lgrpType); //Get the source domain sid from the user
pNode->SetSourceSid(pAcct->GetSourceSid());
if (acctlist->InsertIfNew(pNode)) { WCHAR szSam[LEN_Path]; TruncateSam(szSam, pNode, pOptions, acctlist); pNode->SetTargetSam(szSam); AddPrefixSuffix(pNode, pOptions); } else { delete pNode; }
wsprintf(mesg, GET_STRING(IDS_EXPANDING_ADDING_SS), pAcct->GetName(), (WCHAR*) sSam); Progress(mesg); } else { wsprintf(mesg, GET_STRING(IDS_EXPANDING_IGNORING_SS), pAcct->GetName(), (WCHAR*) sSam); Progress(mesg); } } else { wsprintf(mesg, GET_STRING(IDS_EXPANDING_IGNORING_SS), pAcct->GetName(), (WCHAR*) sSam); Progress(mesg); } } } // continue;
}
// if (! ( vx.vt & VT_ARRAY ) )
// continue;
if ( vx.vt & VT_ARRAY ) // We must have got an Array of multivalued properties
multiVals = vx.parray; else { // We need to also process the accounts that have this group as its primary group.
SAFEARRAYBOUND bd = { 0, 0 }; multiVals = SafeArrayCreate(VT_VARIANT, 1, &bd); } AddPrimaryGroupMembers(pOptions, multiVals, const_cast<WCHAR*>(pAcct->GetTargetSam()));
// Access the BSTR elements of this variant array
SafeArrayAccessData(multiVals, (void HUGEP **) &pVar); for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } _bstr_t sDN = _bstr_t(pVar[dw]); sDN = PadDN(sDN);
sPath = _bstr_t(L"LDAP://") + _bstr_t(pOptions->srcDomain) + _bstr_t(L"/") + sDN; if ( GetSamFromPath(sPath, sSam, sType, sName, sTgtName, lgrpType, pOptions) && CompareDCPath((WCHAR*)sPath, pAcct->GetSourcePath())) { if ( pOptions->flags & F_COPY_MIGRATED_ACCT ) hr = S_FALSE; else hr = pOptions->pDb->raw_GetAMigratedObject(sSam, pOptions->srcDomain, pOptions->tgtDomain, &pUnk);
if ( hr != S_OK ) { // We don't care about the objects that we have migrated because they will be picked up automatically
if ( _wcsicmp((WCHAR*) sType, L"computer") != 0 ) { TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; pNode->SetSourceSam((WCHAR*)sSam); pNode->SetTargetSam((WCHAR*)sSam); pNode->SetName((WCHAR*)sName); pNode->SetTargetName((WCHAR*)sTgtName); pNode->SetType((WCHAR*)sType); pNode->SetSourcePath((WCHAR*)sPath); pNode->SetGroupType(lgrpType); //Get the source domain sid from the user
pNode->SetSourceSid(pAcct->GetSourceSid());
if (acctlist->InsertIfNew(pNode)) { WCHAR szSam[LEN_Path]; wcscpy(szSam, sSam); TruncateSam(szSam, pNode, pOptions, acctlist); pNode->SetTargetSam(szSam); AddPrefixSuffix(pNode, pOptions); } else { delete pNode; }
wsprintf(mesg, GET_STRING(IDS_EXPANDING_ADDING_SS), pAcct->GetName(), (WCHAR*) sSam); Progress(mesg); } else { wsprintf(mesg, GET_STRING(IDS_EXPANDING_IGNORING_SS), pAcct->GetName(), (WCHAR*) sSam); Progress(mesg); } } else { wsprintf(mesg, GET_STRING(IDS_EXPANDING_IGNORING_SS), pAcct->GetName(), (WCHAR*) sSam); Progress(mesg); } } } SafeArrayUnaccessData(multiVals); } pEnum->Release(); var.Clear(); pAcct = (TAcctReplNode*)pAcct->Next(); } } pUnk->Release(); return TRUE;}
//--------------------------------------------------------------------------
// IsContainer : Checks if the account in question is a container type
// if it is then it returns a IADsContainer * to it.
//--------------------------------------------------------------------------
BOOL CAcctRepl::IsContainer(TAcctReplNode *pNode, IADsContainer **ppCont){ HRESULT hr; hr = ADsGetObject(const_cast<WCHAR*>(pNode->GetSourcePath()), IID_IADsContainer, (void**)ppCont); return SUCCEEDED(hr);}
BOOL CAcctRepl::GetSamFromPath(_bstr_t sPath, _bstr_t& sSam, _bstr_t& sType, _bstr_t& sSrcName, _bstr_t& sTgtName, long& grpType, Options * pOptions){ HRESULT hr; IADsPtr pAds; BOOL bIsCritical = FALSE; BOOL rc = TRUE;
sSam = L""; // Get the object so we can ask the questions from it.
hr = ADsGetObject((WCHAR*)sPath, IID_IADs, (void**)&pAds); if ( FAILED(hr) ) return FALSE;
if ( SUCCEEDED(hr)) { VARIANT var; VariantInit(&var); hr = pAds->Get(L"isCriticalSystemObject", &var); if ( SUCCEEDED(hr) ) { // This will only succeed for the Win2k objects.
bIsCritical = (V_BOOL(&var) == VARIANT_TRUE) ? TRUE : FALSE; VariantClear(&var); } else { // This must be a NT4 account. We need to get the SID and check if
// it's RID belongs to the BUILTIN rids.
hr = pAds->Get(L"objectSID", &var); if ( SUCCEEDED(hr) ) { SAFEARRAY * pArray = V_ARRAY(&var); PSID pSid; hr = SafeArrayAccessData(pArray, (void**)&pSid); if ( SUCCEEDED(hr) ) { PUCHAR ucCnt = GetSidSubAuthorityCount(pSid); DWORD * rid = (DWORD *) GetSidSubAuthority(pSid, (*ucCnt)-1); bIsCritical = BuiltinRid(*rid); if ( bIsCritical ) { BSTR sName; hr = pAds->get_Name(&sName); bIsCritical = CheckBuiltInWithNTApi(pSid, (WCHAR*)sName, pOptions); SysFreeString(sName); } hr = SafeArrayUnaccessData(pArray); } VariantClear(&var); } } }
// Get the class from the object. If it is a container/ou class then it will not have a SAM name so put the CN= or OU= into the list
BSTR bstr = 0; hr = pAds->get_Class(&bstr); if ( FAILED(hr) ) rc = FALSE;
if ( rc ) { sType = _bstr_t(bstr, false); if (UStrICmp((WCHAR*) sType, L"organizationalUnit") == 0) { bstr = 0; hr = pAds->get_Name(&bstr); sSrcName = _bstr_t(L"OU=") + _bstr_t(bstr, false); sTgtName = sSrcName; sSam = L""; if ( FAILED(hr) ) rc = FALSE; } else if (UStrICmp((WCHAR*) sType, L"container") == 0) { bstr = 0; hr = pAds->get_Name(&bstr); sSrcName = _bstr_t(L"CN=") + _bstr_t(bstr, false); sTgtName = sSrcName; sSam = L""; if ( FAILED(hr) ) rc = FALSE; } else { bstr = 0; hr = pAds->get_Name(&bstr); sSrcName = _bstr_t(bstr, false);
//if the name includes a '/', then we have to get the escaped version from the path
//due to a bug in W2K.
if (wcschr((WCHAR*)sSrcName, L'/')) { _bstr_t sCNName = GetCNFromPath(sPath); if (sCNName.length() != 0) sSrcName = sCNName; }
// if inter-forest migration and source object is an InetOrgPerson then...
if ((pOptions->bSameForest == FALSE) && (_wcsicmp(sType, s_ClassInetOrgPerson) == 0)) { //
// must use the naming attribute of the target forest
//
// retrieve naming attribute for this class in target forest
SNamingAttribute naNamingAttribute;
if (FAILED(GetNamingAttribute(pOptions->tgtDomainDns, s_ClassInetOrgPerson, naNamingAttribute))) { err.MsgWrite(ErrE, DCT_MSG_CANNOT_GET_NAMING_ATTRIBUTE_SS, s_ClassInetOrgPerson, pOptions->tgtDomainDns); Mark(L"errors", sType); return FALSE; }
_bstr_t strNamingAttribute(naNamingAttribute.strName.c_str());
// retrieve source attribute value
VARIANT var; VariantInit(&var);
if (FAILED(pAds->Get(strNamingAttribute, &var))) { err.MsgWrite(ErrE, DCT_MSG_CANNOT_GET_SOURCE_ATTRIBUTE_REQUIRED_FOR_NAMING_SSS, naNamingAttribute.strName.c_str(), sPath, pOptions->tgtDomainDns); Mark(L"errors", sType); return FALSE; }
// set target naming attribute value from source attribute value
sTgtName = strNamingAttribute + L"=" + _bstr_t(_variant_t(var, false)); } else { // else set target name equal to source name
sTgtName = sSrcName; }
VARIANT var; VariantInit(&var); hr = pAds->Get(L"sAMAccountName", &var); if ( FAILED(hr)) rc = FALSE; sSam = _variant_t(var, false); if ( UStrICmp((WCHAR*) sType, L"group") == 0) { // we need to get and set the group type
pAds->Get(L"groupType", &var); if ( SUCCEEDED(hr)) grpType = _variant_t(var, false); } } if ( bIsCritical ) { // Builtin account so we are going to ignore this account.
//Don't log this message in IntraForest because we do mess with it
// Also if it is a Domain Users group we add the migrated objects to it by default.
if ( !pOptions->bSameForest && _wcsicmp((WCHAR*) sSam, pOptions->sDomUsers)) { err.MsgWrite(ErrW, DCT_MSG_IGNORING_BUILTIN_S, (WCHAR*)sPath); Mark(L"warnings", (WCHAR*) sType); } rc = FALSE; } }
return rc;}
//-----------------------------------------------------------------------------
// ExpandMembership : This method expands the account list to encorporate the
// groups that contain the members in the account list.
//-----------------------------------------------------------------------------
BOOL CAcctRepl::ExpandMembership( TNodeListSortable *acctlist, //in- Accounts being processed
Options *pOptions, //in- Options specified by the user
TNodeListSortable *pNewAccts, //out-The newly Added accounts.
ProgressFn *progress, //in- Show status
BOOL bGrpsOnly, //in- Expand for groups only
BOOL bAnySourceDomain //in- include groups from any domain (fix group membership)
){ TAcctReplNode * pAcct; HRESULT hr = S_OK; _variant_t var; MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); DWORD dwMaj, dwMin, dwSP; IVarSetPtr pVs(__uuidof(VarSet)); PSID pSid = NULL; SID_NAME_USE use; DWORD dwNameLen = LEN_Path; DWORD dwDomName = LEN_Path; c_array<WCHAR> achDomain(LEN_Path); c_array<WCHAR> achDomUsers(LEN_Path); BOOL rc = FALSE; long lgrpType; c_array<WCHAR> achMesg(LEN_Path);
IUnknownPtr spUnknown(pVs); IUnknown* pUnk = spUnknown;
// Change from a tree to a sorted list
if ( acctlist->IsTree() ) acctlist->ToSorted();
// Get the Domain Users group name
pSid = GetWellKnownSid(DOMAIN_USERS, pOptions,FALSE); if ( pSid ) { // since we have the well known SID now we can get its name
if ( ! LookupAccountSid(pOptions->srcComp, pSid, achDomUsers, &dwNameLen, achDomain, &dwDomName, &use) ) hr = HRESULT_FROM_WIN32(GetLastError()); else wcscpy(pOptions->sDomUsers, achDomUsers); FreeSid(pSid); }
// Check the domain type for the source domain.
if ( SUCCEEDED(hr) ) hr = pAccess->raw_GetOsVersion(pOptions->srcComp, &dwMaj, &dwMin, &dwSP); if ( SUCCEEDED(hr)) { if ( dwMaj < 5 ) { // NT4 objects we need to use NT API to get the groups that this account is a member of.
LPGROUP_USERS_INFO_0 pBuf = NULL; DWORD dwLevel = 0; DWORD dwPrefMaxLen = 0xFFFFFFFF; DWORD dwEntriesRead = 0; DWORD dwTotalEntries = 0; NET_API_STATUS nStatus; c_array<WCHAR> achGrpName(LEN_Path); _bstr_t strType; BOOL bBuiltin; long numGroups = 0;
//get a varset of previously migrated groups (we will need this if any accounts being migrated are groups
hr = pOptions->pDb->raw_GetMigratedObjectByType(-1, _bstr_t(L""), _bstr_t(L"group"), &pUnk); if ( SUCCEEDED(hr) ) { //get the num of objects in the varset
numGroups = pVs->get(L"MigratedObjects"); }
m_IgnoredGrpMap.clear(); //clear the ignored group map used to optimize group fixup
//for each account, enumerate its membership in any previously migrated groups
for ( pAcct = (TAcctReplNode*)acctlist->Head(); pAcct; pAcct = (TAcctReplNode*)pAcct->Next()) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
//if user
if (!_wcsicmp(pAcct->GetType(), s_ClassUser) || !_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson)) { //User object
nStatus = NetUserGetGroups(pOptions->srcComp, pAcct->GetName(), 0, (LPBYTE*)&pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries ); if (nStatus == NERR_Success) { for ( DWORD i = 0; i < dwEntriesRead; i++ ) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
//see if this group is in the acctlist and successfully migrated. If so, then we
//should not need to add this to the list.
Lookup p; p.pName = pBuf[i].grui0_name; strType = L"group"; p.pType = strType; TAcctReplNode * pFindNode = (TAcctReplNode *) acctlist->Find(&TNodeFindAccountName, &p); if (pFindNode && (pFindNode->WasCreated() || pFindNode->WasReplaced()) && (bGrpsOnly)) continue;
//if we are doing group membership fixup, see if this group
//is already in the new list we are creating. If so, just add this member to the
//member map for this group node. This will save us the waste of
//recalculating all the fields and save on memory.
pFindNode = NULL; if ((!pOptions->expandMemberOf) || ((pOptions->expandMemberOf) && (bGrpsOnly))) { pFindNode = (TAcctReplNode *) pNewAccts->Find(&TNodeFindAccountName, &p); if (pFindNode) { pFindNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); continue; } }
//we also want to avoid the slow code below if we are expanding users' groups for inclusion
//in the migration and that group has already been added to the new list by another user
pFindNode = NULL; if ((pOptions->expandMemberOf) && (!bGrpsOnly)) { //if already included by another user, move on to the next group for this user
pFindNode = (TAcctReplNode *) pNewAccts->Find(&TNodeFindAccountName, &p); if (pFindNode) continue; }
//if this group has already been placed in the ignore map, continue on to
//the next group
CGroupNameMap::iterator itGroupNameMap; itGroupNameMap = m_IgnoredGrpMap.find(pBuf[i].grui0_name); //if found, continue with the next group
if (itGroupNameMap != m_IgnoredGrpMap.end()) continue;
bBuiltin = IsBuiltinAccount(pOptions, pBuf[i].grui0_name); // Ignore the Domain users group.
if ( (_wcsicmp(pBuf[i].grui0_name, achDomUsers) != 0) && !bBuiltin) { wsprintf(achMesg, GET_STRING(IDS_EXPANDING_GROUP_ADDING_SS), pAcct->GetName(), pBuf[i].grui0_name); Progress(achMesg); // This is the global group type by default
strType = L"group"; // Get the name of the group and add it to the list if it does not already exist in the list.
wcscpy(achGrpName, pBuf[i].grui0_name);
TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; // Source name stays as is
pNode->SetName(achGrpName); pNode->SetSourceSam(achGrpName); pNode->SetType(strType); pNode->SetGroupType(2); pNode->SetTargetName(achGrpName); //Get the source domain sid from the user
pNode->SetSourceSid(pAcct->GetSourceSid()); // Look if we have migrated the group
hr = pOptions->pDb->raw_GetAMigratedObject(achGrpName, pOptions->srcDomain, pOptions->tgtDomain, &pUnk); if ( hr == S_OK ) { VerifyAndUpdateMigratedTarget(pOptions, pVs);
var = pVs->get(L"MigratedObjects.SourceAdsPath"); pNode->SetSourcePath(var.bstrVal); //Get the target name and assign that to the node
var = pVs->get(L"MigratedObjects.TargetSamName"); pNode->SetTargetSam(V_BSTR(&var)); pNode->SetTargetName(V_BSTR(&var)); // Get the path too
var = pVs->get(L"MigratedObjects.TargetAdsPath"); pNode->SetTargetPath(V_BSTR(&var)); // Get the type too
var = pVs->get(L"MigratedObjects.Type"); strType = V_BSTR(&var); pNode->SetType(strType);
//if they dont want to copy migrated objects, or they do but it was .
if (!(pOptions->flags & F_COPY_MIGRATED_ACCT)) { pNode->operations = 0; pNode->operations |= OPS_Process_Members; // Since the account has already been created we should go ahead and mark it created
// so that the processing of group membership can continue.
pNode->MarkCreated(); } //else if already migrated, mark already there so that we fix group membership whether we migrate the group or not
else { if (pOptions->flags & F_REPLACE) pNode->operations |= OPS_Process_Members; else pNode->operations = OPS_Create_Account | OPS_Process_Members | OPS_Copy_Properties; // We need to add the account to the list with the member map set so that we can add the
// member to the migrated group
pNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); pNode->MarkAlreadyThere(); }
if ( !pOptions->expandMemberOf ) { // We need to add the account to the list with the member map set so that we can add the
// member to the migrated group
pNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); pNewAccts->Insert((TNode *) pNode); } } else { // account has not been previously copied so we will set it up
if ( pOptions->expandMemberOf ) { TruncateSam(achGrpName, pNode, pOptions, acctlist); pNode->SetTargetSam(achGrpName); FillPathInfo(pNode,pOptions); AddPrefixSuffix(pNode, pOptions); } else { //if containing group has not been migrated, and was not to be migrated in this operation
//then we should add it to the ignore map in case it contains other objects currently
//being migrated.
m_IgnoredGrpMap.insert(CGroupNameMap::value_type((WCHAR*)achGrpName, strType)); delete pNode; } } if ( pOptions->expandMemberOf ) { if ( ! pNewAccts->InsertIfNew((TNode*) pNode) ) delete pNode; } }
if (bBuiltin) { // BUILTIN account error message
err.MsgWrite(ErrW, DCT_MSG_IGNORING_BUILTIN_S, pBuf[i].grui0_name); Mark(L"warnings", pAcct->GetType()); } }//end for each group
}//if got groups
if (pBuf != NULL) NetApiBufferFree(pBuf);
// Process local groups
pBuf = NULL; dwLevel = 0; dwPrefMaxLen = 0xFFFFFFFF; dwEntriesRead = 0; dwTotalEntries = 0; DWORD dwFlags = 0 ; nStatus = NetUserGetLocalGroups(pOptions->srcComp, pAcct->GetName(), 0, dwFlags, (LPBYTE*)&pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries ); if (nStatus == NERR_Success) { for ( DWORD i = 0; i < dwEntriesRead; i++ ) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
//see if this group is in the acctlist and successfully migrated. If so, then we
//should not need to add this to the list.
Lookup p; p.pName = pBuf[i].grui0_name; strType = L"group"; p.pType = strType; TAcctReplNode * pFindNode = (TAcctReplNode *) acctlist->Find(&TNodeFindAccountName, &p); if (pFindNode && (pFindNode->WasCreated() || pFindNode->WasReplaced()) && (bGrpsOnly)) continue;
//if we are doing group membership fixup, see if this group
//is already in the new list we are creating. If so, just add this member to the
//member map for this group node. This will save us the waste of
//recalculating all the fields and save on memory.
pFindNode = NULL; if ((!pOptions->expandMemberOf) || ((pOptions->expandMemberOf) && (bGrpsOnly))) { pFindNode = (TAcctReplNode *) pNewAccts->Find(&TNodeFindAccountName, &p); if (pFindNode) { pFindNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); continue; } }
//we also want to avoid the slow code below if we are expanding users' groups for inclusion
//in the migration and that group has already been added to the new list by another user
pFindNode = NULL; if ((pOptions->expandMemberOf) && (!bGrpsOnly)) { //if already included by another user, move on to the next group for this user
pFindNode = (TAcctReplNode *) pNewAccts->Find(&TNodeFindAccountName, &p); if (pFindNode) continue; }
//if this group has already been placed in the ignore map, continue on to
//the next group
CGroupNameMap::iterator itGroupNameMap; itGroupNameMap = m_IgnoredGrpMap.find(pBuf[i].grui0_name); //if found, continue with the next group
if (itGroupNameMap != m_IgnoredGrpMap.end()) continue;
if (!IsBuiltinAccount(pOptions, pBuf[i].grui0_name)) { strType = L"group"; // Get the name of the group and add it to the list if it does not already exist in the list.
wcscpy(achGrpName, pBuf[i].grui0_name); wsprintf(achMesg, GET_STRING(IDS_EXPANDING_GROUP_ADDING_SS), pAcct->GetName(), (WCHAR*)achGrpName); Progress(achMesg); TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; pNode->SetName(achGrpName); pNode->SetSourceSam(achGrpName); pNode->SetType(strType); pNode->SetGroupType(4); pNode->SetTargetName(achGrpName); //Get the source domain sid from the user
pNode->SetSourceSid(pAcct->GetSourceSid()); // Look if we have migrated the group
hr = pOptions->pDb->raw_GetAMigratedObject(achGrpName, pOptions->srcDomain, pOptions->tgtDomain, &pUnk); if ( hr == S_OK ) { VerifyAndUpdateMigratedTarget(pOptions, pVs);
var = pVs->get(L"MigratedObjects.SourceAdsPath"); pNode->SetSourcePath(var.bstrVal); //Get the target name and assign that to the node
var = pVs->get(L"MigratedObjects.TargetSamName"); pNode->SetTargetName(V_BSTR(&var)); pNode->SetTargetSam(V_BSTR(&var)); // Get the path too
var = pVs->get(L"MigratedObjects.TargetAdsPath"); pNode->SetTargetPath(V_BSTR(&var)); // Get the type too
var = pVs->get(L"MigratedObjects.Type"); strType = V_BSTR(&var); //if they dont want to copy migrated objects, or they do but it was .
if (!(pOptions->flags & F_COPY_MIGRATED_ACCT)) { pNode->operations = 0; pNode->operations |= OPS_Process_Members; // Since the account has already been created we should go ahead and mark it created
// so that the processing of group membership can continue.
pNode->MarkCreated(); } //else if already migrated, mark already there so that we fix group membership whether we migrate the group or not
else { if (pOptions->flags & F_REPLACE) pNode->operations |= OPS_Process_Members; else pNode->operations = OPS_Create_Account | OPS_Process_Members | OPS_Copy_Properties; // We need to add the account to the list with the member map set so that we can add the
// member to the migrated group
pNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); pNode->MarkAlreadyThere(); }
pNode->SetType(strType); pNode->SetGroupType(4); if ( !pOptions->expandMemberOf ) { // We need to add the account to the list with the member map set so that we can add the
// member to the migrated group
pNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); pNewAccts->Insert((TNode *) pNode); } }//if migrated
else { // account has not been previously copied so we will set it up
if ( pOptions->expandMemberOf ) { TruncateSam(achGrpName, pNode, pOptions, acctlist); pNode->SetTargetSam(achGrpName); FillPathInfo(pNode,pOptions); AddPrefixSuffix(pNode, pOptions); } else { //if containing group has not been migrated, and was not to be migrated in this operation
//then we should add it to the ignore map in case it contains other objects currently
//being migrated.
m_IgnoredGrpMap.insert(CGroupNameMap::value_type((WCHAR*)achGrpName, strType)); delete pNode; } } if ( pOptions->expandMemberOf ) { if ( ! pNewAccts->InsertIfNew((TNode*) pNode) ) { delete pNode; } } }//end if not built-in
else { // BUILTIN account error message
err.MsgWrite(ErrW, DCT_MSG_IGNORING_BUILTIN_S, pBuf[i].grui0_name); Mark(L"warnings", pAcct->GetType()); } }//for each local group
}//if any local groups
if (pBuf != NULL) NetApiBufferFree(pBuf); }//end if user and should expand
//if global group, expand membership of previously migrated groups (don't need
//to enumerate groups which local groups are members of since they cannot be
//placed in another group)
if ((!_wcsicmp(pAcct->GetType(), L"group")) && (pAcct->GetGroupType() & 2)) { //for each previously migrated group, check for account as member
for (long ndx = 0; ndx < numGroups; ndx++) { _bstr_t tgtAdsPath = L""; WCHAR text[MAX_PATH]; IADsGroupPtr pGrp; VARIANT_BOOL bIsMem = VARIANT_FALSE; _variant_t var;
//check for abort
if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
/* since global groups cannot contain other groups on NT4, universal
groups did not exist on NT4.0, and both cannot contain members outside the forest, we can ignore them */ //get this previously migrated group's type
swprintf(text,L"MigratedObjects.%ld.%s",ndx,GET_STRING(DB_Type)); _bstr_t sMOTGrpType = pVs->get(text); if ((!wcscmp((WCHAR*)sMOTGrpType, L"ggroup")) || (!wcscmp((WCHAR*)sMOTGrpType, L"ugroup"))) continue;
//get this previously migrated group's target ADSPath
swprintf(text,L"MigratedObjects.%ld.%s",ndx,GET_STRING(DB_TargetAdsPath)); tgtAdsPath = pVs->get(text); if (!tgtAdsPath.length()) break; //connect to the previously migrated target group
hr = ADsGetObject(tgtAdsPath, IID_IADsGroup, (void**)&pGrp); if (FAILED(hr)) continue; //get that group's type
hr = pGrp->Get(L"groupType", &var); //if that previously migrated group is a local group, see if this
//account is a member
if ((SUCCEEDED(hr)) && (var.lVal & 4)) { //get the source object's sid from the migrate objects table
//(source AdsPath will not work)
WCHAR strSid[MAX_PATH]; WCHAR strRid[MAX_PATH]; DWORD lenStrSid = DIM(strSid); GetTextualSid(pAcct->GetSourceSid(), strSid, &lenStrSid); _bstr_t sSrcDmSid = strSid; _ltow((long)(pAcct->GetSourceRid()), strRid, 10); _bstr_t sSrcRid = strRid; if ((!sSrcDmSid.length()) || (!sSrcRid.length())) continue;
//build an LDAP path to the src object in the group
_bstr_t sSrcSid = sSrcDmSid + _bstr_t(L"-") + sSrcRid; _bstr_t sSrcLDAPPath = L"LDAP://"; sSrcLDAPPath += _bstr_t(pOptions->tgtComp + 2); sSrcLDAPPath += L"/CN="; sSrcLDAPPath += sSrcSid; sSrcLDAPPath += L",CN=ForeignSecurityPrincipals,"; sSrcLDAPPath += pOptions->tgtNamingContext; //got the source LDAP path, now see if that account is in the group
hr = pGrp->IsMember(sSrcLDAPPath, &bIsMem); //if it is a member, then add this groups to the list
if (SUCCEEDED(hr) && bIsMem) { _bstr_t sTemp; //create a new node to add to the list
swprintf(text,L"MigratedObjects.%ld.%s",ndx,GET_STRING(DB_SourceSamName)); sTemp = pVs->get(text); wsprintf(achMesg, GET_STRING(IDS_EXPANDING_GROUP_ADDING_SS), pAcct->GetName(), (WCHAR*)sTemp); Progress(achMesg); TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; pNode->SetName(sTemp); pNode->SetSourceSam(sTemp); pNode->SetTargetName(sTemp); pNode->SetGroupType(4); pNode->SetTargetPath(tgtAdsPath); swprintf(text,L"MigratedObjects.%ld.%s",ndx,GET_STRING(DB_TargetSamName)); sTemp = pVs->get(text); pNode->SetTargetSam(sTemp); swprintf(text,L"MigratedObjects.%ld.%s",ndx,GET_STRING(DB_SourceDomainSid)); sTemp = pVs->get(text); pNode->SetSourceSid(SidFromString((WCHAR*)sTemp)); swprintf(text,L"MigratedObjects.%ld.%s",ndx,GET_STRING(DB_SourceAdsPath)); sTemp = pVs->get(text); pNode->SetSourcePath(sTemp); swprintf(text,L"MigratedObjects.%ld.%s",ndx,GET_STRING(DB_Type)); sTemp = pVs->get(text); pNode->SetType(sTemp); if ( !(pOptions->flags & F_COPY_MIGRATED_ACCT)) { // Since the account already exists we can tell it just to update group memberships
pNode->operations = 0; pNode->operations |= OPS_Process_Members; // Since the account has already been created we should go ahead and mark it created
// so that the processing of group membership can continue.
pNode->MarkCreated(); } // We need to add the account to the list with the member map set so that we can add the
// member to the migrated group
pNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); pNewAccts->Insert((TNode *) pNode); }//end if local group has as member
}//end if local group
}//end for each group
}//end if global group
}//for each account in the list
m_IgnoredGrpMap.clear(); //clear the ignored group map used to optimize group fixup
}//end if NT 4.0 objects
else { // Win2k objects so we need to go to active directory and query the memberOf field of each of these objects and update the
// list.
INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); LPWSTR sCols[] = { L"memberOf" }; int nCols = DIM(sCols); SAFEARRAYBOUND bd = { nCols, 0 }; wstring strQuery; DWORD dwf = 0;
//
// In order to determine if an object is a member of a universal group outside of the source domain
// it is necessary to query the memberOf attribute of the member in the global catalog. Querying
// this attribute in the source domain only returns universal groups that are in the source domain.
//
// Only if universal groups have been migrated is it necessary to query the global catalog therefore
// will query the migrated objects table to determine if any universal groups have been migrated. If
// universal groups have been migrated then set query global catalog to true.
//
bool bQueryGlobalCatalog = false; _bstr_t strGlobalCatalogServer;
IVarSetPtr spUniversalGroups(__uuidof(VarSet)); IUnknownPtr spunkUniversalGroups(spUniversalGroups); IUnknown* punkUniversalGroups = spunkUniversalGroups;
HRESULT hrUniversalGroups = pOptions->pDb->raw_GetMigratedObjectByType( -1L, _bstr_t(L""), _bstr_t(L"ugroup"), &punkUniversalGroups );
if (SUCCEEDED(hrUniversalGroups)) { long lCount = spUniversalGroups->get(L"MigratedObjects");
if (lCount > 0) { //
// If able to retrieve name of global catalog server in source forest
// then set query global catalog to true otherwise log error message
// as ADMT will be unable to fix-up group memberships for universal
// groups that are outside of the source domain.
//
DWORD dwError = GetGlobalCatalogServer4(pOptions->srcDomain, strGlobalCatalogServer);
if ((dwError == ERROR_SUCCESS) && (strGlobalCatalogServer.length() > 0)) { bQueryGlobalCatalog = true; } else { err.SysMsgWrite(ErrW, HRESULT_FROM_WIN32(dwError), DCT_MSG_UNABLE_TO_QUERY_GROUPS_IN_GLOBAL_CATALOG_SERVER_S, pOptions->srcDomain); } } }
spunkUniversalGroups.Release(); spUniversalGroups.Release();
m_IgnoredGrpMap.clear(); //clear the ignored group map used to optimize group fixup
for ( pAcct = (TAcctReplNode*)acctlist->Head(); pAcct; pAcct = (TAcctReplNode*)pAcct->Next()) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } // Get the Accounts Primary group. This is not in the memberOf property for some reason.(Per Richard Ault in Firstwave NewsGroup)
IADsPtr spADs; _variant_t varRid; _bstr_t sPath; _bstr_t sSam; _bstr_t sType; _bstr_t sName; _bstr_t sTgtName;
hr = ADsGetObject(const_cast<WCHAR*>(pAcct->GetSourcePath()), IID_IADs, (void**)&spADs); if ( SUCCEEDED(hr)) { VARIANT var; VariantInit(&var); hr = spADs->Get(L"primaryGroupID", &var); varRid = _variant_t(var, false); spADs.Release(); } if ( SUCCEEDED(hr) ) { c_array<WCHAR> achSam(LEN_Path); c_array<WCHAR> achAcctName(LEN_Path); DWORD cbName = LEN_Path; SID_NAME_USE sidUse; // Get the SID from the RID
PSID sid = GetWellKnownSid(varRid.lVal, pOptions); // Lookup the sAMAccountNAme from the SID
if ( LookupAccountSid(pOptions->srcComp, sid, achAcctName, &cbName, achDomain, &dwDomName, &sidUse) ) { //see if this group was not migrated due to a conflict, if so then
//we need to fix up this membership
bool bInclude = true; Lookup p; p.pName = (WCHAR*)sSam; p.pType = (WCHAR*)sType; TAcctReplNode * pFindNode = (TAcctReplNode *) acctlist->Find(&TNodeFindAccountName, &p); if (pFindNode && (pFindNode->WasCreated() || pFindNode->WasReplaced()) && (bGrpsOnly)) bInclude = false;
// We have the SAM Account name for the Primary group so lets Fill the node and add it to the list.
// Ignore in case of the Domain Users group.
if ( varRid.lVal != DOMAIN_GROUP_RID_USERS) { TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; pNode->SetName(achAcctName); pNode->SetTargetName(achAcctName); pNode->SetSourceSam(achAcctName); wcscpy(achSam, achAcctName); TruncateSam(achSam, pNode, pOptions, acctlist); pNode->SetTargetSam(achSam); pNode->SetType(L"group"); //Get the source domain sid from the user
pNode->SetSourceSid(pAcct->GetSourceSid()); AddPrefixSuffix(pNode, pOptions); FillPathInfo(pNode, pOptions); // See if the object is migrated
hr = pOptions->pDb->raw_GetAMigratedObject(achAcctName, pOptions->srcDomain, pOptions->tgtDomain, &pUnk); if ( hr == S_OK ) { if ((!(pOptions->expandMemberOf) || ((pOptions->expandMemberOf) && ((!(pOptions->flags & F_COPY_MIGRATED_ACCT)) || (bInclude)))) || (!_wcsicmp(pAcct->GetType(), L"group"))) { VerifyAndUpdateMigratedTarget(pOptions, pVs);
// Get the target name
sSam = pVs->get(L"MigratedObjects.TargetSamName"); pNode->SetTargetSam(sSam); // Also Get the Ads path
sPath = pVs->get(L"MigratedObjects.TargetAdsPath"); pNode->SetTargetPath(sPath); //set the target name based on the target adspath
pNode->SetTargetName(GetCNFromPath(sPath)); // Since the account is already copied we only want it to update its Group memberships
if (!(pOptions->flags & F_COPY_MIGRATED_ACCT)) { pNode->operations = 0; pNode->operations |= OPS_Process_Members; // Since the account has already been created we should go ahead and mark it created
// so that the processing of group membership can continue.
pNode->MarkCreated(); } else if (bInclude)//else if already migrated, mark already there so that we fix group membership whether we migrate the group or not
{ if (pOptions->flags & F_REPLACE) pNode->operations |= OPS_Process_Members; else pNode->operations = OPS_Create_Account | OPS_Process_Members | OPS_Copy_Properties; pNode->MarkAlreadyThere(); }
if ((!pOptions->expandMemberOf) || (!_wcsicmp(pAcct->GetType(), L"group")) || (bInclude)) { // We need to add the account to the list with the member map set so that we can add the
// member to the migrated group
pNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); pNewAccts->Insert((TNode *) pNode); } } } else if ( !pOptions->expandMemberOf ) { delete pNode; } if (( pOptions->expandMemberOf ) && (_wcsicmp(pAcct->GetType(), L"group"))) { if ( ! pNewAccts->InsertIfNew(pNode) ) delete pNode; } } } if ( sid ) FreeSid(sid); }
//
// If the global catalog needs to be queried then two queries will be performed otherwise
// only one query will be performed in the source domain.
//
// The first iteration queries the memberOf attribute of the object in the source domain
// to retrieve the local, global and universal groups in the source domain that the object
// is a member of.
//
// The second iteration queries the memberOf attribute of the object in the global catalog
// to retrieve all of the universal groups in the forest that the object is a member of.
//
// Note that if the global catalog is in the source domain that the second query will retrieve
// all of the groups in the source domain again. Also the second query will always return
// universal groups from the source domain that have already been retrieved during the first
// query. Duplicate groups are not added to the list.
//
int cQuery = bQueryGlobalCatalog ? 2 : 1;
for (int nQuery = 0; nQuery < cQuery; nQuery++) { IEnumVARIANTPtr spEnum;
// Build query stuff
strQuery = L"(&(sAMAccountName="; strQuery += pAcct->GetSourceSam();
if (!_wcsicmp(pAcct->GetType(), s_ClassUser)) strQuery += L")(objectCategory=Person)(objectClass=user))"; else if (!_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson)) strQuery += L")(objectCategory=Person)(objectClass=inetOrgPerson))"; else strQuery += L")(objectCategory=Group))";
SAFEARRAY* psaCols = SafeArrayCreate(VT_BSTR, 1, &bd); BSTR* pData; SafeArrayAccessData(psaCols, (void**)&pData); for ( int i = 0; i < nCols; i++ ) pData[i] = SysAllocString(sCols[i]); SafeArrayUnaccessData(psaCols);
//
// Query the source domain on the first iteration then
// query the global catalog on the second iteration.
//
_bstr_t strContainer;
if (nQuery == 0) { strContainer = pAcct->GetSourcePath(); } else { //
// Constuct an ADsPath from the source object's ADsPath by specifying
// the GC provider instead of the LDAP provider and specifying the
// forest DNS name for the server instead of the source domain name.
//
// The forest DNS name must be specified so that the entire forest
// may be queried otherwise only the specified domain is queried.
//
BSTR bstr = NULL;
IADsPathnamePtr spOldPathname(CLSID_Pathname);
spOldPathname->Set(_bstr_t(pAcct->GetSourcePath()), ADS_SETTYPE_FULL);
IADsPathnamePtr spNewPathname(CLSID_Pathname);
// specify global catalog
spNewPathname->Set(_bstr_t(L"GC"), ADS_SETTYPE_PROVIDER);
// specify the source global catalog server
spNewPathname->Set(strGlobalCatalogServer, ADS_SETTYPE_SERVER);
// specify source object DN
spOldPathname->Retrieve(ADS_FORMAT_X500_DN, &bstr); spNewPathname->Set(_bstr_t(bstr, false), ADS_SETTYPE_DN);
// retrieve ADsPath to source object in global catalog
spNewPathname->Retrieve(ADS_FORMAT_X500, &bstr); strContainer = _bstr_t(bstr, false); }
// Tell the object to run the query and report back to us
hr = pQuery->raw_SetQuery(strContainer, _bstr_t(pOptions->srcDomain), _bstr_t(strQuery.c_str()), ADS_SCOPE_BASE, TRUE); if (FAILED(hr)) return FALSE; hr = pQuery->raw_SetColumns(psaCols); if (FAILED(hr)) return FALSE; hr = pQuery->raw_Execute(&spEnum); if (FAILED(hr)) return FALSE; SafeArrayDestroy(psaCols);
VARIANT var; VariantInit(&var);
while (spEnum->Next(1, &var, &dwf) == S_OK) { _variant_t varMain(var, false);
if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } SAFEARRAY * vals = V_ARRAY(&varMain); // Get the VARIANT Array out
VARIANT* pDt; SafeArrayAccessData(vals, (void**) &pDt); _variant_t vx = pDt[0]; SafeArrayUnaccessData(vals); if ( vx.vt & VT_ARRAY ) { // We must have got an Array of multivalued properties
// Access the BSTR elements of this variant array
SAFEARRAY * multiVals = vx.parray; VARIANT* pVar; SafeArrayAccessData(multiVals, (void**) &pVar); for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
_bstr_t sDN = _bstr_t(V_BSTR(&pVar[dw])); sDN = PadDN(sDN);
sPath = _bstr_t(L"LDAP://") + _bstr_t(pOptions->srcDomainDns) + _bstr_t(L"/") + sDN; //see if the RDN of this group is in the acctlist. If so, then we should not need
//to add this to the list. I will do a find based on path and not name even though the
//list is sorted by name. This should be fine since the list is not in tree form.
Lookup p; p.pName = (WCHAR*)sPath; sType = L"group"; p.pType = (WCHAR*)sType; TAcctReplNode * pFindNode = (TAcctReplNode *) acctlist->Find(&TNodeFindAccountRDN, &p); if (pFindNode && (pFindNode->WasCreated() || pFindNode->WasReplaced()) && ((bGrpsOnly) || (pOptions->expandContainers))) continue;
//this group has already been placed in the ignore map, continue on to
//the next group
CGroupNameMap::iterator itGroupNameMap; itGroupNameMap = m_IgnoredGrpMap.find(sPath); //if found, continue with the next group
if (itGroupNameMap != m_IgnoredGrpMap.end()) continue; //if we are doing group membership fixup, see if the RDN of this group
//is already in the new list we are creating. If so, just add this member to the
//member map for this group node. This will save us the waste of
//recalculating all the fields and save on memory. (The compare is done based on the RDN which should
//be fine since this list is a tree sorted based on type and RDN)
pFindNode = NULL; if ((!pOptions->expandMemberOf) || ((pOptions->expandMemberOf) && (bGrpsOnly))) { pFindNode = (TAcctReplNode *) pNewAccts->Find(&TNodeFindAccountRDN, &p); if (pFindNode) { pFindNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); continue; } }
//we also want to avoid the slow code below if we are expanding users' groups for inclusion
//in the migration and that group has already been added to the new list by another user
pFindNode = NULL; if ((pOptions->expandMemberOf) && (!bGrpsOnly)) { //if already included by another user, move on to the next group for this user
pFindNode = (TAcctReplNode *) pNewAccts->Find(&TNodeFindAccountRDN, &p); if (pFindNode) continue; } if ((bAnySourceDomain || CompareDCPath(sPath, pAcct->GetSourcePath())) && GetSamFromPath(sPath, sSam, sType, sName, sTgtName, lgrpType, pOptions)) { _bstr_t strSourceDomain;
if (bAnySourceDomain) { if (CompareDCPath(sPath, pAcct->GetSourcePath())) { strSourceDomain = pOptions->srcDomain; } else { strSourceDomain = GetDomainDNSFromPath(sPath); } } else { strSourceDomain = pOptions->srcDomain; }
//see if this group was not migrated due to a conflict, if so then
//we need to fix up this membership
bool bInclude = true; p.pName = (WCHAR*)sSam; p.pType = (WCHAR*)sType; TAcctReplNode * pFindNode = (TAcctReplNode *) acctlist->Find(&TNodeFindAccountName, &p); if (pFindNode && (pFindNode->WasCreated() || pFindNode->WasReplaced()) && (bGrpsOnly)) bInclude = false;
// Ignore the Domain users group and group already being migrated
if ((_wcsicmp(sSam, achDomUsers) != 0) && (bInclude)) { wsprintf(achMesg, GET_STRING(IDS_EXPANDING_GROUP_ADDING_SS), pAcct->GetName(), (WCHAR*) sSam); Progress(achMesg); TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return FALSE; pNode->SetName(sName); pNode->SetTargetName(sTgtName); pNode->SetType(sType); pNode->SetSourcePath(sPath); pNode->SetSourceSam(sSam); c_array<WCHAR> achSam(LEN_Path); wcscpy(achSam, sSam); TruncateSam(achSam, pNode, pOptions, acctlist); pNode->SetTargetSam(achSam); //Get the source domain sid from the user
pNode->SetSourceSid(pAcct->GetSourceSid()); AddPrefixSuffix(pNode, pOptions); pNode->SetGroupType(lgrpType); // See if the object is migrated
hr = pOptions->pDb->raw_GetAMigratedObject((WCHAR*)sSam, strSourceDomain, pOptions->tgtDomain, &pUnk); if ( hr == S_OK ) { if ((!(pOptions->expandMemberOf) || ((pOptions->expandMemberOf) && ((!(pOptions->flags & F_COPY_MIGRATED_ACCT)) || (bInclude)))) || (!_wcsicmp(pAcct->GetType(), L"group"))) { VerifyAndUpdateMigratedTarget(pOptions, pVs);
// Get the target name
sSam = pVs->get(L"MigratedObjects.TargetSamName"); pNode->SetTargetSam(sSam); // Also Get the Ads path
sPath = pVs->get(L"MigratedObjects.TargetAdsPath"); pNode->SetTargetPath(sPath); //set the target name based on the target adspath
pNode->SetTargetName(GetCNFromPath(sPath)); // Since the account is already copied we only want it to update its Group memberships
if (!(pOptions->flags & F_COPY_MIGRATED_ACCT)) { pNode->operations = 0; pNode->operations |= OPS_Process_Members; // Since the account has already been created we should go ahead and mark it created
// so that the processing of group membership can continue.
pNode->MarkCreated(); } else if (bInclude)//else if already migrated, mark already there so that we fix group membership whether we migrate the group or not
{ if (pOptions->flags & F_REPLACE) pNode->operations |= OPS_Process_Members; else pNode->operations = OPS_Create_Account | OPS_Process_Members | OPS_Copy_Properties; pNode->MarkAlreadyThere(); }
if ((!pOptions->expandMemberOf) || (!_wcsicmp(pAcct->GetType(), L"group")) || (bInclude)) { // We need to add the account to the list with the member map set so that we can add the
// member to the migrated group
pNode->mapGrpMember.insert(CGroupMemberMap::value_type(pAcct->GetSourceSam(), pAcct->GetType())); pNewAccts->Insert((TNode *) pNode); pNode = NULL; } } } else if ( ! pOptions->expandMemberOf ) { //if containing group has not been migrated, and was not to be migrated in this operation
//then we should add it to the ignore map in case it contains other objects currently
//being migrated. Store the path as the key so we don't have to call GetSamFromPath to
//see if we should ignore.
m_IgnoredGrpMap.insert(CGroupNameMap::value_type(sPath, sSam)); delete pNode; pNode = NULL; } if (pNode) { if (( pOptions->expandMemberOf ) && (_wcsicmp(pAcct->GetType(), L"group"))) { if (! pNewAccts->InsertIfNew(pNode) ) delete pNode; } else { delete pNode; } } } } } SafeArrayUnaccessData(multiVals); } } } }//for each object being migrated
m_IgnoredGrpMap.clear(); //clear the ignored group map used to optimize group fixup
} rc = TRUE; }
return rc;}
HRESULT CAcctRepl::BuildSidPath( IADs * pAds, //in- pointer to the object whose sid we are retrieving.
WCHAR * sSidPath, //out-path to the LDAP://<SID=###> object
WCHAR * sSam, //out-Sam name of the object
WCHAR * sDomain, //out-Domain name where this object resides.
Options * pOptions, //in- Options
PSID * ppSid //out- pointer to the binary SID
){ HRESULT hr = S_OK; DWORD cbName = LEN_Path, cbDomain = LEN_Path; PSID sid = NULL; SID_NAME_USE use; _variant_t var;
if (!pAds) return E_POINTER;
// Get the object's SID
hr = pAds->Get(_bstr_t(L"objectSid"), &var);
if ( SUCCEEDED(hr) ) { sid = SafeCopySid((PSID)var.parray->pvData);
if (sid) { if (LookupAccountSid(pOptions->srcComp, sid, sSam, &cbName, sDomain, &cbDomain, &use)) { //
// If SID type is domain then the object has the same name as the domain. There is
// a known issue with the WinNT provider where the ObjectSid attribute is returned
// incorrectly for objects that have the same name as the the domain. The WinNT
// provider code passes only the account name to LookupAccountName and not the
// complete NT4 format name which includes the domain. Therefore LookupAccountName
// correctly returns the SID for the domain and not the account.
//
// This situation is detected by looking at the SID type which will be domain in
// this case. If this is the case then retrieve the correct account SID by using the
// complete NT4 account name format. The SAM name is filled in from the path.
//
if (use == SidTypeDomain) { //
// Retrieve path of object.
//
BSTR bstr = NULL; hr = pAds->get_ADsPath(&bstr);
if (SUCCEEDED(hr)) { //
// Retrieve only name component of path.
//
CADsPathName pnPathName(_bstr_t(bstr, false), ADS_SETTYPE_FULL); _bstr_t strName = pnPathName.Retrieve(ADS_FORMAT_LEAF);
if ((PCWSTR)strName) { //
// The name component is the SAM name.
//
wcsncpy(sSam, strName, LEN_Path); sSam[LEN_Path - 1] = L'\0';
//
// Construct the complete NT4 name.
//
_bstr_t strNT4Name = sDomain; strNT4Name += _T("\\"); strNT4Name += strName;
//
// Get size of buffer required for SID.
//
DWORD cbSid = 0; cbDomain = LEN_Path;
LookupAccountName( pOptions->srcComp, strNT4Name, NULL, &cbSid, sDomain, &cbDomain, &use );
//
// The last error should be insufficient buffer size.
//
DWORD dwError = GetLastError();
if (dwError == ERROR_INSUFFICIENT_BUFFER) { // Create buffer for SID.
var.Clear(); var.parray = SafeArrayCreateVector(VT_UI1, 0, cbSid);
if (var.parray) { var.vt = VT_ARRAY|VT_UI1; cbDomain = LEN_Path;
//
// Retrieve correct account SID.
//
BOOL bLookup = LookupAccountName( pOptions->srcComp, strNT4Name, var.parray->pvData, &cbSid, sDomain, &cbDomain, &use );
if (bLookup) { FreeSid(sid); sid = SafeCopySid((PSID)var.parray->pvData); } else { DWORD dwError = GetLastError(); hr = HRESULT_FROM_WIN32(dwError); } } else { hr = E_OUTOFMEMORY; } } else { hr = HRESULT_FROM_WIN32(dwError); } } else { hr = E_FAIL; } } }
if (SUCCEEDED(hr)) { //
// Construct SID path string.
//
VariantSidToString(var); _bstr_t strSid = var;
if ((PCWSTR)strSid) { wcscpy(sSidPath, L"LDAP://<SID="); wcscat(sSidPath, (PCWSTR)strSid); wcscat(sSidPath, L">"); } else { hr = E_FAIL; } } } else { DWORD dwError = GetLastError(); hr = HRESULT_FROM_WIN32(dwError); } } else { DWORD dwError = GetLastError(); hr = HRESULT_FROM_WIN32(dwError); } }
if ( SUCCEEDED(hr) ) { (*ppSid) = sid; } else { if (sid) { FreeSid(sid); }
(*ppSid) = NULL; }
return hr;}
BOOL CAcctRepl::CanMoveInMixedMode(TAcctReplNode *pAcct,TNodeListSortable * acctlist, Options * pOptions){ HRESULT hr = S_OK; BOOL ret = TRUE; IADsGroup * pGroup = NULL; IADsMembers * pMembers = NULL; IEnumVARIANT * pEnum = NULL; IDispatch * pDisp = NULL; IADs * pAds = NULL; _bstr_t sSam; _variant_t vSam; BSTR sClass; IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk = NULL;
pVs->QueryInterface(IID_IUnknown, (void**)&pUnk); // in case of a global group we need to check if we have/are migrating all the members. If we
// are then we can move it and if not then we need to use the parallel group theory.
if ( pAcct->GetGroupType() & 2 ) { // This is a global group. What we need to do now is to see if we have/will migrate all its members.
// First enumerate the members.
hr = ADsGetObject(const_cast<WCHAR*>(pAcct->GetSourcePath()), IID_IADsGroup, (void**)&pGroup);
if ( SUCCEEDED(hr) ) hr = pGroup->Members(&pMembers);
if (SUCCEEDED(hr)) hr = pMembers->get__NewEnum((IUnknown**)&pEnum);
if ( SUCCEEDED(hr) ) { _variant_t var; DWORD fetch = 0; while ( pEnum->Next(1, &var, &fetch) == S_OK ) { // Get the sAMAccount name from the object so we can do the lookups
pDisp = V_DISPATCH(&var); hr = pDisp->QueryInterface(IID_IADs, (void**)&pAds);
if (SUCCEEDED(hr)) hr = pAds->Get(L"sAMAccountName", &vSam);
if (SUCCEEDED(hr)) hr = pAds->get_Class(&sClass);
if ( SUCCEEDED(hr)) { sSam = vSam; // To see if we will migrate all its members check the account list.
Lookup lup; lup.pName = (WCHAR*) sSam; lup.pType = (WCHAR*) sClass;
TAcctReplNode * pNode = (TAcctReplNode*)acctlist->Find(&TNodeFindAccountName, &lup); if ( !pNode ) { // This member is not in the account list therefore cannot move this group.
ret = FALSE; err.MsgWrite(0,DCT_MSG_CANNOT_MOVE_GG_FROM_MIXED_MODE_SS,pAcct->GetSourceSam(),(WCHAR*)sSam); break; } } } if ( pEnum ) pEnum->Release(); if ( pAds ) pAds->Release(); if ( pGroup ) pGroup->Release(); if ( pMembers ) pMembers->Release(); } } else // Local groups can be moved, if all of their members are removed first
ret = TRUE;
return ret;}
HRESULT CAcctRepl::CheckClosedSetGroups( Options * pOptions, // in - options for the migration
TNodeListSortable * pAcctList, // in - list of accounts to migrate
ProgressFn * progress, // in - progress function to display progress messages
IStatusObj * pStatus // in - status object to support cancellation
){ HRESULT hr = S_OK; TNodeListEnum e; TAcctReplNode* pAcct;
if ( pAcctList->IsTree() ) pAcctList->ToSorted();
for ( pAcct = (TAcctReplNode*)e.OpenFirst(pAcctList) ; pAcct ; pAcct = (TAcctReplNode*)e.Next() ) { if ( (pAcct->operations & OPS_Create_Account ) == 0 ) continue;
if ( !UStrICmp(pAcct->GetType(),s_ClassUser) || !UStrICmp(pAcct->GetType(),s_ClassInetOrgPerson) ) { // users, we will always move
err.MsgWrite(0,DCT_MSG_USER_WILL_BE_MOVED_S,pAcct->GetName()); pAcct->operations = OPS_Move_Object | OPS_Call_Extensions; } else if (! UStrICmp(pAcct->GetType(),L"group") ) { if ( CanMoveInMixedMode(pAcct,pAcctList,pOptions) ) { pAcct->operations = OPS_Move_Object | OPS_Call_Extensions; err.MsgWrite(0,DCT_MSG_GROUP_WILL_BE_MOVED_S,pAcct->GetName()); } else { hr = S_FALSE; } } else { err.MsgWrite(0,DCT_MSG_CANT_MOVE_UNKNOWN_TYPE_SS,pAcct->GetName(), pAcct->GetType()); } } e.Close();
pAcctList->SortedToTree();
return hr;}
void LoadNecessaryFunctions(){ HMODULE hPro = LoadLibrary(L"advapi32.dll"); if ( hPro ) ConvertStringSidToSid = (TConvertStringSidToSid)GetProcAddress(hPro, "ConvertStringSidToSidW"); else { err.SysMsgWrite(ErrE, GetLastError(), DCT_MSG_LOAD_LIBRARY_FAILED_SD, L"advapi32.dll"); Mark(L"errors", L"generic"); }}//---------------------------------------------------------------------------------------------------------
// MoveObj2k - This function moves objects within a forest.
