Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1133 lines
32 KiB

  1. /*---------------------------------------------------------------------------
  2. File: UserRights.cpp
  3. Comments: COM object to update user rights.
  4. (c) Copyright 1999, Mission Critical Software, Inc., All Rights Reserved
  5. Proprietary and confidential to Mission Critical Software, Inc.
  6. REVISION LOG ENTRY
  7. Revision By: Christy Boles
  8. Revised on 02/15/99 11:34:35
  9. ---------------------------------------------------------------------------
  10. */
  11. // UserRights.cpp : Implementation of CUserRights
  12. #include "stdafx.h"
  13. #include "WorkObj.h"
  14. #include "UserRts.h"
  15. #include "Common.hpp"
  16. #include "TNode.hpp"
  17. #include "UString.hpp"
  18. #include "ErrDct.hpp"
  19. #include "TxtSid.h"
  20. #include "LSAUtils.h"
  21. #include "EaLen.hpp"
  22. #include "ntsecapi.h"
  23. #include <lm.h>
  24. #ifdef _DEBUG
  25. #define new DEBUG_NEW
  26. #undef THIS_FILE
  27. static char THIS_FILE[] = __FILE__;
  28. #endif
  29. extern TErrorDct err;
  30. #define LEN_SID 200
  31. #ifndef SE_DENY_INTERACTIVE_LOGON_NAME
  32. #define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight")
  33. #endif
  34. #ifndef SE_DENY_NETWORK_LOGON_NAME
  35. #define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
  36. #endif
  37. #ifndef SE_DENY_BATCH_LOGON_NAME
  38. #define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
  39. #endif
  40. #ifndef SE_DENY_SERVICE_LOGON_NAME
  41. #define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
  42. #endif
  43. //
  44. // this function wasn't defined in the header file.
  45. extern "C" {
  46. NTSTATUS
  47. NTAPI
  48. LsaEnumeratePrivileges(
  49. LSA_HANDLE PolicyHandle,
  50. LSA_ENUMERATION_HANDLE * eHandle,
  51. LPVOID * enumBuffer,
  52. ULONG prefMaxLen,
  53. ULONG * countReturned
  54. );
  55. };
  56. //The following definition was in ntsecapi.h but was mistakenly taken out
  57. //in the W2K build version.
  58. //
  59. // The following data type is used to return information about privileges
  60. // defined on a system.
  61. //
  62. typedef struct _POLICY_PRIVILEGE_DEFINITION {
  63. LSA_UNICODE_STRING Name;
  64. LUID LocalValue;
  65. } POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION;
  66. class PrivNode : public TNode
  67. {
  68. WCHAR name[200];
  69. public:
  70. PrivNode(WCHAR * str, USHORT length ) { UStrCpy(name,str,length+1); name[length] = 0; }
  71. WCHAR * Name() { return name; }
  72. };
  73. class PrivList : public TNodeListSortable
  74. {
  75. protected:
  76. static TNodeCompare(CompareName)
  77. {
  78. PrivNode * p1 = (PrivNode *)v1;
  79. PrivNode * p2 = (PrivNode *)v2;
  80. return UStrICmp(p1->Name(),p2->Name());
  81. }
  82. static TNodeCompareValue(CompareValue)
  83. {
  84. PrivNode * p = (PrivNode *)tnode;
  85. WCHAR * str = (WCHAR *)value;
  86. return UStrICmp(p->Name(),str);
  87. }
  88. public:
  89. PrivList() { TypeSetSorted(); CompareSet(&CompareName); }
  90. ~PrivList() { DeleteAllListItems(PrivNode); }
  91. void InsertPrivilege(PrivNode * p) { SortedInsertIfNew((TNode *)p); }
  92. BOOL Contains(WCHAR * priv) { return ( NULL != Find(&CompareValue,(void*)priv) ); }
  93. };
  94. DWORD
  95. BuildPrivilegeList(
  96. LSA_HANDLE policy, // in - handle to LSA
  97. WCHAR * account, // in - account to list privileges for
  98. WCHAR * strSid, // in - textual form of account's sid, if known
  99. WCHAR * computer, // in - computer name
  100. PrivList * privList, // i/o- list of privileges
  101. PSID * ppSid // out- SID for the account
  102. );
  103. DWORD
  104. BuildPrivilegeList(
  105. LSA_HANDLE policy, // in - handle to LSA
  106. PSID pSid, // in - sid of account to list privileges for
  107. PrivList * privList // i/o- list of privileges
  108. );
  109. NTSTATUS
