|
|
/*
File adsi.cpp
Com interaction with adsi
Paul Mayfield, 4/14/98*/
#include "dsrights.h"
#include "sddl.h"
#include "mprapip.h"
#include "dsgetdc.h"
// Definition for convenience
//
#define DSR_ADS_RIGHT_GENERIC_READ (ADS_RIGHT_READ_CONTROL | \
ADS_RIGHT_DS_LIST_OBJECT | \ ADS_RIGHT_DS_READ_PROP | \ ADS_RIGHT_ACTRL_DS_LIST )
#define DSR_ADS_ACE_INHERITED (ADS_ACEFLAG_INHERIT_ONLY_ACE | \
ADS_ACEFLAG_INHERIT_ACE)
//
// Describes an Access control entry
//
typedef struct _DSR_ACE_DESCRIPTOR{ LONG dwAccessMask; LONG dwAceType; LONG dwAceFlags; LONG dwFlags; BSTR bstrTrustee; BSTR bstrObjectType; BSTR bstrInheritedObjectType;} DSR_ACE_DESCRIPTOR;
//
// Structure maps a domain object to the ACES that should be
// added or removed from it in order to enable/disable NT4
// ras servers in the domain
//
typedef struct _DSR_ACE_APPLICATION{ IADs* pObject; DSR_ACE_DESCRIPTOR Ace;
} DSR_ACE_APPLICATION;
//
// Parameters used to generate a DSR_ACE_APPLICATION
//
typedef struct _DSR_ACE_APPLICATION_DESC{ PWCHAR pszObjectCN; // NULL means domain root
PWCHAR pszObjectClass; DSR_ACE_DESCRIPTOR Ace;
} DSR_ACE_APPLICATION_DESC;
//
// Structure contains the information needed to have
// ACL's in the AD of a given domain adjusted such that
// the various modes (MPR_DOMAIN_*) of access are granted.
//
typedef struct _DSR_DOMAIN_ACCESS_INFO{ // The name of a DC in the target domain
//
PWCHAR pszDC;
// Aces derived from the default user SD
// These are added in all modes but never removed.
//
DSR_ACE_APPLICATION* pAcesUser; DWORD dwAceCountUser;
// Aces for MPRFLAG_DOMAIN_NT4_SERVERS mode
//
DSR_ACE_APPLICATION* pAcesNt4; DWORD dwAceCountNt4;
// Aces for MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS mode
//
DSR_ACE_APPLICATION* pAcesW2k; DWORD dwAceCountW2k;
// Stored here for convenience, pointers
// to common ds objects
//
IADs* pDomain; IADs* pRootDse; IADs* pUserClass;
} DSR_DOMAIN_ACCESS_INFO;
//
// Strings used in DS queries
//
static const WCHAR pszLdapPrefix[] = L"LDAP://";static const WCHAR pszLdap[] = L"LDAP:";static const WCHAR pszCN[] = L"CN=";static const WCHAR pszGCPrefix[] = L"GC://";static const WCHAR pszGC[] = L"GC:";static const WCHAR pszRootDse[] = L"RootDSE";static const WCHAR pszSecurityDesc[] = L"ntSecurityDescriptor";static const WCHAR pszDefSecurityDesc[] = L"defaultSecurityDescriptor";static const WCHAR pszDn[] = L"distinguishedName";static const WCHAR pszSid[] = L"objectSid";static const WCHAR pszEveryone[] = L"S-1-1-0";static const WCHAR pszDefaultNamingContext[] = L"defaultNamingContext";static const WCHAR pszSchemaNamingCtx[] = L"schemaNamingContext";
static const WCHAR pszBecomeSchemaMaster[] = L"becomeSchemaMaster";static const WCHAR pszUpdateSchemaCache[] = L"schemaUpdateNow";static const WCHAR pszRegValSchemaLock[] = L"Schema Update Allowed";static const WCHAR pszRegKeySchemaLock[] = L"System\\CurrentControlSet\\Services\\NTDS\\Parameters";
static const WCHAR pszSystemClass[] = L"Container";static const WCHAR pszSystemCN[] = L"CN=System";
static const WCHAR pszBuiltinClass[] = L"builtinDomain";static const WCHAR pszBuiltinCN[] = L"CN=Builtin";
static const WCHAR pszSamSvrClass[] = L"samServer";static const WCHAR pszSamSvrCN[] = L"CN=Server,CN=System";
static const WCHAR pszUserClass[] = L"classSchema";static const WCHAR pszUserCN[] = L"CN=user";
static const WCHAR pszAccessChkClass[] = L"Container";static const WCHAR pszAccessChkCN[] = L"CN=RAS and IAS Servers Access Check,CN=System";
static const WCHAR pszGuidUserParms[] = L"{BF967A6D-0DE6-11D0-A285-00AA003049E2}";
static const WCHAR pszGuidUserClass[] = L"{BF967ABA-0DE6-11D0-A285-00aa003049E2}";
//
// This GUID is the property set of the following
// attributes needed for w2k level access.
//
// Token-Groups
// msNPAllowDialin
// msNPCallingStationID
// msRADIUSCallbackNumber
// msRADIUSFramedIPAddress
// msRADIUSFramedRoute
// msRADIUSServiceType
//
static const WCHAR pszGuidRasPropSet1[] = L"{037088F8-0AE1-11D2-B422-00A0C968F939}";
//
// This GUID is the property set of the following
// attributes needed for w2k level access
//
// User-Account-Control
// Account-Expires
//
static const WCHAR pszGuidRasPropSet2[] = L"{4C164200-20C0-11D0-A768-00AA006E0529}";
//
// This GUID is the property of the following
// attribute needed for w2k level access
//
// Logon-Hours
//
static const WCHAR pszGuidLogonHours[] = L"{BF9679AB-0DE6-11D0-A285-00AA003049E2}";
//
// This GUID is the value of the samAccountName
// attribute needed for w2k level access.
//
// samAccountName
//
static const WCHAR pszGuidSamAccountName[] = L"{3E0ABFD0-126A-11D0-A060-00AA006C33ED}";
// The optimal means for searching for a computer
// in a domain is to lookup its sam account name which
// is indexed. The optimal means for searching for a
// group of a given sid is to lookup its SID which is indexed.