//---------------------------------------------------------------------------------------------------------
int CAcctRepl::MoveObj2K( Options * pOptions, //in -Options that we recieved from the user
TNodeListSortable * acctlist, //in -AcctList of accounts to be copied.
ProgressFn * progress, //in -Progress Function to display messages
IStatusObj * pStatus // in -status object to support cancellation
){ HRESULT hr = S_OK;
MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); IObjPropBuilderPtr pClass(__uuidof(ObjPropBuilder)); TNodeListSortable pMemberOf, pMember; c_array<WCHAR> achMesg(LEN_Path);
LoadNecessaryFunctions(); FillNamingContext(pOptions);
// Make sure we are connecting to the DC that has RID Pool Allocator FSMO role.
hr = GetRidPoolAllocator(pOptions);
if (FAILED(hr)) { return hr; }
// Since we are in the same forest we need to turn off the AddSidHistory functionality.
// because it is always going to fail.
pOptions->flags &= ~F_AddSidHistory;
BOOL bSrcNative = false; BOOL bTgtNative = false; _variant_t var; _bstr_t sTargetDomain = pOptions->tgtDomain;
pAccess->raw_IsNativeMode(pOptions->srcDomain, (long*)&bSrcNative); pAccess->raw_IsNativeMode(pOptions->tgtDomain, (long*)&bTgtNative);
IMoverPtr pMover(__uuidof(Mover)); TNodeTreeEnum e;
// build the source and target DSA names
_bstr_t sourceDSA; _bstr_t targetDSA; TAcctReplNode * pAcct = NULL; sourceDSA = pOptions->srcCompDns; targetDSA = pOptions->tgtCompDns;
err.LogClose(); // In this call the fourth parameter is the log file name. We are piggy backing this value
// so that we will not have to change the interface for the IMover object.
hr = pMover->raw_Connect(sourceDSA, targetDSA, pOptions->authDomain, pOptions->authUser, pOptions->authPassword, pOptions->logFile, L"", L"");
err.LogOpen(pOptions->logFile, 1); if ( SUCCEEDED(hr) ) { // make sure the account list is in the proper format
if (acctlist->IsTree()) acctlist->ToSorted(); acctlist->CompareSet(&TNodeCompareAccountType);
// sort the account list by Source Type\Source Name
if ( acctlist->IsTree() ) acctlist->ToSorted(); acctlist->CompareSet(&TNodeCompareAccountType);
acctlist->SortedToScrambledTree(); acctlist->Sort(&TNodeCompareAccountType); acctlist->Balance();
pMemberOf.CompareSet(&TNodeCompareMember); pMember.CompareSet(&TNodeCompareMember);
/* The account list is sorted in descending order by type, then in ascending order by object name
this means that the user accounts will be moved first. Here are the steps we will perform for native mode MoveObject. 1. For each object to be copied, Remove (and record) the group memberships 2. If the object is a group, convert it to universal (to avoid having to remove any members that are not being migrated. 3. Move the object.
4. For each migrated group that was converted to a universal group, change it back to its original type, if possible. 5. Restore the group memberships for all objects.
Here are the steps we will perform for mixed mode MoveObject 1. If closed set is not achieved, copy the groups, rather than moving them 2. For each object to be copied, Remove (and record) the group memberships 3. If the object is a group, remove all of its members 4. Move the object.
5. For each migrated group try to add all of its members back 6. Restore the group memberships for all objects. */
if ( ! bSrcNative ) { //
// If a closed-set is not achieved.
//
if (CheckClosedSetGroups(pOptions, acctlist, progress, pStatus) != S_OK) { bool bAllow = false;
//
// Check whether user has enabled non closed-set moves.
//
TRegKey key;
if (key.Open(REGKEY_ADMT) == ERROR_SUCCESS) { DWORD dwAllow = 0;
if (key.ValueGetDWORD(REGVAL_ALLOW_NON_CLOSEDSET_MOVE, &dwAllow) == ERROR_SUCCESS) { if (dwAllow) { bAllow = true; } } }
//
// If user has allowed non closed-set moves generate warning message as a reminder
// that non closed-set moves are currently allowed otherwise generate error message
// and throw exception to stop migration task.
//
if (bAllow) { err.MsgWrite(ErrW, DCT_MSG_MOVE_NON_CLOSEDSET); } else { Mark(L"errors", L"generic"); err.MsgWrite(ErrE, DCT_MSG_CANNOT_MOVE_NON_CLOSEDSET); _com_issue_error(HRESULT_FROM_WIN32(ERROR_DS_CROSS_DOM_MOVE_ERROR)); } }
// this will copy any groups that cannot be moved from the source domain
// if groups are copied in this fashion, SIDHistory cannot be used, and reACLing must be performed
CopyObj2K(pOptions,acctlist,progress,pStatus); }
// This is the start of the Move loop
try { for ( pAcct = (TAcctReplNode *)e.OpenFirst(acctlist); pAcct; pAcct = (TAcctReplNode *)e.Next() ) {
if ( m_pExt ) { if ( pAcct->operations & OPS_Call_Extensions ) { m_pExt->Process(pAcct,sTargetDomain,pOptions,TRUE); } }
// Do we need to abort ?
if ( pStatus ) { LONG status = 0; HRESULT hr = pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
// in the mixed-mode case, skip any accounts that we've already copied
if ( ! bSrcNative && ((pAcct->operations & OPS_Move_Object)==0 ) ) continue;
if ( bSrcNative && ( (pAcct->operations & OPS_Create_Account)==0 ) ) continue;
//if the UPN name conflicted, then the UPNUpdate extension set the hr to
//ERROR_OBJECT_ALREADY_EXISTS. If so, set flag for "no change" mode
if (pAcct->GetHr() == ERROR_OBJECT_ALREADY_EXISTS) { pAcct->bUPNConflicted = TRUE; pAcct->SetHr(S_OK); }
Mark(L"processed", pAcct->GetType());
c_array<WCHAR> achMesg(LEN_Path); achMesg[0] = 0; if ( progress ) progress(achMesg);
//
// If updating of user rights is specified then retrieve list of rights
// for source account before the object is moved as object deletion from
// a domain will automatically remove rights in the domain if the domain
// is .NET or later.
//
if (m_UpdateUserRights) { HRESULT hrRights = EnumerateAccountRights(FALSE, pAcct); }
// We need to remove this object from any global groups so that it can be moved.
if ( ! pOptions->nochange ) { wsprintf(achMesg, (WCHAR*)GET_STRING(DCT_MSG_RECORD_REMOVE_MEMBEROF_S), pAcct->GetName()); Progress(achMesg); RecordAndRemoveMemberOf( pOptions, pAcct, &pMemberOf ); }
if ( _wcsicmp(pAcct->GetType(), L"group") == 0 || _wcsicmp(pAcct->GetType(), L"lgroup") == 0 ) { // First, record the group type, so we can change it back later if needed
IADsGroup * pGroup = NULL; VARIANT var;
VariantInit(&var);
// get the group type
hr = ADsGetObject( const_cast<WCHAR*>(pAcct->GetSourcePath()), IID_IADsGroup, (void**) &pGroup); if (SUCCEEDED(hr) ) { hr = pGroup->Get(L"groupType", &var); pGroup->Release(); } if ( SUCCEEDED(hr) ) { pAcct->SetGroupType(var.lVal); } else { pAcct->SetGroupType(0); } // make sure it is native and group is a global group
if ( bSrcNative && bTgtNative ) { if ( pAcct->GetGroupType() & 2) { // We are going to convert the group type to universal groups so we can easily move them
wsprintf(achMesg, GET_STRING(DCT_MSG_CHANGE_GROUP_TYPE_S), pAcct->GetName()); Progress(achMesg); // Convert global groups to universal, so we can move them without de-populating
if ( ! pOptions->nochange ) { c_array<WCHAR> achPath(LEN_Path); DWORD nPathLen = LEN_Path; StuffComputerNameinLdapPath(achPath, nPathLen, const_cast<WCHAR*>(pAcct->GetSourcePath()), pOptions, FALSE); hr = pClass->raw_ChangeGroupType(achPath, 8); if (SUCCEEDED(hr)) { pAcct->MarkGroupScopeChanged(); } } else { hr = S_OK; } if (FAILED(hr)) { err.SysMsgWrite(ErrE,hr,DCT_MSG_FAILED_TO_CONVERT_GROUP_TO_UNIVERSAL_SD, pAcct->GetSourceSam(), hr); pAcct->MarkError(); Mark(L"errors", pAcct->GetType()); continue; // skip any further processing of this group.
} } else if ( ! ( pAcct->GetGroupType() & 8 ) ) // don't need to depopulate universal groups
{ // For local groups we are going to depopulate the group and move it and then repopulate it.
// In mixed mode, there are no universal groups, so we must depopulate all of the groups
// before we can move them out to the new domain. We will RecordAndRemove members of all Group type
// move them to the target domain and then change their type to Universal and then add all of its
// members back to it.
wsprintf(achMesg, GET_STRING(DCT_MSG_RECORD_REMOVE_MEMBER_S), pAcct->GetName()); Progress(achMesg); RecordAndRemoveMember(pOptions, pAcct, &pMember); }
} else { // for mixed mode source domain, we must depopulate all of the groups
wsprintf(achMesg, GET_STRING(DCT_MSG_RECORD_REMOVE_MEMBER_S), pAcct->GetName()); if ( progress ) progress(achMesg); RecordAndRemoveMember(pOptions, pAcct, &pMember); }
}
BOOL bObjectExists = DoesTargetObjectAlreadyExist(pAcct, pOptions);
if ( bObjectExists ) { // The object exists, see if we need to rename
if ( wcslen(pOptions->prefix) > 0 ) { // Add a prefix to the account name
c_array<WCHAR> achTgt(LEN_Path); c_array<WCHAR> achPref(LEN_Path); c_array<WCHAR> achSuf(LEN_Path); c_array<WCHAR> achTempSam(LEN_Path); _variant_t varStr;
// find the '=' sign
wcscpy(achTgt, pAcct->GetTargetName()); for ( DWORD z = 0; z < wcslen(achTgt); z++ ) { if ( achTgt[z] == L'=' ) break; }
if ( z < wcslen(achTgt) ) { // Get the prefix part ex.CN=
wcsncpy(achPref, achTgt, z+1); achPref[z+1] = 0; wcscpy(achSuf, achTgt+z+1); }
// Build the target string with the Prefix
wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, pOptions->prefix, (WCHAR*)achSuf); pAcct->SetTargetName(achTgt);
// truncate to allow prefix/suffix to fit in 20 characters.
int resLen = wcslen(pOptions->prefix) + wcslen(pAcct->GetTargetSam()); if ( !_wcsicmp(pAcct->GetType(), L"computer") ) { // Computer name can be only 15 characters long + $
if ( resLen > MAX_COMPUTERNAME_LENGTH + 1 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = MAX_COMPUTERNAME_LENGTH + 1 - wcslen(pOptions->prefix) - wcslen(pOptions->globalSuffix); if ( truncate < 1 ) truncate = 1; wcsncpy(achTempSam, achTruncatedSam, truncate - 1); achTempSam[truncate - 1] = L'\0'; wcscat(achTempSam, pOptions->globalSuffix); wcscat(achTempSam, L"$"); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the prefix
wsprintf(achTgt, L"%s%s", pOptions->prefix,(WCHAR*)achTempSam); } else if ( !_wcsicmp(pAcct->GetType(), L"group") ) { if ( resLen > 64 ) { int truncate = 64 - wcslen(pOptions->prefix); if ( truncate < 0 ) truncate = 0; wcsncpy(achTempSam, pAcct->GetTargetSam(), truncate); achTempSam[truncate] = L'\0'; } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the prefix
wsprintf(achTgt, L"%s%s", pOptions->prefix,(WCHAR*)achTempSam); } else { if ( resLen > 20 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = 20 - wcslen(pOptions->prefix) - wcslen(pOptions->globalSuffix); if ( truncate < 0 ) truncate = 0; wcsncpy(achTempSam, achTruncatedSam, truncate); achTempSam[truncate] = L'\0'; wcscat(achTempSam, pOptions->globalSuffix); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the prefix
wsprintf(achTgt, L"%s%s", pOptions->prefix,(WCHAR*)achTempSam); } pAcct->SetTargetSam(achTgt); if ( DoesTargetObjectAlreadyExist(pAcct, pOptions) ) { // Double collision lets log a message and forget about this account
pAcct->MarkAlreadyThere(); err.MsgWrite(ErrE, DCT_MSG_PREF_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"errors",pAcct->GetType()); continue; } } else if ( wcslen(pOptions->suffix) > 0 ) { // Add a suffix to the account name
c_array<WCHAR> achTgt(LEN_Path); c_array<WCHAR> achTempSam(LEN_Path);
wsprintf(achTgt, L"%s%s", pAcct->GetTargetName(), pOptions->suffix); pAcct->SetTargetName(achTgt); //Update the sam account name
// truncate to allow prefix/suffix to fit in valid length
int resLen = wcslen(pOptions->suffix) + wcslen(pAcct->GetTargetSam()); if ( !_wcsicmp(pAcct->GetType(), L"computer") ) { // Computer name can be only 15 characters long + $
if ( resLen > MAX_COMPUTERNAME_LENGTH + 1 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = MAX_COMPUTERNAME_LENGTH + 1 - wcslen(pOptions->suffix) - wcslen(pOptions->globalSuffix); if ( truncate < 1 ) truncate = 1; wcsncpy(achTempSam, achTruncatedSam, truncate - 1); achTempSam[truncate - 1] = L'\0'; wcscat(achTempSam, pOptions->globalSuffix); wcscat(achTempSam, L"$"); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the suffix taking into account the $ sign
if ( achTempSam[wcslen(achTempSam) - 1] == L'$' ) achTempSam[wcslen(achTempSam) - 1] = L'\0'; wsprintf(achTgt, L"%s%s$", (WCHAR*)achTempSam, pOptions->suffix); } else if ( !_wcsicmp(pAcct->GetType(), L"group") ) { if ( resLen > 64 ) { int truncate = 64 - wcslen(pOptions->suffix); if ( truncate < 0 ) truncate = 0; wcsncpy(achTempSam, pAcct->GetTargetSam(), truncate); achTempSam[truncate] = L'\0'; } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the suffix.
wsprintf(achTgt, L"%s%s", (WCHAR*)achTempSam, pOptions->suffix); } else { if ( resLen > 20 ) { c_array<WCHAR> achTruncatedSam(LEN_Path); wcscpy(achTruncatedSam, pAcct->GetTargetSam()); if ( wcslen( pOptions->globalSuffix ) ) { // We must remove the global suffix if we had one.
achTruncatedSam[wcslen(achTruncatedSam) - wcslen(pOptions->globalSuffix)] = L'\0'; } int truncate = 20 - wcslen(pOptions->suffix) - wcslen(pOptions->globalSuffix); if ( truncate < 0 ) truncate = 0; wcsncpy(achTempSam, achTruncatedSam, truncate); achTempSam[truncate] = L'\0'; wcscat(achTempSam, pOptions->globalSuffix); } else wcscpy(achTempSam, pAcct->GetTargetSam());
// Add the suffix.
wsprintf(achTgt, L"%s%s", (WCHAR*)achTempSam, pOptions->suffix); } pAcct->SetTargetSam(achTgt); if ( DoesTargetObjectAlreadyExist(pAcct, pOptions) ) { // Double collision lets log a message and forget about this account
pAcct->MarkAlreadyThere(); err.MsgWrite(ErrE, DCT_MSG_PREF_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); Mark(L"errors",pAcct->GetType()); continue; } } else { // if the skip existing option is specified, and the object exists in the target domain,
// we just skip it
err.MsgWrite(0, DCT_MSG_ACCOUNT_EXISTS_S, pAcct->GetTargetSam()); continue; } }
// If a prefix/suffix is added to the target sam name then we need to rename the account.
// on the source domain and then move it to the target domain.
if ( bObjectExists || (_wcsicmp(pAcct->GetSourceSam(), pAcct->GetTargetSam()) && !pOptions->bUndo )) { // we need to rename the account to the target SAM name before we try to move it
// Get an ADs pointer to the account
IADs * pADs = NULL;
c_array<WCHAR> achPaths(LEN_Path); DWORD nPathLen = LEN_Path;
StuffComputerNameinLdapPath(achPaths, nPathLen, const_cast<WCHAR*>(pAcct->GetSourcePath()), pOptions, FALSE); hr = ADsGetObject(achPaths,IID_IADs,(void**)&pADs); if ( SUCCEEDED(hr) ) { hr = pADs->Put(_bstr_t(L"sAMAccountName"),_variant_t(pAcct->GetTargetSam())); if ( SUCCEEDED(hr) && !pOptions->nochange ) { hr = pADs->SetInfo(); if ( SUCCEEDED(hr) ) err.MsgWrite(0,DCT_MSG_ACCOUNT_RENAMED_SS,pAcct->GetSourceSam(),pAcct->GetTargetSam()); } if ( FAILED(hr) ) { err.SysMsgWrite(ErrE,hr,DCT_MSG_RENAME_FAILED_SSD,pAcct->GetSourceSam(),pAcct->GetTargetSam(), hr); Mark(L"errors",pAcct->GetType()); } pADs->Release(); } }
WCHAR sName[MAX_PATH]; DWORD cbDomain = MAX_PATH, cbSid = MAX_PATH; PSID pSrcSid = new BYTE[MAX_PATH]; WCHAR sDomain[MAX_PATH]; SID_NAME_USE use;
if (!pSrcSid) return ERROR_NOT_ENOUGH_MEMORY;
// Get the source account's rid
wsprintf(sName, L"%s\\%s", pOptions->srcDomain, pAcct->GetSourceSam()); if (LookupAccountName(pOptions->srcComp, sName, pSrcSid, &cbSid, sDomain, &cbDomain, &use)) { pAcct->SetSourceSid(pSrcSid); }
// Now we move it
hr = MoveObject( pAcct, pOptions, pMover );
// don't bother with this in nochange mode
if ( pOptions->nochange ) { // we haven't modified the accounts in any way, so nothing else needs to be done for nochange mode
continue; } // Now, we have attempted to move the object - we need to put back the memberships
// UNDO --
if ( _wcsicmp(pAcct->GetSourceSam(), pAcct->GetTargetSam()) && pAcct->WasReplaced() && pOptions->bUndo ) { // Since we undid a prior migration that renamed the account we need
// to rename the account back to its original name.
// Get an ADs pointer to the account
IADs * pADs = NULL;
c_array<WCHAR> achPaths(LEN_Path); DWORD nPathLen = LEN_Path;
StuffComputerNameinLdapPath(achPaths, nPathLen, const_cast<WCHAR*>(pAcct->GetTargetPath()), pOptions, TRUE); hr = ADsGetObject(achPaths,IID_IADs,(void**)&pADs); if ( SUCCEEDED(hr) ) { hr = pADs->Put(_bstr_t(L"sAMAccountName"),_variant_t(pAcct->GetTargetSam())); if ( SUCCEEDED(hr) && !pOptions->nochange ) { hr = pADs->SetInfo(); if ( SUCCEEDED(hr) ) err.MsgWrite(0,DCT_MSG_ACCOUNT_RENAMED_SS,pAcct->GetSourceSam(),pAcct->GetTargetSam()); } if ( FAILED(hr) ) { err.SysMsgWrite(ErrE,hr,DCT_MSG_RENAME_FAILED_SSD,pAcct->GetSourceSam(),pAcct->GetTargetSam(), hr); Mark(L"errors",pAcct->GetType()); } pADs->Release(); } } // -- UNDO
// FAILED Move ----
if ( (bObjectExists || _wcsicmp(pAcct->GetSourceSam(), pAcct->GetTargetSam())) && ! pAcct->WasReplaced() ) { // if we changed the SAM account name, and the move still failed, we need to change it back now
IADs * pADs = NULL;
c_array<WCHAR> achPaths(LEN_Path); DWORD nPathLen = LEN_Path;
StuffComputerNameinLdapPath(achPaths, nPathLen, const_cast<WCHAR*>(pAcct->GetSourcePath()), pOptions, FALSE); hr = ADsGetObject(achPaths,IID_IADs,(void**)&pADs); if ( SUCCEEDED(hr) ) { hr = pADs->Put(_bstr_t(L"sAMAccountName"),_variant_t(pAcct->GetSourceSam())); if ( SUCCEEDED(hr) ) { hr = pADs->SetInfo(); if ( SUCCEEDED(hr) ) err.MsgWrite(0,DCT_MSG_ACCOUNT_RENAMED_SS,pAcct->GetTargetSam(),pAcct->GetSourceSam()); } if ( FAILED(hr) ) { err.SysMsgWrite(ErrE,hr,DCT_MSG_RENAME_FAILED_SSD,pAcct->GetTargetSam(),pAcct->GetSourceSam(), hr); Mark(L"errors",pAcct->GetType()); } pADs->Release(); } }// --- Failed Move
} // end of Move-Loop
e.Close(); } catch ( ... ) { err.MsgWrite(ErrE,DCT_MSG_MOVE_EXCEPTION); Mark(L"errors", L"generic"); }
try { // if we've moved any of the members, update the member records to use the target names
Progress(GET_STRING(DCT_MSG_UPDATE_MEMBER_LIST_S)); UpdateMemberList(&pMember,acctlist); UpdateMemberList(&pMemberOf,acctlist); } catch (... ) { err.MsgWrite(ErrE,DCT_MSG_RESET_MEMBER_EXCEPTION); Mark(L"errors", L"generic"); }
for ( pAcct = (TAcctReplNode *)e.OpenFirst(acctlist); pAcct; pAcct = (TAcctReplNode *)e.Next() ) { if ( m_pExt && !pOptions->nochange ) { if ( pAcct->WasReplaced() && (pAcct->operations & OPS_Call_Extensions) ) { m_pExt->Process(pAcct,sTargetDomain,pOptions,FALSE); } }
//
// If updating of rights is specified then add rights for target object. If
// the source domain is W2K then explicitly remove rights for source object
// as W2K does not automatically remove rights when an object is removed from
// the domain as of SP 2. This behavior most likely will not change for W2K.
//
if (m_UpdateUserRights) { HRESULT hrRights = AddAccountRights(TRUE, pAcct);
if (SUCCEEDED(hrRights) && (pOptions->srcDomainVer == 5) && (pOptions->srcDomainVerMinor == 0)) { RemoveAccountRights(FALSE, pAcct); } }
//translate the roaming profile if requested
if ( pOptions->flags & F_TranslateProfiles && ((_wcsicmp(pAcct->GetType(), s_ClassUser) == 0) || (_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson) == 0))) { wsprintf(achMesg, GET_STRING(IDS_TRANSLATE_ROAMING_PROFILE_S), pAcct->GetName()); if ( progress ) progress(achMesg);
WCHAR tgtProfilePath[MAX_PATH];
GetBkupRstrPriv((WCHAR*)NULL); GetPrivilege((WCHAR*)NULL,SE_SECURITY_NAME); if ( wcslen(pAcct->GetSourceProfile()) > 0 ) { DWORD ret = TranslateRemoteProfile(pAcct->GetSourceProfile(), tgtProfilePath, pAcct->GetSourceSam(), pAcct->GetTargetSam(), pOptions->srcDomain, pOptions->tgtDomain, pOptions->pDb, pOptions->lActionID, pAcct->GetSourceSid(), pOptions->nochange); } } } e.Close();
for ( pAcct = (TAcctReplNode *)e.OpenFirst(acctlist); pAcct; pAcct = (TAcctReplNode *)e.Next() ) { try { if (bSrcNative && bTgtNative) { if ( _wcsicmp(pAcct->GetType(), L"group") == 0 || _wcsicmp(pAcct->GetType(), L"lgroup") == 0 ) { wsprintf(achMesg, GET_STRING(IDS_UPDATING_GROUP_MEMBERSHIPS_S), pAcct->GetName()); if ( progress ) progress(achMesg); if ( pAcct->GetGroupType() & 4 ) { wsprintf(achMesg, GET_STRING(DCT_MSG_RESET_GROUP_MEMBERS_S), pAcct->GetName()); Progress(achMesg); ResetGroupsMembers(pOptions, pAcct, &pMember, pOptions->pDb); } else { // we need to update the members of these Universal/Global groups to
// point members to the target domain if those members have been migrated
// in previous runs.