  110. OpenPolicy(
  111. LPWSTR ServerName, // machine to open policy on (Unicode)
  112. DWORD DesiredAccess, // desired access to policy
  113. PLSA_HANDLE PolicyHandle // resultant policy handle
  114. );
  115. BOOL
  116. GetAccountSid(
  117. LPTSTR SystemName, // where to lookup account
  118. LPTSTR AccountName, // account of interest
  119. PSID *Sid // resultant buffer containing SID
  120. );
  121. NTSTATUS
  122. SetPrivilegeOnAccount(
  123. LSA_HANDLE PolicyHandle, // open policy handle
  124. PSID AccountSid, // SID to grant privilege to
  125. LPWSTR PrivilegeName, // privilege to grant (Unicode)
  126. BOOL bEnable // enable or disable
  127. );
  128. /////////////////////////////////////////////////////////////////////////////
  129. // CUserRights
  130. CUserRights::~CUserRights()
  131. {
  132. if ( m_SrcPolicy )
  133. {
  134. LsaClose(m_SrcPolicy);
  135. }
  136. if ( m_TgtPolicy )
  137. {
  138. LsaClose(m_TgtPolicy);
  139. }
  140. }
  141. STDMETHODIMP
  142. CUserRights::OpenSourceServer(
  143. BSTR serverName // in - computer name (DC) for source domain
  144. )
  145. {
  146. DWORD rc;
  147. if ( m_SrcPolicy )
  148. {
  149. LsaClose(m_SrcPolicy);
  150. m_SrcPolicy = NULL;
  151. }
  152. rc = OpenPolicy( serverName, POLICY_LOOKUP_NAMES, &m_SrcPolicy );
  153. m_SourceComputer = serverName;
  154. return HRESULT_FROM_WIN32(rc);
  155. }
  156. STDMETHODIMP
  157. CUserRights::OpenTargetServer(
  158. BSTR computerName // in - computer name (DC) for target domain
  159. )
  160. {
  161. DWORD rc;
  162. if ( m_TgtPolicy )
  163. {
  164. LsaClose(m_TgtPolicy);
  165. m_TgtPolicy = NULL;
  166. }
  167. rc = OpenPolicy( computerName,POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES ,&m_TgtPolicy);
  168. m_TargetComputer = computerName;
  169. return HRESULT_FROM_WIN32(rc);
  170. }
  171. STDMETHODIMP
  172. CUserRights::CopyUserRights(
  173. BSTR sourceUserName, // in - source domain account to copy rights from
  174. BSTR targetUserName // in - target domain account to copy rights to
  175. )
  176. {
  177. HRESULT hr = S_OK;
  178. DWORD rc;
  179. // Make sure source and target are open
  180. if ( m_SrcPolicy && m_TgtPolicy )
  181. {
  182. rc = CopyUserRightsInternal(sourceUserName,targetUserName,L"",L"",m_bNoChange,m_bRemove);
  183. hr = HRESULT_FROM_WIN32(rc);
  184. }
  185. else
  186. {
  187. hr = E_FAIL;
  188. }
  189. return S_OK;
  190. }
  191. STDMETHODIMP
  192. CUserRights::CopyUserRightsWithSids(
  193. BSTR sourceUserName, // in - source domain account to copy rights from
  194. BSTR sourceSID, // in - source account SID (in string format)
  195. BSTR targetUserName, // in - target domain account to copy rights to
  196. BSTR targetSID // in - target account SID (in string format)
  197. )
  198. {
  199. HRESULT hr = S_OK;
  200. DWORD rc;
  201. // Make sure source and target are open
  202. if ( m_SrcPolicy && m_TgtPolicy )
  203. {
  204. rc = CopyUserRightsInternal(sourceUserName,targetUserName,sourceSID,targetSID,m_bNoChange,m_bRemove);
  205. hr = HRESULT_FROM_WIN32(rc);
  206. }
  207. else
  208. {
  209. hr = E_FAIL;
  210. }
  211. return S_OK;
  212. }
  213. STDMETHODIMP CUserRights::get_NoChange(BOOL *pVal) // out- value
  214. {
  215. (*pVal) = m_bNoChange;
  216. return S_OK;
  217. }
  218. STDMETHODIMP CUserRights::put_NoChange(BOOL newVal) // in - new value
  219. {
  220. m_bNoChange = newVal;
  221. return S_OK;
  222. }
  223. STDMETHODIMP CUserRights::get_RemoveOldRightsFromTargetAccounts(BOOL *pVal) // out- value
  224. {
  225. (*pVal) = m_bRemove;
  226. return S_OK;
  227. }
  228. STDMETHODIMP CUserRights::put_RemoveOldRightsFromTargetAccounts(BOOL newVal) // in - new value
  229. {
  230. m_bRemove = newVal;
  231. return S_OK;
  232. }
  233. STDMETHODIMP
  234. CUserRights::ExportUserRights(
  235. BSTR server, // in - computer to read rights from