//
const WCHAR pszCompFilterFmt[] = L"(samaccountname=%s$)";const WCHAR pszGroupFilterFmt[] = L"(objectSid=%s)";const WCHAR pszUserClassFmt[] = L"(&(objectClass=user)(!(objectClass=computer)))";
//
// The table of aces to be applied for MPRFLAG_DOMAIN_NT4_SERVERS
//
DSR_ACE_APPLICATION_DESC g_pAcesNt4[] ={ // Grant list options to everyone for the root domain
// object
//
{ NULL, // Object (NULL = root)
NULL, // Object class
{ ADS_RIGHT_ACTRL_DS_LIST, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED, // dwAceType
0, // dwAceFlags
0, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
NULL, // bstrObjectType
NULL // bstrInheritedObjectType
} },
// Grant list contents to everyone for the builtin
// object
//
{ (PWCHAR)pszBuiltinCN, // Object
(PWCHAR)pszBuiltinClass, // Object class
{ ADS_RIGHT_ACTRL_DS_LIST, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED, // dwAceType
0, // dwAceFlags
0, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
NULL, // bstrObjectType
NULL // bstrInheritedObjectType
} },
// Grant generic read to everyone on the sam server
// object
//
{ (PWCHAR)pszSamSvrCN, // Object
(PWCHAR)pszSamSvrClass, // Object class
{ DSR_ADS_RIGHT_GENERIC_READ, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED, // dwAceType
0, // dwAceFlags
0, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
NULL, // bstrObjectType
NULL // bstrInheritedObjectType
} },
// Allow everyone to read the userparms property of the
// user class by enabling this inheritable ACE to the
// root domain object
{ NULL, // Object (NULL = root)
NULL, // Object class
{ ADS_RIGHT_DS_READ_PROP, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, // dwAceType
DSR_ADS_ACE_INHERITED, // dwAceFlags
ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
(PWCHAR)pszGuidUserParms, // bstrObjectType
(PWCHAR)pszGuidUserClass // bstrInheritedObjectType
} }
};
//
// The table of aces to be applied for
// MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS
//
DSR_ACE_APPLICATION_DESC g_pAcesW2k[] ={ // Grant list contents to Everyone for the System
// container
//
{ (PWCHAR)pszSystemCN, // Object
(PWCHAR)pszSystemClass, // Object class
{ ADS_RIGHT_ACTRL_DS_LIST, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED, // dwAceType
0, // dwAceFlags
0, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
NULL, // bstrObjectType
NULL // bstrInheritedObjectType
} },
// Grant generic read to Everyone for the 'RAS and IAS Servers
// Access Check' container
//
{ (PWCHAR)pszAccessChkCN, // Object
(PWCHAR)pszAccessChkClass, // Object class
{ DSR_ADS_RIGHT_GENERIC_READ, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED, // dwAceType
0, // dwAceFlags
0, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
NULL, // bstrObjectType
NULL // bstrInheritedObjectType
} },
// Users should expose their RAS properties
//
{ NULL, // Object (NULL = root)
NULL, // Object class
{ ADS_RIGHT_DS_READ_PROP, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, // dwAceType
DSR_ADS_ACE_INHERITED, // dwAceFlags
ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
(PWCHAR)pszGuidRasPropSet1, // bstrObjectType
(PWCHAR)pszGuidUserClass // bstrInheritedObjectType
} },
// Users should expose their RAS properties
//
{ NULL, // Object (NULL = root)
NULL, // Object class
{ ADS_RIGHT_DS_READ_PROP, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, // dwAceType
DSR_ADS_ACE_INHERITED, // dwAceFlags
ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
(PWCHAR)pszGuidRasPropSet2, // bstrObjectType
(PWCHAR)pszGuidUserClass // bstrInheritedObjectType
} },
// Users should expose their logon hours property
//
{ NULL, // Object (NULL = root)
NULL, // Object class
{ ADS_RIGHT_DS_READ_PROP, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, // dwAceType
DSR_ADS_ACE_INHERITED, // dwAceFlags
ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
(PWCHAR)pszGuidLogonHours, // bstrObjectType
(PWCHAR)pszGuidUserClass // bstrInheritedObjectType
} },
// Grant list contents to everything in the domain.
//
//{
// NULL, // Object
// NULL, // Object class
// {
// ADS_RIGHT_ACTRL_DS_LIST, // dwAccessMask
// ADS_ACETYPE_ACCESS_ALLOWED, // dwAceType
// DSR_ADS_ACE_INHERITED, // dwAceFlags
// 0, // dwFlags
// (PWCHAR)pszEveryone, // bstrTrustee
// NULL, // bstrObjectType
// NULL // bstrInheritedObjectType
// }
//},
// Users should expose their samAccountName
//
{ NULL, // Object (NULL = root)
NULL, // Object class
{ ADS_RIGHT_DS_READ_PROP, // dwAccessMask
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, // dwAceType
DSR_ADS_ACE_INHERITED, // dwAceFlags
ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, // dwFlags
(PWCHAR)pszEveryone, // bstrTrustee
(PWCHAR)pszGuidSamAccountName, // bstrObjectType
(PWCHAR)pszGuidUserClass // bstrInheritedObjectType
} }};
DWORDDsrAccessInfoCleanup( IN DSR_DOMAIN_ACCESS_INFO* pSecurityInfo);
DWORDDsrAceDescClear( IN DSR_ACE_DESCRIPTOR* pParams);
HRESULTDsrAceDescCopy( OUT DSR_ACE_DESCRIPTOR* pDst, IN DSR_ACE_DESCRIPTOR* pSrc); VOIDDsrAceDescTrace( IN IADs* pIads, IN DSR_ACE_DESCRIPTOR* pA); HRESULTDsrAceAdd( IN PWCHAR pszDC, IN IADs* pIads, IN DSR_ACE_DESCRIPTOR * pAceParams); HRESULTDsrAceCreate( IN DSR_ACE_DESCRIPTOR * pAceParams, OUT IDispatch** ppAce); HRESULTDsrAceFind( IN PWCHAR pszDC, IN IADs* pObject, IN DSR_ACE_DESCRIPTOR* pAceParams, OUT VARIANT* pVarSD, OUT IADsSecurityDescriptor** ppSD, OUT IADsAccessControlList** ppAcl, OUT IDispatch** ppAce); HRESULTDsrAceFindInAcl( IN PWCHAR pszDC, IN IADsAccessControlList* pAcl, IN DSR_ACE_DESCRIPTOR* pAceDesc, OUT IDispatch** ppAce); HRESULTDsrAceRemove( IN PWCHAR pszDC, IN IADs* pIads, IN DSR_ACE_DESCRIPTOR * pAceParams); HRESULTDsrDomainQueryAccessEx( IN PWCHAR pszDomain, OUT LPDWORD lpdwAccessFlags, OUT DSR_DOMAIN_ACCESS_INFO** ppInfo);
//
// Allocates memory for use with dsr functions
//
PVOID DsrAlloc(DWORD dwSize, BOOL bZero) { return GlobalAlloc (bZero ? GPTR : GMEM_FIXED, dwSize);}
//
// Free memory used by dsr functions
//
DWORD DsrFree(PVOID pvBuf) { GlobalFree(pvBuf); return NO_ERROR;} //
// Compares to optional strings
//
INTDsrStrCompare( IN BSTR bstrS1, IN BSTR bstrS2){ if ((!!bstrS1) != (!!bstrS2)) { return -1; }
if (bstrS1 == NULL) { return 0; }
return lstrcmpi(bstrS1, bstrS2);}
//
// Adds or removes a substring from the given string
//
HRESULTDsrStrAddRemoveSubstring( IN BSTR bstrSrc, IN PWCHAR pszSubString, IN BOOL bAdd, OUT BSTR* pbstrResult){ HRESULT hr = S_OK; PWCHAR pszBuffer = NULL, pszStart = NULL, pszEnd = NULL; PWCHAR pszSrc, pszDst; DWORD dwSize = 0, dwLen = 0;
// Find out if the sub string is already in the
// string
pszStart = wcsstr(bstrSrc, pszSubString);
// The substring already exists in the string
//
if (pszStart) { // No need to add it since it's already there.