ResetMembersForUnivGlobGroups(pOptions, pAcct); } } } else { if ( _wcsicmp(pAcct->GetType(), L"group") == 0 || _wcsicmp(pAcct->GetType(), L"lgroup") == 0 ) { wsprintf(achMesg, GET_STRING(DCT_MSG_RESET_GROUP_MEMBERS_S), pAcct->GetName()); if ( progress ) progress(achMesg); ResetGroupsMembers(pOptions, pAcct, &pMember, pOptions->pDb); } } } catch (... ) { err.MsgWrite(ErrE,DCT_MSG_GROUP_MEMBERSHIPS_EXCEPTION); Mark(L"errors", pAcct->GetType()); } }
bool bChangedAny = true; // Have to go through it atleast once.
while ( bChangedAny ) { bChangedAny = false; for ( pAcct = (TAcctReplNode *)e.OpenFirst(acctlist); pAcct; pAcct = (TAcctReplNode *)e.Next() ) { if ( pOptions->nochange ) continue;
if ( bSrcNative && bTgtNative ) { // We have changed the migrated global groups to universal groups
// now we need to change them back to their original types, if possible
if ( _wcsicmp(pAcct->GetType(), L"group") == 0 || _wcsicmp(pAcct->GetType(), L"lgroup") == 0 ) { if ( pAcct->GetGroupType() & 2 ) { if ( pAcct->bChangedType ) continue;
// attempt to change it back to its original type
if ( pAcct->WasReplaced() ) { // the account was moved, use the target name
hr = pClass->raw_ChangeGroupType(const_cast<WCHAR*>(pAcct->GetTargetPath()), pAcct->GetGroupType()); } else { // we failed to move the account, use the source name
hr = pClass->raw_ChangeGroupType(const_cast<WCHAR*>(pAcct->GetSourcePath()), pAcct->GetGroupType()); } pAcct->SetHr(hr);
if ( SUCCEEDED(hr) ) { pAcct->bChangedType = true; bChangedAny = true; } } } } else { // for mixed->native mode migration we can change the group type and add all the members back
if ( _wcsicmp(pAcct->GetType(), L"group") == 0 || _wcsicmp(pAcct->GetType(), L"lgroup") == 0 ) { if ( !(pAcct->GetGroupType() & 4) && !pAcct->bChangedType ) { if ( pAcct->WasReplaced() ) { hr = pClass->raw_ChangeGroupType(const_cast<WCHAR*>(pAcct->GetTargetPath()), pAcct->GetGroupType()); } else { hr = pClass->raw_ChangeGroupType(const_cast<WCHAR*>(pAcct->GetSourcePath()), pAcct->GetGroupType()); } pAcct->SetHr(hr);
if ( SUCCEEDED(hr) ) { pAcct->bChangedType = true; bChangedAny = true; } } } // if group
} // Native/Mixed
} //for
}
// Log a message for all the groups that we were not able to change back to original type
for ( pAcct = (TAcctReplNode *)e.OpenFirst(acctlist); pAcct; pAcct = (TAcctReplNode *)e.Next() ) { if ( pOptions->nochange ) continue; if ( bSrcNative && bTgtNative ) { // We have changed the migrated global groups to universal groups
// now we need to change them back to their original types, if possible
if ( _wcsicmp(pAcct->GetType(), L"group") == 0 || _wcsicmp(pAcct->GetType(), L"lgroup") == 0 ) { if ( pAcct->GetGroupType() & 2 ) { if (FAILED(pAcct->GetHr())) { err.SysMsgWrite(ErrE,hr,DCT_MSG_GROUP_CHANGETYPE_FAILED_SD, pAcct->GetTargetPath(), hr); Mark(L"errors", pAcct->GetType()); } } } } else { // for mixed->native mode migration we can change the group type and add all the members back
if ( _wcsicmp(pAcct->GetType(), L"group") == 0 || _wcsicmp(pAcct->GetType(), L"lgroup") == 0 ) { if ( !(pAcct->GetGroupType() & 4) ) { if (FAILED(pAcct->GetHr())) { err.SysMsgWrite(ErrE,hr,DCT_MSG_GROUP_CHANGETYPE_FAILED_SD, pAcct->GetTargetPath(), hr); Mark(L"errors", pAcct->GetType()); } } } // if group
} // Native/Mixed
} //for
Progress(GET_STRING(DCT_MSG_RESET_MEMBERSHIP_S)); ResetObjectsMembership( pOptions,&pMemberOf, pOptions->pDb );
ResetTypeOfPreviouslyMigratedGroups(pOptions); } else { // Connection failed.
err.SysMsgWrite(ErrE,hr,DCT_MSG_MOVEOBJECT_CONNECT_FAILED_D,hr); Mark(L"errors", ((TAcctReplNode*)acctlist->Head())->GetType()); } if ( progress ) progress(L""); pMover->Close(); return 0;}
//---------------------------------------------------------------------------------------------------------
// MoveObject - This method does the actual move on the object calling the Mover object.
//---------------------------------------------------------------------------------------------------------
HRESULT CAcctRepl::MoveObject( TAcctReplNode * pAcct, Options * pOptions, IMoverPtr pMover ){ HRESULT hr = S_OK; WCHAR sourcePath[LEN_Path]; WCHAR targetPath[LEN_Path]; DWORD nPathLen = LEN_Path; WCHAR * pRelativeTgtOUPath = NULL;
safecopy(sourcePath,pAcct->GetSourcePath());
WCHAR mesg[LEN_Path]; wsprintf(mesg, (WCHAR*)GET_STRING(DCT_MSG_MOVING_S), pAcct->GetName()); Progress(mesg);
if ( ! pOptions->bUndo ) { MakeFullyQualifiedAdsPath(targetPath, nPathLen, pOptions->tgtOUPath, pOptions->tgtDomain, pOptions->tgtNamingContext); } else { swprintf(targetPath,L"LDAP://%ls/%ls",pOptions->tgtDomain,pOptions->tgtOUPath); } //make sourcePath and targetPath all lowercase to avoid a W2K bug in ntdsa.dll
_wcslwr(targetPath); _wcslwr(sourcePath); //due to lowercase force above, we have to replace "ldap://" with "LDAP://" in
//order for subsequent ADsGetObjects calls to succeed
if ( !_wcsnicmp(L"LDAP://", targetPath, 7) ) { WCHAR aNewPath[LEN_Path] = L"LDAP"; UStrCpy(aNewPath+UStrLen(aNewPath), targetPath+UStrLen(aNewPath)); wcscpy(targetPath, aNewPath); } if ( !_wcsnicmp(L"LDAP://", sourcePath, 7) ) { WCHAR aNewPath[LEN_Path] = L"LDAP"; UStrCpy(aNewPath+UStrLen(aNewPath), sourcePath+UStrLen(aNewPath)); wcscpy(sourcePath, aNewPath); }
WCHAR sTargetRDN[LEN_Path]; wcscpy(sTargetRDN, pAcct->GetTargetName());
if ( ! pOptions->nochange ) { hr = pMover->raw_MoveObject(sourcePath,sTargetRDN,targetPath); //if the Move operation failed due to a W2K bug for CNs which
//include a '/', un-escape the '/' and try again
if ((hr == E_INVALIDARG) && (wcschr(sTargetRDN, L'/'))) { _bstr_t strName = GetUnEscapedNameWithFwdSlash(_bstr_t(sTargetRDN)); //remove any escape characters added
hr = pMover->raw_MoveObject(sourcePath,(WCHAR*)strName,targetPath); } } else { hr = pMover->raw_CheckMove(sourcePath,sTargetRDN,targetPath); //if the Check Move operation failed due to a W2K bug for CNs which
//include a '/', un-escape the '/' and try again
if ((hr == E_INVALIDARG) && (wcschr(sTargetRDN, L'/'))) { _bstr_t strName = GetUnEscapedNameWithFwdSlash(_bstr_t(sTargetRDN)); //remove any escape characters added
hr = pMover->raw_CheckMove(sourcePath,(WCHAR*)strName,targetPath); } if ( HRESULT_CODE(hr) == ERROR_DS_CANT_MOVE_ACCOUNT_GROUP || HRESULT_CODE(hr) == ERROR_DS_CANT_MOVE_RESOURCE_GROUP || HRESULT_CODE(hr) == ERROR_DS_CANT_WITH_ACCT_GROUP_MEMBERSHPS || HRESULT_CODE(hr) == ERROR_USER_EXISTS ) { hr = 0; } } if ( SUCCEEDED(hr) ) { WCHAR path[LEN_Path]; DWORD nPathLen = LEN_Path;
pAcct->MarkReplaced(); Mark(L"created", pAcct->GetType()); // set the target path
UStrCpy(path,pAcct->GetTargetName()); if ( *pOptions->tgtOUPath ) { wcscat(path, L","); wcscat(path, pOptions->tgtOUPath); } pRelativeTgtOUPath = wcschr(targetPath + wcslen(L"LDAP://") + 2, L'/');
if ( pRelativeTgtOUPath ) { *pRelativeTgtOUPath = 0; swprintf(path,L"%ls/%ls,%ls",targetPath,pAcct->GetTargetName(),pRelativeTgtOUPath+1); } else { MakeFullyQualifiedAdsPath(path, nPathLen, pOptions->tgtOUPath, pOptions->tgtComp, pOptions->tgtNamingContext); }
pAcct->SetTargetPath(path); err.MsgWrite(0,DCT_MSG_OBJECT_MOVED_SS,pAcct->GetSourcePath(),pAcct->GetTargetPath());
} else { pAcct->MarkError(); Mark(L"errors", pAcct->GetType()); if ( hr == 8524 ) { err.MsgWrite(ErrE,DCT_MSG_MOVEOBJECT_FAILED_S8524,pAcct->GetName(),hr); } else if ( (hr == HRESULT_FROM_WIN32(ERROR_DS_INAPPROPRIATE_AUTH)) || (hr == SEC_E_UNKNOWN_CREDENTIALS) || (hr == SEC_E_NO_CREDENTIALS) ) { err.SysMsgWrite(ErrE,hr,DCT_MSG_MOVEOBJECT_FAILED_DELEGATION_SD,pAcct->GetName(),hr); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_MOVEOBJECT_FAILED_SD,pAcct->GetName(),hr); } }
return hr;}
//---------------------------------------------------------------------------------------------------------
// RecordAndRemoveMemberOf : This method removes all values in the memberOf property and then records these
// memberships. These memberships are later updated.
//---------------------------------------------------------------------------------------------------------
HRESULT CAcctRepl::RecordAndRemoveMemberOf ( Options * pOptions, //in- Options specified by the user
TAcctReplNode * pAcct, //in- Account being migrated.
TNodeListSortable * pMember //out-List containing the MemberOf values.
){ // First Enumerate all the objects in the member of property
INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); IEnumVARIANT * pEnum; LPWSTR sCols[] = { L"memberOf" }; SAFEARRAY * pSa; BSTR * pData; SAFEARRAYBOUND bd = { 1, 0 }; IADs * pAds; _bstr_t sObjDN; _bstr_t sGrpName; _variant_t var; _variant_t * pDt; _variant_t vx; DWORD ulFetch; _bstr_t sDN; WCHAR sPath[LEN_Path]; IADsGroup * pGroup; _variant_t * pVar;
if ( pMember->IsTree() ) pMember->ToSorted();
WCHAR sPathSource[LEN_Path]; DWORD nPathLen = LEN_Path; StuffComputerNameinLdapPath(sPathSource, nPathLen, const_cast<WCHAR*>(pAcct->GetSourcePath()), pOptions, FALSE); err.MsgWrite(0,DCT_STRIPPING_GROUP_MEMBERSHIPS_SS,pAcct->GetName(),sPathSource); // Get this users distinguished name.
HRESULT hr = ADsGetObject(sPathSource, IID_IADs, (void**) &pAds); if ( FAILED(hr) ) { err.SysMsgWrite(ErrE, hr, DCT_MSG_SOURCE_ACCOUNT_NOT_FOUND_SSD, pAcct->GetName(), pOptions->srcDomain, hr); Mark(L"errors", pAcct->GetType()); return hr; }
hr = pAds->Get(L"distinguishedName", &var); pAds->Release(); if ( FAILED(hr)) return hr; sObjDN = V_BSTR(&var);
// Set up the column array
pSa = SafeArrayCreate(VT_BSTR, 1, &bd); SafeArrayAccessData(pSa, (void HUGEP **) &pData); pData[0] = SysAllocString(sCols[0]); SafeArrayUnaccessData(pSa);
// hr = pQuery->raw_SetQuery(const_cast<WCHAR*>(pAcct->GetSourcePath()), pOptions->srcDomain, L"(objectClass=*)", ADS_SCOPE_BASE, TRUE);
hr = pQuery->raw_SetQuery(sPathSource, pOptions->srcDomain, L"(objectClass=*)", ADS_SCOPE_BASE, TRUE); hr = pQuery->raw_SetColumns(pSa); hr = pQuery->raw_Execute(&pEnum); if ( FAILED(hr)) return hr;
while ( pEnum->Next(1, &var, &ulFetch) == S_OK ) { SAFEARRAY * vals = var.parray; // Get the VARIANT Array out
SafeArrayAccessData(vals, (void HUGEP**) &pDt); vx = pDt[0]; SafeArrayUnaccessData(vals);
// Single value in the property. Good enough for me though
if ( vx.vt == VT_BSTR ) { sDN = V_BSTR(&vx); sDN = PadDN(sDN);
if ( sDN.length() > 0 ) { WCHAR mesg[LEN_Path]; wsprintf(mesg, (WCHAR*)GET_STRING(DCT_MSG_RECORD_REMOVE_MEMBEROF_SS), pAcct->GetName(), (WCHAR*) sDN); Progress(mesg);
SimpleADsPathFromDN(pOptions, sDN, sPath); WCHAR sSourcePath[LEN_Path]; WCHAR sPaths[LEN_Path]; DWORD nPathLen = LEN_Path;
wcscpy(sSourcePath, (WCHAR*) sPath);
if ( !wcsncmp(L"LDAP://", sSourcePath, 7) ) StuffComputerNameinLdapPath(sPaths, nPathLen, sSourcePath, pOptions, FALSE);
// Get the IADsGroup pointer to each of the objects in member of and remove this object from the group
hr = ADsGetObject(sPaths, IID_IADsGroup, (void**) &pGroup); if ( FAILED(hr) ) continue;
pGroup->Get(L"sAMAccountName", &var); sGrpName = V_BSTR(&var); hr = pGroup->Get(L"groupType",&var); if ( SUCCEEDED(hr) ) { if ( var.lVal & 2 ) { // this is a global group
if ( !pOptions->nochange ) hr = pGroup->Remove(sPathSource); else hr = S_OK;
if ( SUCCEEDED(hr) ) { // err.MsgWrite(0,DCT_MSG_REMOVED_MEMBER_FROM_GROUP_SS,sPath2,(WCHAR*)sGrpName);
err.MsgWrite(0,DCT_MSG_REMOVED_MEMBER_FROM_GROUP_SS,sPathSource,(WCHAR*)sPaths); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_REMOVE_MEMBER_FAILED_SSD,sPathSource,sPaths,hr); Mark(L"errors", pAcct->GetType()); } } else { err.MsgWrite(0,DCT_MSG_NOT_REMOVING_MEMBER_FROM_GROUP_SS,sPathSource,sPaths); pGroup->Release(); continue; } } pGroup->Release(); if (FAILED(hr)) continue;
// Record this path into the list
TRecordNode * pNode = new TRecordNode(); if (!pNode) return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY); pNode->SetMember((WCHAR*)sPath); pNode->SetMemberSam((WCHAR*)sGrpName); pNode->SetDN((WCHAR*)sDN); pNode->SetARNode(pAcct); if (! pMember->InsertIfNew((TNode*) pNode) ) delete pNode; } } else if ( vx.vt & VT_ARRAY ) { // We must have got an Array of multivalued properties
// Access the BSTR elements of this variant array
SAFEARRAY * multiVals = vx.parray; SafeArrayAccessData(multiVals, (void HUGEP **) &pVar); for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { sDN = _bstr_t(pVar[dw]); sDN = PadDN(sDN); SimpleADsPathFromDN(pOptions, sDN, sPath);
WCHAR mesg[LEN_Path]; wsprintf(mesg, (WCHAR*)GET_STRING(DCT_MSG_RECORD_REMOVE_MEMBEROF_SS), pAcct->GetName(), (WCHAR*) sDN); Progress(mesg);
WCHAR sSourcePath[LEN_Path]; WCHAR sPaths[LEN_Path]; DWORD nPathLen = LEN_Path;
wcscpy(sSourcePath, (WCHAR*) sPath);
if ( !wcsncmp(L"LDAP://", sSourcePath, 7) ) StuffComputerNameinLdapPath(sPaths, nPathLen, sSourcePath, pOptions, FALSE);
// Get the IADsGroup pointer to each of the objects in member of and remove this object from the group
hr = ADsGetObject(sPaths, IID_IADsGroup, (void**) &pGroup); if ( FAILED(hr) ) continue;
pGroup->Get(L"sAMAccountName", &var); sGrpName = V_BSTR(&var); hr = pGroup->Get(L"groupType",&var); if ( SUCCEEDED(hr) ) { if ( var.lVal & 2 ) { // This is a global group
if ( !pOptions->nochange ) hr = pGroup->Remove(sPathSource); else hr = S_OK;
if ( SUCCEEDED(hr) ) { err.MsgWrite(0,DCT_MSG_REMOVED_MEMBER_FROM_GROUP_SS,sPathSource,sPaths); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_REMOVE_MEMBER_FAILED_SSD,sPathSource,sPaths); Mark(L"errors", pAcct->GetType()); } } else { err.MsgWrite(0,DCT_MSG_NOT_REMOVING_MEMBER_FROM_GROUP_SS,sPathSource,sPaths); pGroup->Release(); continue; } } pGroup->Release(); if (FAILED(hr)) continue;
// Record this path into the list
TRecordNode * pNode = new TRecordNode(); if (!pNode) return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY); pNode->SetMember(sPath); pNode->SetMemberSam((WCHAR*)sGrpName); pNode->SetDN((WCHAR*)sDN); pNode->SetARNode(pAcct); if (! pMember->InsertIfNew((TNode*) pNode) ) delete pNode; } SafeArrayUnaccessData(multiVals); } } pEnum->Release(); var.Clear(); return S_OK;}
//---------------------------------------------------------------------------------------------------------
// ResetObjectsMembership : This method restores the memberOf property of the object being migrated. It uses
// the information that was stored by RecordAndRemoveMemberOf function.
//---------------------------------------------------------------------------------------------------------
HRESULT CAcctRepl::ResetObjectsMembership( Options * pOptions, //in- Options set by the user.
TNodeListSortable * pMember, //in- The member list that is used to restore the values
IIManageDBPtr pDb //in- Database object to lookup migrated accounts.
){ IVarSetPtr pVs(__uuidof(VarSet)); _bstr_t sMember; IADs * pAds; IUnknown * pUnk; _bstr_t sPath; _variant_t var; _bstr_t sMyDN; IADsGroup * pGroup = NULL; TAcctReplNode * pAcct = NULL; HRESULT hr; WCHAR sPaths[LEN_Path]; DWORD nPathLen = LEN_Path;
// Sort the member list by the account nodes
pMember->Sort(&TNodeCompareAcctNode);
// For all the items in the member list lets add the member to the group.
// First check in the migrated objects table to see if it has been migrated.
for ( TRecordNode * pNode = (TRecordNode *)pMember->Head(); pNode; pNode = (TRecordNode *)pNode->Next()) { pVs->QueryInterface(IID_IUnknown, (void**) &pUnk); // get the needed information from the account node
if ( pAcct != pNode->GetARNode() ) { if ( pNode->GetARNode()->WasReplaced() ) { // the account was moved successfully - add the target account to all of its old groups
StuffComputerNameinLdapPath(sPaths, nPathLen, const_cast<WCHAR*>(pNode->GetARNode()->GetTargetPath()), pOptions); hr = ADsGetObject(sPaths, IID_IADs, (void**) &pAds); } else { // the move failed, add the source account back to its groups
StuffComputerNameinLdapPath(sPaths, nPathLen, const_cast<WCHAR*>(pNode->GetARNode()->GetSourcePath()), pOptions, FALSE); hr = ADsGetObject(sPaths, IID_IADs, (void**) &pAds); } if ( SUCCEEDED(hr) ) { pAds->Get(L"distinguishedName", &var); pAds->Release(); sMyDN = V_BSTR(&var); } else { continue; } pAcct = pNode->GetARNode(); if ( pAcct->WasReplaced() ) { err.MsgWrite(0,DCT_READDING_GROUP_MEMBERS_SS,pAcct->GetTargetName(),sPaths); } else { err.MsgWrite(0,DCT_READDING_GROUP_MEMBERS_SS,pAcct->GetName(),sPaths); } } sMember = pNode->GetMemberSam(); if ( pAcct->WasReplaced() ) { pVs->Clear(); hr = pDb->raw_GetAMigratedObject((WCHAR*)sMember,pOptions->srcDomain, pOptions->tgtDomain, &pUnk); pUnk->Release(); if ( hr == S_OK ) { // Since we have already migrated this object lets use the target objects information.
VerifyAndUpdateMigratedTarget(pOptions, pVs); sPath = pVs->get(L"MigratedObjects.TargetAdsPath"); } else // Other wise use the source objects path to add.
sPath = pNode->GetMember(); } else { sPath = pNode->GetMember(); } // We have a path to the object lets get the group interface and add this object as a member
WCHAR sPath2[LEN_Path]; DWORD nPathLen = LEN_Path; if ( SUCCEEDED(hr) ) { StuffComputerNameinLdapPath(sPath2, nPathLen, (WCHAR*) sPath, pOptions, TRUE); hr = ADsGetObject(sPath2, IID_IADsGroup, (void**) &pGroup); } if ( SUCCEEDED(hr) ) { if ( pAcct->WasReplaced() ) { if ( ! pOptions->nochange ) hr = pGroup->Add(sPaths); else hr = 0; if ( SUCCEEDED(hr) ) { err.MsgWrite(0,DCT_MSG_READDED_MEMBER_SS,pAcct->GetTargetPath(),sPath2); } else { //hr = BetterHR(hr);
if ( HRESULT_CODE(hr) == ERROR_DS_UNWILLING_TO_PERFORM ) { err.MsgWrite(0,DCT_MSG_READD_MEMBER_FAILED_CONSTRAINTS_SS,pAcct->GetTargetPath(),sPath2); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_READD_TARGET_MEMBER_FAILED_SSD,pAcct->GetTargetPath(),(WCHAR*)sPath2,hr); } Mark(L"errors", pAcct->GetType()); } } else { WCHAR mesg[LEN_Path]; wsprintf(mesg, (WCHAR*)GET_STRING(DCT_MSG_RESET_OBJECT_MEMBERSHIP_SS), (WCHAR*) sPath2, pAcct->GetTargetName()); Progress(mesg);
if ( ! pOptions->nochange ) hr = pGroup->Add(sPaths); else hr = 0; if ( SUCCEEDED(hr) ) { err.MsgWrite(0,DCT_MSG_READDED_MEMBER_SS,pAcct->GetSourcePath(),(WCHAR*)sPath2); } else { //hr = BetterHR(hr);
if ( HRESULT_CODE(hr) == ERROR_DS_UNWILLING_TO_PERFORM ) { err.MsgWrite(0,DCT_MSG_READD_MEMBER_FAILED_CONSTRAINTS_SS,pAcct->GetTargetPath(),(WCHAR*)sPath2); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_READD_SOURCE_MEMBER_FAILED_SSD,pAcct->GetSourcePath(),(WCHAR*)sPath2,hr); } Mark(L"errors", pAcct->GetType()); } } } else { // the member could not be added to the group
hr = BetterHR(hr); err.SysMsgWrite(ErrW,hr,DCT_MSG_FAILED_TO_GET_OBJECT_SD,(WCHAR*)sPath2,hr); Mark(L"warnings", pAcct->GetType()); } if ( pGroup ) { pGroup->Release(); pGroup = NULL; } } return hr;}
//---------------------------------------------------------------------------------------------------------
// ResetTypeOfPreviouslyMigratedGroups
//
// Attempts to change group scope back to global for global groups that were previously migrated but were
// unable to have their scope changed back to global due to having members outside of the domain.
//---------------------------------------------------------------------------------------------------------
void CAcctRepl::ResetTypeOfPreviouslyMigratedGroups(Options* pOptions){ // retrieve list of global groups that have been migrated from source domain
IVarSetPtr spVarSet(__uuidof(VarSet)); IUnknownPtr spUnknown(spVarSet); IUnknown* punk = spUnknown;
HRESULT hr = pOptions->pDb->GetMigratedObjectByType(-1, _bstr_t(pOptions->srcDomain), _bstr_t(L"ggroup"), &punk);
if (SUCCEEDED(hr)) { // for each global group
long lCount = spVarSet->get(_bstr_t(L"MigratedObjects"));
for (long lIndex = 0; lIndex < lCount; lIndex++) { WCHAR szKey[256];
// if marked as having been global group
// which means it was converted to universal group
swprintf(szKey, L"MigratedObjects.%ld.status", lIndex); long lStatus = spVarSet->get(_bstr_t(szKey));
if (lStatus & AR_Status_GroupScopeChanged) { // bind to group in target domain
swprintf(szKey, L"MigratedObjects.%ld.TargetAdsPath", lIndex); _bstr_t strADsPath = spVarSet->get(_bstr_t(szKey));
if (strADsPath.length()) { IADsGroupPtr spGroup; hr = ADsGetObject(strADsPath, IID_IADsGroup, (void**)&spGroup);
if (SUCCEEDED(hr)) { // if group is currently a universal group
_bstr_t strPropertyName(L"groupType");
VARIANT var; VariantInit(&var);
hr = spGroup->Get(strPropertyName, &var);
if (SUCCEEDED(hr)) { long lGroupType = _variant_t(var, false);
if (lGroupType & ADS_GROUP_TYPE_UNIVERSAL_GROUP) { // change it's type back to global group
spGroup->Put(strPropertyName, _variant_t(long(unsigned long(ADS_GROUP_TYPE_GLOBAL_GROUP|ADS_GROUP_TYPE_SECURITY_ENABLED)))); hr = spGroup->SetInfo();
if (SUCCEEDED(hr)) { // log successful change
err.MsgWrite(ErrI, DCT_MSG_CHANGE_GLOBAL_GROUP_SCOPE_BACK_S, (LPCTSTR)strADsPath); } }
if (SUCCEEDED(hr)) { // clear status flag in database
swprintf(szKey, L"MigratedObjects.%ld.GUID", lIndex); _bstr_t strGUID = spVarSet->get(_bstr_t(szKey)); pOptions->pDb->UpdateMigratedObjectStatus(strGUID, lStatus & ~AR_Status_GroupScopeChanged); } } } } } } }}
//---------------------------------------------------------------------------------------------------------
// RecordAndRemoveMember : Records and removes the objects in the member property of the object(group) being
// migrated. The recorded information is later used to restore membership.
//---------------------------------------------------------------------------------------------------------
HRESULT CAcctRepl::RecordAndRemoveMember ( Options * pOptions, //in- Options set by the user.
TAcctReplNode * pAcct, //in- Account being copied.
