Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1209 lines
31 KiB

/*++
Copyright (c) 1995 Microsoft Corporation
Module Name:
security.c
Abstract:
Routines to deal with security, user accounts, etc.
Externally exposed routines:
SignalLsa
CreateSamEvent
WaitForSam
SetAccountsDomainSid
CreateLocalAdminAccount
CreateLocalUserAccount
SetLocalUserPassword
Author:
Ted Miller (tedm) 5-Apr-1995
adapted from legacy\dll\security.c
Revision History:
--*/
#include "setupp.h"
#include <Lmaccess.h>
#pragma hdrstop
PCWSTR SamEventName = L"\\SAM_SERVICE_STARTED";
PCWSTR SsiAccountNamePostfix = L"$";
PCWSTR SsiSecretName = L"$MACHINE.ACC";
#define DOMAIN_NAME_MAX 33
#define PASSWORD_MAX 14
//
// Constants used for logging that are specific to this source file.
//
PCWSTR szLsaOpenPolicy = L"LsaOpenPolicy";
PCWSTR szLsaSetInformationPolicy = L"LsaSetInformationPolicy";
PCWSTR szLsaQueryInformationPolicy = L"LsaQueryInformationPolicy";
PCWSTR szNtSetEvent = L"NtSetEvent";
PCWSTR szNtCreateEvent = L"NtCreateEvent";
PCWSTR szSamConnect = L"SamConnect";
PCWSTR szGetAccountsDomainName = L"GetAccountsDomainName";
PCWSTR szSamLookupDomainInSamServer = L"SamLookupDomainInSamServer";
PCWSTR szSamOpenDomain = L"SamOpenDomain";
PCWSTR szSamEnumerateUsersInDomain = L"SamEnumerateUsersInDomain";
PCWSTR szSamOpenUser = L"SamOpenUser";
PCWSTR szSamChangePasswordUser = L"SamChangePasswordUser";
PCWSTR szSamCreateUserInDomain = L"SamCreateUserInDomain";
PCWSTR szSamQueryInformationUser = L"SamQueryInformationUser";
PCWSTR szSamSetInformationUser = L"SamSetInformationUser";
PCWSTR szMyAddLsaSecretObject = L"MyAddLsaSecretObject";
VOID
SetupLsaInitObjectAttributes(
IN OUT POBJECT_ATTRIBUTES ObjectAttributes,
IN OUT PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
);
BOOL
GetAccountsDomainName(
IN LSA_HANDLE hPolicy, OPTIONAL
OUT PWSTR Name,
IN DWORD NameBufferSize
);
LSA_HANDLE
OpenLsaPolicy(
VOID
);
PSID
CreateSidFromSidAndRid(
IN PSID DomainSid,
IN DWORD Rid
);
NTSTATUS
MyAddLsaSecretObject(
IN PCWSTR Password
);
BOOL
SetAccountsDomainSid(
IN DWORD Seed,
IN PCWSTR DomainName
)
/*++
Routine Description:
Routine to set the sid of the AccountDomain.
Arguments:
Seed - The seed is used to generate a unique Sid. The seed should
be generated by looking at the systemtime before and after
a dialog and subtracting the milliseconds field.
DomainName - supplies name to give to local domain
Return value:
Boolean value indicating outcome.
--*/
{
PSID Sid;
PSID SidPrimary ;
OBJECT_ATTRIBUTES ObjectAttributes;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
LSA_HANDLE PolicyHandle = NULL;
PPOLICY_ACCOUNT_DOMAIN_INFO PolicyCurrentAccountDomainInfo = NULL;
NTSTATUS Status;
BOOL bResult;
//
//
// Open the LSA Policy object to set the account domain sid. The access
// mask needed for this is POLICY_TRUST_ADMIN.