if (bAdd) { *pbstrResult = SysAllocString(bstrSrc); }
// Remove the substring
else { dwLen = wcslen(pszSubString); pszEnd = pszStart + dwLen; dwSize = (DWORD)(pszStart - bstrSrc) + wcslen(pszEnd) + 1; dwSize *= sizeof(WCHAR);
pszBuffer = (PWCHAR) DsrAlloc(dwSize, FALSE); if (pszBuffer == NULL) { return E_OUTOFMEMORY; }
// Copy everything up to the substring
//
for (pszSrc = bstrSrc, pszDst = pszBuffer; pszSrc != pszStart; pszSrc++, pszDst++) { *pszDst = *pszSrc; }
// Copy everything after the substring
for (pszSrc = pszEnd; *pszSrc; pszSrc++, pszDst++) { *pszDst = *pszSrc; }
// Null terminate
*pszDst = L'\0';
*pbstrResult = SysAllocString(pszBuffer); DsrFree(pszBuffer); } }
// The substring does not already exist in the
// string
else { // Append the string
//
if (bAdd) { dwSize = wcslen(bstrSrc) + wcslen(pszSubString) + 1; dwSize *= sizeof(WCHAR);
pszBuffer = (PWCHAR) DsrAlloc(dwSize, FALSE); if (pszBuffer == NULL) { return E_OUTOFMEMORY; }
wcscpy(pszBuffer, bstrSrc); wcscat(pszBuffer, pszSubString); *pbstrResult = SysAllocString(pszBuffer); DsrFree(pszBuffer); }
// Or nothing to do since the substring was
// already removed
else { *pbstrResult = SysAllocString(bstrSrc); } }
return (*pbstrResult) ? S_OK : E_OUTOFMEMORY;}
//
// Converts a SID into a buffer
//
DWORDDsrStrFromSID( IN PSID pSid, OUT PWCHAR pszString, IN DWORD dwSize){ NTSTATUS nStatus = STATUS_SUCCESS; UNICODE_STRING UnicodeString;
// Initialize the unicode string
//
RtlInitUnicodeString(&UnicodeString, NULL);
do { // Convert the string
//
nStatus = RtlConvertSidToUnicodeString( &UnicodeString, pSid, TRUE); if (! NT_SUCCESS(nStatus)) { break; }
// Validate the result
//
if (UnicodeString.Buffer == NULL) { nStatus = ERROR_CAN_NOT_COMPLETE; break; } if (UnicodeString.Length > dwSize) { nStatus = STATUS_BUFFER_OVERFLOW; break; }
// Copy the result
//
wcscpy(pszString, UnicodeString.Buffer); nStatus = STATUS_SUCCESS; } while (FALSE);
// Cleanup
{ if (UnicodeString.Buffer != NULL) { RtlFreeUnicodeString(&UnicodeString); } }
return RtlNtStatusToDosError(nStatus);}
//
// Generates an LDAP path based on a domain and a
// distinguished name
//
// Form of value returned: LDAP://<domain or dc>/dn
HRESULTDsrDomainGenLdapPath( IN PWCHAR pszDomain, IN PWCHAR pszDN, OUT PWCHAR* ppszObject){ DWORD dwSize;
// Calculate the size needed
//
dwSize = (wcslen(pszLdapPrefix) + wcslen(pszDN) + 1) * sizeof(WCHAR); if (pszDomain) { dwSize += (wcslen(pszDomain) + 1) * sizeof(WCHAR); // +1 for '/'
}
// Allocate the return value
//
*ppszObject = (PWCHAR) DsrAlloc(dwSize, FALSE); if (*ppszObject == NULL) { return E_OUTOFMEMORY; }
// Format the return value
if (pszDomain == NULL) { wsprintfW(*ppszObject, L"%s%s", pszLdapPrefix, pszDN); } else { wsprintfW(*ppszObject, L"%s%s/%s", pszLdapPrefix, pszDomain, pszDN); }
return S_OK;}
//
// Returns a reference to rootDse of the given
// domain
//
HRESULTDsrDomainGetRootDse( IN PWCHAR pszDomain, OUT IADs** ppRootDse){ HRESULT hr = S_OK; PWCHAR pszPath = NULL; DWORD dwSize = 0;
do { // Get the object path
//
hr = DsrDomainGenLdapPath(pszDomain, (PWCHAR)pszRootDse, &pszPath); DSR_BREAK_ON_FAILED_HR(hr); // Get RootDSE
//
hr = ADsGetObject(pszPath, IID_IADs, (VOID**)ppRootDse); DSR_BREAK_ON_FAILED_HR( hr );
} while (FALSE);
// Cleanup
{ DSR_FREE(pszPath);
if (FAILED (hr)) { DSR_RELEASE(*ppRootDse); } }
return hr;}
//
// Returns a reference to the root domain object
//
HRESULTDsrDomainGetContainers( IN PWCHAR pszDomain, OUT IADs** ppRootDse, OUT IADsContainer** ppDomain, OUT IADsContainer** ppSchema){ PWCHAR pszDomainObj = NULL, pszSchemaObj = NULL; HRESULT hr = S_OK; DWORD dwSize = 0; VARIANT var;
// Iniatialize
//
{ *ppRootDse = NULL; *ppDomain = NULL; *ppSchema = NULL; VariantInit(&var); }
do { // Get RootDSE
//
hr = DsrDomainGetRootDse(pszDomain, ppRootDse); DSR_BREAK_ON_FAILED_HR(hr);
// Use RootDSE to figure out the name of the domain object
// to query
hr = (*ppRootDse)->Get((PWCHAR)pszDefaultNamingContext, &var); DSR_BREAK_ON_FAILED_HR( hr );
// Compute the distinguished name of the root domain object
//
hr = DsrDomainGenLdapPath(pszDomain, V_BSTR(&var), &pszDomainObj); DSR_BREAK_ON_FAILED_HR(hr); // Use RootDSE to figure out the name of the schema context
//
VariantClear(&var); hr = (*ppRootDse)->Get((PWCHAR)pszSchemaNamingCtx, &var); DSR_BREAK_ON_FAILED_HR( hr );
// Compute the distinguished name of the root schema object
//
hr = DsrDomainGenLdapPath(pszDomain, V_BSTR(&var), &pszSchemaObj); DSR_BREAK_ON_FAILED_HR(hr);
// Get the objects
//
hr = ADsGetObject(pszDomainObj, IID_IADsContainer, (VOID**)ppDomain); DSR_BREAK_ON_FAILED_HR( hr );
hr = ADsGetObject(pszSchemaObj, IID_IADsContainer, (VOID**)ppSchema); DSR_BREAK_ON_FAILED_HR( hr );
} while (FALSE);
// Cleanup
//
{ if (FAILED( hr )) { DSR_RELEASE(*ppRootDse); DSR_RELEASE(*ppDomain); DSR_RELEASE(*ppSchema); *ppRootDse = NULL; *ppDomain = NULL; *ppSchema = NULL; }
DSR_FREE(pszDomainObj); DSR_FREE(pszSchemaObj); VariantClear(&var); }
return hr;}
//
// Initializes COM
//
HRESULTDsrComIntialize(){ HRESULT hr;
hr = CoInitializeEx (NULL, COINIT_APARTMENTTHREADED); if (hr == RPC_E_CHANGED_MODE) { hr = CoInitializeEx (NULL, COINIT_MULTITHREADED); }
if ((hr != S_FALSE) && (FAILED(hr))) { return hr; }
return NO_ERROR;}
//
// Unitializes COM
//
VOIDDsrComUninitialize(){ CoUninitialize();}
//
// Creates a SID based on the array of bytes
// stored in a variant.