  236. BSTR filename, // in - filename to export list of rights to
  237. BOOL bAppendToFile // in - flag, append or overwrite file if it exists
  238. )
  239. {
  240. LSA_HANDLE policy;
  241. HRESULT hr = S_OK;
  242. DWORD rc;
  243. rc = OpenPolicy(server,POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,&policy);
  244. if ( ! rc )
  245. {
  246. CommaDelimitedLog log;
  247. if ( log.LogOpen(filename,FALSE,bAppendToFile) )
  248. {
  249. // Enumerate the privileges on this machine
  250. // arguments for LsaEnumeratePrivileges
  251. ULONG countOfRights;
  252. DWORD prefMax = 0xffffffff;
  253. LSA_ENUMERATION_HANDLE handle = 0;
  254. POLICY_PRIVILEGE_DEFINITION * pRights = NULL;
  255. do
  256. {
  257. rc = LsaEnumeratePrivileges(policy,&handle,(LPVOID*)&pRights,prefMax,&countOfRights);
  258. if ( rc )
  259. {
  260. rc = LsaNtStatusToWinError(rc);
  261. if ( rc == ERROR_NO_MORE_ITEMS )
  262. rc = 0;
  263. break;
  264. }
  265. // For each right, enumerate the accounts that have that right
  266. if ( ! rc )
  267. {
  268. for ( UINT right = 0 ;right < countOfRights ; right++ )
  269. {
  270. rc = EnumerateAccountsWithRight(policy,server,&pRights[right].Name,&log);
  271. }
  272. LsaFreeMemory(pRights);
  273. LSA_UNICODE_STRING lsaRight;
  274. // For some reason, LsaEnumeratePrivileges doesn't return these rights
  275. // They are defined in "ntsecapi.h", and not with the rest of the privileges in "winnt.h"
  276. if ( ! rc )
  277. {
  278. InitLsaString(&lsaRight,SE_INTERACTIVE_LOGON_NAME);
  279. rc = EnumerateAccountsWithRight(policy,server,&lsaRight,&log);
  280. }
  281. if ( ! rc )
  282. {
  283. InitLsaString(&lsaRight,SE_NETWORK_LOGON_NAME);
  284. rc = EnumerateAccountsWithRight(policy,server,&lsaRight,&log);
  285. }
  286. if ( ! rc )
  287. {
  288. InitLsaString(&lsaRight,SE_BATCH_LOGON_NAME);
  289. rc = EnumerateAccountsWithRight(policy,server,&lsaRight,&log);
  290. }
  291. if ( ! rc )
  292. {
  293. InitLsaString(&lsaRight,SE_SERVICE_LOGON_NAME);
  294. rc = EnumerateAccountsWithRight(policy,server,&lsaRight,&log);
  295. }
  296. }
  297. else
  298. {
  299. rc = LsaNtStatusToWinError(rc);
  300. }
  301. }
  302. while ( ! rc );
  303. log.LogClose();
  304. }
  305. else
  306. {
  307. rc = GetLastError();
  308. }
  309. LsaClose(policy);
  310. }
  311. hr = HRESULT_FROM_WIN32(rc);
  312. return hr;
  313. }
  314. DWORD
  315. CUserRights::EnumerateAccountsWithRight(
  316. LSA_HANDLE policy, // in - handle to LSA
  317. WCHAR * server, // in - computer name
  318. LSA_UNICODE_STRING * pRight, // in - user right
  319. CommaDelimitedLog * pLog // in - pointer to log object to log information to
  320. )
  321. {
  322. DWORD rc = 0;
  323. WCHAR account[LEN_Account];
  324. WCHAR domain[LEN_Domain];
  325. WCHAR domacct[LEN_Domain + LEN_Account];
  326. WCHAR szRight[LEN_Account];
  327. WCHAR szDisplayName[LEN_DisplayName];
  328. DWORD lenAccount = DIM(account);
  329. DWORD lenDomain = DIM(domain);
  330. DWORD lenDisplayName = DIM(szDisplayName);
  331. SID_NAME_USE snu;
  332. DWORD lid;
  333. BOOL bUseDisplayName;
  334. // arguments for LsaEnumerateAccountsWithUserRight
  335. ULONG countOfUsers;
  336. LSA_ENUMERATION_INFORMATION * pInfo = NULL;
  337. UStrCpy(szRight,pRight->Buffer,pRight->Length/(sizeof WCHAR) + 1);
  338. bUseDisplayName = m_bUseDisplayName && LookupPrivilegeDisplayName(server,szRight,szDisplayName,&lenDisplayName,&lid);
  339. rc = LsaEnumerateAccountsWithUserRight(policy,pRight,(PVOID*)&pInfo,&countOfUsers);
  340. if ( ! rc )
  341. {
  342. for ( UINT user = 0 ; user < countOfUsers ; user++ )
  343. {
  344. if ( ! pInfo[user].Sid )
  345. {
  346. break; // something is wrong
  347. }
  348. domain[0] = 0;
  349. account[0] = 0;
  350. lenDomain = DIM(domain);
  351. lenAccount = DIM(account);