TNodeListSortable * pMember //out-Membership list to be used later to restore membership
){ HRESULT hr; INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); IEnumVARIANT * pEnum; LPWSTR sCols[] = { L"member" }; SAFEARRAY * pSa; SAFEARRAYBOUND bd = { 1, 0 }; WCHAR sPath[LEN_Path]; DWORD nPathLen = LEN_Path; _bstr_t sDN; IADsGroupPtr pGroup; _variant_t var; DWORD ulFetch=0; IADsPtr pAds; _bstr_t sGrpName; _variant_t * pDt; _variant_t vx; BSTR HUGEP * pData; WCHAR sSourcePath[LEN_Path]; WCHAR sAdsPath[LEN_Path];
wcscpy(sSourcePath, pAcct->GetSourcePath());
if ( !wcsncmp(L"LDAP://", sSourcePath, 7) ) StuffComputerNameinLdapPath(sAdsPath, nPathLen, sSourcePath, pOptions, FALSE);
hr = ADsGetObject(sAdsPath, IID_IADsGroup, (void**) &pGroup); if ( FAILED(hr) ) return hr;
pSa = SafeArrayCreate(VT_BSTR, 1, &bd); hr = SafeArrayAccessData(pSa, (void HUGEP **)&pData); pData[0] = SysAllocString(sCols[0]); hr = SafeArrayUnaccessData(pSa); hr = pQuery->raw_SetQuery(sAdsPath, pOptions->srcDomain, L"(objectClass=*)", ADS_SCOPE_BASE, TRUE); hr = pQuery->raw_SetColumns(pSa); hr = pQuery->raw_Execute(&pEnum); if ( FAILED(hr) ) return hr;
err.MsgWrite(0,DCT_STRIPPING_GROUP_MEMBERS_SS,pAcct->GetName(),sAdsPath); while ( pEnum->Next(1, &var, &ulFetch) == S_OK ) { SAFEARRAY * vals = var.parray; // Get the VARIANT Array out
SafeArrayAccessData(vals, (void HUGEP**) &pDt); vx = pDt[0]; SafeArrayUnaccessData(vals);
// Single value in the property. Good enough for me though
if ( vx.vt == VT_BSTR ) { sDN = V_BSTR(&vx); sDN = PadDN(sDN);
if ( sDN.length() ) { WCHAR mesg[LEN_Path]; wsprintf(mesg, (WCHAR*)GET_STRING(DCT_MSG_RECORD_REMOVE_MEMBER_SS), pAcct->GetName(), (WCHAR*) sDN); Progress(mesg);
hr = ADsPathFromDN(pOptions, sDN, sPath);
if (SUCCEEDED(hr)) { // Get the IADs pointer to each of the objects in member and remove the object from the group
hr = ADsGetObject((WCHAR*)sPath, IID_IADs, (void**) &pAds);
if ( SUCCEEDED(hr) ) { pAds->Get(L"sAMAccountName", &var); sGrpName = V_BSTR(&var);
pAds->Get(L"distinguishedName", &var); sDN = V_BSTR(&var); }
if ( !pOptions->nochange ) hr = pGroup->Remove((WCHAR*) sPath); else hr = S_OK;
if (FAILED(hr)) { err.SysMsgWrite(ErrE,hr,DCT_MSG_REMOVE_MEMBER_FAILED_SSD,sAdsPath,(WCHAR*)sPath,hr); Mark(L"errors", pAcct->GetType()); continue; } else { err.MsgWrite(0,DCT_MSG_REMOVED_MEMBER_FROM_GROUP_SS,(WCHAR*)sPath,sAdsPath); } } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_REMOVE_MEMBER_FAILED_SSD,sAdsPath,(WCHAR*)sDN,hr); Mark(L"errors", pAcct->GetType()); continue; }
// Record this path into the list
TRecordNode * pNode = new TRecordNode(); if (!pNode) return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY); pNode->SetMember((WCHAR*)sPath); pNode->SetMemberSam((WCHAR*)sGrpName); pNode->SetDN((WCHAR*)sDN); pNode->SetARNode(pAcct); if (! pMember->InsertIfNew((TNode*) pNode) ) delete pNode; } } else if ( vx.vt & VT_ARRAY ) { // We must have got an Array of multivalued properties
// Access the BSTR elements of this variant array
_variant_t * pVar; SAFEARRAY * multiVals = vx.parray; SafeArrayAccessData(multiVals, (void HUGEP **) &pVar); for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { sDN = _bstr_t(pVar[dw]); _bstr_t sPadDN = PadDN(sDN);
WCHAR mesg[LEN_Path]; wsprintf(mesg, (WCHAR*)GET_STRING(DCT_MSG_RECORD_REMOVE_MEMBER_SS), pAcct->GetName(), (WCHAR*) sPadDN); Progress(mesg);
hr = ADsPathFromDN(pOptions, sPadDN, sPath);
if (SUCCEEDED(hr)) { WCHAR tempPath[LEN_Path]; wcscpy(tempPath, sPath); if ( !wcsncmp(L"LDAP://", tempPath, 7) ) StuffComputerNameinLdapPath(sPath, nPathLen, tempPath, pOptions, FALSE);
// Get the IADsGroup pointer to each of the objects in member of and remove this object from the group
hr = ADsGetObject((WCHAR*)sPath, IID_IADs, (void**) &pAds); if ( SUCCEEDED(hr) ) { hr = pAds->Get(L"sAMAccountName", &var); if ( SUCCEEDED(hr) ) { sGrpName = V_BSTR(&var); }
hr = pAds->Get(L"distinguishedName", &var); if ( SUCCEEDED(hr) ) { sDN = V_BSTR(&var); }
if ( !pOptions->nochange ) hr = pGroup->Remove((WCHAR*)sPath); else hr = S_OK;
if ( SUCCEEDED(hr) ) { err.MsgWrite(0,DCT_MSG_REMOVED_MEMBER_FROM_GROUP_SS,(WCHAR*)sPath,sAdsPath); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_REMOVE_MEMBER_FAILED_SSD,sAdsPath,(WCHAR*)sPath,hr); Mark(L"errors", pAcct->GetType()); } if ( SUCCEEDED(hr) ) { // Record this path into the list
TRecordNode * pNode = new TRecordNode(); if (!pNode) return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY); pNode->SetMember((WCHAR*)sPath); pNode->SetMemberSam((WCHAR*)sGrpName); pNode->SetDN((WCHAR*)sDN); pNode->SetARNode(pAcct); if ( ! pMember->InsertIfNew((TNode*) pNode) ) delete pNode; } } else { // Since we were not able to get this user. it has probably been migrated to another domain.
// we should use the DN to find where the object is migrated to and then use the migrated object
// to establish the membership instead.
// Remove the rogue member
if ( !pOptions->nochange ) hr = pGroup->Remove((WCHAR*)sPath); else hr = S_OK;
if ( SUCCEEDED(hr) ) { err.MsgWrite(0,DCT_MSG_REMOVED_MEMBER_FROM_GROUP_SS,(WCHAR*)sPath,sAdsPath); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_REMOVE_MEMBER_FAILED_SSD,sAdsPath,(WCHAR*)sPath,hr); Mark(L"errors", pAcct->GetType()); }
// Check in the DB to see where this object may have been migrated
IUnknown * pUnk = NULL; IVarSetPtr pVsMigObj(__uuidof(VarSet));
hr = pVsMigObj->QueryInterface(IID_IUnknown, (void**)&pUnk);
if ( SUCCEEDED(hr) ) hr = pOptions->pDb->raw_GetMigratedObjectBySourceDN(sPadDN, &pUnk);
if (pUnk) pUnk->Release();
if ( hr == S_OK ) { // Record this path into the list
TRecordNode * pNode = new TRecordNode(); if (!pNode) return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY); WCHAR sKey[500];
wsprintf(sKey, L"MigratedObjects.%s", GET_STRING(DB_TargetAdsPath)); pNode->SetMember((WCHAR*)pVsMigObj->get(sKey).bstrVal);
wsprintf(sKey, L"MigratedObjects.%s", GET_STRING(DB_TargetSamName)); pNode->SetMemberSam((WCHAR*)pVsMigObj->get(sKey).bstrVal); pNode->SetDN((WCHAR*)sDN); pNode->SetARNode(pAcct); if ( ! pMember->InsertIfNew((TNode*) pNode) ) delete pNode; } else { //Log a message saying we can not find this object and the membership will not be updated on the other side.
err.MsgWrite(ErrE,DCT_MSG_MEMBER_NOT_FOUND_SS, pAcct->GetName(), (WCHAR*)sDN); } } } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_REMOVE_MEMBER_FAILED_SSD,sAdsPath,(WCHAR*)sPadDN,hr); Mark(L"errors", pAcct->GetType()); } } SafeArrayUnaccessData(multiVals); } } pEnum->Release(); var.Clear(); return S_OK;}
void CAcctRepl::UpdateMemberList(TNodeListSortable * pMemberList,TNodeListSortable * acctlist){ // for each moved object in the account list, look it up in the member list
TNodeTreeEnum e; TAcctReplNode * pAcct; TRecordNode * pRec;// HRESULT hr = S_OK;
WCHAR dn[LEN_Path]; WCHAR const * slash;
pMemberList->Sort(TNodeCompareMemberDN);
for ( pAcct = (TAcctReplNode *)e.OpenFirst(acctlist) ; pAcct ; pAcct = (TAcctReplNode *)e.Next()) { if ( pAcct->WasReplaced() ) { //err.DbgMsgWrite(0,L"UpdateMemberList:: %ls was replaced",pAcct->GetSourcePath());
slash = wcschr(pAcct->GetSourcePath()+8,L'/'); if ( slash ) { safecopy(dn,slash+1); // err.DbgMsgWrite(0,L"Searching the member list for %ls",dn);
// if the account was replaced, find any instances of it in the member list, and update them
pRec = (TRecordNode *)pMemberList->Find(&TNodeCompareMemberItem,dn); while ( pRec ) { // err.DbgMsgWrite(0,L"Found record: Member=%ls, changing it to %ls",pRec->GetMember(),pAcct->GetTargetPath());
// change the member data to refer to the new location of the account
pRec->SetMember(pAcct->GetTargetPath()); pRec->SetMemberSam(pAcct->GetTargetSam()); pRec->SetMemberMoved(); pRec = (TRecordNode*)pRec->Next(); if ( pRec && UStrICmp(pRec->GetDN(),dn) ) { // the next record is for a different node
pRec = NULL; } } } } // else
// err.DbgMsgWrite(0,L"UpdateMemberList:: %ls was not replaced",pAcct->GetSourcePath());
} e.Close(); // put the list back like it was before
pMemberList->Sort(TNodeCompareMember);}
void CAcctRepl::SimpleADsPathFromDN( Options * pOptions, WCHAR const * sDN, WCHAR * sPath ){ WCHAR const * pDcPart = wcsstr(sDN,L",DC=");
UStrCpy(sPath,L"LDAP://");
if ( pDcPart ) { WCHAR const * curr; // pointer to DN
WCHAR * sPathCurr; // pointer to domain name part of the path
for ( sPathCurr = sPath+UStrLen(sPath), curr = pDcPart + 4; *curr ; sPathCurr++ ) { // replace each occurrence of ,DC= in the DN with '.' in this part of the domain
if ( !UStrICmp(curr,L",DC=",4) ) { (*sPathCurr) = L'.'; curr+=4; } else { (*sPathCurr) = (*curr); curr++; } } // null-terminate the string
(*sPathCurr) = 0; } else { // if we can't figure it out from the path for some reason, default to the source domain
UStrCpy(sPath+UStrLen(sPath),pOptions->srcDomain); } UStrCpy(sPath+UStrLen(sPath),L"/"); UStrCpy(sPath + UStrLen(sPath),sDN);
}
BOOL GetSidString(PSID sid, WCHAR* sSid){ BOOL ret = false; SAFEARRAY * pSa = NULL; SAFEARRAYBOUND bd; HRESULT hr = S_OK; LPBYTE pByte = NULL; _variant_t var; if (IsValidSid(sid)) { DWORD len = GetLengthSid(sid); bd.cElements = len; bd.lLbound = 0; pSa = SafeArrayCreate(VT_UI1, 1, &bd); if ( pSa ) hr = SafeArrayAccessData(pSa, (void**)&pByte);
if ( SUCCEEDED(hr) ) { for ( DWORD x = 0; x < len; x++) pByte[x] = ((LPBYTE)sid)[x]; hr = SafeArrayUnaccessData(pSa); } if ( SUCCEEDED(hr) ) { var.vt = VT_UI1 | VT_ARRAY; var.parray = pSa; VariantSidToString(var); wcscpy(sSid, (WCHAR*) var.bstrVal); ret = true; } } return ret;}//---------------------------------------------------------------------------------------------------------
// ADsPathFromDN : Constructs the AdsPath from distinguished name by looking up the Global Catalog.
//---------------------------------------------------------------------------------------------------------
HRESULT CAcctRepl::ADsPathFromDN( Options * pOptions, //in -Options as set by the user
_bstr_t sDN, //in -Distinguished name to be converted
WCHAR * sPath, //out-The ads path of object referenced by the DN
bool bWantLDAP //in - Flag telling us if they want LDAP path or GC path.
){ HRESULT hr; INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); WCHAR sCont[LEN_Path]; IEnumVARIANT * pEnum; WCHAR sQuery[LEN_Path]; LPWSTR sCols[] = { L"ADsPath" }; _variant_t var; DWORD pFetch = 0; BSTR * pDt; _variant_t * pvar; _variant_t vx; SAFEARRAY * pSa; SAFEARRAYBOUND bd = { 1, 0 }; long rc;
pSa = SafeArrayCreate(VT_BSTR, 1, &bd); SafeArrayAccessData( pSa, (void HUGEP **) &pDt); pDt[0] = SysAllocString(sCols[0]); SafeArrayUnaccessData(pSa);
//
// Attempt to query the global catalog for specified distinguished name. If unable to
// obtain name of global catalog server than query domain controller in source domain.
//
_bstr_t strGlobalCatalogServer;
DWORD dwError = GetGlobalCatalogServer4(pOptions->srcDomain, strGlobalCatalogServer);
if (dwError == ERROR_SUCCESS) { if ((PWSTR)strGlobalCatalogServer) { wsprintf(sCont, L"GC://%s", (PWSTR)strGlobalCatalogServer); } else { return E_OUTOFMEMORY; } } else { wsprintf(sCont, L"LDAP://%s", pOptions->srcDomain); }
wsprintf(sQuery, L"(distinguishedName=%s)", GetEscapedFilterValue(sDN).c_str()); hr = pQuery->raw_SetQuery(sCont, pOptions->srcDomain, sQuery, ADS_SCOPE_SUBTREE, TRUE); if ( FAILED(hr) ) return hr; hr = pQuery->raw_SetColumns(pSa); if ( FAILED(hr) ) return hr; hr = pQuery->raw_Execute(&pEnum); if ( FAILED(hr) ) return hr;
hr = pEnum->Next(1, &var, &pFetch); if ( SUCCEEDED(hr) && pFetch > 0 && (var.vt & VT_ARRAY) ) { SAFEARRAY * vals = var.parray; // Get the VARIANT Array out
rc = SafeArrayAccessData(vals, (void HUGEP**) &pvar); vx = pvar[0]; rc = SafeArrayUnaccessData(vals);
wcscpy(sPath, (WCHAR*)V_BSTR(&vx)); if (bWantLDAP) { WCHAR sTemp[LEN_Path]; wsprintf(sTemp, L"LDAP%s", sPath + 2); wcscpy(sPath, sTemp); } hr = S_OK; } else { // This must not be from this forest so we need to use the LDAP://<SID=##> format
wsprintf(sPath, L"LDAP://%s/%s", pOptions->srcDomain, (WCHAR*) sDN); hr = S_OK; } pEnum->Release();
return hr;}
//---------------------------------------------------------------------------------------------------------
// FillNamingContext : Gets the naming context for both domains if they are Win2k
//---------------------------------------------------------------------------------------------------------
BOOL CAcctRepl::FillNamingContext( Options * pOptions //in,out-Options as set by the user
){ // Get the defaultNamingContext for the source domain
IADs * pAds = NULL; WCHAR sAdsPath[LEN_Path]; VARIANT var; BOOL rc = TRUE; HRESULT hr;
VariantInit(&var); // we should always be able to get the naming context for the target domain,
// since the target domain will always be Win2K
if ( ! *pOptions->tgtNamingContext ) { wcscpy(sAdsPath, L"LDAP://"); wcscat(sAdsPath, pOptions->srcDomain); wcscat(sAdsPath, L"/rootDSE"); hr = ADsGetObject(sAdsPath, IID_IADs, (void**)&pAds); if ( FAILED(hr)) rc = FALSE;
if ( SUCCEEDED (hr) ) { hr = pAds->Get(L"defaultNamingContext",&var); if ( SUCCEEDED( hr) ) wcscpy(pOptions->srcNamingContext, var.bstrVal); VariantClear(&var); } if ( pAds ) { pAds->Release(); pAds = NULL; } wcscpy(sAdsPath, L"LDAP://"); wcscat(sAdsPath, pOptions->tgtDomain); wcscat(sAdsPath, L"/rootDSE"); hr = ADsGetObject(sAdsPath, IID_IADs, (void**)&pAds); if ( FAILED(hr)) rc = FALSE;
if ( SUCCEEDED (hr) ) { hr = pAds->Get(L"defaultNamingContext",&var); if ( SUCCEEDED( hr) ) wcscpy(pOptions->tgtNamingContext, var.bstrVal); VariantClear(&var); } if ( pAds ) pAds->Release(); } return rc;}
//---------------------------------------------------------------------------------------------------------
// ResetGroupsMembers : This method re-adds the objects in the pMember list to the group account. This
// resets the group to its original form. ( as before the migration ). It also
// takes into account the MigratedObjects table which in turn allows to add the target
// information of newly migrated accounts to the group instead of the source account.
//---------------------------------------------------------------------------------------------------------
HRESULT CAcctRepl::ResetGroupsMembers( Options * pOptions, //in- Options as set by the user
TAcctReplNode * pAcct, //in- Account being copied
TNodeListSortable * pMember, //in- Membership list to restore
IIManageDBPtr pDb //in- DB object to look up migrated objects.
){ // Add all the members back to the group.
IADsGroup * pGroup; HRESULT hr; _bstr_t sMember; _bstr_t sPath; IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk; DWORD groupType = 0; _variant_t var; WCHAR sMemPath[LEN_Path]; WCHAR sPaths[LEN_Path]; DWORD nPathLen = LEN_Path; WCHAR subPath[LEN_Path];
*sMemPath = L'\0';
if ( pAcct->WasReplaced() ) { wcscpy(subPath, pAcct->GetTargetPath()); StuffComputerNameinLdapPath(sPaths, nPathLen, subPath, pOptions, TRUE); hr = ADsGetObject(sPaths, IID_IADsGroup, (void**) &pGroup); err.MsgWrite(0, DCT_READDING_MEMBERS_TO_GROUP_SS, pAcct->GetTargetName(), sPaths); } else { wcscpy(subPath, pAcct->GetSourcePath()); StuffComputerNameinLdapPath(sPaths, nPathLen, subPath, pOptions, FALSE); hr = ADsGetObject(sPaths, IID_IADsGroup, (void**) &pGroup); err.MsgWrite(0, DCT_READDING_MEMBERS_TO_GROUP_SS, pAcct->GetName(), sPaths); } if ( FAILED(hr) ) return hr;
hr = pGroup->Get(L"groupType", &var); if ( SUCCEEDED(hr) ) { groupType = var.lVal; }
for ( TRecordNode * pNode = (TRecordNode*)pMember->Head(); pNode; pNode = (TRecordNode*)pNode->Next()) { if ( pNode->GetARNode() != pAcct ) continue; pVs->QueryInterface(IID_IUnknown, (void**)&pUnk);
sMember = pNode->GetMemberSam(); if ( pAcct->WasReplaced() && sMember.length() && !pNode->IsMemberMoved() ) { hr = pDb->raw_GetAMigratedObject(sMember,pOptions->srcDomain, pOptions->tgtDomain, &pUnk); } else { hr = S_FALSE; // if we don't have the sam name, don't bother trying to look this one up
} pUnk->Release(); if ( hr == S_OK ) { // Since we have already migrated this object lets use the target objects information.
VerifyAndUpdateMigratedTarget(pOptions, pVs); sPath = pVs->get(L"MigratedObjects.TargetAdsPath"); } else // Other wise use the source objects path to add.
sPath = pNode->GetMember(); if ( groupType & 4 ) { // To add local group members we need to change the LDAP path to the SID type path
IADs * pAds = NULL; hr = ADsGetObject((WCHAR*) sPath, IID_IADs, (void**) &pAds); if ( SUCCEEDED(hr) ) hr = pAds->Get(L"objectSid", &var);
if ( SUCCEEDED(hr) ) { // Make sure the SID we got was in string format
VariantSidToString(var); UStrCpy(sMemPath,L"LDAP://<SID="); UStrCpy(sMemPath + UStrLen(sMemPath),var.bstrVal); UStrCpy(sMemPath + UStrLen(sMemPath),L">"); } } else wcscpy(sMemPath, (WCHAR*) sPath);
WCHAR mesg[LEN_Path]; wsprintf(mesg, GET_STRING(DCT_MSG_RESET_GROUP_MEMBERS_SS), pAcct->GetName(), (WCHAR*) sMemPath); Progress(mesg);
if ( !pOptions->nochange ) hr = pGroup->Add(sMemPath); else hr = S_OK;
// Try again with LDAP path if SID path failed.
if ( FAILED(hr) && ( groupType & 4 ) ) hr = pGroup->Add((WCHAR*) sPath);
if ( FAILED(hr) ) { hr = BetterHR(hr); err.SysMsgWrite(ErrE, hr, DCT_MSG_FAILED_TO_READD_TO_GROUP_SSD,(WCHAR*)sPath, pAcct->GetName(),hr); Mark(L"errors", pAcct->GetType()); } else { err.MsgWrite(0, DCT_MSG_READD_MEMBER_TO_GROUP_SS, (WCHAR*) sPath, pAcct->GetName()); } } pGroup->Release(); return hr;}
BOOL CAcctRepl::TruncateSam(WCHAR * tgtname, TAcctReplNode * acct, Options * options, TNodeListSortable * acctList){ // SInce we can not copy accounts with lenght more than 20 characters we will truncate
// it and then add sequence numbers (0-99) in case there are duplicates.
// we are also going to take into account the global prefix and suffix length while truncating
// the account.
BOOL ret = TRUE; int lenPref = wcslen(options->globalPrefix); int lenSuff = wcslen(options->globalSuffix); int lenOrig = wcslen(tgtname); int maxLen = 20;
if ( !_wcsicmp(acct->GetType(), L"group") ) maxLen = 255; else maxLen = 20;
int lenTruncate = maxLen - ( 2 + lenPref + lenSuff );
// we can not truncate accounts if prefix and suffix are > 20 characters themselves
if ( lenPref + lenSuff > (maxLen - 2) ) return FALSE;
WCHAR sTemp[LEN_Path];
wcscpy(sTemp, tgtname); StripSamName(tgtname);
bool bReplaced = wcscmp(tgtname, sTemp) != 0; bool bTruncate = lenPref + lenSuff + lenOrig > maxLen;
if (bReplaced || bTruncate) { bool bGenerate = true;
// if the account was previously migrated
if (IsAccountMigrated(acct, options, options->pDb, sTemp)) { //if (CheckifAccountExists(options, sTemp))
//{
// if prefix matches
if ((lenPref == 0) || (_wcsnicmp(sTemp, options->globalPrefix, lenPref) == 0)) { // if suffix matches
if ((lenSuff == 0) || (_wcsnicmp(&sTemp[wcslen(sTemp) - lenSuff], options->globalSuffix, lenSuff) == 0)) { // and portion of name without sequence number matches
int cchName = wcslen(sTemp) - 2 - lenSuff - lenPref;
if ((_wcsnicmp(&sTemp[lenPref], tgtname, cchName) == 0)) { // then use previously truncated name
cchName += 2; wcsncpy(tgtname, &sTemp[lenPref], cchName); tgtname[cchName] = 0; bGenerate = false; } } } //}
}
// generate truncated name without sequence number
// if name has not been previously generated and
// the account does not exist then use generated name
if (bGenerate) { // Note: using swprintf instead of wsprintf because
// swprintf supports supplying length argument for precision
swprintf( sTemp, L"%s%.*s%s", lenPref ? options->globalPrefix : L"", lenTruncate + 2, tgtname, lenSuff ? options->globalSuffix : L"" );
if (acctList->Find(&TNodeFindByNameOnly, sTemp) == NULL) { if (CheckifAccountExists(options, sTemp) == false) { tgtname[lenTruncate + 2] = 0;
if (bTruncate) { err.MsgWrite(0, DCT_MSG_TRUNCATED_ACCOUNT_NAME_SSD, acct->GetName(), tgtname, maxLen); }
bGenerate = false; } } }
// generate truncated name with sequence number
if (bGenerate) { wcsncpy(sTemp, tgtname, lenTruncate); sTemp[lenTruncate] = 0; int cnt = 0; bool cont = true; while (cont) { wsprintf( tgtname, L"%s%s%02d%s", lenPref ? options->globalPrefix : L"", sTemp, cnt, lenSuff ? options->globalSuffix : L"" );
if (acctList->Find(&TNodeFindByNameOnly, tgtname) || CheckifAccountExists(options, tgtname)) { cnt++; } else { wsprintf(tgtname, L"%s%02d", sTemp, cnt); cont = false;
// Account is truncated so log a message.
if (bTruncate) { err.MsgWrite(0, DCT_MSG_TRUNCATED_ACCOUNT_NAME_SSD, acct->GetName(), tgtname, maxLen); } }
if (cnt > 99) { // We only have 2 digits for numbers so any more than this we can not handle.
if (bTruncate) { err.MsgWrite(ErrW,DCT_MSG_FAILED_TO_TRUNCATE_S, acct->GetTargetName()); } Mark(L"warnings",acct->GetType()); UStrCpy(tgtname, acct->GetTargetName()); ret = FALSE; break; } } } }
return ret;}//---------------------------------------------------------------------------------------------------------
// FillNodeFromPath : We will take the LDAP path that is provided to us and from that fill
// in all the information that is required in AcctRepl node.