//
DWORDDsrSidInit ( IN VARIANT * pVar, OUT PBYTE* ppbSid){ SAFEARRAY * pArray = V_ARRAY(pVar); DWORD dwSize, dwLow, dwHigh, i; HRESULT hr; BYTE* pbRet = NULL; VARIANT var;
DsrTraceEx (0, "DsrSidInit: entered.");
// Get the array of bytes
i = 0; hr = SafeArrayGetElement(pArray, (LONG*)&i, (VOID*)&var); if (FAILED (hr)) return hr;
// Initialize the return buffer accordingly
pArray = V_ARRAY(&var); dwSize = SafeArrayGetDim(pArray); hr = SafeArrayGetLBound(pArray, 1, (LONG*)&dwLow); if (FAILED (hr)) return DsrTraceEx(hr, "DsrSidInit: %x unable to get lbound", hr);
hr = SafeArrayGetUBound(pArray, 1, (LONG*)&dwHigh); if (FAILED (hr)) return DsrTraceEx(hr, "DsrSidInit: %x unable to get ubound", hr);
DsrTraceEx ( 0, "DsrSidInit: Dim=%d, Low=%d, High=%d", dwSize, dwLow, dwHigh);
// Allocate the sid
if ((pbRet = (BYTE*)DsrAlloc((dwHigh - dwLow) + 2, TRUE)) == NULL) { return DsrTraceEx ( ERROR_NOT_ENOUGH_MEMORY, "DsrSidInit: Unable to alloc"); }
// Copy in the bytes of the SID
i = dwLow; while (TRUE) { hr = SafeArrayGetElement(pArray, (LONG*)&i, (VOID*)(&(pbRet[i]))); if (FAILED (hr)) break; i++; }
DsrTraceEx(0, "DsrSidInit: copied %d bytes", i);
*ppbSid = pbRet;
{ PUCHAR puSA;
DsrTraceEx (0, "DsrSidInit: Sid Length: %d", GetLengthSid(pbRet));
puSA = GetSidSubAuthorityCount(pbRet); if (puSA) DsrTraceEx (0, "DsrSidInit: Sid SA Count: %d", *puSA); }
return NO_ERROR;}
//
// Generates the ascii equivalent (suitable for submission as part of
// a query against the DS) of a SID based on a base SID and a sub authority
// to be appeneded.
//
HRESULTDsrSidInitAscii( IN LPBYTE pBaseSid, IN DWORD dwSubAuthority, OUT PWCHAR* ppszSid){ DWORD dwLen, dwSidLen, i; WCHAR* pszRet = NULL; PUCHAR puCount; LPBYTE pByte;
// Calculate the length of the returned buffer
dwSidLen = GetLengthSid(pBaseSid); dwLen = (dwSidLen * 2) + sizeof(DWORD) + 1; dwLen *= sizeof (WCHAR);
// we put '\' before each byte, so double the size
dwLen *= 2;
// Allocate the return buffer
pszRet = (PWCHAR) DsrAlloc(dwLen, TRUE); if (pszRet == NULL) return E_OUTOFMEMORY;
// Increment the sub authority count
puCount = GetSidSubAuthorityCount(pBaseSid); *puCount = *puCount + 1;
// Copy the bytes
for (i = 0; i < dwSidLen; i++) { pszRet[i*3] = L'\\'; wsprintfW(&(pszRet[i*3+1]), L"%02x", (DWORD)pBaseSid[i]); }
// Append the bytes for the new sub authority
pByte = (LPBYTE)&(dwSubAuthority); for (; i < dwSidLen + sizeof(DWORD); i++) { pszRet[i*3] = L'\\'; wsprintfW(&(pszRet[i*3+1]), L"%02x", (DWORD)pByte[i-dwSidLen]); }
// Decrement the sub authority count -- restoring the
// base sid.
*puCount = *puCount - 1;
*ppszSid = pszRet;
return NO_ERROR;}
//
// Searches given domain for a computer account
// with the given name and returns its ADsPath
// if found.