  352. if ( LookupAccountSid(server,pInfo[user].Sid,account,&lenAccount,domain,&lenDomain,&snu) )
  353. {
  354. if ( *account )
  355. {
  356. swprintf(domacct,L"%s\\%s",domain,account);
  357. }
  358. else
  359. {
  360. lenAccount = DIM(account);
  361. GetTextualSid(pInfo[user].Sid,account,&lenAccount);
  362. if ( snu == SidTypeDeletedAccount )
  363. {
  364. swprintf(domacct,L"%s\\<Deleted Account: %s>",domain,account);
  365. }
  366. else
  367. {
  368. swprintf(domacct,L"%s\\<%s>",domain,account);
  369. }
  370. }
  371. }
  372. else
  373. {
  374. lenAccount = DIM(account);
  375. GetTextualSid(pInfo[user].Sid,domacct,&lenAccount);
  376. }
  377. if ( bUseDisplayName )
  378. {
  379. pLog->MsgWrite(L"%s, %s, %s",server,domacct,szDisplayName);
  380. }
  381. else
  382. {
  383. pLog->MsgWrite(L"%s, %s, %s",server,domacct,szRight);
  384. }
  385. }
  386. LsaFreeMemory(pInfo);
  387. }
  388. else
  389. {
  390. rc = LsaNtStatusToWinError(rc);
  391. if ( rc == ERROR_NO_MORE_ITEMS )
  392. rc = 0;
  393. }
  394. return rc;
  395. }
  396. DWORD
  397. CUserRights::CopyUserRightsInternal(
  398. WCHAR * srcAccount, // in - source account to copy rights from
  399. WCHAR * tgtAccount, // in - account to copy rights to
  400. WCHAR * srcSidStr, // in - sid for source account, in string format
  401. WCHAR * tgtSidStr, // in - sid for target account, in string format
  402. BOOL bNoChange, // in - flag, whether to write changes
  403. BOOL bRemove // in - flag, whether to revoke rights from target if not held by source
  404. )
  405. {
  406. DWORD rc = 0;
  407. PrivList srcList;
  408. PrivList tgtList;
  409. PSID pSidSrc = NULL;
  410. PSID pSidTgt = NULL;
  411. // Get a list of the privileges held by srcAccount
  412. rc = BuildPrivilegeList(m_SrcPolicy,srcAccount,srcSidStr,m_SourceComputer,&srcList,&pSidSrc);
  413. if ( ! rc )
  414. {
  415. rc = BuildPrivilegeList(m_TgtPolicy,tgtAccount,tgtSidStr,m_TargetComputer,&tgtList,&pSidTgt);
  416. if ( ! rc )
  417. {
  418. if ( bRemove )
  419. {
  420. // Get a list of privileges held by tgtAccount
  421. // Remove old privileges
  422. TNodeListEnum tEnum;
  423. PrivNode * p;
  424. for ( p = (PrivNode *)tEnum.OpenFirst(&tgtList) ; p ; p = (PrivNode*)tEnum.Next() )
  425. {
  426. if ( ! srcList.Contains(p->Name()) )
  427. {
  428. // The source account doesn't have this privilege - remove it
  429. if (! bNoChange )
  430. {
  431. rc = SetPrivilegeOnAccount(m_TgtPolicy,pSidTgt,p->Name(),FALSE);
  432. }
  433. if ( rc )
  434. {
  435. rc = LsaNtStatusToWinError(rc);
  436. err.MsgWrite(ErrE,DCT_MSG_REMOVE_RIGHT_FAILED_SSD,p->Name(),tgtAccount,rc);
  437. break;
  438. }
  439. else
  440. {
  441. err.MsgWrite(0,DCT_MSG_REMOVED_RIGHT_SS,p->Name(), tgtAccount);
  442. }
  443. }
  444. else
  445. {
  446. err.MsgWrite(0,DCT_MSG_USER_HAS_RIGHT_SS,tgtAccount,p->Name());
  447. }
  448. }
  449. }
  450. // Grant privileges to new account
  451. TNodeListEnum tEnum;
  452. PrivNode * p;
  453. for ( p = (PrivNode *)tEnum.OpenFirst(&srcList) ; p ; p = (PrivNode*)tEnum.Next() )
  454. {
  455. if ( ! tgtList.Contains(p->Name()) )
  456. {
  457. if ( ! bNoChange )
  458. {
  459. rc = SetPrivilegeOnAccount(m_TgtPolicy,pSidTgt,p->Name(),TRUE);
  460. if ( rc )
  461. {
  462. rc = LsaNtStatusToWinError(rc);
  463. err.MsgWrite(ErrE,DCT_MSG_ADD_RIGHT_FAILED_SSD,p->Name(),tgtAccount,rc);
  464. break;
  465. }
  466. else
  467. {
  468. err.MsgWrite(0,DCT_MSG_RIGHT_GRANTED_SS,p->Name(),tgtAccount);
  469. }
  470. }
  471. }
  472. }
  473. }
  474. }
  475. // Clean up SIDs
  476. if(pSidSrc != NULL)
  477. {
  478. HeapFree(GetProcessHeap(), 0, pSidSrc);
  479. }
  480. if(pSidTgt != NULL)
  481. {
  482. HeapFree(GetProcessHeap(), 0, pSidTgt);
  483. }
  484. return rc;
  485. }
  486. /*++
  487. Managing user privileges can be achieved programmatically using the
  488. following steps:
  489. 1. Open the policy on the target machine with LsaOpenPolicy(). To grant
  490. privileges, open the policy with POLICY_CREATE_ACCOUNT and
  491. POLICY_LOOKUP_NAMES access. To revoke privileges, open the policy with
  492. POLICY_LOOKUP_NAMES access.
  493. 2. Obtain a SID (security identifier) representing the user/group of
  494. interest. The LookupAccountName() and LsaLookupNames() APIs can obtain a
  495. SID from an account name.
  496. 3. Call LsaAddAccountRights() to grant privileges to the user(s)
  497. represented by the supplied SID.
  498. 4. Call LsaRemoveAccountRights() to revoke privileges from the user(s)
  499. represented by the supplied SID.
  500. 5. Close the policy with LsaClose().
  501. To successfully grant and revoke privileges, the caller needs to be an
  502. administrator on the target system.
  503. The LSA API LsaEnumerateAccountRights() can be used to determine which
  504. privileges have been granted to an account.
  505. The LSA API LsaEnumerateAccountsWithUserRight() can be used to determine
  506. which accounts have been granted a specified privilege.
  507. Documentation and header files for these LSA APIs is provided in the
  508. Windows 32 SDK in the MSTOOLS\SECURITY directory.
  509. --*/
  510. #define RTN_OK 0
  511. #define RTN_USAGE 1
  512. #define RTN_ERROR 13
  513. DWORD
  514. BuildPrivilegeList(
  515. LSA_HANDLE policy, // in - handle to LSA
  516. PSID pSid, // in - SID for account
  517. PrivList * privList // i/o- list of rights held by the account
  518. )
  519. {
  520. DWORD rc = 0;
  521. ULONG countOfRights = 0;
  522. PLSA_UNICODE_STRING pUserRights = NULL;
  523. rc = LsaEnumerateAccountRights(policy,pSid,&pUserRights,&countOfRights);
  524. rc = LsaNtStatusToWinError(rc);
  525. if ( rc == ERROR_FILE_NOT_FOUND )
  526. {
  527. // This account has no privileges
  528. rc = 0;
  529. countOfRights = 0;
  530. }
  531. if ( ! rc )
  532. {
  533. for ( UINT i = 0 ; i < countOfRights ; i++ )
  534. {
  535. PrivNode * p = new PrivNode(pUserRights[i].Buffer,pUserRights[i].Length/2);
  536. privList->InsertPrivilege(p);
  537. }
  538. LsaFreeMemory(pUserRights);
  539. }
  540. return rc;
  541. }
  542. DWORD
  543. BuildPrivilegeList(
  544. LSA_HANDLE policy, // in - handle to LSA
  545. WCHAR * account, // in - account name to list rights for
  546. WCHAR * strSid, // in - text format of the accounts SID, if known
  547. WCHAR * computer, // in - computer to list rights on
  548. PrivList * privList, // i/o- list of rights held by account
  549. PSID * ppSid // out- SID for account
  550. )
  551. {
  552. DWORD rc = 0;
  553. PSID pSid = NULL;
  554. if ( strSid && (*strSid) )
  555. {
  556. // use the provided SID
  557. pSid = SidFromString(strSid);
  558. if ( ! pSid )
  559. {
  560. rc = GetLastError();
  561. }
  562. }
  563. else
  564. {
  565. // no SID provided, so look it up on the domain
  566. if ( !GetAccountSid(computer,account,&pSid) )
  567. {
  568. rc = GetLastError();
  569. }
  570. }
  571. if ( rc )
  572. {
  573. (*ppSid) = NULL;
  574. if(pSid != NULL)
  575. {
  576. HeapFree(GetProcessHeap(), 0, pSid);
  577. }
  578. }
  579. else
  580. {
  581. (*ppSid) = pSid;
  582. }
  583. if ( pSid )
  584. {
  585. rc = BuildPrivilegeList(policy,pSid,privList);
  586. }
  587. return rc;
  588. }
  589. BOOL
  590. GetAccountSid(
  591. LPTSTR SystemName, // in - computer name to lookup sid on
  592. LPTSTR AccountName, // in - account name
  593. PSID *Sid // out- SID for account
  594. )
  595. {
  596. WCHAR ReferencedDomain[LEN_Domain];
  597. DWORD cbSid=128; // initial allocation attempt
  598. DWORD cbReferencedDomain=DIM(ReferencedDomain); // initial allocation size
  599. SID_NAME_USE peUse;
  600. BOOL bSuccess=FALSE; // assume this function will fail
  601. __try {
  602. //
  603. // initial memory allocations
  604. //
  605. if((*Sid=HeapAlloc(
  606. GetProcessHeap(),
  607. 0,
  608. cbSid
  609. )) == NULL) __leave;
  610. //
  611. // Obtain the SID of the specified account on the specified system.