//
SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
Status = LsaOpenPolicy(NULL,&ObjectAttributes,MAXIMUM_ALLOWED,&PolicyHandle);
if(!NT_SUCCESS(Status)) {
SetuplogError(
LogSevError,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_SETACCOUNTDOMAINSID, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_RETURNED_NTSTATUS,
szLsaOpenPolicy,
Status,
NULL,NULL);
return(FALSE);
}
Status = LsaQueryInformationPolicy(
PolicyHandle,
PolicyAccountDomainInformation,
&PolicyCurrentAccountDomainInfo
);
if(NT_SUCCESS(Status)) {
RtlInitUnicodeString(&PolicyCurrentAccountDomainInfo->DomainName,DomainName);
Status = LsaSetInformationPolicy(
PolicyHandle,
PolicyAccountDomainInformation,
(PVOID) PolicyCurrentAccountDomainInfo
);
LsaFreeMemory( PolicyCurrentAccountDomainInfo );
}
if(NT_SUCCESS(Status)) {
bResult = TRUE;
} else {
bResult = FALSE;
SetuplogError(
LogSevError,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_SETACCOUNTDOMAINSID, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_RETURNED_NTSTATUS,
szLsaSetInformationPolicy,
Status,
NULL,NULL);
}
LsaClose(PolicyHandle);
return(bResult);
}
VOID
SetupLsaInitObjectAttributes(
IN OUT POBJECT_ATTRIBUTES ObjectAttributes,
IN OUT PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
)
/*++
Routine Description:
This function initializes the given Object Attributes structure, including
Security Quality Of Service. Memory must be allcated for both
ObjectAttributes and Security QOS by the caller. Borrowed from
lsa
Arguments:
ObjectAttributes - Pointer to Object Attributes to be initialized.
SecurityQualityOfService - Pointer to Security QOS to be initialized.
Return Value:
None.
--*/
{
SecurityQualityOfService->Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
SecurityQualityOfService->ImpersonationLevel = SecurityImpersonation;
SecurityQualityOfService->ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
SecurityQualityOfService->EffectiveOnly = FALSE;
InitializeObjectAttributes(ObjectAttributes,NULL,0,NULL,NULL);
//
// The InitializeObjectAttributes macro presently stores NULL for
// the SecurityQualityOfService field, so we must manually copy that
// structure for now.
//
ObjectAttributes->SecurityQualityOfService = SecurityQualityOfService;
}
BOOL
CreateLocalUserAccount(
IN PCWSTR UserName,
IN PCWSTR Password,
IN PSID* PointerToUserSid OPTIONAL
)
/*++
Routine Description:
Routine to add a local user account to the AccountDomain. This account
is created with the password indicated.
Arguments:
UserName - supplies name for user account
Password - supplies initial password for user account.
PointerToUserSid - If this argument is present, then on return it will contain the
pointer to the user sid. It is the responsibility of the caller
to free the Sid, using MyFree.
Return value:
Boolean value indicating outcome.
--*/
{
return (NT_SUCCESS(CreateLocalAdminAccount(UserName,
Password,
PointerToUserSid
)
)
);
}
NTSTATUS
CreateLocalAdminAccountEx(
IN PCWSTR UserName,
IN PCWSTR Password,
IN PCWSTR Description,
IN PSID* PointerToUserSid OPTIONAL
)
/*++
Routine Description:
Routine to add a local user account to the AccountDomain. This account
has ADMINISTRATOR priveledges and is created with the password indicated.
Arguments:
UserName - supplies name for user account
Password - supplies initial password for user account.
Description - Description that appears in user manager.
PointerToUserSid - If this argument is present, then on return it will contain the
pointer to the user sid. It is the responsibility of the caller
to free the Sid, using MyFree.
Return value:
Boolean value indicating outcome.
--*/
{
OBJECT_ATTRIBUTES ObjectAttributes;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
UNICODE_STRING UnicodeString;
SAM_HANDLE ServerHandle;
SAM_HANDLE DomainHandle;
SAM_HANDLE UserHandle;
SAM_HANDLE AliasHandle;
SAM_HANDLE BuiltinDomainHandle;
WCHAR AccountsDomainName[DOMAIN_NAME_MAX];
NTSTATUS Status;
PSID BuiltinDomainId;
PSID UserSid;
ULONG User_RID;
PUSER_CONTROL_INFORMATION UserControlInfo;
USER_SET_PASSWORD_INFORMATION UserPasswordInfo;
LSA_HANDLE PolicyHandle = NULL;
PPOLICY_ACCOUNT_DOMAIN_INFO PolicyCurrentAccountDomainInfo = NULL;
USER_ADMIN_COMMENT_INFORMATION AdminCommentInfo;
//
// Use SamConnect to connect to the local domain ("") and get a handle
// to the local sam server.
//
SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
RtlInitUnicodeString(&UnicodeString,L"");
Status = SamConnect(
&UnicodeString,
&ServerHandle,
SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
&ObjectAttributes
);
if(!NT_SUCCESS(Status)) {
goto err0;
}
//
// Use the LSA to retrieve the name of the Accounts domain.