//---------------------------------------------------------------------------------------------------------
HRESULT CAcctRepl::FillNodeFromPath( TAcctReplNode *pAcct, // in-Account node to fillin
Options * pOptions, //in - Options set by the users
TNodeListSortable * acctList ){ HRESULT hr = S_OK; IADsPtr pAds; VARIANT var; BSTR sText; WCHAR text[LEN_Account]; BOOL bBuiltIn = FALSE; WCHAR sSam[LEN_Path];
VariantInit(&var); FillNamingContext(pOptions);
hr = ADsGetObject(const_cast<WCHAR*>(pAcct->GetSourcePath()), IID_IADs, (void**)&pAds); if ( SUCCEEDED(hr) ) { // Check if this is a BuiltIn account.
hr = pAds->Get(L"isCriticalSystemObject", &var); if ( SUCCEEDED(hr) ) { bBuiltIn = V_BOOL(&var) == -1 ? TRUE : FALSE; } else { // This must be a NT4 account. We need to get the SID and check if
// it's RID belongs to the BUILTIN rids.
hr = pAds->Get(L"objectSID", &var); if ( SUCCEEDED(hr) ) { SAFEARRAY * pArray = V_ARRAY(&var); PSID pSid; hr = SafeArrayAccessData(pArray, (void**)&pSid); if ( SUCCEEDED(hr) ) { PUCHAR ucCnt = GetSidSubAuthorityCount(pSid); DWORD * rid = (DWORD *) GetSidSubAuthority(pSid, (*ucCnt)-1); bBuiltIn = BuiltinRid(*rid); if ( bBuiltIn ) { hr = pAds->get_Name(&sText); if (SUCCEEDED(hr)) { bBuiltIn = CheckBuiltInWithNTApi(pSid, (WCHAR*) sText, pOptions); } SysFreeString(sText); sText = NULL; } hr = SafeArrayUnaccessData(pArray); } VariantClear(&var); } }
hr = pAds->get_Class(&sText); if ( SUCCEEDED(hr) ) { pAcct->SetType((WCHAR*) sText); } else { err.MsgWrite(ErrE, DCT_MSG_GET_REQUIRED_ATTRIBUTE_FAILED, L"objectClass", pAcct->GetSourcePath(), hr); Mark(L"errors", (wcslen(pAcct->GetType()) > 0) ? pAcct->GetType() : L"generic"); pAcct->operations = 0; return hr; }
// check if it is a group. If it is then get the group type and store it in the node.
if ( _wcsicmp((WCHAR*) sText, L"group") == 0 ) { hr = pAds->Get(L"groupType", &var); if ( SUCCEEDED(hr) ) { pAcct->SetGroupType((long) V_INT(&var)); } }
SysFreeString(sText); sText = NULL;
hr = pAds->get_Name(&sText); if (SUCCEEDED(hr)) { safecopy(text,(WCHAR*)sText); pAcct->SetName(text); } else { err.MsgWrite(ErrE, DCT_MSG_GET_REQUIRED_ATTRIBUTE_FAILED, L"distinguishedName", pAcct->GetSourcePath(), hr); Mark(L"errors", pAcct->GetType()); pAcct->operations = 0; return hr; }
//if the name includes a '/', then we have to get the escaped version from the path
//due to a bug in W2K.
if (wcschr((WCHAR*)sText, L'/')) { _bstr_t sCNName = GetCNFromPath(_bstr_t(pAcct->GetSourcePath())); if (sCNName.length() != 0) { pAcct->SetName((WCHAR*)sCNName); } }
// if inter-forest migration and source object is an InetOrgPerson then...
if ((pOptions->bSameForest == FALSE) && (_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson) == 0)) { //
// must use the naming attribute of the target forest
//
// retrieve naming attribute for this class in target forest
SNamingAttribute naNamingAttribute;
hr = GetNamingAttribute(pOptions->tgtDomainDns, s_ClassInetOrgPerson, naNamingAttribute);
if (FAILED(hr)) { err.MsgWrite(ErrE, DCT_MSG_CANNOT_GET_NAMING_ATTRIBUTE_SS, s_ClassInetOrgPerson, pOptions->tgtDomainDns); Mark(L"errors", pAcct->GetType()); return hr; }
_bstr_t strNamingAttribute(naNamingAttribute.strName.c_str());
// retrieve source attribute value
VARIANT var; VariantInit(&var);
hr = pAds->Get(strNamingAttribute, &var);
if (FAILED(hr)) { err.MsgWrite(ErrE, DCT_MSG_CANNOT_GET_SOURCE_ATTRIBUTE_REQUIRED_FOR_NAMING_SSS, naNamingAttribute.strName.c_str(), pAcct->GetSourcePath(), pOptions->tgtDomainDns); Mark(L"errors", pAcct->GetType()); return hr; }
// set target naming attribute value from source attribute value
pAcct->SetTargetName(strNamingAttribute + L"=" + _bstr_t(_variant_t(var, false))); } else { // else set target name equal to source name
pAcct->SetTargetName(pAcct->GetName()); }
hr = pAds->Get(L"sAMAccountName", &var); if ( SUCCEEDED(hr)) { // Add the prefix or the suffix as it is needed
wcscpy(sSam, (WCHAR*)V_BSTR(&var)); pAcct->SetSourceSam(sSam); TruncateSam(sSam, pAcct, pOptions, acctList); pAcct->SetTargetSam(sSam); AddPrefixSuffix(pAcct, pOptions); VariantClear(&var); } else { wcscpy(sSam, sText); pAcct->SetSourceSam(sSam); TruncateSam(sSam, pAcct, pOptions, acctList); pAcct->SetTargetSam(sSam); AddPrefixSuffix(pAcct, pOptions); }
SysFreeString(sText); sText = NULL;
// Don't know why it is different for WinNT to ADSI
if ( pOptions->srcDomainVer > 4 ) hr = pAds->Get(L"profilePath", &var); else hr = pAds->Get(L"profile", &var);
if ( SUCCEEDED(hr)) { pAcct->SetSourceProfile((WCHAR*) V_BSTR(&var)); VariantClear(&var); } else { hr = S_OK; }
if ( bBuiltIn ) { // Builtin account so we are going to ignore this account. ( by setting the operation mask to 0 )
err.MsgWrite(ErrW, DCT_MSG_IGNORING_BUILTIN_S, pAcct->GetSourceSam()); Mark(L"warnings", pAcct->GetType()); pAcct->operations = 0; } } else { err.SysMsgWrite(ErrE, hr, DCT_MSG_OBJECT_NOT_FOUND_SSD, pAcct->GetSourcePath(), opt.srcDomain, hr); Mark(L"errors", (wcslen(pAcct->GetType()) > 0) ? pAcct->GetType() : L"generic"); pAcct->operations = 0; }
return hr;}
//---------------------------------------------------------------------------------------------------------
// GetNt4Type : Given the account name and the domain finds the type of account.
//---------------------------------------------------------------------------------------------------------
BOOL CAcctRepl::GetNt4Type(const WCHAR *sComp, const WCHAR *sAcct, WCHAR *sType){ DWORD rc = 0; USER_INFO_0 * buf; BOOL ret = FALSE; USER_INFO_1 * specialBuf;
if ( (rc = NetUserGetInfo(sComp, sAcct, 1, (LPBYTE *) &specialBuf)) == NERR_Success ) { if ( specialBuf->usri1_flags & UF_WORKSTATION_TRUST_ACCOUNT || specialBuf->usri1_flags & UF_SERVER_TRUST_ACCOUNT || specialBuf->usri1_flags & UF_INTERDOMAIN_TRUST_ACCOUNT ) { // this is not really a user (maybe a computer or a trust account) So we will ignore it.
ret = FALSE; } else { wcscpy(sType, L"user"); ret = TRUE; } NetApiBufferFree(specialBuf); } else if ( (rc = NetGroupGetInfo(sComp, sAcct, 0, (LPBYTE *) &buf)) == NERR_Success ) { wcscpy(sType, L"group"); NetApiBufferFree(buf); ret = TRUE; } else if ( (rc = NetLocalGroupGetInfo(sComp, sAcct, 0, (LPBYTE *) &buf)) == NERR_Success ) { wcscpy(sType, L"group"); NetApiBufferFree(buf); ret = TRUE; }
return ret;}
//------------------------------------------------------------------------------
// UndoCopy: This function Undoes the copying of the accounts. It currently
// does the following tasks. Add to it if needed.
// 1. Deletes the target account if Inter-Forest, but replace source acocunts
// in local groups for accounts migrated by ADMT.
// 2. Moves the object back to its original position if Intra-Forest.
// 3. Calls the Undo function on the Extensions
//------------------------------------------------------------------------------
int CAcctRepl::UndoCopy( Options * options, // in -options
TNodeListSortable * acctlist, // in -list of accounts to process
ProgressFn * progress, // in -window to write progress messages to
TError & error, // in -window to write error messages to
IStatusObj * pStatus, // in -status object to support cancellation
void WindowUpdate (void ) // in - window update function
){ BOOL bSameForest = FALSE; // sort the account list by Source Type\Source Name
acctlist->CompareSet(&TNodeCompareAccountType);
acctlist->SortedToScrambledTree(); acctlist->Sort(&TNodeCompareAccountType); acctlist->Balance();
long rc; // Since these are Win2k domains we need to process it with Win2k code.
MCSDCTWORKEROBJECTSLib::IAccessCheckerPtr pAccess(__uuidof(MCSDCTWORKEROBJECTSLib::AccessChecker)); // First of all we need to find out if they are in the same forest.
HRESULT hr = S_OK; if ( BothWin2K(options) ) { hr = pAccess->raw_IsInSameForest(options->srcDomainDns,options->tgtDomainDns, (long*)&bSameForest); } if ( SUCCEEDED(hr) ) { if ( !bSameForest ) // Different forest we need to delete the one that we had previously created.
rc = DeleteObject(options, acctlist, progress, pStatus); else { // Within a forest we can move the object around.
TNodeListSortable * pList = NULL; hr = MakeAcctListFromMigratedObjects(options, options->lUndoActionID, pList,TRUE); if ( SUCCEEDED(hr) && pList ) { if ( pList->IsTree() ) pList->ToSorted(); pList->CompareSet(&TNodeCompareAccountType); pList->UnsortedToTree(); pList->Balance();
rc = MoveObj2K(options, pList, progress, pStatus); } else { err.SysMsgWrite(ErrE,hr,DCT_MSG_FAILED_TO_LOAD_UNDO_LIST_D,hr); Mark(L"errors", L"generic"); } }
if ( progress ) progress(L""); } return rc;}
int CAcctRepl::DeleteObject( Options * pOptions, //in -Options that we recieved from the user
TNodeListSortable * acctlist, //in -AcctList of accounts to be copied.
ProgressFn * progress, //in -Progress Function to display messages
IStatusObj * pStatus // in -status object to support cancellation
){ TNodeListSortable * pList = NULL; TNodeTreeEnum tenum; TAcctReplNode * acct = NULL, * tNext = NULL; HRESULT hr = S_OK; DWORD rc = 0; WCHAR mesg[LEN_Path]; IUnknown * pUnk = NULL; IVarSetPtr pVs(__uuidof(VarSet)); _variant_t var; hr = MakeAcctListFromMigratedObjects(pOptions, pOptions->lUndoActionID, pList,FALSE); if ( SUCCEEDED(hr) && pList ) { if ( pList->IsTree() ) pList->ToSorted(); pList->SortedToScrambledTree(); pList->Sort(&TNodeCompareAccountSam); pList->Balance(); /* restore source account of account being deleted in local groups prior to deleting
the target account */ wcscpy(mesg, GET_STRING(IDS_LG_MEMBER_FIXUP_UNDO)); if ( progress ) progress(mesg); ReplaceSourceInLocalGroup(pList, pOptions, pStatus);
for ( acct = (TAcctReplNode *)tenum.OpenFirst(pList) ; acct ; acct = tNext) { // Call the extensions for undo
wsprintf(mesg, GET_STRING(IDS_RUNNING_EXTS_S), acct->GetTargetPath()); if ( progress ) progress(mesg); Mark(L"processed",acct->GetType()); // Close the log file if it is open
WCHAR filename[LEN_Path]; err.LogClose(); if (m_pExt) m_pExt->Process(acct, pOptions->tgtDomain, pOptions,FALSE); safecopy (filename,opt.logFile); err.LogOpen(filename,1 /*append*/ );
if ( acct->GetStatus() & AR_Status_Created ) { wsprintf(mesg, GET_STRING(IDS_DELETING_S), acct->GetTargetPath()); if ( progress ) progress(mesg); if ( ! _wcsicmp(acct->GetType(),L"computer") ) { // do not delete the computer accounts, because if we do,
// the computer will be immediately locked out of the domain
tNext = (TAcctReplNode *) tenum.Next(); pList->Remove(acct); delete acct; continue; }
//
// If updating of rights was specified and objects are being deleted from a W2K domain
// then explicitly remove rights for objects as W2K does not automatically remove
// rights when an object is deleted.
//
if (m_UpdateUserRights && (pOptions->tgtDomainVer == 5) && (pOptions->tgtDomainVerMinor == 0)) { hr = EnumerateAccountRights(TRUE, acct);
if (SUCCEEDED(hr)) { RemoveAccountRights(TRUE, acct); } }
// Now delete the account.
if ( !_wcsicmp(acct->GetType(), s_ClassUser) || !_wcsicmp(acct->GetType(), s_ClassInetOrgPerson) ) rc = NetUserDel(pOptions->tgtComp, acct->GetTargetSam()); else { // Must be a group try both local and global.
rc = NetGroupDel(pOptions->tgtComp, acct->GetTargetSam()); if ( rc ) rc = NetLocalGroupDel(pOptions->tgtComp, acct->GetTargetSam()); } // Log a message
if ( !rc ) { err.MsgWrite(0, DCT_MSG_ACCOUNT_DELETED_S, (WCHAR*)acct->GetTargetPath()); Mark(L"created",acct->GetType()); } else { err.SysMsgWrite(ErrE, rc, DCT_MSG_DELETE_ACCOUNT_FAILED_SD, (WCHAR*)acct->GetTargetPath(), rc); Mark(L"errors", acct->GetType()); } } else { err.MsgWrite(ErrW, DCT_MSG_NO_DELETE_WAS_REPLACED_S, acct->GetTargetPath()); Mark(L"warnings",acct->GetType()); } tNext = (TAcctReplNode *) tenum.Next(); pList->Remove(acct); delete acct; } tenum.Close(); delete pList; }
if ( pUnk ) pUnk->Release();
return rc;}
HRESULT CAcctRepl::MakeAcctListFromMigratedObjects(Options * pOptions, long lUndoActionID, TNodeListSortable *& pAcctList,BOOL bReverseDomains){ IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk = NULL; HRESULT hr = S_OK; _bstr_t sSName, sTName, sSSam, sTSam, sType, sSUPN, sSDSid; long lSRid, lTRid; long lStat; WCHAR sActionInfo[LEN_Path];
hr = pVs->QueryInterface(IID_IUnknown, (void**)&pUnk); if ( SUCCEEDED(hr) ) hr = pOptions->pDb->raw_GetMigratedObjects( pOptions->lUndoActionID, &pUnk);
if ( SUCCEEDED(hr) ) { pAcctList = new TNodeListSortable(); if (!pAcctList) return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY); long lCnt = pVs->get("MigratedObjects"); for ( long l = 0; l < lCnt; l++) { wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_SourceAdsPath)); sSName = pVs->get(sActionInfo);
wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_TargetAdsPath)); sTName = pVs->get(sActionInfo); wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_status)); lStat = pVs->get(sActionInfo); wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_TargetSamName)); sTSam = pVs->get(sActionInfo); wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_SourceSamName)); sSSam = pVs->get(sActionInfo);
wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_Type)); sType = pVs->get(sActionInfo); wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_SourceDomainSid)); sSDSid = pVs->get(sActionInfo); wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_SourceRid)); lSRid = pVs->get(sActionInfo); wsprintf(sActionInfo, L"MigratedObjects.%d.%s", l, GET_STRING(DB_TargetRid)); lTRid = pVs->get(sActionInfo); TAcctReplNode * pNode = new TAcctReplNode(); if (!pNode) return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY);
if ( bReverseDomains ) { pNode->SetSourcePath((WCHAR*) sTName); pNode->SetTargetPath((WCHAR*) sSName); pNode->SetSourceSam((WCHAR*) sTSam); pNode->SetTargetSam((WCHAR*) sSSam); pNode->SetSourceRid(lTRid); pNode->SetTargetRid(lSRid); //if we are moving the acounts back during an undo, get the source UPN for this account
GetAccountUPN(pOptions, sSName, sSUPN); pNode->SetSourceUPN((WCHAR*) sSUPN); } else { pNode->SetSourcePath((WCHAR*) sSName); pNode->SetTargetPath((WCHAR*) sTName); pNode->SetSourceSam((WCHAR*) sSSam); pNode->SetTargetSam((WCHAR*) sTSam); pNode->SetSourceRid(lSRid); pNode->SetTargetRid(lTRid); } pNode->SetType((WCHAR*) sType); pNode->SetStatus(lStat); pNode->SetSourceSid(SidFromString((WCHAR*)sSDSid)); pAcctList->InsertBottom((TNode*) pNode); } } return hr;}
void CAcctRepl::AddPrefixSuffix( TAcctReplNode * pNode, Options * pOptions ){ DWORD dwLen = 0; c_array<WCHAR> achSs(LEN_Path); c_array<WCHAR> achTgt(LEN_Path); c_array<WCHAR> achPref(LEN_Path); c_array<WCHAR> achSuf(LEN_Path); c_array<WCHAR> achTemp(LEN_Path); c_array<WCHAR> achTargetSamName(LEN_Path);
wcscpy(achTargetSamName, pNode->GetTargetSam()); if ( wcslen(pOptions->globalPrefix) ) { int truncate = 255; if ( !_wcsicmp(pNode->GetType(), s_ClassUser) || !_wcsicmp(pNode->GetType(), s_ClassInetOrgPerson) ) { truncate = 20 - wcslen(pOptions->globalPrefix); } else if ( !_wcsicmp(pNode->GetType(), L"computer") ) { // fix up the trailing $
// assume that achTargetSamName always ends with $
// if the length of achTargetSamName (including $) is greater than truncate,
// we need to add in $ before string terminator
// since the trailing $ comes from the original sam name, we use MAX_COMPUTERNAME_LENGTH + 1
// to calculate the truncation position
truncate = MAX_COMPUTERNAME_LENGTH + 1 - wcslen(pOptions->globalPrefix); if (truncate < wcslen(achTargetSamName)) { WCHAR sTruncatedSamName[LEN_Path]; wcscpy(sTruncatedSamName, achTargetSamName); sTruncatedSamName[truncate - 1] = L'$'; sTruncatedSamName[truncate] = L'\0'; err.MsgWrite(0, DCT_MSG_TRUNCATED_COMPUTER_NAME_SSD, (WCHAR*)achTargetSamName, sTruncatedSamName, MAX_COMPUTERNAME_LENGTH); achTargetSamName[truncate - 1] = L'$'; } }
// make sure we truncate the account so we dont get account names that are very large.
achTargetSamName[truncate] = L'\0';
// Prefix is specified so lets just add that.
wsprintf(achTemp, L"%s%s", pOptions->globalPrefix, (WCHAR*)achTargetSamName);
wcscpy(achTgt, pNode->GetTargetName()); for ( DWORD z = 0; z < wcslen(achTgt); z++ ) { if ( achTgt[z] == L'=' ) break; } if ( z < wcslen(achTgt) ) { // Get the prefix part ex.CN=
wcsncpy(achPref, achTgt, z+1); achPref[z+1] = 0; wcscpy(achSuf, achTgt+z+1); } else { wcscpy(achPref,L""); wcscpy(achSuf,achTgt); }
// Remove the \ if it is escaping the space
if ( achSuf[0] == L'\\' && achSuf[1] == L' ' ) { WCHAR achTemp[LEN_Path]; wcscpy(achTemp, achSuf+1); wcscpy(achSuf, achTemp); } // Build the target string with the Prefix
wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, pOptions->globalPrefix, (WCHAR*)achSuf);
pNode->SetTargetSam(achTemp); pNode->SetTargetName(achTgt); } else if ( wcslen(pOptions->globalSuffix) ) { int truncate = 255; if ( !_wcsicmp(pNode->GetType(), s_ClassUser) || !_wcsicmp(pNode->GetType(), s_ClassInetOrgPerson) ) { truncate = 20 - wcslen(pOptions->globalSuffix); } else if ( !_wcsicmp(pNode->GetType(), L"computer") ) { // since the trailing $ does not come from the original sam name, we have to use MAX_COMPUTERNAME_LENGTH
// to calculate the truncation position
truncate = MAX_COMPUTERNAME_LENGTH - wcslen(pOptions->globalSuffix); if (truncate < wcslen(achTargetSamName)) { WCHAR sTruncatedSamName[LEN_Path]; wcscpy(sTruncatedSamName, achTargetSamName); sTruncatedSamName[truncate] = L'$'; sTruncatedSamName[truncate + 1] = L'\0'; err.MsgWrite(0, DCT_MSG_TRUNCATED_COMPUTER_NAME_SSD, (WCHAR*)achTargetSamName, sTruncatedSamName, MAX_COMPUTERNAME_LENGTH); } }
// make sure we truncate the account so we dont get account names that are very large.
achTargetSamName[truncate] = L'\0';
// Suffix is specified.
if ( !_wcsicmp( pNode->GetType(), L"computer") ) { // We need to make sure we take into account the $ sign in computer sam name.
dwLen = wcslen(achTargetSamName); // Get rid of the $ sign
wcscpy(achSs, achTargetSamName); if ( achSs[dwLen - 1] == L'$' ) { achSs[dwLen - 1] = L'\0'; } wsprintf(achTemp, L"%s%s$", (WCHAR*)achSs, pOptions->globalSuffix); } else { //Simply add the suffix to all other accounts.
wsprintf(achTemp, L"%s%s", (WCHAR*)achTargetSamName, pOptions->globalSuffix); }
// Remove the trailing space \ escape sequence
wcscpy(achTgt, pNode->GetName()); for ( int i = wcslen(achTgt)-1; i >= 0; i-- ) { if ( achTgt[i] != L' ' ) break; }
if ( achTgt[i] == L'\\' ) { WCHAR * pTemp = &achTgt[i]; *pTemp = 0; wcscpy(achPref, achTgt); wcscpy(achSuf, pTemp+1); } else { wcscpy(achPref, achTgt); wcscpy(achSuf, L""); } wsprintf(achTgt, L"%s%s%s", (WCHAR*)achPref, (WCHAR*)achSuf, pOptions->globalSuffix);
pNode->SetTargetSam(achTemp); pNode->SetTargetName(achTgt); }}
void CAcctRepl::BuildTargetPath(WCHAR const * sCN, WCHAR const * tgtOU, WCHAR * stgtPath){ WCHAR pTemp[LEN_Path]; DWORD dwArraySizeOfpTemp = sizeof(pTemp)/sizeof(pTemp[0]);
if (tgtOU == NULL) _com_issue_error(E_INVALIDARG); if (wcslen(tgtOU) >= dwArraySizeOfpTemp) _com_issue_error(HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER)); wcscpy(pTemp, tgtOU); *stgtPath = L'\0'; // Make sure it is a LDAP path.
if ( !wcsncmp(L"LDAP://", pTemp, 7) ) { // Get the LDAP://<DOMAIN>/ part.
WCHAR * p = wcschr(pTemp + 7, L'/'); // Build the string.
if (p) { *p = L'\0'; wsprintf(stgtPath, L"%s/%s,%s", pTemp, sCN, p+1); } }}
HRESULT CAcctRepl::BetterHR(HRESULT hr){ HRESULT temp = hr; if ( hr == 0x8007001f || hr == 0x80071392 ) temp = HRESULT_FROM_WIN32(NERR_UserExists); else if ( hr == 0x80072030 || hr == 0x80070534 ) temp = HRESULT_FROM_WIN32(NERR_UserNotFound); return temp;}
HRESULT CAcctRepl::GetThePrimaryGroupMembers(Options * pOptions, WCHAR * sGroupSam, IEnumVARIANT ** pVar){ // This function looks for accounts that have the primaryGroupID set to the rid of the
// group in the argument.
BSTR pCols = L"aDSPath"; DWORD rid = 0; HRESULT hr; if ( GetRidForGroup(pOptions, sGroupSam, rid) ) hr = QueryPrimaryGroupMembers(pCols, pOptions, rid, pVar); else hr = HRESULT_FROM_WIN32(GetLastError());
return hr;}
HRESULT CAcctRepl::AddPrimaryGroupMembers(Options * pOptions, SAFEARRAY * multiVals, WCHAR * sGroupSam){ // This function will get the accounts with primarygroupID = Group's RID and
// adds the DN for these Accounts to the safearry in the argument list.
BSTR pCols = L"distinguishedName"; DWORD rid = 0, dwFetch = 0; IEnumVARIANT * pEnum = NULL; HRESULT hr = S_OK; _variant_t var; _variant_t * var2; SAFEARRAYBOUND bd; long lb, ub; _variant_t * pData = NULL;
SafeArrayGetLBound(multiVals, 1, &lb); SafeArrayGetUBound(multiVals, 1, &ub); bd.lLbound = lb; bd.cElements = ub - lb + 1; if ( GetRidForGroup(pOptions, sGroupSam, rid) ) { hr = QueryPrimaryGroupMembers(pCols, pOptions, rid, &pEnum); if ( SUCCEEDED(hr) ) { while ( pEnum->Next(1, &var, &dwFetch) == S_OK ) { if (var.vt == (VT_ARRAY|VT_VARIANT)) { SAFEARRAY * pArray = var.parray; hr = SafeArrayAccessData(pArray, (void **)&var2); if ( SUCCEEDED(hr) ) { // Add one more element to the array.
bd.cElements++; hr = SafeArrayRedim(multiVals, &bd); }
// Fill in the new element with the information in the variant.
if ( SUCCEEDED(hr) ) hr = SafeArrayAccessData(multiVals, (void HUGEP**) &pData);
if ( SUCCEEDED(hr) ) { pData[++ub] = *var2; SafeArrayUnaccessData(multiVals); } if ( SUCCEEDED(hr) ) SafeArrayUnaccessData(pArray); var.Clear(); } else // Something really bad happened we should not get here in normal cond
hr = E_FAIL; } } } else hr = HRESULT_FROM_WIN32(GetLastError());
if ( pEnum ) pEnum->Release(); return hr;}
bool CAcctRepl::GetRidForGroup(Options * pOptions, WCHAR * sGroupSam, DWORD& rid){ // We lookup the Account name and get its SID. Once we have the SID we extract the RID and return that
SID_NAME_USE use; PSID sid = (PSID) new BYTE[LEN_Path]; WCHAR dom[LEN_Path]; DWORD cbsid = LEN_Path, cbDom = LEN_Path; bool ret = true;
if (!sid) return false;
if ( LookupAccountName(pOptions->srcComp, sGroupSam, sid, &cbsid, dom, &cbDom, &use) ) { // we now have the sid so get its sub authority count.
PUCHAR pSubCnt = GetSidSubAuthorityCount(sid); DWORD * pRid = GetSidSubAuthority(sid, (*pSubCnt) -1 ); rid = *pRid; } else ret = false; delete [] sid; return ret;}
HRESULT CAcctRepl::QueryPrimaryGroupMembers(BSTR cols, Options * pOptions, DWORD rid, IEnumVARIANT** pEnum){ WCHAR sQuery[LEN_Path]; WCHAR sCont[LEN_Path]; SAFEARRAY * colNames; SAFEARRAYBOUND bd = { 1, 0 }; INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); BSTR * pData; HRESULT hr;
wsprintf(sQuery, L"(primaryGroupID=%d)", rid); wsprintf(sCont, L"LDAP://%s", pOptions->srcDomain);
colNames = SafeArrayCreate(VT_BSTR, 1, &bd);
hr = SafeArrayAccessData(colNames, (void**)&pData);
if ( SUCCEEDED(hr) ) { pData[0] = SysAllocString(cols); hr = SafeArrayUnaccessData(colNames); }
if ( SUCCEEDED(hr) ) hr = pQuery->SetQuery(sCont, pOptions->srcDomain, sQuery, ADS_SCOPE_SUBTREE, FALSE); if ( SUCCEEDED(hr) ) hr = pQuery->SetColumns(colNames);
if ( SUCCEEDED(hr) ) hr = pQuery->Execute(pEnum);
return hr;}
// CheckBuiltInWithNTApi - This function makes sure that the account really is a
// builtin account with the NT APIs. In case of NT4 accounts
// there are certain special accounts that the WinNT provider
// gives us a SID that is the SYSTEM sid ( example Service ).
// To make sure that this account exists we use LookupAccountName
// with domain qualified account name to make sure that the account
// is really builtin or not.