  612. //
  613. while(!LookupAccountName(
  614. SystemName, // machine to lookup account on
  615. AccountName, // account to lookup
  616. *Sid, // SID of interest
  617. &cbSid, // size of SID
  618. ReferencedDomain, // domain account was found on
  619. &cbReferencedDomain,
  620. &peUse
  621. )) {
  622. if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
  623. //
  624. // reallocate memory
  625. //
  626. if((*Sid=HeapReAlloc(
  627. GetProcessHeap(),
  628. 0,
  629. *Sid,
  630. cbSid
  631. )) == NULL) __leave;
  632. }
  633. else __leave;
  634. }
  635. //
  636. // Indicate success.
  637. //
  638. bSuccess=TRUE;
  639. } // finally
  640. __finally {
  641. //
  642. // Cleanup and indicate failure, if appropriate.
  643. //
  644. if(!bSuccess) {
  645. if(*Sid != NULL) {
  646. HeapFree(GetProcessHeap(), 0, *Sid);
  647. *Sid = NULL;
  648. }
  649. }
  650. } // finally
  651. return bSuccess;
  652. }
  653. NTSTATUS
  654. SetPrivilegeOnAccount(
  655. LSA_HANDLE PolicyHandle, // open policy handle
  656. PSID AccountSid, // SID to grant privilege to
  657. LPWSTR PrivilegeName, // privilege to grant (Unicode)
  658. BOOL bEnable // enable or disable
  659. )
  660. {
  661. LSA_UNICODE_STRING PrivilegeString;
  662. //
  663. // Create a LSA_UNICODE_STRING for the privilege name.
  664. //
  665. InitLsaString(&PrivilegeString, PrivilegeName);
  666. //
  667. // grant or revoke the privilege, accordingly
  668. //
  669. if(bEnable) {
  670. return LsaAddAccountRights(
  671. PolicyHandle, // open policy handle
  672. AccountSid, // target SID
  673. &PrivilegeString, // privileges
  674. 1 // privilege count
  675. );
  676. }
  677. else {
  678. return LsaRemoveAccountRights(
  679. PolicyHandle, // open policy handle
  680. AccountSid, // target SID
  681. FALSE, // do not disable all rights
  682. &PrivilegeString, // privileges
  683. 1 // privilege count
  684. );
  685. }
  686. }
  687. STDMETHODIMP
  688. CUserRights::AddUserRight(
  689. BSTR server, // in - computer to grant right on
  690. BSTR strSid, // in - textual form of sid for account to grant right to
  691. BSTR right // in - right to grant to account
  692. )
  693. {
  694. LSA_HANDLE policy;
  695. HRESULT hr = S_OK;
  696. DWORD rc;
  697. PSID pSid = SidFromString(strSid);
  698. rc = OpenPolicy(server,POLICY_ALL_ACCESS /*POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION*/,&policy);
  699. if ( ! rc )
  700. {
  701. if ( ! m_bNoChange )
  702. {
  703. rc = SetPrivilegeOnAccount(policy,pSid,right,TRUE);
  704. }
  705. if ( rc )
  706. {
  707. rc = LsaNtStatusToWinError(rc);
  708. hr = HRESULT_FROM_WIN32(rc);
  709. }
  710. LsaClose(policy);
  711. }
  712. FreeSid(pSid);
  713. return HRESULT_FROM_WIN32(rc);
  714. }
  715. STDMETHODIMP
  716. CUserRights::RemoveUserRight(
  717. BSTR server, // in - computer to revoke right on
  718. BSTR strSid, // in - textual sid of account to revoke right for
  719. BSTR right // in - right to revoke
  720. )
  721. {
  722. LSA_HANDLE policy;
  723. HRESULT hr = S_OK;
  724. DWORD rc;
  725. PSID pSid = SidFromString(strSid);
  726. rc = OpenPolicy(server,POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,&policy);
  727. if ( ! rc )
  728. {
  729. if ( ! m_bNoChange )
  730. {
  731. rc = SetPrivilegeOnAccount(policy,pSid,right,FALSE);
  732. }
  733. if ( rc )
  734. {
  735. rc = LsaNtStatusToWinError(rc);
  736. hr = HRESULT_FROM_WIN32(rc);
  737. }
  738. LsaClose(policy);
  739. }
  740. FreeSid(pSid);