//
if(!GetAccountsDomainName(NULL,AccountsDomainName,DOMAIN_NAME_MAX)) {
goto err1;
}
//
// Open the AccountDomain. First find the Sid for this
// in the Sam and then open the domain using this sid
//
//
// Open the LSA Policy object to set the account domain sid.
//
SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
Status = LsaOpenPolicy(NULL,&ObjectAttributes,MAXIMUM_ALLOWED,&PolicyHandle);
if(NT_SUCCESS(Status)) {
Status = LsaQueryInformationPolicy(
PolicyHandle,
PolicyAccountDomainInformation,
&PolicyCurrentAccountDomainInfo
);
if(NT_SUCCESS(Status)) {
Status = SamOpenDomain(
ServerHandle,
DOMAIN_READ | DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP |
DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_CREATE_USER,
PolicyCurrentAccountDomainInfo->DomainSid,
&DomainHandle
);
}
LsaClose( PolicyHandle );
}
if (!NT_SUCCESS(Status)) {
goto err2;
}
//
// Use SamCreateUserInDomain to create a new user with the username
// specified. This user account is created disabled with the
// password not required.
//
RtlInitUnicodeString(&UnicodeString,UserName);
Status = SamCreateUserInDomain(
DomainHandle,
&UnicodeString,
//USER_READ_ACCOUNT | USER_WRITE_ACCOUNT | USER_FORCE_PASSWORD_CHANGE,
USER_ALL_ACCESS,
&UserHandle,
&User_RID
);
if(!NT_SUCCESS(Status)) {
goto err3;
}
//
// Query all the default control information about the user added
//
Status = SamQueryInformationUser(UserHandle,UserControlInformation,&UserControlInfo);
if(!NT_SUCCESS(Status)) {
goto err4;
}
//
// If the password is a Null password, make sure the
// password_not required bit is set before the null
// password is set.
//
if(!Password[0]) {
UserControlInfo->UserAccountControl |= USER_PASSWORD_NOT_REQUIRED;
Status = SamSetInformationUser(UserHandle,UserControlInformation,UserControlInfo);
if(!NT_SUCCESS(Status)) {
goto err5;
}
}
//
// Set the password ( NULL or non NULL )
//
RtlInitUnicodeString(&UserPasswordInfo.Password,Password);
UserPasswordInfo.PasswordExpired = FALSE;
Status = SamSetInformationUser(UserHandle,UserSetPasswordInformation,&UserPasswordInfo);
if(!NT_SUCCESS(Status)) {
goto err5;
}
//
// Set the information bits - User Password not required is cleared
// The normal account bit is enabled and the account disabled bit
// is also reset
//
UserControlInfo->UserAccountControl &= ~USER_PASSWORD_NOT_REQUIRED;
UserControlInfo->UserAccountControl &= ~USER_ACCOUNT_DISABLED;
UserControlInfo->UserAccountControl |= USER_NORMAL_ACCOUNT;
Status = SamSetInformationUser(UserHandle,UserControlInformation,UserControlInfo);
if(!NT_SUCCESS(Status)) {
goto err5;
}
// Set the description is one is given
//
if ( Description[0])
{
// Convert description to unicode string
//
RtlInitUnicodeString(&AdminCommentInfo.AdminComment,Description);
// We do not care if this fails and therefore will not set the status
//
SamSetInformationUser(UserHandle,UserAdminCommentInformation,&AdminCommentInfo);
}
//
// If this is a non-standlone server we're done.