//
DWORDDsrFindDomainComputer ( IN PWCHAR pszDomain, IN PWCHAR pszComputer, OUT PWCHAR* ppszADsPath){ HRESULT hr = S_OK; DWORD dwLen, dwSrchAttribCount; IDirectorySearch * pSearch = NULL; PWCHAR pszDomainPath = NULL, pszFilter = NULL; PWCHAR pszBase, pszPrefix; ADS_SEARCH_HANDLE hSearch = NULL; ADS_SEARCH_COLUMN adsColumn; PWCHAR ppszSrchAttribs[] = { (PWCHAR)pszDn, NULL }; BOOL bSearchGC = FALSE;
do { // Validate parameters
if (!pszDomain || !pszComputer || !ppszADsPath) { hr = ERROR_INVALID_PARAMETER; break; }
// Decide whether to search the GC or the domain
// object
if (bSearchGC) { pszBase = (PWCHAR)pszGC; pszPrefix = (PWCHAR)pszGCPrefix; } else { pszBase = (PWCHAR)pszLdap; pszPrefix = (PWCHAR)pszLdapPrefix; }
// Allocate the domain path
dwLen = (pszDomain) ? wcslen(pszDomain) : 0; dwLen += wcslen(pszPrefix) + 1; dwLen *= sizeof(WCHAR); pszDomainPath = (PWCHAR) DsrAlloc(dwLen, FALSE); if (pszDomainPath == NULL) { hr = ERROR_NOT_ENOUGH_MEMORY; break; }
// Format the domain path
if (pszDomain) { wcscpy(pszDomainPath, pszPrefix); wcscat(pszDomainPath, pszDomain); } else wcscpy(pszDomainPath, pszBase);
// Get a reference to the object to search
// (either domain object or GC)
hr = ADsGetObject ( pszDomainPath, IID_IDirectorySearch, (VOID**)&pSearch); if (FAILED (hr)) break;
// Prepare the search filter
//
dwLen = wcslen(pszCompFilterFmt) + wcslen(pszComputer) + 1; dwLen *= sizeof(WCHAR); pszFilter = (PWCHAR) DsrAlloc(dwLen, FALSE); if (pszFilter == NULL) { hr = ERROR_NOT_ENOUGH_MEMORY; break; } wsprintfW(pszFilter, pszCompFilterFmt, pszComputer);
// Count the number of attributes we're searching
// for
if (ppszSrchAttribs == NULL) dwSrchAttribCount = (DWORD)-1; else { for (dwSrchAttribCount = 0; ppszSrchAttribs[dwSrchAttribCount]; dwSrchAttribCount++); }
// Search the DS
hr = pSearch->ExecuteSearch( pszFilter, ppszSrchAttribs, dwSrchAttribCount, &hSearch); if (FAILED (hr)) break;
// Get the first result
hr = pSearch->GetNextRow(hSearch); if (hr == S_ADS_NOMORE_ROWS) { hr = ERROR_NOT_FOUND; break; }
// Get the attribute we're interested in
hr = pSearch->GetColumn(hSearch, (PWCHAR)pszDn, &adsColumn); if (SUCCEEDED (hr)) { dwLen = wcslen(adsColumn.pADsValues[0].PrintableString) + wcslen(pszLdapPrefix) + 1; dwLen *= 2; *ppszADsPath = (PWCHAR) DsrAlloc(dwLen, FALSE); if (*ppszADsPath == NULL) { pSearch->FreeColumn(&adsColumn); hr = ERROR_NOT_ENOUGH_MEMORY; break; } wcscpy(*ppszADsPath, pszLdapPrefix); wcscat(*ppszADsPath, adsColumn.pADsValues[0].PrintableString); pSearch->FreeColumn (&adsColumn); hr = NO_ERROR; }
} while (FALSE);
// Cleanup
{ if (hSearch) pSearch->CloseSearchHandle(hSearch); DSR_FREE (pszDomainPath); DSR_FREE (pszFilter); DSR_RELEASE (pSearch); }
return DSR_ERROR(hr);}
//
// Searches given domain for the well known
// "RAS and IAS Servers" group and returns
// its ADsPath if found.
//
DWORDDsrFindRasServersGroup ( IN PWCHAR pszDomain, OUT PWCHAR* ppszADsPath){ HRESULT hr = S_OK; DWORD dwLen, dwSrchAttribCount, dwErr; IDirectorySearch * pSearch = NULL; IADs * pIads = NULL; PWCHAR pszDomainPath = NULL, pszFilter = NULL; PWCHAR pszBase, pszPrefix, pszGroupSid = NULL; ADS_SEARCH_HANDLE hSearch = NULL; ADS_SEARCH_COLUMN adsColumn; PWCHAR ppszSrchAttribs[] = { (PWCHAR)pszDn, NULL }; BOOL bSearchGC = FALSE; VARIANT var; LPBYTE pDomainSid = NULL; BSTR bstrSid = NULL;
do { // Validate parameters
if (!pszDomain || !ppszADsPath) { hr = ERROR_INVALID_PARAMETER; break; }
// Decide whether to search the GC or the domain
// object
if (bSearchGC) { pszBase = (PWCHAR)pszGC; pszPrefix = (PWCHAR)pszGCPrefix; } else { pszBase = (PWCHAR)pszLdap; pszPrefix = (PWCHAR)pszLdapPrefix; }
// Allocate the domain path
dwLen = wcslen(pszDomain) + wcslen(pszPrefix) + 1; dwLen *= sizeof(WCHAR); pszDomainPath = (PWCHAR) DsrAlloc(dwLen, FALSE); if (pszDomainPath == NULL) { hr = ERROR_NOT_ENOUGH_MEMORY; break; }
// Format the domain path
wcscpy(pszDomainPath, pszPrefix); wcscat(pszDomainPath, pszDomain);
// Get a reference to the object to search
// (either domain object or GC)
hr = ADsGetObject ( pszDomainPath, IID_IDirectorySearch, (VOID**)&pSearch); if (FAILED (hr)) break;
// Get IADs reference to domain object
hr = pSearch->QueryInterface(IID_IADs, (VOID**)&pIads); if (FAILED (hr)) break;
// Get the SID of the domain object
VariantInit(&var); bstrSid = SysAllocString(pszSid); if (bstrSid == NULL) { hr = ERROR_NOT_ENOUGH_MEMORY; break; } hr = pIads->GetEx(bstrSid, &var); if (FAILED (hr)) { break; } dwErr = DsrSidInit(&var, &pDomainSid); if (dwErr != NO_ERROR) { hr = dwErr; break; } VariantClear(&var);
// Prepare the ascii version of the "RAS and IAS Servers" SID
// for use in querying the DC
hr = DsrSidInitAscii( pDomainSid, DOMAIN_ALIAS_RID_RAS_SERVERS, &pszGroupSid); if (FAILED (hr)) break; DsrTraceEx(0, "GroupSid = %ls", pszGroupSid);
// Prepare the search filter
//
dwLen = (wcslen(pszGroupFilterFmt) + wcslen(pszGroupSid) + 1); dwLen *= sizeof(WCHAR); pszFilter = (PWCHAR) DsrAlloc(dwLen, FALSE); if (pszFilter == NULL) { hr = ERROR_NOT_ENOUGH_MEMORY; break; } wsprintfW(pszFilter, pszGroupFilterFmt, pszGroupSid);
// Count the number of attributes we're searching
// for
if (ppszSrchAttribs == NULL) dwSrchAttribCount = (DWORD)-1; else { for (dwSrchAttribCount = 0; ppszSrchAttribs[dwSrchAttribCount]; dwSrchAttribCount++); }
// Search the DS
hr = pSearch->ExecuteSearch( pszFilter, ppszSrchAttribs, dwSrchAttribCount, &hSearch); if (FAILED (hr)) break;
// Get the first result
hr = pSearch->GetNextRow(hSearch); if (hr == S_ADS_NOMORE_ROWS) { hr = ERROR_NOT_FOUND; break; }
// Get the attribute we're interested in
hr = pSearch->GetColumn(hSearch, (PWCHAR)pszDn, &adsColumn); if (SUCCEEDED (hr)) { dwLen = wcslen(adsColumn.pADsValues[0].PrintableString) + wcslen(pszLdapPrefix) + 1; dwLen *= sizeof(WCHAR); *ppszADsPath = (PWCHAR) DsrAlloc(dwLen, FALSE); if (*ppszADsPath == NULL) { pSearch->FreeColumn(&adsColumn); hr = ERROR_NOT_ENOUGH_MEMORY; break; } wsprintfW( *ppszADsPath, L"%s%s", pszLdapPrefix, adsColumn.pADsValues[0].PrintableString); pSearch->FreeColumn(&adsColumn); hr = NO_ERROR; }
} while (FALSE);
// Cleanup
{ if (hSearch) pSearch->CloseSearchHandle(hSearch); DSR_FREE (pszDomainPath); DSR_FREE (pszFilter); DSR_FREE (pDomainSid); DSR_FREE (pszGroupSid); DSR_RELEASE (pSearch); DSR_RELEASE (pIads); if (bstrSid) SysFreeString(bstrSid); }
return DSR_ERROR(hr);}
//
// Adds or removes a given object from a given group.