  741. return HRESULT_FROM_WIN32(rc);
  742. }
  743. DWORD
  744. CUserRights::SafeArrayFromPrivList(
  745. PrivList * privList, // in - list of user rights
  746. SAFEARRAY ** pArray // out- safearray containing list contents
  747. )
  748. {
  749. DWORD rc = 0;
  750. HRESULT hr;
  751. TNodeListEnum e;
  752. SAFEARRAYBOUND bound;
  753. LONG ndx[1];
  754. bound.lLbound = 0;
  755. bound.cElements = privList->Count();
  756. (*pArray) = SafeArrayCreate(VT_BSTR,1,&bound);
  757. if ( (*pArray) )
  758. {
  759. PrivNode * p;
  760. UINT i;
  761. for ( p=(PrivNode*)e.OpenFirst(privList) , i = 0 ;
  762. p ;
  763. p = (PrivNode*)e.Next() , i++ )
  764. {
  765. ndx[0] = i;
  766. hr = SafeArrayPutElement((*pArray),ndx,SysAllocString(p->Name()));
  767. if ( FAILED(hr) )
  768. {
  769. rc = hr;
  770. break;
  771. }
  772. }
  773. e.Close();
  774. }
  775. else
  776. {
  777. rc = GetLastError();
  778. }
  779. return rc;
  780. }
  781. STDMETHODIMP
  782. CUserRights::GetRights(
  783. BSTR server, // in - computer
  784. SAFEARRAY ** pRightsArray // out- list of rights on computer
  785. )
  786. {
  787. HRESULT hr = S_OK;
  788. PrivList priv;
  789. DWORD rc = 0;
  790. LSA_HANDLE policy = NULL;
  791. rc = OpenPolicy(server,POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,&policy);
  792. // Enumerate the privileges on this machine
  793. // arguments for LsaEnumeratePrivileges
  794. ULONG countOfRights;
  795. DWORD prefMax = 0xffffffff;
  796. LSA_ENUMERATION_HANDLE handle = 0;
  797. POLICY_PRIVILEGE_DEFINITION * pRights = NULL;
  798. do
  799. {
  800. if ( rc )
  801. break;
  802. rc = LsaEnumeratePrivileges(policy,&handle,(LPVOID*)&pRights,prefMax,&countOfRights);
  803. if ( rc )
  804. {
  805. rc = LsaNtStatusToWinError(rc);
  806. if ( rc == ERROR_NO_MORE_ITEMS )
  807. rc = 0;
  808. break;
  809. }
  810. if ( ! rc )
  811. {
  812. PrivNode * p = NULL;
  813. for ( UINT right = 0 ;right < countOfRights ; right++ )
  814. {
  815. // Length is in bytes
  816. p = new PrivNode(pRights[right].Name.Buffer,pRights[right].Name.Length/2);
  817. priv.InsertPrivilege(p);
  818. }
  819. LsaFreeMemory(pRights);
  820. LSA_UNICODE_STRING lsaRight;
  821. // For some reason, LsaEnumeratePrivileges doesn't return these rights
  822. // They are defined in "ntsecapi.h", and not with the rest of the privileges in "winnt.h"
  823. if ( ! rc )
  824. {
  825. InitLsaString(&lsaRight,SE_INTERACTIVE_LOGON_NAME);
  826. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  827. priv.InsertPrivilege(p);
  828. }
  829. if ( ! rc )
  830. {
  831. InitLsaString(&lsaRight,SE_NETWORK_LOGON_NAME);
  832. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  833. priv.InsertPrivilege(p);
  834. }
  835. if ( ! rc )
  836. {
  837. InitLsaString(&lsaRight,SE_BATCH_LOGON_NAME);
  838. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  839. priv.InsertPrivilege(p);
  840. }
  841. if ( ! rc )
  842. {
  843. InitLsaString(&lsaRight,SE_SERVICE_LOGON_NAME);
  844. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  845. priv.InsertPrivilege(p);
  846. }
  847. // Check the OS version on the server
  848. WKSTA_INFO_100 * pInfo;
  849. BOOL bIsWin2K = TRUE;
  850. DWORD rcInfo = NetWkstaGetInfo(server,100,(LPBYTE*)&pInfo);
  851. if ( ! rcInfo )
  852. {
  853. if ( pInfo->wki100_ver_major < 5 )
  854. {
  855. bIsWin2K = FALSE;
  856. }
  857. NetApiBufferFree(pInfo);
  858. }
  859. // The 4 "deny" rights are only defined on Windows 2000.