//
if(ISDC(ProductType)) {
Status = STATUS_SUCCESS;
goto err5;
}
//
// Finally add this to the administrators alias in the BuiltIn Domain
//
RtlInitUnicodeString(&UnicodeString,L"Builtin");
Status = SamLookupDomainInSamServer(ServerHandle,&UnicodeString,&BuiltinDomainId);
if(!NT_SUCCESS(Status)) {
goto err5;
}
Status = SamOpenDomain(
ServerHandle,
DOMAIN_READ | DOMAIN_ADMINISTER_SERVER | DOMAIN_EXECUTE,
BuiltinDomainId,
&BuiltinDomainHandle
);
if(!NT_SUCCESS(Status)) {
goto err6;
}
UserSid = CreateSidFromSidAndRid(PolicyCurrentAccountDomainInfo->DomainSid,User_RID);
if(!UserSid) {
goto err7;
}
Status = SamOpenAlias(BuiltinDomainHandle,ALIAS_ADD_MEMBER,DOMAIN_ALIAS_RID_ADMINS,&AliasHandle);
if(!NT_SUCCESS(Status)) {
goto err8;
}
Status = SamAddMemberToAlias(AliasHandle,UserSid);
if(!NT_SUCCESS(Status)) {
goto err9;
}
MYASSERT(NT_SUCCESS(Status));
err9:
SamCloseHandle(AliasHandle);
err8:
if(NT_SUCCESS(Status) && (PointerToUserSid != NULL )) {
*PointerToUserSid = UserSid;
} else {
MyFree(UserSid);
}
err7:
SamCloseHandle(BuiltinDomainHandle);
err6:
SamFreeMemory(BuiltinDomainId);
err5:
SamFreeMemory(UserControlInfo);
err4:
SamCloseHandle(UserHandle);
err3:
SamCloseHandle(DomainHandle);
err2:
LsaFreeMemory( PolicyCurrentAccountDomainInfo );
err1:
SamCloseHandle(ServerHandle);
err0:
return(Status);
}
NTSTATUS
CreateLocalAdminAccount(
IN PCWSTR UserName,
IN PCWSTR Password,
IN PSID* PointerToUserSid OPTIONAL
)
/*++
Routine Description:
Please see CreateLocalAdminAccountEx description.
--*/
{
return ( CreateLocalAdminAccountEx(UserName, Password, L"", PointerToUserSid) );
}
BOOL
GetAccountsDomainName(
IN LSA_HANDLE PolicyHandle, OPTIONAL
OUT PWSTR Name,
IN DWORD NameBufferSize
)
{
POLICY_ACCOUNT_DOMAIN_INFO *pPadi;
NTSTATUS Status ;
BOOL PolicyOpened;
PolicyOpened = FALSE;
if(PolicyHandle == NULL) {
if((PolicyHandle = OpenLsaPolicy()) == NULL) {
return(FALSE);
}
PolicyOpened = TRUE;
}
Status = LsaQueryInformationPolicy(PolicyHandle,PolicyAccountDomainInformation,&pPadi);
if(NT_SUCCESS(Status)) {
if(NameBufferSize <= (pPadi->DomainName.Length/sizeof(WCHAR))) {
Status = STATUS_BUFFER_TOO_SMALL;
} else {
wcsncpy(Name,pPadi->DomainName.Buffer,pPadi->DomainName.Length/sizeof(WCHAR));
Name[pPadi->DomainName.Length/sizeof(WCHAR)] = 0;
}
LsaFreeMemory(pPadi);
}
if(PolicyOpened) {
LsaClose(PolicyHandle);
}
return(NT_SUCCESS(Status));
}
LSA_HANDLE
OpenLsaPolicy(
VOID
)
{
OBJECT_ATTRIBUTES ObjectAttributes;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
LSA_HANDLE PolicyHandle;
NTSTATUS Status;
PolicyHandle = NULL;
SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
Status = LsaOpenPolicy(NULL,&ObjectAttributes,GENERIC_EXECUTE,&PolicyHandle);
return(NT_SUCCESS(Status) ? PolicyHandle : NULL);
}
PSID
CreateSidFromSidAndRid(
IN PSID DomainSid,
IN DWORD Rid
)
/*++
Routine Description:
This function creates a domain account sid given a domain sid and
the relative id of the account within the domain.
Arguments:
DomainSid - supplies sid for domain of account
Rid - supplies relative id of account
Return Value:
Pointer to Sid, or NULL on failure.
The returned Sid must be freed with MyFree.
--*/
{
NTSTATUS Status;
PSID AccountSid;
UCHAR AccountSubAuthorityCount;
ULONG AccountSidLength;
PULONG RidLocation;
AccountSubAuthorityCount = *RtlSubAuthorityCountSid(DomainSid) + (UCHAR)1;
AccountSidLength = RtlLengthRequiredSid(AccountSubAuthorityCount);
if(AccountSid = (PSID)MyMalloc(AccountSidLength)) {
//
// Copy the domain sid into the first part of the account sid
//
Status = RtlCopySid(AccountSidLength, AccountSid, DomainSid);
//
// Increment the account sid sub-authority count
//
*RtlSubAuthorityCountSid(AccountSid) = AccountSubAuthorityCount;
//
// Add the rid as the final sub-authority
//
RidLocation = RtlSubAuthoritySid(AccountSid, AccountSubAuthorityCount - 1);
*RidLocation = Rid;
}
return(AccountSid);
}
BOOL
SetLocalUserPassword(
IN PCWSTR AccountName,
IN PCWSTR OldPassword,
IN PCWSTR NewPassword
)
/*++
Routine Description:
Change the password for the local user account.
