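//*************************************************************
//
//  Policy specific headers
//
//  Microsoft Confidential
//  Copyright (c) Microsoft Corporation 1997-1998
//  All rights reserved
//
//*************************************************************
//
//  Private header for the Group Policy processing engine: the data
//  structures shared between the policy threads, the registry/DS
//  constants they agree on, and the prototypes of every internal
//  routine the engine's translation units share. Nothing here is a
//  public API; the "extern "C"" prototypes exist so that C and C++
//  translation units within the same module link against each other.
//
//  NOTE(review): this header had no include guard; "#pragma once" is
//  added so that including it from more than one place in a TU does
//  not redefine the typedefs below.
//

#pragma once

#include "uenv.h"
#include "reghash.h"
#include "rsop.h"
#include "chkacc.h"
#include "collect.h"
#include "Indicate.h"
#include "rsopsec.h"
#include "gpfilter.h"
#include "locator.h"
#include "rsopinc.h"

// Bit carried in the lParam of a GROUP_POLICY_OBJECT (see the lParam
// argument of AddGPO below); the flag name says the entry is marked
// for deletion, the consumer of the bit is not visible in this header.
#define GPO_LPARAM_FLAG_DELETE 0x00000001

//
// Structures
//

//
// Handle handed to the asynchronous-completion path (see g_pMachGPInfo /
// g_pUserGPInfo below): the policy context plus a flag recording whether
// a background thread was started for it.
//
typedef struct _GPINFOHANDLE {
    LPGPOINFO pGPOInfo;         // Policy processing context this handle refers to
    BOOL      bNoBackgroupThread; // Set when no background refresh thread exists for it
                                  // (the identifier's spelling is part of the ABI; leave as is)
} GPINFOHANDLE, *LPGPINFOHANDLE;

//
// One entry in a singly linked list of DS distinguished names whose GPO
// or OU lookup has been deferred (built by AddOU, released by FreeDnEntry,
// consumed by EvaluateDeferredOUs / EvaluateDeferredGPOs).
//
typedef struct _DNENTRY {
    LPTSTR pwszDN;                          // Distinguished name
    union {
        PGROUP_POLICY_OBJECT pDeferredGPO;  // GPO corresponding to this DN
        struct _DNENTRY *    pDeferredOU;   // OU corresponding to this DN
    };                                      // which member is live depends on gpoLink / caller — confirm against AddOU
    PLDAPMessage      pOUMsg;               // Message for evaluating deferred OU
    GPO_LINK          gpoLink;              // Type of GPO
    struct _DNENTRY * pNext;                // Singly linked list pointer
} DNENTRY;

//
// One pending LDAP subtree search. pwszFilter is a growable buffer:
// cbAllocLen is its allocation size and cbLen the bytes in use, both in
// bytes; writers must keep cbLen <= cbAllocLen (nothing in this header
// enforces it).
//
typedef struct _LDAPQUERY {
    LPTSTR              pwszDomain;     // Domain of subtree search
    LPTSTR              pwszFilter;     // Ldap filter for search
    DWORD               cbAllocLen;     // Allocated size of pwszFilter in bytes
    DWORD               cbLen;          // Size of pwszFilter currently used in bytes
    PLDAP               pLdapHandle;    // Ldap bind handle
    BOOL                bOwnLdapHandle; // Does this struct own pLdapHandle ?
                                        // (i.e. whether the owner must unbind it on release)
    PLDAPMessage        pMessage;       // Ldap message handle
    DNENTRY *           pDnEntry;       // Distinguished name entry
    struct _LDAPQUERY * pNext;          // Singly linked list pointer
} LDAPQUERY;

//
// Argument block for PolicyChangedThread: the token whose policy changed
// and whether the change is machine (TRUE) or user (FALSE) policy.
//
typedef struct _POLICYCHANGEDINFO {
    HANDLE hToken;   // Token the notification applies to; ownership not stated here — confirm against the thread
    BOOL   bMachine; // TRUE for machine policy, FALSE for user policy
} POLICYCHANGEDINFO, *LPPOLICYCHANGEDINFO;

//
// Version number for the registry file format
//
#define REGISTRY_FILE_VERSION 1

//
// File signature
//
// Together with REGISTRY_FILE_VERSION this is the only header-level
// integrity marker the registry-policy file format carries; presumably
// ParseRegistryFile rejects files that do not start with it — confirm
// in the implementation, since the file is read from the GPO's file
// system path rather than produced locally.
//
#define REGFILE_SIGNATURE 0x67655250

//
// Default refresh rate (minutes)
//
// Client machines will refresh every 90 minutes
// Domain controllers will refresh every 5 minutes
//
#define GP_DEFAULT_REFRESH_RATE 90
#define GP_DEFAULT_REFRESH_RATE_DC 5

//
// Default refresh rate max offset
//
// To prevent many clients from querying policy at the exact same
// time, a random amount is added to the refresh rate. In the
// default case, a number between 0 and 30 will be added to
// 180 to determine when the next background refresh will occur
//
// NOTE(review): the "180" above does not match GP_DEFAULT_REFRESH_RATE
// (90) — the comment looks stale; confirm which value is intended.
//
#define GP_DEFAULT_REFRESH_RATE_OFFSET 30
#define GP_DEFAULT_REFRESH_RATE_OFFSET_DC 0

//
// Max keyname size
//
// Upper bounds (in characters, presumably) used for registry key and
// value name buffers; callers that copy names from policy files must
// check against these — confirm the unit in the parsers.
//
#define MAX_KEYNAME_SIZE 2048
#define MAX_VALUENAME_SIZE 512

//
// Max time to wait for the network to start (in ms)
//
#define MAX_WAIT_TIME 120000

//
// Extension registry path
//
// Presumably the key ReadGPExtensions enumerates to find client-side
// extensions to load (LoadGPExtension); the ACL on this key therefore
// decides who can register code into the policy engine — confirm.
//
#define GP_EXTENSIONS TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions")

//
// Path for extension preference policies
//
// printf-style: the %s is filled with the extension's identifier.
//
#define GP_EXTENSIONS_POLICIES TEXT("Software\\Policies\\Microsoft\\Windows\\Group Policy\\%s")

//
// Group Policy Object option flags
//
// Note, this was taken from sdk\inc\gpedit.h
//
#define GPO_OPTION_DISABLE_USER    0x00000001  // The user portion of this GPO is disabled
#define GPO_OPTION_DISABLE_MACHINE 0x00000002  // The machine portion of this GPO is disabled

//
// DS Object class types
//
extern TCHAR szDSClassAny[];
extern TCHAR szDSClassGPO[];
extern TCHAR szDSClassSite[];
extern TCHAR szDSClassDomain[];
extern TCHAR szDSClassOU[];
extern TCHAR szObjectClass[];

//
// Extension name properties
//
// LDAP attribute names on the groupPolicyContainer object.
//
#define GPO_MACHEXTENSION_NAMES   L"gPCMachineExtensionNames"
#define GPO_USEREXTENSION_NAMES   L"gPCUserExtensionNames"
#define GPO_FUNCTIONALITY_VERSION L"gPCFunctionalityVersion"
#define MACHPOLICY_DENY_USERS     L"DenyUsersFromMachGP"

extern TCHAR wszKerberos[];

#define POLICY_GUID_PATH TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\PolicyGuid")

//
// Global flags for Gpo shutdown processing. These are accessed outside
// the lock because its value is either 0 or 1. Even if there is a race,
// all it means is that shutdown will start one iteration later.
//
// NOTE(review): plain BOOLs read and written from different threads
// without synchronization; the argument above relies on word-sized
// stores being observed eventually, not on any language guarantee.
// An interlocked write plus a volatile/interlocked read would make the
// intent explicit without changing the behaviour described — confirm.
//
extern BOOL g_bStopMachGPOProcessing;
extern BOOL g_bStopUserGPOProcessing;

//
// Critical section for handling concurrent, asynchronous completion
//
extern CRITICAL_SECTION g_GPOCS;

//
// Global pointers for maintaining asynchronous completion context
//
// Presumably guarded by g_GPOCS — confirm at the use sites.
//
extern LPGPINFOHANDLE g_pMachGPInfo;
extern LPGPINFOHANDLE g_pUserGPInfo;

//
// Status UI critical section, callback, and proto-types
//
extern CRITICAL_SECTION          g_StatusCallbackCS;
extern PFNSTATUSMESSAGECALLBACK  g_pStatusMessageCallback;

DWORD UserPolicyCallback    (BOOL bVerbose, LPWSTR lpMessage);
DWORD MachinePolicyCallback (BOOL bVerbose, LPWSTR lpMessage);

//
// Function proto-types
//

// Thread entry points and the main processing driver.
DWORD WINAPI GPOThread (LPGPOINFO lpGPOInfo);
extern "C" BOOL ProcessGPOs (LPGPOINFO lpGPOInfo);
DWORD WINAPI PolicyChangedThread (LPPOLICYCHANGEDINFO lpPolicyChangedInfo);
BOOL ResetPolicies (LPGPOINFO lpGPOInfo, LPTSTR lpArchive);

// GPO filtering and list management.
extern "C" BOOL SetupGPOFilter (LPGPOINFO lpGPOInfo);
extern "C" void FilterGPOs (LPGPEXT lpExt, LPGPOINFO lpGPOInfo);
void FreeLists (LPGPOINFO lpGPOInfo);
void FreeExtList (LPEXTLIST pExtList);

// Decides per extension whether GPOs need (re)processing. Outputs:
// *pbProcessGPOs, *pbNoChanges and the list of GPOs no longer applied.
BOOL CheckGPOs (LPGPEXT lpExt, LPGPOINFO lpGPOInfo, DWORD dwTime,
                BOOL *pbProcessGPOs, BOOL *pbNoChanges,
                PGROUP_POLICY_OBJECT *ppDeletedGPOList);
BOOL CheckForChangedSid (LPGPOINFO lpGPOInfo, CLocator *plocator);
extern "C" BOOL CheckForSkippedExtensions (LPGPOINFO lpGPOInfo, BOOL bRsopPlanningMode);

// Client-side extension discovery, loading and status persistence.
extern "C" BOOL ReadGPExtensions (LPGPOINFO lpGPOInfo);
BOOL LoadGPExtension (LPGPEXT lpExt, BOOL bRsopPlanningMode);
extern "C" BOOL UnloadGPExtensions (LPGPOINFO lpGPOInfo);
BOOL WriteStatus (TCHAR *lpExtName, LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, LPGPEXTSTATUS lpExtStatus);
void ReadStatus  (TCHAR *lpExtName, LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, LPGPEXTSTATUS lpExtStatus);

// Hands the changed/deleted GPO lists to one extension; RSoP status for
// that extension comes back through *phrCSERsopStatus.
DWORD ProcessGPOList (LPGPEXT lpExt, LPGPOINFO lpGPOInfo,
                      PGROUP_POLICY_OBJECT pDeletedGPOList,
                      PGROUP_POLICY_OBJECT pChangedGPOList,
                      BOOL bNoChanges, ASYNCCOMPLETIONHANDLE pAsyncHandle,
                      HRESULT *phrCSERsopStatus);
BOOL ProcessGPORegistryPolicy (LPGPOINFO lpGPOInfo, PGROUP_POLICY_OBJECT pChangedGPOList, HRESULT *phrRsopLogging);
BOOL SaveGPOList (TCHAR *pszExtName, LPGPOINFO lpGPOInfo, HKEY hKeyRootMach,
                  LPTSTR lpwszSidUser, BOOL bShadow, PGROUP_POLICY_OBJECT lpGPOList);

// Appends (bFront == FALSE) or prepends (bFront == TRUE, presumably) a GPO
// to *lpGPOList. pSD/cbSDLen carry the GPO's security descriptor as
// returned by CheckGPOAccess; bAccessGranted records the result of that
// check so later filtering need not repeat it — confirm in the caller.
extern "C" BOOL AddGPO (PGROUP_POLICY_OBJECT *lpGPOList, DWORD dwFlags,
                        BOOL bFound, BOOL bAccessGranted, BOOL bDisabled,
                        DWORD dwOptions, DWORD dwVersion,
                        LPTSTR lpDSPath, LPTSTR lpFileSysPath,
                        LPTSTR lpDisplayName, LPTSTR lpGPOName, LPTSTR lpExtensions,
                        PSECURITY_DESCRIPTOR pSD, DWORD cbSDLen,
                        GPO_LINK GPOLink, LPTSTR lpLink, LPARAM lParam,
                        BOOL bFront, BOOL bBlock, BOOL bVerbose, BOOL bProcessGPO);

BOOL RefreshDisplay (LPGPOINFO lpGPOInfo);
extern "C" DWORD IsSlowLink (HKEY hKeyRoot, LPTSTR lpDCAddress, BOOL *bSlow, DWORD *pdwAdapterIndex);

// Builds the ordered GPO list for a machine or user from the DS, along
// with the scope-of-management and container lists used for RSoP logging.
BOOL GetGPOInfo (DWORD dwFlags, LPTSTR lpHostName, LPTSTR lpDNName, LPCTSTR lpComputerName,
                 PGROUP_POLICY_OBJECT *lpGPOList, LPSCOPEOFMGMT *ppSOMList,
                 LPGPCONTAINER *ppGpContainerList, PNETAPI32_API pNetAPI32,
                 BOOL bMachineTokenOk, PRSOPTOKEN pRsopToken, WCHAR *pwszSiteName,
                 CGpoFilter *pGpoFilter, CLocator *pLocator);

void WINAPI ShutdownGPOProcessing (BOOL bMachine);
void DebugPrintGPOList (LPGPOINFO lpGPOInfo);

// Callback invoked by ParseRegistryFile once per value record. lpData is
// dwDataLength bytes of type dwType; the callback must not trust that
// dwDataLength matches what dwType implies (e.g. a NUL-terminated string)
// unless the parser is confirmed to validate it.
typedef BOOL (*PFNREGFILECALLBACK)(LPGPOINFO lpGPOInfo, LPTSTR lpKeyName, LPTSTR lpValueName,
                                   DWORD dwType, DWORD dwDataLength, LPBYTE lpData,
                                   WCHAR *pwszGPO, WCHAR *pwszSOM, REGHASHTABLE *pHashTable);

// Parses a registry-policy file (see REGFILE_SIGNATURE / REGISTRY_FILE_VERSION)
// and invokes pfnRegFileCallback for each entry. The file comes from the
// GPO's file system path, so the parser is the trust boundary for that data.
BOOL ParseRegistryFile (LPGPOINFO lpGPOInfo, LPTSTR lpRegistry,
                        PFNREGFILECALLBACK pfnRegFileCallback, HANDLE hArchive,
                        WCHAR *pwszGPO, WCHAR *pwszSOM, REGHASHTABLE *pHashTable,
                        BOOL bRsopPlanningMode);

BOOL ExtensionHasPerUserLocalSetting (LPTSTR pszExtension, HKEY hKeyRoot);

// Security-group membership tracking; a change in membership is one of the
// triggers for reprocessing policy (see CheckGPOs).
void CheckGroupMembership (LPGPOINFO lpGPOInfo, HANDLE hToken,
                           BOOL *pbMemChanged, BOOL *pbUserLocalMemChanged,
                           PTOKEN_GROUPS *pTokenGroups);
BOOL ReadMembershipList (LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, PTOKEN_GROUPS pGroups);
void SaveMembershipList (LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, PTOKEN_GROUPS pGroups);
BOOL GroupInList (LPTSTR lpSid, PTOKEN_GROUPS pGroups);

DWORD GetCurTime ();

// Domain controller location and DS binding.
extern "C" DWORD GetDomainControllerInfo (PNETAPI32_API pNetAPI32, LPTSTR szDomainName, ULONG ulFlags,
                                          HKEY hKeyRoot, PDOMAIN_CONTROLLER_INFO *ppInfo,
                                          BOOL *pfSlow, DWORD *pdwAdapterIndex);
PLDAP GetMachineDomainDS (PNETAPI32_API pNetApi32, PLDAP_API pLdapApi);
extern "C" HANDLE GetMachineToken ();
NTSTATUS CallDFS (LPWSTR lpDomainName, LPWSTR lpDCName);

// RSoP scope-of-management / container list construction and release.
BOOL AddLocalGPO (LPSCOPEOFMGMT *ppSOMList);
BOOL AddGPOToRsopList (LPGPCONTAINER *ppGpContainerList, DWORD dwFlags,
                       BOOL bFound, BOOL bAccessGranted, BOOL bDisabled, DWORD dwVersion,
                       LPTSTR lpDSPath, LPTSTR lpFileSysPath, LPTSTR lpDisplayName, LPTSTR lpGPOName,
                       PSECURITY_DESCRIPTOR pSD, DWORD cbSDLen,
                       BOOL bFilterAllowed, WCHAR *pwszFilterId, LPWSTR szSOM, DWORD dwGPOOptions);
SCOPEOFMGMT *AllocSOM (LPWSTR pwszSOMId);
void FreeSOM (SCOPEOFMGMT *pSOM);
GPLINK *AllocGpLink (LPWSTR pwszGPO, DWORD dwOptions);
void FreeGpLink (GPLINK *pGpLink);
extern "C" GPCONTAINER *AllocGpContainer (DWORD dwFlags, BOOL bFound, BOOL bAccessGranted, BOOL bDisabled,
                                          DWORD dwVersion, LPTSTR lpDSPath, LPTSTR lpFileSysPath,
                                          LPTSTR lpDisplayName, LPTSTR lpGpoName,
                                          PSECURITY_DESCRIPTOR pSD, DWORD cbSDLen,
                                          BOOL bFilterAllowed, WCHAR *pwszFilterId, LPWSTR szSOM, DWORD dwOptions);
void FreeGpContainer (GPCONTAINER *pGpContainer);
void FreeSOMList (SCOPEOFMGMT *pSOMList);
void FreeGpContainerList (GPCONTAINER *pGpContainerList);

// SEH filter (signature of an exception filter: PEXCEPTION_POINTERS in,
// EXCEPTION_* disposition out) used around extension callbacks.
extern "C" LONG GPOExceptionFilter (PEXCEPTION_POINTERS pExceptionPtrs);
extern "C" BOOL FreeGpoInfo (LPGPOINFO pGpoInfo);

// Persisted GPO-list history (per extension, per SID).
BOOL ReadExtStatus (LPGPOINFO lpGPOInfo);
BOOL ReadGPOList (TCHAR *pszExtName, HKEY hKeyRoot, HKEY hKeyRootMach,
                  LPTSTR lpwszSidUser, BOOL bShadow, PGROUP_POLICY_OBJECT *lpGPOList);
BOOL GetDeletedGPOList (PGROUP_POLICY_OBJECT lpGPOList, PGROUP_POLICY_OBJECT *ppDeletedGPOList);
BOOL HistoryPresent (LPGPOINFO lpGPOInfo, LPGPEXT lpExt, BOOL *pbPresent);
extern "C" BOOL InitializePolicyProcessing (BOOL bMachine);

// WMI filter evaluation for a GPO; *pbFilterAllowed is the verdict and
// *ppwszFilterId the filter that produced it (presumably caller-freed).
BOOL FilterCheck (PLDAP pld, PLDAP_API pLDAP, PLDAPMessage pMessage, PRSOPTOKEN pRsopToken,
                  LPTSTR szWmiFilter, CGpoFilter *pGpoFilter, CLocator *pLocator,
                  BOOL *pbFilterAllowed, WCHAR **ppwszFilterId);

// Access check of hToken (or pRsopToken in planning mode) against the
// GPO's security descriptor read from lpSDProperty. The descriptor is
// returned to the caller in *ppSD/*pcbSDLen and the verdict in
// *pbAccessGranted; this is the check that decides whether a GPO applies.
BOOL CheckGPOAccess (PLDAP pld, PLDAP_API pLDAP, HANDLE hToken, PLDAPMessage pMessage,
                     LPTSTR lpSDProperty, DWORD dwFlags,
                     PSECURITY_DESCRIPTOR *ppSD, DWORD *pcbSDLen,
                     BOOL *pbAccessGranted, PRSOPTOKEN pRsopToken);

// Deferred DS evaluation (see DNENTRY).
BOOL AddOU (DNENTRY **ppOUList, LPTSTR pwszOU, GPO_LINK gpoLink);
BOOL EvaluateDeferredGPOs (PLDAP pldBound, PLDAP_API pLDAP, LPTSTR pwszDomainBound,
                           DWORD dwFlags, HANDLE hToken, BOOL bVerbose,
                           PGROUP_POLICY_OBJECT pDeferredForcedList,
                           PGROUP_POLICY_OBJECT pDeferredNonForcedList,
                           PGROUP_POLICY_OBJECT *ppForcedList,
                           PGROUP_POLICY_OBJECT *ppNonForcedList,
                           LPGPCONTAINER *ppGpContainerList, PRSOPTOKEN pRsopToken,
                           CGpoFilter *pGpoFilter, CLocator *pLocator);
BOOL SearchDSObject (LPTSTR lpDSObject, DWORD dwFlags, HANDLE hToken,
                     PGROUP_POLICY_OBJECT *pGPOForcedList, PGROUP_POLICY_OBJECT *pGPONonForcedList,
                     LPSCOPEOFMGMT *ppSOMList, LPGPCONTAINER *ppGpContainerList,
                     BOOL bVerbose, GPO_LINK GPOLink, PLDAP pld, PLDAP_API pLDAP,
                     PLDAPMessage pLDAPMsg, BOOL *bBlock, PRSOPTOKEN pRsopToken);
BOOL EvaluateDeferredOUs (DNENTRY *pOUList, DWORD dwFlags, HANDLE hToken,
                          PGROUP_POLICY_OBJECT *ppDeferredForcedList,
                          PGROUP_POLICY_OBJECT *ppDeferredNonForcedList,
                          LPSCOPEOFMGMT *ppSOMList, LPGPCONTAINER *ppGpContainerList,
                          BOOL bVerbose, PLDAP pld, PLDAP_API pLDAP,
                          BOOL *pbBlock, PRSOPTOKEN pRsopToken);
void FreeDnEntry (DNENTRY *pDnEntry);
BOOL CheckOUAccess (PLDAP_API pLDAP, PLDAP pld, PLDAPMessage pMessage,
                    PRSOPTOKEN pRsopToken, BOOL *pbAccessGranted);

// ADM file cache used for RSoP logging of administrative templates.
BOOL AddAdmFile (WCHAR *pwszFile, WCHAR *pwszGPO, FILETIME *pftWrite,
                 LPTSTR szComputer, ADMFILEINFO **ppAdmFileCache);
void FreeAdmFileCache (ADMFILEINFO *pAdmFileCache);
ADMFILEINFO *AllocAdmFileInfo (WCHAR *pwszFile, WCHAR *pwszGPO, FILETIME *pftWrite);
void FreeAdmFileInfo (ADMFILEINFO *pAdmFileInfo);

// Persisted policy / link state, compared across refreshes to detect change.
DWORD SavePolicyState (LPGPOINFO pInfo);
DWORD SaveLinkState (LPGPOINFO pInfo);
DWORD ComparePolicyState (LPGPOINFO pInfo, BOOL *pbLinkChanged, BOOL *pbStateChanged, BOOL *pbNoState);
DWORD DeletePolicyState (LPCWSTR szSid);

LPTSTR GetSomPath (LPTSTR szContainer);
HRESULT RsopSidsFromToken (PRSOPTOKEN pRsopToken, PTOKEN_GROUPS *ppGroups);

// printf-style: %s is the domain's DN; yields the policies container DN.
#define DOMAIN_GPO_LOCATION_FMT L"cn=policies,cn=system,%s"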