//
DWORD DsrGroupAddRemoveMember( IN PWCHAR pszGroupDN, IN PWCHAR pszNewMemberDN, IN BOOL bAdd){ VARIANT_BOOL vbIsMember = VARIANT_FALSE; IADsGroup* pGroup = NULL; HRESULT hr = S_OK;
DsrTraceEx ( 0, "DsrGroupAddRemoveMember entered for [%S] [%S]", pszGroupDN, pszNewMemberDN);
do { // Get a reference to the group
hr = ADsGetObject (pszGroupDN, IID_IADsGroup, (VOID**)&pGroup); if (FAILED (hr)) { DsrTraceEx( hr, "DsrGroupAddRemoveMember: %x from ADsGetObject(%S)", hr, pszGroupDN); break; } // Find out if the given new member is in the group
hr = pGroup->IsMember (pszNewMemberDN, &vbIsMember); if (FAILED (hr)) { DsrTraceEx ( hr, "DsrGroupAddRemoveMember: %x from IsMember\n", hr); break; }
// Add the object to the group and flush the cache
if (bAdd) { if (vbIsMember == VARIANT_FALSE) { hr = pGroup->Add (pszNewMemberDN); } } else { if (vbIsMember == VARIANT_TRUE) { hr = pGroup->Remove (pszNewMemberDN); } }
// If the new member is already in the group, the error code
// is ERROR_DS_CONSTRAINT_VIOLATION. I suspect this may change.
//
if (hr == ERROR_DS_CONSTRAINT_VIOLATION) { hr = ERROR_ALREADY_EXISTS; break; }
if (FAILED (hr)) { DsrTraceEx( hr, "DsrGroupAddRemoveMember: %x from Add/Remove", hr); break; } } while (FALSE);
// Cleanup
{ DSR_RELEASE(pGroup); }
return DSR_ERROR(hr);}
//
// Returns whether the given object is a member of
// the given group.
//
DWORD DsrGroupIsMember( IN PWCHAR pszGroupDN, IN PWCHAR pszObjectDN, OUT PBOOL pbIsMember){ IADsGroup * pGroup = NULL; HRESULT hr = S_OK; VARIANT_BOOL vbIsMember = VARIANT_FALSE;
DsrTraceEx ( 0, "DsrGroupIsMember: entered [%S] [%S].", pszGroupDN, pszObjectDN);
do { // Get a reference to the group
hr = ADsGetObject (pszGroupDN, IID_IADsGroup, (VOID**)&pGroup); if (FAILED (hr)) { DsrTraceEx ( hr, "DsrGroupIsMember: %x returned when opening %S", hr, pszGroupDN); *pbIsMember = FALSE; hr = NO_ERROR; break; }
// Find out if the object is a member
hr = pGroup->IsMember (pszObjectDN, &vbIsMember); if (FAILED (hr)) { DsrTraceEx (hr, "DsrGroupIsMember: %x from IsMember\n", hr); break; }
*pbIsMember = (vbIsMember == VARIANT_TRUE) ? TRUE : FALSE; } while (FALSE);
// Cleanup
{ DSR_RELEASE(pGroup); }
return DSR_ERROR(hr);}
//
// Applies the aces in the given access settings to the
// appropriate domain.
//
HRESULTDsrAceAppAdd( IN PWCHAR pszDC, IN DSR_ACE_APPLICATION* pAces, IN DWORD dwCount){ HRESULT hr = S_OK; DSR_ACE_APPLICATION* pAceApp = NULL; DWORD i; // Output the aces that we'll set
//
DsrTraceEx(0, "Adding %d aces...", dwCount);
do { // Add the ACES to the domain objects
//
for (i = 0, pAceApp = pAces; i < dwCount; i++, pAceApp++) { hr = DsrAceAdd( pszDC, pAceApp->pObject, &(pAceApp->Ace)); DSR_BREAK_ON_FAILED_HR( hr ); } DSR_BREAK_ON_FAILED_HR( hr );
// Commit the ACE's to the domain objects.
//
for (i = 0, pAceApp = pAces; i < dwCount; i++, pAceApp++) { hr = pAceApp->pObject->SetInfo(); DSR_BREAK_ON_FAILED_HR( hr ); } DSR_BREAK_ON_FAILED_HR( hr ); } while (FALSE);
// Cleanup
{ }
return hr;}
//
// Releases the resources held by an ace application
//
HRESULTDsrAceAppCleanup( IN DSR_ACE_APPLICATION* pAces, IN DWORD dwCount){ DSR_ACE_APPLICATION* pAceApp = NULL; DWORD i;
if (pAces) { for (i = 0, pAceApp = pAces; i < dwCount; i++, pAceApp++) { DSR_RELEASE(pAceApp->pObject); DsrAceDescClear(&(pAceApp->Ace)); }
DSR_FREE(pAces); }
return NO_ERROR;}
//
// Generates a list of ace applications based on a list
// of ace application descriptions
//
HRESULTDsrAceAppFromAppDesc( IN DSR_ACE_APPLICATION_DESC* pDesc, IN DWORD dwCount, IN IADsContainer* pContainer, IN IADs* pDefault, OUT DSR_ACE_APPLICATION** ppAceApp, OUT LPDWORD lpdwCount){ DSR_ACE_APPLICATION* pAceApp = NULL, *pCurApp = NULL; DSR_ACE_APPLICATION_DESC* pAceAppDesc = NULL; IDispatch* pDispatch = NULL; HRESULT hr = S_OK; DWORD i;
do { // Allocate and zero the ACE list
//
pAceApp = (DSR_ACE_APPLICATION*) DsrAlloc(sizeof(DSR_ACE_APPLICATION) * dwCount, TRUE); if (pAceApp == NULL) { DSR_BREAK_ON_FAILED_HR(hr = E_OUTOFMEMORY); }
// Set up the ACE applications
//
for (i = 0, pAceAppDesc = pDesc, pCurApp = pAceApp; i < dwCount; i++, pAceAppDesc++, pCurApp++) { // Get the desired object in the DS
//
if (pAceAppDesc->pszObjectCN) { hr = pContainer->GetObject( pAceAppDesc->pszObjectClass, pAceAppDesc->pszObjectCN, &pDispatch); DSR_BREAK_ON_FAILED_HR( hr );
hr = pDispatch->QueryInterface( IID_IADs, (VOID**)&(pCurApp->pObject)); DSR_BREAK_ON_FAILED_HR( hr );
pDispatch->Release(); pDispatch = NULL; } else { pCurApp->pObject = pDefault; pCurApp->pObject->AddRef(); }
// Copy over the ACE information
hr = DsrAceDescCopy( &(pCurApp->Ace), &(pAceAppDesc->Ace)); DSR_BREAK_ON_FAILED_HR( hr ); } DSR_BREAK_ON_FAILED_HR( hr );
// Assign the return values
*ppAceApp = pAceApp; *lpdwCount = dwCount; } while (FALSE);
// Cleanup
{ if (FAILED(hr)) { DsrAceAppCleanup(pAceApp, i); } }
return hr;}
//
// Discovers whether a set of aces is present in the given
// domain.