Arguments:
Return value:
Boolean value indicating outcome.
--*/
{
NTSTATUS Status;
BOOL b;
UNICODE_STRING UnicodeString;
UNICODE_STRING OtherUnicodeString;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
OBJECT_ATTRIBUTES ObjectAttributes;
WCHAR AccountsDomainName[DOMAIN_NAME_MAX];
SAM_HANDLE ServerHandle;
SAM_HANDLE DomainHandle;
SAM_HANDLE UserHandle;
BOOL UserFound;
SAM_ENUMERATE_HANDLE EnumerationContext;
SAM_RID_ENUMERATION *SamRidEnumeration;
UINT i;
UINT CountOfEntries;
ULONG UserRid;
LSA_HANDLE PolicyHandle = NULL;
PPOLICY_ACCOUNT_DOMAIN_INFO PolicyCurrentAccountDomainInfo = NULL;
b = FALSE;
//
// Use SamConnect to connect to the local domain ("") and get a handle
// to the local sam server
//
SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
RtlInitUnicodeString(&UnicodeString,L"");
Status = SamConnect(
&UnicodeString,
&ServerHandle,
SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
&ObjectAttributes
);
if(!NT_SUCCESS(Status)) {
SetuplogError(
LogSevWarning,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_CHANGING_PW_FAIL,
AccountName, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_RETURNED_NTSTATUS,
szSamConnect,
Status,
NULL,NULL);
goto err0;
}
//
// Use the LSA to retrieve the name of the Accounts domain.
//
if(!GetAccountsDomainName(NULL,AccountsDomainName,DOMAIN_NAME_MAX)) {
SetuplogError(
LogSevWarning,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_CHANGING_PW_FAIL,
AccountName, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_RETURNED_STRING,
szGetAccountsDomainName,
szFALSE,
NULL,NULL);
goto err1;
}
//
// Open the AccountDomain. First find the Sid for this
// in the Sam and then open the domain using this sid.
//
//
// Get the AccountDomainSid from the Lsa
//
//
//
// Open the LSA Policy object to set the account domain sid.
//
SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
Status = LsaOpenPolicy(NULL,&ObjectAttributes,MAXIMUM_ALLOWED,&PolicyHandle);
if(NT_SUCCESS(Status)) {
Status = LsaQueryInformationPolicy(
PolicyHandle,
PolicyAccountDomainInformation,
&PolicyCurrentAccountDomainInfo
);
if(NT_SUCCESS(Status)) {
Status = SamOpenDomain(
ServerHandle,
DOMAIN_READ | DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP |
DOMAIN_READ_PASSWORD_PARAMETERS,
PolicyCurrentAccountDomainInfo->DomainSid,
&DomainHandle
);
LsaFreeMemory( PolicyCurrentAccountDomainInfo );
}
LsaClose( PolicyHandle );
}
if(!NT_SUCCESS(Status)) {
SetuplogError(
LogSevWarning,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_CHANGING_PW_FAIL,
AccountName, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_PARAM_RETURNED_NTSTATUS,
szSamOpenDomain,
Status,
AccountsDomainName,
NULL,NULL);
goto err2;
}
//
// Find the account name in this domain - and extract the rid.
//
UserFound = FALSE;
EnumerationContext = 0;
RtlInitUnicodeString(&UnicodeString,AccountName);
do {
Status = SamEnumerateUsersInDomain(
DomainHandle,
&EnumerationContext,
0L,
&SamRidEnumeration,
0L,
&CountOfEntries
);
if(!NT_SUCCESS(Status) && (Status != STATUS_MORE_ENTRIES)) {
SetuplogError(
LogSevWarning,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_CHANGING_PW_FAIL,
AccountName, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_RETURNED_NTSTATUS,
szSamEnumerateUsersInDomain,
Status,
NULL,NULL);
goto err3;
}
//
// go through the the SamRidEnumeration buffer for count entries.