  860. if ( bIsWin2K )
  861. {
  862. if ( ! rc )
  863. {
  864. InitLsaString(&lsaRight,SE_DENY_INTERACTIVE_LOGON_NAME);
  865. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  866. priv.InsertPrivilege(p);
  867. }
  868. if ( ! rc )
  869. {
  870. InitLsaString(&lsaRight,SE_DENY_NETWORK_LOGON_NAME);
  871. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  872. priv.InsertPrivilege(p);
  873. }
  874. if ( ! rc )
  875. {
  876. InitLsaString(&lsaRight,SE_DENY_BATCH_LOGON_NAME);
  877. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  878. priv.InsertPrivilege(p);
  879. }
  880. if ( ! rc )
  881. {
  882. InitLsaString(&lsaRight,SE_DENY_SERVICE_LOGON_NAME);
  883. p = new PrivNode(lsaRight.Buffer,lsaRight.Length/2);
  884. priv.InsertPrivilege(p);
  885. }
  886. }
  887. }
  888. else
  889. {
  890. rc = LsaNtStatusToWinError(rc);
  891. }
  892. } while ( false);
  893. if ( policy )
  894. {
  895. LsaClose(policy);
  896. }
  897. // Build a safearray of BSTRs from the priv-list
  898. rc = SafeArrayFromPrivList(&priv,pRightsArray);
  899. hr = HRESULT_FROM_WIN32(rc);
  900. return hr;
  901. }
  902. STDMETHODIMP
  903. CUserRights::GetUsersWithRight(
  904. BSTR server, // in - computer name
  905. BSTR right, // in - right to lookup
  906. SAFEARRAY ** users // out- list of accounts that hold right
  907. )
  908. {
  909. DWORD rc = 0;
  910. LSA_UNICODE_STRING Right;
  911. WCHAR strSid[LEN_SID];
  912. DWORD lenStrSid = DIM(strSid);
  913. PrivList plist;
  914. LSA_HANDLE policy = NULL;
  915. rc = OpenPolicy(server,POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,&policy);
  916. // arguments for LsaEnumerateAccountsWithUserRight
  917. ULONG countOfUsers;
  918. LSA_ENUMERATION_INFORMATION * pInfo = NULL;
  919. InitLsaString(&Right,right);
  920. rc = LsaEnumerateAccountsWithUserRight(policy,&Right,(PVOID*)&pInfo,&countOfUsers);
  921. if ( ! rc )
  922. {
  923. for ( UINT user = 0 ; user < countOfUsers ; user++ )
  924. {
  925. if ( ! pInfo[user].Sid )
  926. {
  927. continue; // something is wrong
  928. }
  929. GetTextualSid(pInfo[user].Sid,strSid,&lenStrSid);
  930. PrivNode * p = new PrivNode(strSid,(USHORT) UStrLen(strSid));
  931. plist.InsertPrivilege(p);
  932. }
  933. LsaFreeMemory(pInfo);
  934. }
  935. else
  936. {
  937. rc = LsaNtStatusToWinError(rc);
  938. if ( rc == ERROR_NO_MORE_ITEMS )
  939. rc = 0;
  940. }
  941. if ( ! rc )
  942. {
  943. rc = SafeArrayFromPrivList(&plist,users);
  944. }
  945. if ( policy )
  946. LsaClose(policy);
  947. return HRESULT_FROM_WIN32(rc);
  948. }
  949. STDMETHODIMP
  950. CUserRights::GetRightsOfUser(
  951. BSTR server, // in - computer name
  952. BSTR strSid, // in - textual sid for account
  953. SAFEARRAY ** rights // out- list of rights held by account on server
  954. )
  955. {
  956. DWORD rc = 0;
  957. PSID pSid = SidFromString(strSid);
  958. LSA_HANDLE policy = NULL;
  959. PrivList plist;
  960. rc = OpenPolicy(server,POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,&policy);
  961. if ( ! rc )
  962. {
  963. rc = BuildPrivilegeList(policy,pSid,&plist);
  964. if ( ! rc )
  965. {
  966. rc = SafeArrayFromPrivList(&plist,rights);
  967. }
  968. LsaClose(policy);
  969. }
  970. return HRESULT_FROM_WIN32(rc);
  971. }