//
HRESULTDsrAceAppQueryPresence( IN PWCHAR pszDC, IN DSR_ACE_APPLICATION* pAces, IN DWORD dwCount, OUT PBOOL pbPresent){ DSR_ACE_APPLICATION* pAceApp = NULL; IADsSecurityDescriptor* pSD = NULL; IADsAccessControlList* pAcl = NULL; IDispatch* pAce = NULL; VARIANT varSD; HRESULT hr = S_OK; BOOL bEnabled = FALSE, bOk = TRUE; DWORD i;
do { // Initialize
*pbPresent = FALSE; VariantInit(&varSD);
// Find out if the ACES are set
//
for (i = 0, pAceApp = pAces; i < dwCount; i++, pAceApp++) { hr = DsrAceFind( pszDC, pAceApp->pObject, &(pAceApp->Ace), &varSD, &pSD, &pAcl, &pAce); DSR_BREAK_ON_FAILED_HR( hr );
// We're enabled so long as we don't find
// a missing ACE
//
bOk = (pAce != NULL);
// Cleanup
//
DSR_RELEASE( pAce ); DSR_RELEASE( pAcl ); DSR_RELEASE( pSD ); VariantClear(&varSD); pAce = NULL; pAcl = NULL; pSD = NULL;
// Break if we find out we're not enabled
//
if (bOk == FALSE) { break; } } DSR_BREAK_ON_FAILED_HR( hr );
*pbPresent = bOk; } while (FALSE);
// Cleanup
{ }
return hr;}
//
// Applies the aces in the given access settings to the
// appropriate domain.
//
HRESULTDsrAceAppRemove( IN PWCHAR pszDC, IN DSR_ACE_APPLICATION* pAces, IN DWORD dwCount){ HRESULT hr = S_OK; DSR_ACE_APPLICATION* pAceApp = NULL; DWORD i; // Output the aces that we'll set
//
DsrTraceEx(0, "Removing %d aces...", dwCount);
do { // Add/Del the ACES to the domain objects
//
for (i = 0, pAceApp = pAces; i < dwCount; i++, pAceApp++) { hr = DsrAceRemove( pszDC, pAceApp->pObject, &(pAceApp->Ace)); DSR_BREAK_ON_FAILED_HR( hr ); } DSR_BREAK_ON_FAILED_HR( hr );
// Commit the ACE's to the domain objects.
//
for (i = 0, pAceApp = pAces; i < dwCount; i++, pAceApp++) { hr = pAceApp->pObject->SetInfo(); DSR_BREAK_ON_FAILED_HR( hr ); } DSR_BREAK_ON_FAILED_HR( hr ); } while (FALSE);
// Cleanup
{ }
return hr;}
//
// Clear the dsr ace parameters
//
DWORDDsrAceDescClear( IN DSR_ACE_DESCRIPTOR* pParams){ if (pParams) { if (pParams->bstrTrustee) { SysFreeString(pParams->bstrTrustee); } if (pParams->bstrObjectType) { SysFreeString(pParams->bstrObjectType); } if (pParams->bstrInheritedObjectType) { SysFreeString(pParams->bstrInheritedObjectType); }
ZeroMemory(pParams, sizeof(DSR_ACE_DESCRIPTOR)); }
return NO_ERROR;}
//
// Returns 0 if ACE descriptors are describing the same ACE.
// FALSE, otherwise.
//
HRESULTDsrAceDescCompare( IN DSR_ACE_DESCRIPTOR* pAce1, IN DSR_ACE_DESCRIPTOR* pAce2){ DWORD dw1, dw2; // Compare the non-string fields so that we can rule things
// out w/o string compares if possible
//
if ( (pAce1->dwAccessMask != pAce2->dwAccessMask) || (pAce1->dwAceFlags != pAce2->dwAceFlags) || (pAce1->dwAceType != pAce2->dwAceType) || (pAce1->dwFlags != pAce2->dwFlags) ) { return 1; }
// Compare the strings
//
if ((DsrStrCompare(pAce1->bstrTrustee, pAce2->bstrTrustee)) || (DsrStrCompare(pAce1->bstrObjectType, pAce2->bstrObjectType)) || (DsrStrCompare(pAce1->bstrInheritedObjectType, pAce2->bstrInheritedObjectType)) ) { return 1; }
// Return success
//
return 0;}
//
// Copy over the ACE information
//
HRESULTDsrAceDescCopy( OUT DSR_ACE_DESCRIPTOR* pDst, IN DSR_ACE_DESCRIPTOR* pSrc){ HRESULT hr = S_OK;
do { // Initialize the ACE parameters
*pDst = *pSrc;
if (pSrc->bstrTrustee) { pDst->bstrTrustee = SysAllocString(pSrc->bstrTrustee);
if (pDst->bstrTrustee == NULL) { DSR_BREAK_ON_FAILED_HR(hr = E_OUTOFMEMORY); } }
if (pSrc->bstrObjectType) { pDst->bstrObjectType = SysAllocString(pSrc->bstrObjectType);
if (pDst->bstrObjectType == NULL) { DSR_BREAK_ON_FAILED_HR(hr = E_OUTOFMEMORY); } }
if (pSrc->bstrInheritedObjectType) { pDst->bstrInheritedObjectType = SysAllocString(pSrc->bstrInheritedObjectType);
if (pDst->bstrInheritedObjectType == NULL) { DSR_BREAK_ON_FAILED_HR(hr = E_OUTOFMEMORY); } }
} while (FALSE);
// Cleanup
{ if (FAILED( hr )) { if (pDst->bstrTrustee) { SysFreeString(pDst->bstrTrustee); } if (pDst->bstrObjectType) { SysFreeString(pDst->bstrObjectType); } if (pDst->bstrInheritedObjectType) { SysFreeString(pDst->bstrInheritedObjectType); } } }
return hr;}
//
// Populates the given ACE descriptor with the values from
// the given ACE.