BOOL CAcctRepl::CheckBuiltInWithNTApi(PSID pSid, WCHAR *sSam, Options * pOptions){ BOOL retVal = TRUE; WCHAR sName[LEN_Path]; SID_NAME_USE use; DWORD cbDomain = LEN_Path, cbSid = LEN_Path; PSID pAccSid = new BYTE[LEN_Path]; WCHAR sDomain[LEN_Path];
if (!pAccSid) return TRUE;
wsprintf(sName, L"%s\\%s", pOptions->srcDomainFlat, sSam); if ( LookupAccountName(pOptions->srcComp, sName, pAccSid, &cbSid, sDomain, &cbDomain, &use) ) { // We found the account now we need to check the sid with the sid passed in and if they
// are the same then this is a builtin account otherwise its not.
retVal = EqualSid(pSid, pAccSid); } delete [] pAccSid; return retVal;}
BOOL CAcctRepl::StuffComputerNameinLdapPath(WCHAR *sAdsPath, DWORD nPathLen, WCHAR *sSubPath, Options *pOptions, BOOL bTarget){ BOOL ret = FALSE; _bstr_t sTemp;
if ((!sAdsPath) || (!sSubPath)) return FALSE;
WCHAR * pTemp = wcschr(sSubPath + 7, L'/'); // Filter out the 'LDAP://<domain-name>/' from the path
if ( pTemp ) { sTemp = L"LDAP://"; if ( bTarget ) sTemp += (pOptions->tgtComp + 2); else sTemp += (pOptions->srcComp + 2); sTemp += L"/"; sTemp += (pTemp + 1);
if (sTemp.length() > 0) { wcsncpy(sAdsPath, sTemp, nPathLen-1); ret = TRUE; } } return ret;}
BOOL CAcctRepl::DoesTargetObjectAlreadyExist(TAcctReplNode * pAcct, Options * pOptions){ // Check to see if the target object already exists
WCHAR sPath[LEN_Path]; DWORD nPathLen = LEN_Path; BOOL bObjectExists = FALSE; WCHAR * pRelativeTgtOUPath; WCHAR path[LEN_Path] = L""; IADs * pAdsTemp = NULL; WCHAR sSrcTemp[LEN_Path]; WCHAR * pTemp = NULL;
// First, check the target path, to see if an object with the same CN already exists
if ( ! pOptions->bUndo ) { MakeFullyQualifiedAdsPath(sPath, nPathLen, pOptions->tgtOUPath, pOptions->tgtDomain, pOptions->tgtNamingContext); pRelativeTgtOUPath = wcschr(sPath + UStrLen(L"LDAP://") + 2,L'/'); } else { UStrCpy(sPath,pAcct->GetTargetPath()); pRelativeTgtOUPath = wcschr(sPath + UStrLen(L"LDAP://") + 2,L'/'); if (pRelativeTgtOUPath) { // get the target CN name
pTemp = pRelativeTgtOUPath + 1; (*pRelativeTgtOUPath) = 0; do { pRelativeTgtOUPath = wcschr(pRelativeTgtOUPath+1,L',');
} while ((pRelativeTgtOUPath) && ( *(pRelativeTgtOUPath-1) == L'\\' )); } }
if ( pRelativeTgtOUPath ) { *pRelativeTgtOUPath = 0; if ( pOptions->bUndo && pTemp ) { pAcct->SetTargetName(pTemp); // get the source CN name for the account
UStrCpy(sSrcTemp,pAcct->GetSourcePath()); WCHAR * start = wcschr(sSrcTemp + UStrLen(L"LDAP://")+2,L'/'); *start = 0; start++;
WCHAR * comma = start-1; do { comma = wcschr(comma+1,L','); } while ( *(comma-1) == L'\\' ); *comma = 0; pAcct->SetName(start); } swprintf(path,L"%ls/%ls,%ls",sPath,pAcct->GetTargetName(),pRelativeTgtOUPath+1); if ( pOptions->bUndo ) { UStrCpy(pOptions->tgtOUPath,pRelativeTgtOUPath+1); }
} else { MakeFullyQualifiedAdsPath(path, nPathLen, pOptions->tgtOUPath, pOptions->tgtDomain, pOptions->tgtNamingContext); } HRESULT hr = ADsGetObject(path,IID_IADs,(void**)&pAdsTemp); if ( SUCCEEDED(hr) ) { pAdsTemp->Release(); bObjectExists = TRUE; }
// Also, check the SAM name to see if it exists on the target
hr = LookupAccountInTarget(pOptions,const_cast<WCHAR*>(pAcct->GetTargetSam()),sPath); if ( SUCCEEDED(hr) ) { bObjectExists = TRUE; } else { hr = 0; }
return bObjectExists;}
//-----------------------------------------------------------------------------------------
// UpdateMemberToGroups This function updates the groups that the accounts are members of.
// adding this member to all the groups that have been migrated.
//-----------------------------------------------------------------------------------------
HRESULT CAcctRepl::UpdateMemberToGroups(TNodeListSortable * acctList, Options *pOptions, BOOL bGrpsOnly){ TNodeListSortable newList; WCHAR mesg[LEN_Path]; HRESULT hr = S_OK;
// Expand the containers and the membership
wcscpy(mesg, GET_STRING(IDS_EXPANDING_MEMBERSHIP)); Progress(mesg); // Expand the list to include all the groups that the accounts in this list are members of
newList.CompareSet(&TNodeCompareAccountTypeAndRDN); //set to sort by type and source path RDN
if ( !newList.IsTree() ) newList.SortedToTree(); // Call expand membership function to get a list of all groups that contain as members objects in our account list
if ( ExpandMembership( acctList, pOptions, &newList, Progress, bGrpsOnly, TRUE) ) { if ( newList.IsTree() ) newList.ToSorted(); TNodeListEnum e; Lookup p; for (TAcctReplNode* pNode = (TAcctReplNode *)e.OpenFirst((TNodeList*)&newList); pNode; pNode = (TAcctReplNode*)e.Next()) { hr = S_OK; IADsGroupPtr spGroup; _bstr_t strGroupName;
// go through each of the account nodes in the newly added account list. Since
// we have special map that contain the members information we can use that
//For each member in the member map for this group, find the account node that corresponds to the member
//information and possibly add the member to the group
CGroupMemberMap::iterator itGrpMemberMap; for (itGrpMemberMap = pNode->mapGrpMember.begin(); itGrpMemberMap != pNode->mapGrpMember.end(); itGrpMemberMap++) { p.pName = (WCHAR*)(itGrpMemberMap->first); p.pType = (WCHAR*)(itGrpMemberMap->second); TAcctReplNode * pNodeMember = (TAcctReplNode *) acctList->Find(&TNodeFindAccountName, &p);
bool bIgnored = false; if (pNodeMember) bIgnored = ((!pNodeMember->WasReplaced()) && (pNodeMember->GetStatus() & AR_Status_AlreadyExisted));
// If we found one ( we should always find one. ) and the member was successfuly
// added or replaced the member information.
if ( pNodeMember && ((pNodeMember->WasCreated() || pNodeMember->WasReplaced()) || bIgnored)) { // Get the Group pointer (once per group) and add the target object to the member.
if (spGroup) { hr = S_OK; } else { hr = ADsGetObject(const_cast<WCHAR*>(pNode->GetTargetPath()), IID_IADsGroup, (void**)&spGroup);
if (SUCCEEDED(hr)) { BSTR bstr = 0; spGroup->get_Name(&bstr); strGroupName = _bstr_t(bstr, false); } }
if ( SUCCEEDED(hr) ) { if ( pOptions->nochange ) { VARIANT_BOOL bIsMem; hr = spGroup->IsMember(const_cast<WCHAR*>(pNodeMember->GetTargetPath()), &bIsMem); if ( SUCCEEDED(hr) ) { if ( bIsMem ) hr = HRESULT_FROM_WIN32(NERR_UserExists); } } else { //add the new account to the group
hr = spGroup->Add(const_cast<WCHAR*>(pNodeMember->GetTargetPath()));
/* if the new account's source account is also in the group, remove it */ IIManageDBPtr pDB = pOptions->pDb; IVarSetPtr pVsTemp(__uuidof(VarSet)); IUnknownPtr spUnknown(pVsTemp); IUnknown* pUnk = spUnknown; //is this account in the migrated objects table
HRESULT hrGet = pDB->raw_GetAMigratedObject(_bstr_t(pNodeMember->GetSourceSam()), pOptions->srcDomain, pOptions->tgtDomain, &pUnk); if (hrGet == S_OK) { //remove the source account from the group
RemoveSourceAccountFromGroup(spGroup, pVsTemp, pOptions); } }//end else not no change mode
}//end if got group pointer
if ( SUCCEEDED(hr) ) err.MsgWrite(0, DCT_MSG_ADDED_TO_GROUP_SS, pNodeMember->GetTargetPath(), (WCHAR*)strGroupName); else { if (strGroupName.length() == 0) strGroupName = pNode->GetTargetPath();
hr = BetterHR(hr); if ( HRESULT_CODE(hr) == NERR_UserExists ) { err.MsgWrite(0,DCT_MSG_USER_IN_GROUP_SS,pNodeMember->GetTargetPath(), (WCHAR*)strGroupName); } else if ( HRESULT_CODE(hr) == NERR_UserNotFound ) { err.SysMsgWrite(0, hr, DCT_MSG_MEMBER_NONEXIST_SS, pNodeMember->GetTargetPath(), (WCHAR*)strGroupName, hr); } else { // message for the generic failure case
err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_ADD_TO_GROUP_SSD, pNodeMember->GetTargetPath(), (WCHAR*)strGroupName, hr); Mark(L"warnings", pNodeMember->GetType()); } }//end else failed to add account to group
}//end if found account to add to group
}//for each member in the enumerated group node's member map
}//for each account being migrated
// Clean up the list.
TAcctReplNode * pNext = NULL; for ( pNode = (TAcctReplNode *)e.OpenFirst(&newList); pNode; pNode = pNext) { pNext = (TAcctReplNode *)e.Next(); newList.Remove(pNode); delete pNode; } }
return hr;}
// This function enumerates all members of the Universal/Global groups and for each member
// checks if that member has been migrated. If it is then it removes the source member and
// adds the target member.
HRESULT CAcctRepl::ResetMembersForUnivGlobGroups(Options *pOptions, TAcctReplNode *pAcct){ IADsGroup * pGroup; HRESULT hr; _bstr_t sMember; _bstr_t sTgtMem; WCHAR sSrcPath[LEN_Path]; WCHAR sTgtPath[LEN_Path]; DWORD nPathLen = LEN_Path; IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk; IADsMembers * pMembers = NULL; IEnumVARIANT * pEnum = NULL; _variant_t var;
if ( pAcct->WasReplaced() ) { WCHAR subPath[LEN_Path]; WCHAR sPaths[LEN_Path];
wcscpy(subPath, pAcct->GetTargetPath()); StuffComputerNameinLdapPath(sPaths, nPathLen, subPath, pOptions, TRUE); hr = ADsGetObject(sPaths, IID_IADsGroup, (void**) &pGroup); err.MsgWrite(0, DCT_UPDATING_MEMBERS_TO_GROUP_SS, pAcct->GetTargetName(), sPaths); } else return S_OK;
if ( FAILED(hr) ) return hr;
hr = pGroup->Members(&pMembers);
if ( SUCCEEDED(hr) ) { hr = pMembers->get__NewEnum((IUnknown**)&pEnum); }
if ( SUCCEEDED(hr) ) { DWORD dwFet = 0; while ( pEnum->Next(1, &var, &dwFet) == S_OK ) { IDispatch * pDisp = var.pdispVal; IADs * pAds = NULL;
pDisp->QueryInterface(IID_IADs, (void**)&pAds); pAds->Get(L"distinguishedName", &var); pAds->Release(); sMember = var; pVs->QueryInterface(IID_IUnknown, (void**)&pUnk); hr = pOptions->pDb->raw_GetMigratedObjectBySourceDN(sMember, &pUnk); pUnk->Release(); if ( hr == S_OK ) { // Since we have moved this member we should remove it from the group
// and add target member to the group.
sTgtMem = pVs->get(L"MigratedObjects.TargetAdsPath"); _bstr_t sTgtType = pVs->get(L"MigratedObjects.Type");
if ( !_wcsicmp(L"computer", (WCHAR*) sTgtType ) ) { MakeFullyQualifiedAdsPath(sSrcPath, nPathLen, (WCHAR*)sMember, pOptions->srcComp + 2, L""); MakeFullyQualifiedAdsPath(sTgtPath, nPathLen, (WCHAR*)sTgtMem, pOptions->tgtComp + 2, L"");// HRESULT hr1 = pGroup->Remove(sSrcPath);
pGroup->Remove(sSrcPath);
if ( ! pOptions->nochange ) hr = pGroup->Add(sTgtPath); else hr = 0;
if ( SUCCEEDED(hr) ) { err.MsgWrite(0, DCT_REPLACE_MEMBER_TO_GROUP_SSS, (WCHAR*)sMember, (WCHAR*) sTgtMem, pAcct->GetTargetName()); } else { err.SysMsgWrite(ErrE, hr, DCT_REPLACE_MEMBER_FAILED_SSS, (WCHAR*)sMember, (WCHAR*) sTgtMem, pAcct->GetTargetName()); } } } } }
if ( pEnum ) pEnum->Release(); if ( pMembers ) pMembers->Release(); return hr;}
/* This function will get the varset from the action history table for the given
undo action ID. We will find the given source name and retrieve the UPN for that account */void CAcctRepl::GetAccountUPN(Options * pOptions, _bstr_t sSName, _bstr_t& sSUPN){ HRESULT hr; IUnknown * pUnk = NULL; IVarSetPtr pVsAH(__uuidof(VarSet));
sSUPN = L"";
hr = pVsAH->QueryInterface(IID_IUnknown, (void**)&pUnk);
//fill a varset with the setting from the action to be undone from the Action History table
if ( SUCCEEDED(hr) ) hr = pOptions->pDb->raw_GetActionHistory(pOptions->lUndoActionID, &pUnk);
if (pUnk) pUnk->Release();
if ( hr == S_OK ) { WCHAR key[MAX_PATH]; bool bFound = false; int i = 0; long numAccounts = pVsAH->get(GET_BSTR(DCTVS_Accounts_NumItems)); _bstr_t tempName;
while ((i<numAccounts) && (!bFound)) { swprintf(key,GET_STRING(DCTVSFmt_Accounts_D),i); tempName = pVsAH->get(key); if (_wcsicmp((WCHAR*)tempName, (WCHAR*)sSName) == 0) { bFound = true; swprintf(key,GET_STRING(DCTVSFmt_Accounts_SourceUPN_D),i); sSUPN = pVsAH->get(key); } i++; }//end while
}//end if S_OK
}
/*********************************************************************
* * * Written by: Paul Thompson * * Date: 1 NOV 2000 * * * * This function is responsible for updating the * * manager\directReports properties for a migrated user or the * * managedBy\managedObjects properties for a migrated group. * * * *********************************************************************/
//BEGIN UpdateManagement
HRESULT CAcctRepl::UpdateManagement(TNodeListSortable * acctList, Options *pOptions){ /* local variables */ HRESULT hr = S_OK; TAcctReplNode * pAcct; IEnumVARIANT * pEnum; INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); INetObjEnumeratorPtr pQuery2(__uuidof(NetObjEnumerator)); LPWSTR sUCols[] = { L"directReports",L"managedObjects", L"manager"}; int nUCols = DIM(sUCols); LPWSTR sGCols[] = { L"managedBy" }; int nGCols = DIM(sGCols); SAFEARRAY * cols; SAFEARRAYBOUND bdU = { nUCols, 0 }; SAFEARRAYBOUND bdG = { nGCols, 0 }; BSTR HUGEP * pData = NULL; _bstr_t sQuery; _variant_t varMgr; _variant_t varDR; _variant_t varMdO; _variant_t varMain; _variant_t HUGEP * pDt, * pVar; DWORD dwf; _bstr_t sTPath; _bstr_t sPath; _bstr_t sSam; _bstr_t sType; _bstr_t sName; _bstr_t sTgtName; long lgrpType; WCHAR mesg[LEN_Path]; IADs * pDSE = NULL; WCHAR strText[LEN_Path]; _variant_t varGC;
/* function body */ //change from a tree to a sorted list
if ( acctList->IsTree() ) acctList->ToSorted();
//prepare to connect to the GC
_bstr_t sGCDomain = pOptions->srcDomainDns; swprintf(strText,L"LDAP://%ls/RootDSE",pOptions->srcDomainDns); hr = ADsGetObject(strText,IID_IADs,(void**)&pDSE); if ( SUCCEEDED(hr) ) { hr = pDSE->Get(L"RootDomainNamingContext",&varGC); if ( SUCCEEDED(hr) ) sGCDomain = GetDomainDNSFromPath(varGC.bstrVal); } _bstr_t sGCPath = _bstr_t(L"GC://") + sGCDomain;
//for each account migrated, if not excluded, migrate the manager\directReports
for ( pAcct = (TAcctReplNode*)acctList->Head(); pAcct; pAcct = (TAcctReplNode*)pAcct->Next()) { if ( pOptions->pStatus ) { LONG status = 0; HRESULT hr = pOptions->pStatus->get_Status(&status);
if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
//update the message
wsprintf(mesg, GET_STRING(IDS_UPDATING_MGR_PROPS_S), pAcct->GetName()); Progress(mesg);
//build the path to the source object
WCHAR sPathSource[LEN_Path]; DWORD nPathLen = LEN_Path; StuffComputerNameinLdapPath(sPathSource, nPathLen, const_cast<WCHAR*>(pAcct->GetSourcePath()), pOptions, FALSE);
//connect to the GC instead of a specific DC
WCHAR * pTemp = wcschr(sPathSource + 7, L'/'); if ( pTemp ) { _bstr_t sNewPath = sGCPath + _bstr_t(pTemp); wcscpy(sPathSource, sNewPath); }
//for user, migrate the manager\directReports managedObjects relationship
if (!_wcsicmp(pAcct->GetType(), s_ClassUser) || !_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson)) { bool bDoManager = false; bool bDoManagedObjects = false;
//if the property has explicitly been excluded from migration by the user, don't migrate it
if (pOptions->bExcludeProps) { PCWSTR pszExcludeList;
if (!_wcsicmp(pAcct->GetType(), s_ClassUser)) { pszExcludeList = pOptions->sExcUserProps; } else if (!_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson)) { pszExcludeList = pOptions->sExcInetOrgPersonProps; } else { pszExcludeList = NULL; }
if (!IsStringInDelimitedString(pszExcludeList, L"*", L',')) { if (!IsStringInDelimitedString(pszExcludeList, L"manager", L',') && !IsStringInDelimitedString(pszExcludeList, L"directReports", L',')) { bDoManager = true; }
if (!IsStringInDelimitedString(pszExcludeList, L"managedObjects", L',')) { bDoManagedObjects = true; } } } else { bDoManager = true; bDoManagedObjects = true; }
if (!bDoManager && !bDoManagedObjects) { continue; }
/* get the "manager", and "directReports", and "managedObjects" property */ //build the column array
cols = SafeArrayCreate(VT_BSTR, 1, &bdU); SafeArrayAccessData(cols, (void HUGEP **) &pData); for ( int i = 0; i < nUCols; i++) pData[i] = SysAllocString(sUCols[i]); SafeArrayUnaccessData(cols);
sQuery = L"(objectClass=*)";
//query the information
hr = pQuery->raw_SetQuery(sPathSource, pOptions->srcDomain, sQuery, ADS_SCOPE_SUBTREE, TRUE); if (FAILED(hr)) return FALSE; hr = pQuery->raw_SetColumns(cols); if (FAILED(hr)) return FALSE; hr = pQuery->raw_Execute(&pEnum); if (FAILED(hr)) return FALSE;
while (pEnum->Next(1, &varMain, &dwf) == S_OK) { SAFEARRAY * vals = V_ARRAY(&varMain); // Get the VARIANT Array out
SafeArrayAccessData(vals, (void HUGEP**) &pDt); varDR = pDt[0]; varMdO = pDt[1]; varMgr = pDt[2]; SafeArrayUnaccessData(vals);
//process the manager by setting the manager on the moved user if the
//source user's manager has been migrated
if ( bDoManager && (varMgr.vt & VT_ARRAY) ) { //we always get an Array of variants
SAFEARRAY * multiVals = varMgr.parray; SafeArrayAccessData(multiVals, (void HUGEP **) &pVar); for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { _bstr_t sManager = _bstr_t(V_BSTR(&pVar[dw])); sManager = PadDN(sManager); _bstr_t sSrcDomain = GetDomainDNSFromPath(sManager); sPath = _bstr_t(L"LDAP://") + sSrcDomain + _bstr_t(L"/") + sManager; if (GetSamFromPath(sPath, sSam, sType, sName, sTgtName, lgrpType, pOptions)) { IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk = NULL; pVs->QueryInterface(IID_IUnknown, (void**) &pUnk); WCHAR sDomainNB[LEN_Path]; WCHAR sDNS[LEN_Path];
//get NetBIOS of the objects source domain
GetDnsAndNetbiosFromName(sSrcDomain, sDomainNB, sDNS);
// See if the manager was migrated
hr = pOptions->pDb->raw_GetAMigratedObjectToAnyDomain((WCHAR*)sSam, sDomainNB, &pUnk); if ( hr == S_OK ) { VerifyAndUpdateMigratedTarget(pOptions, pVs); _variant_t var; //get the manager's target adspath
var = pVs->get(L"MigratedObjects.TargetAdsPath"); sTPath = V_BSTR(&var); if ( wcslen((WCHAR*)sTPath) > 0 ) { IADsUser * pUser = NULL; //set the manager on the target object
hr = ADsGetObject((WCHAR*)pAcct->GetTargetPath(), IID_IADsUser, (void**)&pUser); if ( SUCCEEDED(hr) ) { _bstr_t sTemp = _bstr_t(wcsstr((WCHAR*)sTPath, L"CN=")); var = sTemp; hr = pUser->Put(L"Manager", var); if ( SUCCEEDED(hr) ) { hr = pUser->SetInfo(); if (FAILED(hr)) err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)sTPath, (WCHAR*)pAcct->GetTargetPath(), hr); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)sTPath, (WCHAR*)pAcct->GetTargetPath(), hr); pUser->Release(); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)sTPath, (WCHAR*)pAcct->GetTargetPath(), hr); }//end if got the path to the manager on the target
}//end if manager was migrated
pUnk->Release(); }//end if got source sam
}//for each manager (only one)
SafeArrayUnaccessData(multiVals); }//end if variant array (it will be)
//process the directReports by setting the manager on the previously moved
//user if the source user's manager has been migrated
if ( bDoManager && (varDR.vt & VT_ARRAY) ) { //we always get an Array of variants
SAFEARRAY * multiVals = varDR.parray; SafeArrayAccessData(multiVals, (void HUGEP **) &pVar); for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { _bstr_t sDirectReport = _bstr_t(V_BSTR(&pVar[dw])); sDirectReport = PadDN(sDirectReport); _bstr_t sSrcDomain = GetDomainDNSFromPath(sDirectReport); sPath = _bstr_t(L"LDAP://") + sSrcDomain + _bstr_t(L"/") + sDirectReport; if (GetSamFromPath(sPath, sSam, sType, sName, sTgtName, lgrpType, pOptions)) { IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk = NULL; pVs->QueryInterface(IID_IUnknown, (void**) &pUnk); WCHAR sDomainNB[LEN_Path]; WCHAR sDNS[LEN_Path];
//get NetBIOS of the objects source domain
GetDnsAndNetbiosFromName(sSrcDomain, sDomainNB, sDNS);
// See if the direct report was migrated
hr = pOptions->pDb->raw_GetAMigratedObjectToAnyDomain((WCHAR*)sSam, sDomainNB, &pUnk); if ( hr == S_OK ) { VerifyAndUpdateMigratedTarget(pOptions, pVs); _variant_t var; //get the direct report's target adspath
var = pVs->get(L"MigratedObjects.TargetAdsPath"); sTPath = V_BSTR(&var); if ( wcslen((WCHAR*)sTPath) > 0 ) { IADsUser * pUser = NULL; //set the manager on the target object
hr = ADsGetObject(sTPath, IID_IADsUser, (void**)&pUser); if ( SUCCEEDED(hr) ) { _bstr_t sTemp = _bstr_t(wcsstr((WCHAR*)pAcct->GetTargetPath(), L"CN=")); var = sTemp; hr = pUser->Put(L"Manager", var); if ( SUCCEEDED(hr) ) { hr = pUser->SetInfo(); if (FAILED(hr)) err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)pAcct->GetTargetPath(), (WCHAR*)sTPath, hr); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)pAcct->GetTargetPath(), (WCHAR*)sTPath, hr); pUser->Release(); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)pAcct->GetTargetPath(), (WCHAR*)sTPath, hr); }//end if got the path to the manager on the target
}//end if manager was migrated
pUnk->Release(); }//end if got source sam
}//for each directReport
SafeArrayUnaccessData(multiVals); }//end if variant array (it will be)
/* get the "managedObjects" property */ //process the managedObjects by setting the managedBy on the moved group if the
//source user's managed group has been migrated
if ( bDoManagedObjects && (varMdO.vt & VT_ARRAY) ) { //we always get an Array of variants
SAFEARRAY * multiVals = varMdO.parray; SafeArrayAccessData(multiVals, (void HUGEP **) &pVar); for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { _bstr_t sManaged = _bstr_t(V_BSTR(&pVar[dw])); sManaged = PadDN(sManaged); _bstr_t sSrcDomain = GetDomainDNSFromPath(sManaged); sPath = _bstr_t(L"LDAP://") + sSrcDomain + _bstr_t(L"/") + sManaged; if (GetSamFromPath(sPath, sSam, sType, sName, sTgtName, lgrpType, pOptions)) { IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk = NULL; pVs->QueryInterface(IID_IUnknown, (void**) &pUnk); WCHAR sDomainNB[LEN_Path]; WCHAR sDNS[LEN_Path];
//get NetBIOS of the objects source domain
GetDnsAndNetbiosFromName(sSrcDomain, sDomainNB, sDNS);
// See if the managed object was migrated
hr = pOptions->pDb->raw_GetAMigratedObjectToAnyDomain((WCHAR*)sSam, sDomainNB, &pUnk); if ( hr == S_OK ) { VerifyAndUpdateMigratedTarget(pOptions, pVs); _variant_t var; //get the managed object's target adspath
var = pVs->get(L"MigratedObjects.TargetAdsPath"); sTPath = V_BSTR(&var); if ( wcslen((WCHAR*)sTPath) > 0 ) { IADsGroup * pGroup = NULL; //set the manager on the target object
hr = ADsGetObject(sTPath, IID_IADsGroup, (void**)&pGroup); if ( SUCCEEDED(hr) ) { _bstr_t sTemp = _bstr_t(wcsstr((WCHAR*)pAcct->GetTargetPath(), L"CN=")); var = sTemp; hr = pGroup->Put(L"ManagedBy", var); if ( SUCCEEDED(hr) ) { hr = pGroup->SetInfo(); if (FAILED(hr)) err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)pAcct->GetTargetPath(), (WCHAR*)sTPath, hr); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)pAcct->GetTargetPath(), (WCHAR*)sTPath, hr); pGroup->Release(); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)pAcct->GetTargetPath(), (WCHAR*)sTPath, hr); }//end if got the path to the manager on the target