//
for(i = 0; (i<CountOfEntries) && !UserFound; i++ ) {
if(RtlEqualUnicodeString(&UnicodeString,&SamRidEnumeration[i].Name,TRUE)) {
UserRid = SamRidEnumeration[i].RelativeId;
UserFound = TRUE;
}
}
SamFreeMemory(SamRidEnumeration);
} while((Status == STATUS_MORE_ENTRIES) && !UserFound);
if(!UserFound) {
SetuplogError(
LogSevWarning,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_CHANGING_PW_FAIL,
AccountName,NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_USERNOTFOUND,
NULL,NULL);
goto err3;
}
//
// Open the user
//
Status = SamOpenUser(
DomainHandle,
USER_READ_ACCOUNT | USER_WRITE_ACCOUNT | USER_CHANGE_PASSWORD | USER_FORCE_PASSWORD_CHANGE,
UserRid,
&UserHandle
);
if(!NT_SUCCESS(Status)) {
SetuplogError(
LogSevWarning,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_CHANGING_PW_FAIL,
AccountName, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_RETURNED_NTSTATUS,
szSamOpenUser,
Status,
NULL,NULL);
goto err3;
}
//
// Use SAM API to change the password for this Account.
//
RtlInitUnicodeString(&UnicodeString,OldPassword);
RtlInitUnicodeString(&OtherUnicodeString,NewPassword);
Status = SamChangePasswordUser(UserHandle,&UnicodeString,&OtherUnicodeString);
if(!NT_SUCCESS(Status)) {
SetuplogError(
LogSevWarning,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_CHANGING_PW_FAIL,
AccountName, NULL,
SETUPLOG_USE_MESSAGEID,
MSG_LOG_X_RETURNED_NTSTATUS,
szSamChangePasswordUser,
Status,
NULL,NULL);
goto err4;
}
b = TRUE;
err4:
SamCloseHandle(UserHandle);
err3:
SamCloseHandle(DomainHandle);
err2:
err1:
SamCloseHandle(ServerHandle);
err0:
return(b);
}
VOID
GenerateRandomPassword(
OUT PWSTR Password
)
{
static DWORD Seed = 98725757;
static PCWSTR UsableChars = L"ABCDEFGHIJKLMOPQRSTUVWYZabcdefghijklmopqrstuvwyz0123456789";
UINT UsableCount;
UINT i;
UsableCount = lstrlen(UsableChars);
Seed ^= GetCurrentTime();
for(i=0; i<PASSWORD_MAX; i++) {
Password[i] = UsableChars[RtlRandom(&Seed) % UsableCount];
}
Password[i] = 0;
}
NTSTATUS
MyAddLsaSecretObject(
IN PCWSTR Password
)
/*++
Routine Description:
Create the Secret Object necessary to support a machine account
on an NT domain.
Arguments:
Password - supplies password to machine account
Return value:
NT Status code indicating outcome.
--*/
{
UNICODE_STRING SecretName;
UNICODE_STRING UnicodePassword;
NTSTATUS Status;
LSA_HANDLE LsaHandle;
LSA_HANDLE SecretHandle;
OBJECT_ATTRIBUTES ObjAttr;
RtlInitUnicodeString(&SecretName,SsiSecretName) ;
RtlInitUnicodeString(&UnicodePassword,Password);
InitializeObjectAttributes(&ObjAttr,NULL,0,NULL,NULL);
Status = LsaOpenPolicy(NULL,&ObjAttr,MAXIMUM_ALLOWED,&LsaHandle);
if(NT_SUCCESS(Status)) {
Status = LsaCreateSecret(LsaHandle,&SecretName,SECRET_ALL_ACCESS,&SecretHandle);
if(NT_SUCCESS(Status)) {
Status = LsaSetSecret(SecretHandle,&UnicodePassword,&UnicodePassword);
LsaClose(SecretHandle);
}
LsaClose(LsaHandle);
}
return(Status);
}
BOOL
AdjustPrivilege(
IN PCWSTR Privilege,
IN BOOL Enable
)
/*++
Routine Description:
This routine enables or disable a priviliege of the current process.
Arguments:
Privilege - String with the name of the privilege to be adjusted.
Enable - TRUE if the privilege is to be enabled.
FALSE if the privilege is to be disabled.
Return Value:
Returns TRUE if the privilege could be adjusted.
Returns FALSE, otherwise.