}//end if manager was migrated
pUnk->Release(); }//end if got source sam
}//for each manager (only one)
SafeArrayUnaccessData(multiVals); }//end if variant array (it will be)
varMgr.Clear(); varMdO.Clear(); varDR.Clear(); VariantInit(&varMain); // data not owned by varMain so clear VARTYPE
}
if (pEnum) pEnum->Release(); // SafeArrayDestroy(cols);
}//end if user
//for group, migrate the managedBy\managedObjects relationship
if (!_wcsicmp(pAcct->GetType(), L"group")) { //if the managedBy property has explicitly been excluded from migration by the user, don't migrate it
if (pOptions->bExcludeProps && (IsStringInDelimitedString(pOptions->sExcGroupProps, L"managedBy", L',') || IsStringInDelimitedString(pOptions->sExcGroupProps, L"*", L','))) continue;
/* get the "managedBy" property */ //build the column array
cols = SafeArrayCreate(VT_BSTR, 1, &bdG); SafeArrayAccessData(cols, (void HUGEP **) &pData); for ( int i = 0; i < nGCols; i++) pData[i] = SysAllocString(sGCols[i]); SafeArrayUnaccessData(cols);
sQuery = L"(objectClass=*)";
//query the information
hr = pQuery->raw_SetQuery(sPathSource, pOptions->srcDomain, sQuery, ADS_SCOPE_BASE, TRUE); if (FAILED(hr)) return FALSE; hr = pQuery->raw_SetColumns(cols); if (FAILED(hr)) return FALSE; hr = pQuery->raw_Execute(&pEnum); if (FAILED(hr)) return FALSE;
while (pEnum->Next(1, &varMain, &dwf) == S_OK) { SAFEARRAY * vals = V_ARRAY(&varMain); // Get the VARIANT Array out
SafeArrayAccessData(vals, (void HUGEP**) &pDt); varMgr = pDt[0]; SafeArrayUnaccessData(vals);
//process the managedBy by setting the managedBy on the moved group if the
//source group's manager has been migrated
if ( varMgr.vt & VT_BSTR ) { _bstr_t sManager = varMgr; sManager = PadDN(sManager); _bstr_t sSrcDomain = GetDomainDNSFromPath(sManager); sPath = _bstr_t(L"LDAP://") + sSrcDomain + _bstr_t(L"/") + sManager; if (GetSamFromPath(sPath, sSam, sType, sName, sTgtName, lgrpType, pOptions)) { IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk = NULL; pVs->QueryInterface(IID_IUnknown, (void**) &pUnk); WCHAR sDomainNB[LEN_Path]; WCHAR sDNS[LEN_Path];
//get NetBIOS of the objects source domain
GetDnsAndNetbiosFromName(sSrcDomain, sDomainNB, sDNS);
// See if the manager was migrated
hr = pOptions->pDb->raw_GetAMigratedObjectToAnyDomain((WCHAR*)sSam, sDomainNB, &pUnk); if ( hr == S_OK ) { VerifyAndUpdateMigratedTarget(pOptions, pVs); _variant_t var; //get the manager's target adspath
var = pVs->get(L"MigratedObjects.TargetAdsPath"); sTPath = V_BSTR(&var); if ( wcslen((WCHAR*)sTPath) > 0 ) { IADsGroup * pGroup = NULL; //set the manager on the target object
hr = ADsGetObject((WCHAR*)pAcct->GetTargetPath(), IID_IADsGroup, (void**)&pGroup); if ( SUCCEEDED(hr) ) { _bstr_t sTemp = _bstr_t(wcsstr((WCHAR*)sTPath, L"CN=")); var = sTemp; hr = pGroup->Put(L"ManagedBy", var); if ( SUCCEEDED(hr) ) { hr = pGroup->SetInfo(); if (FAILED(hr)) err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)sTPath, (WCHAR*)pAcct->GetTargetPath(), hr); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)sTPath, (WCHAR*)pAcct->GetTargetPath(), hr); pGroup->Release(); } else err.SysMsgWrite(0, hr, DCT_MSG_MANAGER_MIG_FAILED, (WCHAR*)sTPath, (WCHAR*)pAcct->GetTargetPath(), hr); }//end if got the path to the manager on the target
}//end if manager was migrated
pUnk->Release(); }//end if got source sam
}//end if variant array (it will be)
varMgr.Clear(); varMain.Clear(); }
if (pEnum) pEnum->Release(); // SafeArrayDestroy(cols);
}//end if group
}//end for each account being migrated
wcscpy(mesg, L""); Progress(mesg);
return hr;}//END UpdateManagement
/*********************************************************************
* * * Written by: Paul Thompson * * Date: 29 NOV 2000 * * * * This function is responsible for removing the escape character* * in front of any '/' characters. * * * *********************************************************************/
//BEGIN GetUnEscapedNameWithFwdSlash
_bstr_t CAcctRepl::GetUnEscapedNameWithFwdSlash(_bstr_t strName){/* local variables */ WCHAR szNameOld[MAX_PATH]; WCHAR szNameNew[MAX_PATH]; WCHAR * pchBeg = NULL; _bstr_t sNewName = L"";
/* function body */ if (strName.length()) { safecopy(szNameOld, (WCHAR*)strName); for (WCHAR* pch = wcschr(szNameOld, _T('\\')); pch; pch = wcschr(pch + 1, _T('\\'))) { if ((*(pch + 1)) == L'/') { if (pchBeg == NULL) { wcsncpy(szNameNew, szNameOld, pch - szNameOld); szNameNew[pch - szNameOld] = L'\0'; } else { size_t cch = wcslen(szNameNew); wcsncat(szNameNew, pchBeg, pch - pchBeg); szNameNew[cch + (pch - pchBeg)] = L'\0'; }
pchBeg = pch + 1; } }
if (pchBeg == NULL) wcscpy(szNameNew, szNameOld); else wcscat(szNameNew, pchBeg);
sNewName = szNameNew; }
return sNewName;}//END GetUnEscapedNameWithFwdSlash
/*********************************************************************
* * * Written by: Paul Thompson * * Date: 29 NOV 2000 * * * * This function is responsible for gets the CN name of an object* * from an ADsPath and returns that CN name if it was retrieved or * * NULL otherwise. * * * *********************************************************************/
//BEGIN GetCNFromPath
_bstr_t CAcctRepl::GetCNFromPath(_bstr_t sPath){/* local variables */ BOOL bFound = FALSE; WCHAR sName[LEN_Path]; WCHAR sTempPath[LEN_Path]; _bstr_t sCNName = L""; WCHAR * sTempDN; /* function body */ if ((sPath.length() > 0) && (sPath.length() < LEN_Path )) { wcscpy(sTempPath, (WCHAR*)sPath); sTempDN = wcsstr(sTempPath, L"CN="); if (sTempDN) { wcscpy(sName, sTempDN); sTempDN = wcsstr(sName, L",OU="); if (sTempDN) { bFound = TRUE; *sTempDN = L'\0'; } sTempDN = wcsstr(sName, L",CN="); if (sTempDN) { bFound = TRUE; *sTempDN = L'\0'; } sTempDN = wcsstr(sName, L",DC="); if (sTempDN) { bFound = TRUE; *sTempDN = L'\0'; } } } if (bFound) sCNName = sName;
return sCNName;}//END GetCNFromPath
/*********************************************************************
* * * Written by: Paul Thompson * * Date: 26 FEB 2001 * * * * This function is responsible for replacing the source account * * for a given list of accounts in any local groups they are a member* * of on the target, if that account was migrated by ADMT. This * * function is called during the undo process. * * * *********************************************************************/
//BEGIN ReplaceSourceInLocalGroup
BOOL CAcctRepl::ReplaceSourceInLocalGroup(TNodeListSortable *acctlist, //in- Accounts being processed
Options *pOptions, //in- Options specified by the user
IStatusObj *pStatus) // in -status object to support cancellation
{/* local variables */ TAcctReplNode * pAcct; IEnumVARIANT * pEnum; INetObjEnumeratorPtr pQuery(__uuidof(NetObjEnumerator)); LPWSTR sCols[] = { L"memberOf" }; int nCols = DIM(sCols); SAFEARRAY * psaCols; SAFEARRAYBOUND bd = { nCols, 0 }; BSTR HUGEP * pData; WCHAR sQuery[LEN_Path]; _variant_t HUGEP * pDt, * pVar; _variant_t vx; _variant_t varMain; DWORD dwf = 0; HRESULT hr = S_OK; _bstr_t sDomPath = L""; _bstr_t sDomain = L"";
/* function body */ FillNamingContext(pOptions);
//for each account, enumerate all local groups it is a member of and add the account's
//source account in that local group
for ( pAcct = (TAcctReplNode*)acctlist->Head(); pAcct; pAcct = (TAcctReplNode*)pAcct->Next()) { // Do we need to abort ?
if ( pStatus ) { LONG status = 0; HRESULT hr = pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } }
//enumerate the groups this account is a member of
sDomain = GetDomainDNSFromPath(pAcct->GetTargetPath()); if (!_wcsicmp(pAcct->GetType(), s_ClassUser)) wsprintf(sQuery, L"(&(sAMAccountName=%s)(objectCategory=Person)(objectClass=user))", pAcct->GetTargetSam()); else if (!_wcsicmp(pAcct->GetType(), s_ClassInetOrgPerson)) wsprintf(sQuery, L"(&(sAMAccountName=%s)(objectCategory=Person)(objectClass=inetOrgPerson))", pAcct->GetTargetSam()); else wsprintf(sQuery, L"(&(sAMAccountName=%s)(objectCategory=Group))", pAcct->GetTargetSam()); psaCols = SafeArrayCreate(VT_BSTR, 1, &bd); SafeArrayAccessData(psaCols, (void HUGEP **)&pData); for ( int i = 0; i < nCols; i++ ) pData[i] = SysAllocString(sCols[i]); SafeArrayUnaccessData(psaCols); hr = pQuery->raw_SetQuery(sDomPath, sDomain, sQuery, ADS_SCOPE_SUBTREE, FALSE); if (FAILED(hr)) return FALSE; hr = pQuery->raw_SetColumns(psaCols); if (FAILED(hr)) return FALSE; hr = pQuery->raw_Execute(&pEnum); if (FAILED(hr)) return FALSE;
//while more groups
while (pEnum->Next(1, &varMain, &dwf) == S_OK) { SAFEARRAY * vals = V_ARRAY(&varMain); // Get the VARIANT Array out
SafeArrayAccessData(vals, (void HUGEP**) &pDt); vx = pDt[0]; SafeArrayUnaccessData(vals); if ( vx.vt == VT_BSTR ) { _bstr_t sPath; BSTR sGrpName = NULL; IADsGroup * pGrp = NULL; _variant_t var;
_bstr_t sDN = vx.bstrVal; if (wcslen((WCHAR*)sDN) == 0) continue;
sDN = PadDN(sDN); sPath = _bstr_t(L"LDAP://") + sDomain + _bstr_t(L"/") + sDN;
//connect to the target group
hr = ADsGetObject(sPath, IID_IADsGroup, (void**)&pGrp); if (FAILED(hr)) continue; //get this group's type and name
hr = pGrp->get_Name(&sGrpName); hr = pGrp->Get(L"groupType", &var);
//if this is a local group, get this account source path and add it as a member
if ((SUCCEEDED(hr)) && (var.lVal & 4)) { //add the account's source account to the local group, using the sid string format
WCHAR strSid[MAX_PATH] = L""; WCHAR strRid[MAX_PATH] = L""; DWORD lenStrSid = DIM(strSid); GetTextualSid(pAcct->GetSourceSid(), strSid, &lenStrSid); _bstr_t sSrcDmSid = strSid; _ltow((long)(pAcct->GetSourceRid()), strRid, 10); _bstr_t sSrcRid = strRid; if ((!sSrcDmSid.length()) || (!sSrcRid.length())) { hr = E_INVALIDARG; err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_READD_TO_GROUP_SSD, pAcct->GetSourcePath(), (WCHAR*)sGrpName, hr); continue; }
//build an LDAP path to the src object in the group
_bstr_t sSrcSid = sSrcDmSid + _bstr_t(L"-") + sSrcRid; _bstr_t sSrcLDAPPath = L"LDAP://"; sSrcLDAPPath += _bstr_t(pOptions->tgtComp + 2); sSrcLDAPPath += L"/CN="; sSrcLDAPPath += sSrcSid; sSrcLDAPPath += L",CN=ForeignSecurityPrincipals,"; sSrcLDAPPath += pOptions->tgtNamingContext;
//add the source account to the local group
hr = pGrp->Add(sSrcLDAPPath); if (SUCCEEDED(hr)) err.MsgWrite(0,DCT_MSG_READD_MEMBER_TO_GROUP_SS, pAcct->GetSourcePath(), (WCHAR*)sGrpName); else err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_READD_TO_GROUP_SSD, pAcct->GetSourcePath(), (WCHAR*)sGrpName, hr); }//end if local group
if (pGrp) pGrp->Release(); }//end if bstr
else if ( vx.vt & VT_ARRAY ) { // We must have got an Array of multivalued properties
// Access the BSTR elements of this variant array
SAFEARRAY * multiVals = vx.parray; SafeArrayAccessData(multiVals, (void HUGEP **) &pVar); //for each group
for ( DWORD dw = 0; dw < multiVals->rgsabound->cElements; dw++ ) { // Do we need to abort ?
if ( pStatus ) { LONG status = 0; HRESULT hr = pStatus->get_Status(&status); if ( SUCCEEDED(hr) && status == DCT_STATUS_ABORTING ) { if ( !bAbortMessageWritten ) { err.MsgWrite(0,DCT_MSG_OPERATION_ABORTED); bAbortMessageWritten = true; } break; } } _bstr_t sPath; BSTR sGrpName = NULL; IADsGroup * pGrp = NULL; _variant_t var;
_bstr_t sDN = _bstr_t(V_BSTR(&pVar[dw])); sDN = PadDN(sDN); sPath = _bstr_t(L"LDAP://") + sDomain + _bstr_t(L"/") + sDN;
//connect to the target group
hr = ADsGetObject(sPath, IID_IADsGroup, (void**)&pGrp); if (FAILED(hr)) continue; //get this group's type and name
hr = pGrp->get_Name(&sGrpName); hr = pGrp->Get(L"groupType", &var);
//if this is a local group, get this account source path and add it as a member
if ((SUCCEEDED(hr)) && (var.lVal & 4)) { //add the account's source account to the local group, using the sid string format
WCHAR strSid[MAX_PATH]; WCHAR strRid[MAX_PATH]; DWORD lenStrSid = DIM(strSid); GetTextualSid(pAcct->GetSourceSid(), strSid, &lenStrSid); _bstr_t sSrcDmSid = strSid; _ltow((long)(pAcct->GetSourceRid()), strRid, 10); _bstr_t sSrcRid = strRid; if ((!sSrcDmSid.length()) || (!sSrcRid.length())) { hr = E_INVALIDARG; err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_READD_TO_GROUP_SSD, pAcct->GetSourcePath(), (WCHAR*)sGrpName, hr); continue; }
//build an LDAP path to the src object in the group
_bstr_t sSrcSid = sSrcDmSid + _bstr_t(L"-") + sSrcRid; _bstr_t sSrcLDAPPath = L"LDAP://"; sSrcLDAPPath += _bstr_t(pOptions->tgtComp + 2); sSrcLDAPPath += L"/CN="; sSrcLDAPPath += sSrcSid; sSrcLDAPPath += L",CN=ForeignSecurityPrincipals,"; sSrcLDAPPath += pOptions->tgtNamingContext;
//add the source account to the local group
hr = pGrp->Add(sSrcLDAPPath); if (SUCCEEDED(hr)) err.MsgWrite(0,DCT_MSG_READD_MEMBER_TO_GROUP_SS, pAcct->GetSourcePath(), (WCHAR*)sGrpName); else err.SysMsgWrite(ErrW, hr, DCT_MSG_FAILED_TO_READD_TO_GROUP_SSD, pAcct->GetSourcePath, (WCHAR*)sGrpName, hr); }//end if local group
if (pGrp) pGrp->Release(); }//end for each group
SafeArrayUnaccessData(multiVals); }//end if array of groups
}//end while groups
pEnum->Release(); VariantInit(&vx); VariantInit(&varMain); SafeArrayDestroy(psaCols); }//end for each account
return TRUE;}//END ReplaceSourceInLocalGroup
/*********************************************************************
* * * Written by: Paul Thompson * * Date: 6 MAR 2001 * * * * This function is responsible for retrieving the actual source * * domain, from the Migrated Objects table, of a given path if that * * path is one to a foreign security principal. We are also given a * * pointer to the object reflected by the path parameter. * * * *********************************************************************/
//BEGIN GetDomainOfMigratedForeignSecPrincipal
_bstr_t CAcctRepl::GetDomainOfMigratedForeignSecPrincipal(IADs * pAds, _bstr_t sPath){/* local variables */ IVarSetPtr pVs(__uuidof(VarSet)); IUnknown * pUnk = NULL; HRESULT hr = S_OK; _variant_t varName; _bstr_t sDomainSid, sRid; _bstr_t sDomain = L""; BOOL bSplit = FALSE;
/* function body */ //if this account is outside the domain, lookup the account
//in the migrated objects table to retrieve it's actual source domain
if (wcsstr((WCHAR*)sPath, L"CN=ForeignSecurityPrincipals")) { //get the sid of this account
//use already valid pointer to the object
if (pAds) { hr = pAds->Get(L"name", &varName); } else //else connect to the object
{ IADs * pTempAds = NULL; hr = ADsGetObject(sPath,IID_IADs,(void**)&pTempAds); if (SUCCEEDED(hr)) { hr = pTempAds->Get(L"name",&varName); pTempAds->Release(); } }
if (SUCCEEDED(hr)) { WCHAR sName[MAX_PATH]; _bstr_t sTempName = varName; if (!sTempName == false) { wcscpy(sName, sTempName); //break the sid into domain sid and account rid
WCHAR * pTemp = wcsrchr(sName, L'-'); if (pTemp) { sRid = (pTemp + 1); *pTemp = L'\0'; sDomainSid = sName; bSplit = TRUE; } } } //if we got the rid and domain sid, look in MOT for account's
//real source domain
if (bSplit) { pVs->QueryInterface(IID_IUnknown, (void**)&pUnk); try { IIManageDBPtr pDB(CLSID_IManageDB); hr = pDB->raw_GetAMigratedObjectBySidAndRid(sDomainSid, sRid, &pUnk); if (SUCCEEDED(hr)) sDomain = pVs->get(L"MigratedObjects.SourceDomain"); } catch(_com_error& e) { hr = e.Error(); } catch(...) { hr = E_FAIL; } if (pUnk) pUnk->Release(); } }
return sDomain;}//END GetDomainOfMigratedForeignSecPrincipal
/*********************************************************************
* * * Written by: Paul Thompson * * Date: 22 APR 2001 * * * * This function is responsible for removing the source account * * object, represented by its VarSet entry from the Migrated Objects * * Table, from the given group. This helper function is used by * * "UpdateMemberToGroups" and "UpdateGroupMembership" after * * successfully adding the cloned account to this same group. * * * *********************************************************************/
//BEGIN RemoveSourceAccountFromGroup
void CAcctRepl::RemoveSourceAccountFromGroup(IADsGroup * pGroup, IVarSetPtr pMOTVarSet, Options * pOptions){/* local variables */ _bstr_t sSrcDmSid, sSrcRid, sSrcPath, sGrpName = L""; HRESULT hr = S_OK;
/* function body */
//get the target group's name
BSTR bstr = NULL; hr = pGroup->get_Name(&bstr); if ( SUCCEEDED(hr) ) sGrpName = _bstr_t(bstr, false);
//get the source object's sid from the migrate objects table
sSrcDmSid = pMOTVarSet->get(L"MigratedObjects.SourceDomainSid"); sSrcRid = pMOTVarSet->get(L"MigratedObjects.SourceRid"); sSrcPath = pMOTVarSet->get(L"MigratedObjects.SourceAdsPath"); if ((wcslen((WCHAR*)sSrcDmSid) > 0) && (wcslen((WCHAR*)sSrcPath) > 0) && (wcslen((WCHAR*)sSrcRid) > 0)) { //build an LDAP path to the src object in the group
_bstr_t sSrcSid = sSrcDmSid + _bstr_t(L"-") + sSrcRid; _bstr_t sSrcLDAPPath = L"LDAP://"; sSrcLDAPPath += _bstr_t(pOptions->tgtComp + 2); sSrcLDAPPath += L"/CN="; sSrcLDAPPath += sSrcSid; sSrcLDAPPath += L",CN=ForeignSecurityPrincipals,"; sSrcLDAPPath += pOptions->tgtNamingContext; VARIANT_BOOL bIsMem = VARIANT_FALSE; //got the source LDAP path, now see if that account is in the group
pGroup->IsMember(sSrcLDAPPath, &bIsMem); if (bIsMem) { hr = pGroup->Remove(sSrcLDAPPath);//remove the src account
if ( SUCCEEDED(hr) ) err.MsgWrite(0,DCT_MSG_REMOVE_FROM_GROUP_SS, (WCHAR*)sSrcPath, (WCHAR*)sGrpName); } }}//END RemoveSourceAccountFromGroup
// GetDomainDnFromPath
//
// Retrieves domain distinguished name from ADsPath
_bstr_t __stdcall GetDomainDnFromPath(_bstr_t strADsPath){ CADsPathName pnPathname(strADsPath);
for (long lCount = pnPathname.GetNumElements(); lCount > 0; lCount--) { _bstr_t str = pnPathname.GetElement(0);
if (!str || (_tcsnicmp(str, _T("DC="), 3) == 0)) { break; }
pnPathname.RemoveLeafElement(); }
return pnPathname.Retrieve(ADS_FORMAT_X500_DN);}
//----------------------------------------------------------------------------
// VerifyAndUpdateMigratedTarget Method
//
// Verifies target path and if changed then retrieves new path and updates
// database.
//----------------------------------------------------------------------------
void CAcctRepl::VerifyAndUpdateMigratedTarget(Options* pOptions, IVarSetPtr spAccountVarSet){ WCHAR szADsPath[LEN_Path];
// retrieve migrated objects ADsPath and update server to current domain controller
_bstr_t strGuid = spAccountVarSet->get(L"MigratedObjects.GUID"); _bstr_t strOldPath = spAccountVarSet->get(L"MigratedObjects.TargetAdsPath");
// attempt to connect to object
IADsPtr spTargetObject;
StuffComputerNameinLdapPath(szADsPath, LEN_Path, strOldPath, pOptions, TRUE);
HRESULT hr = ADsGetObject(szADsPath, __uuidof(IADs), (VOID**)&spTargetObject);
//
// If able to bind to an object with the old distinguished name verify
// that the GUID is equal to the previously migrated object.
//
bool bGuidEqual = false;
if (SUCCEEDED(hr)) { BSTR bstr = NULL;
hr = spTargetObject->get_GUID(&bstr);
if (SUCCEEDED(hr)) { _bstr_t strGuidB = _bstr_t(bstr, false);
PCTSTR pszGuidA = strGuid; PCTSTR pszGuidB = strGuidB;
if (pszGuidA && pszGuidB) { if (_tcsicmp(pszGuidA, pszGuidB) == 0) { bGuidEqual = true; } } } else { _com_issue_error(hr); } }
//
// If bind failed because object no longer exists at given path or the GUID of the object does not
// equal the previously migrated object then attempt to bind to object using GUID to retrieve updated
// distinguished name and SAM account name.
//
if ((hr == HRESULT_FROM_WIN32(ERROR_DS_NO_SUCH_OBJECT)) || (SUCCEEDED(hr) && (bGuidEqual == false))) { // retrieve object based on GUID
_bstr_t strGuidPath = _bstr_t(L"LDAP://") + _bstr_t(pOptions->tgtDomainDns) + _bstr_t(L"/<GUID=") + strGuid + _bstr_t(L">");
hr = ADsGetObject(strGuidPath, __uuidof(IADs), (VOID**)&spTargetObject);
// if object found then...
if (SUCCEEDED(hr)) { VARIANT var;
hr = spTargetObject->Get(_bstr_t(L"distinguishedName"), &var);
if (SUCCEEDED(hr)) { CADsPathName pathname; pathname.Set(L"LDAP", ADS_SETTYPE_PROVIDER); pathname.Set(pOptions->tgtDomainDns, ADS_SETTYPE_SERVER); pathname.Set(_bstr_t(_variant_t(var)), ADS_SETTYPE_DN);
_bstr_t strNewPath = pathname.Retrieve(ADS_FORMAT_X500);
// retrieve domain distinguished names
_bstr_t strOldDomainDn = GetDomainDnFromPath(strOldPath); _bstr_t strNewDomainDn = GetDomainDnFromPath(strNewPath);
// if domains are equal than update path
if (strOldDomainDn.length() && strNewDomainDn.length() && (_tcsicmp(strOldDomainDn, strNewDomainDn) == 0)) { // replace server with current target domain controller
StuffComputerNameinLdapPath(szADsPath, LEN_Path, strNewPath, pOptions, TRUE);
// update ADsPath
spAccountVarSet->put(L"MigratedObjects.TargetAdsPath", _bstr_t(szADsPath));
// update SAMAccountName
hr = spTargetObject->Get(_bstr_t(L"sAMAccountName"), &var);
if (SUCCEEDED(hr)) { spAccountVarSet->put(L"MigratedObjects.TargetSamName", _bstr_t(_variant_t(var))); }
// update database
pOptions->pDb->UpdateMigratedTargetObject(IUnknownPtr(spAccountVarSet)); } } } }}
//-----------------------------------------------------------------------------
// GenerateSourceToTargetDnMap Method
//
// Synopsis
// Generates a mapping of source object distinguished names to target object
// distinguished names. This is used during copying of distinguished name type
// attributes to translate the distinguished name for the source object to the
// distinguished name of the target object.
//
// Parameters
// IN acctlist - list of account node objects
//
// Return Value
// A VarSet data object whose keys are the source distinguished names and whose
// values are the target distinguished names.
//-----------------------------------------------------------------------------
IVarSetPtr CAcctRepl::GenerateSourceToTargetDnMap(TNodeListSortable* acctlist){ IVarSetPtr spVarSet(__uuidof(VarSet));
if (opt.srcDomainVer > 4) { TNodeTreeEnum nteEnum; CADsPathName pnSource; CADsPathName pnTarget;
//
// For each object being migrated...
//
for (TAcctReplNode* parnNode = (TAcctReplNode *)nteEnum.OpenFirst(acctlist); parnNode; parnNode = (TAcctReplNode *)nteEnum.Next()) { //
// If either the object has been created or will be replaced then add object to map.
//
if ((opt.flags & F_REPLACE) || parnNode->WasCreated()) { pnSource.Set(parnNode->GetSourcePath(), ADS_SETTYPE_FULL); pnTarget.Set(parnNode->GetTargetPath(), ADS_SETTYPE_FULL);
spVarSet->put(pnSource.Retrieve(ADS_FORMAT_X500_DN), pnTarget.Retrieve(ADS_FORMAT_X500_DN)); } } }
return spVarSet;}
|