--*/
{
HANDLE TokenHandle;
LUID_AND_ATTRIBUTES LuidAndAttributes;
TOKEN_PRIVILEGES TokenPrivileges;
if( !OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&TokenHandle ) ) {
SetupDebugPrint1(L"SYSSETUP: OpenProcessToken() failed. Error = %d \n", GetLastError() );
return( FALSE );
}
if( !LookupPrivilegeValue( NULL,
Privilege,
&( LuidAndAttributes.Luid ) ) ) {
SetupDebugPrint1(L"SYSSETUP: LookupPrivilegeValue failed, Error = %d \n", GetLastError() );
CloseHandle( TokenHandle );
return( FALSE );
}
if( Enable ) {
LuidAndAttributes.Attributes |= SE_PRIVILEGE_ENABLED;
} else {
LuidAndAttributes.Attributes &= ~SE_PRIVILEGE_ENABLED;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0] = LuidAndAttributes;
if( !AdjustTokenPrivileges( TokenHandle,
FALSE,
&TokenPrivileges,
0,
NULL,
NULL ) ) {
SetupDebugPrint1(L"SYSSETUP: AdjustTokenPrivileges failed, Error = %d \n", GetLastError() );
CloseHandle( TokenHandle );
return( FALSE );
}
CloseHandle( TokenHandle );
return( TRUE );
}
NTSTATUS
DisableLocalUserAccount(
PWSTR AccountName
)
/*++
Routine Description:
This routine disables the local administrator account.
Arguments:
AccountName - Name of the local account to be disabled.
Return Value:
NTSTATUS, depending on the outcome of the operations.
--*/
{
LONG rc;
PUSER_INFO_1 ui1;
// Get the info.
rc = NetUserGetInfo( NULL,
AccountName,
1,
(PBYTE *)(&ui1) );
if( rc == NO_ERROR ) {
// set the disable flag and store the info back out.
ui1->usri1_flags |= UF_ACCOUNTDISABLE;
rc = NetUserSetInfo( NULL,
AccountName,
1,
(PBYTE)ui1,
NULL );
NetApiBufferFree((PVOID)ui1);
}
return rc;
}
NTSTATUS
DisableLocalAdminAccount(
VOID
)
/*++
Routine Description:
This routine disables the local administrator account.
Arguments:
None.
Return Value:
NTSTATUS, depending on the outcome of the operations.
--*/
{
NTSTATUS Status = STATUS_SUCCESS;
WCHAR AdminAccountName[MAX_PATH];
GetAdminAccountName( AdminAccountName );
Status = DisableLocalUserAccount( AdminAccountName );
return Status;
}
DWORD
StorePasswordAsLsaSecret (
IN PCWSTR Password
)
{
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
LSA_HANDLE LsaPolicyHandle;
LSA_UNICODE_STRING lusSecretName, lusSecretData;
USHORT SecretNameLength, SecretDataLength;
NTSTATUS ntsResult;
DWORD dwRetCode = ERROR_SUCCESS;
// Object attributes are reserved, so initialize to zeroes.
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
// Get a handle to the Policy object.
ntsResult = LsaOpenPolicy(
NULL, //local machine
&ObjectAttributes,
POLICY_CREATE_SECRET,
&LsaPolicyHandle);
if( STATUS_SUCCESS != ntsResult )
{
// An error occurred. Return the win32 error code.
return LsaNtStatusToWinError(ntsResult);
}
//Initialize an LSA_UNICODE_STRING
SecretNameLength = (USHORT)wcslen(L"DefaultPassword");
lusSecretName.Buffer = L"DefaultPassword";
lusSecretName.Length = SecretNameLength * sizeof(WCHAR);
lusSecretName.MaximumLength = (SecretNameLength+1) * sizeof(WCHAR);
//Initialize the Password LSA_UNICODE_STRING
SecretDataLength = (USHORT)wcslen(Password);
lusSecretData.Buffer = (PWSTR)Password;
lusSecretData.Length = SecretDataLength * sizeof(WCHAR);
lusSecretData.MaximumLength = (SecretDataLength+1) * sizeof(WCHAR);
ntsResult = LsaStorePrivateData(
LsaPolicyHandle,
&lusSecretName,
&lusSecretData);
if( STATUS_SUCCESS != ntsResult ) {
dwRetCode = LsaNtStatusToWinError(ntsResult);
}
LsaClose(LsaPolicyHandle);
return dwRetCode;
}