//
HRESULTDsrAceDescFromIadsAce( IN PWCHAR pszDC, IN IADsAccessControlEntry* pAce, IN DSR_ACE_DESCRIPTOR* pAceParams){ HRESULT hr = S_OK; BSTR bstrTrustee = NULL; WCHAR pszSid[1024], pszDomain[1024]; BYTE pbSid[1024]; DWORD dwSidSize, dwDomainSize; BOOL bOk; SID_NAME_USE SidNameUse;
do { hr = pAce->get_AccessMask(&(pAceParams->dwAccessMask)); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->get_AceType(&(pAceParams->dwAceType)); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->get_AceFlags(&(pAceParams->dwAceFlags)); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->get_Flags(&(pAceParams->dwFlags)); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->get_ObjectType(&(pAceParams->bstrObjectType)); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->get_InheritedObjectType( &(pAceParams->bstrInheritedObjectType)); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->get_Trustee(&bstrTrustee); DSR_BREAK_ON_FAILED_HR( hr );
// Get the SID of the trustee
//
dwSidSize = sizeof(pbSid); dwDomainSize = sizeof(pszDomain) / sizeof(WCHAR); bOk = LookupAccountName( pszDC, bstrTrustee, (PSID)pbSid, &dwSidSize, pszDomain, &dwDomainSize, &SidNameUse); if (bOk == FALSE) { hr = GetLastError(); break; }
// Convert the sid to a string
//
hr = DsrStrFromSID((PSID)pbSid, pszSid, sizeof(pszSid)); if (hr != NO_ERROR) { break; }
// Create the trustee accordingly
//
pAceParams->bstrTrustee = SysAllocString(pszSid); if (pAceParams->bstrTrustee == NULL) { hr = E_OUTOFMEMORY; break; }
} while (FALSE);
// Cleanup
{ if (bstrTrustee) { SysFreeString(bstrTrustee); }
if (FAILED(hr)) { DsrAceDescClear(pAceParams); } }
return hr;} //
// Initialize an ace descriptor from a W2K Ace
//
HRESULTDsrAceDescFromW2KAce( IN PWCHAR pszDC, IN PVOID pvAce, OUT DSR_ACE_DESCRIPTOR* pAceDesc){ PACCESS_ALLOWED_ACE pAaAce = NULL; PACCESS_DENIED_ACE pAdAce = NULL; PACCESS_ALLOWED_OBJECT_ACE pAaoAce = NULL; PACCESS_DENIED_OBJECT_ACE pAdoAce = NULL; PSID pSID = NULL; DWORD dwFlags = 0, dwNameSize, dwDomainSize, dwAccessMask; BYTE bAceType, bAceFlags; SID_NAME_USE SidNameUse; WCHAR pszGuid[64], pszName[512], pszDomain[512], pszTrustee[1024]; HRESULT hr = S_OK; GUID* pgObj = NULL, *pgInhObj = NULL; BOOL bOk = TRUE;
// Read in the ace values
//
bAceType = ((ACE_HEADER *)pvAce)->AceType; bAceFlags = ((ACE_HEADER *)pvAce)->AceFlags; switch (bAceType) { case ACCESS_ALLOWED_ACE_TYPE: pAaAce = (PACCESS_ALLOWED_ACE)pvAce; dwAccessMask = pAaAce->Mask; pSID = (PSID)&(pAaAce->SidStart); break; case ACCESS_DENIED_ACE_TYPE: pAdAce = (PACCESS_DENIED_ACE)pvAce; dwAccessMask = pAdAce->Mask; pSID = (PSID)&(pAdAce->SidStart); break;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE: pAaoAce = (PACCESS_ALLOWED_OBJECT_ACE)pvAce; dwAccessMask = pAaoAce->Mask; dwFlags = pAaoAce->Flags;
// Determine the location of the guids
// and SIDs. They are arranged such that they
// take up as little memory as possible
//
if (dwFlags & ACE_OBJECT_TYPE_PRESENT) { pgObj = (GUID*)&(pAaoAce->ObjectType); pSID = (PSID)&(pAaoAce->InheritedObjectType); if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) { pgInhObj = (GUID*)&(pAaoAce->InheritedObjectType); pSID = (PSID)&(pAaoAce->SidStart); } } else { pSID = (PSID)&(pAaoAce->ObjectType); if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) { pgInhObj = (GUID*)&(pAaoAce->ObjectType); pSID = (PSID)&(pAaoAce->InheritedObjectType); } } break; case ACCESS_DENIED_OBJECT_ACE_TYPE: pAdoAce = (PACCESS_DENIED_OBJECT_ACE)pvAce; dwAccessMask = pAdoAce->Mask; dwFlags = pAdoAce->Flags;
// Determine the location of the guids
// and SIDs. They are arranged such that they
// take up as little memory as possible
//
if (dwFlags & ACE_OBJECT_TYPE_PRESENT) { pgObj = (GUID*)&(pAdoAce->ObjectType); pSID = (PSID)&(pAdoAce->InheritedObjectType); if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) { pgInhObj = (GUID*)&(pAdoAce->InheritedObjectType); pSID = (PSID)&(pAdoAce->SidStart); } } else { pSID = (PSID)&(pAdoAce->ObjectType); if (dwFlags & ACE_INHERITED_OBJECT_TYPE_PRESENT) { pgInhObj = (GUID*)&(pAdoAce->ObjectType); pSID = (PSID)&(pAdoAce->InheritedObjectType); } } break; default: DsrTraceEx(0, "Unknown ACE TYPE %x", bAceType); bOk = FALSE; break; } if (bOk == FALSE) { return E_FAIL; }
// Lookup the account name of the sid
//
hr = DsrStrFromSID(pSID, pszTrustee, sizeof(pszTrustee)); if (hr != NO_ERROR) { return HRESULT_FROM_WIN32(hr); }
// Fill in the ACE fields
pAceDesc->dwAceType = (LONG)bAceType; pAceDesc->dwAceFlags = (LONG)bAceFlags; pAceDesc->dwAccessMask = (LONG)dwAccessMask; pAceDesc->dwFlags = (LONG)dwFlags; pAceDesc->bstrTrustee = SysAllocString(pszTrustee); if (pgObj) { StringFromGUID2( *pgObj, pszGuid, sizeof(pszGuid)/sizeof(WCHAR)); pAceDesc->bstrObjectType = SysAllocString(pszGuid); } if (pgInhObj) { StringFromGUID2( *pgInhObj, pszGuid, sizeof(pszGuid)/sizeof(WCHAR)); pAceDesc->bstrInheritedObjectType = SysAllocString(pszGuid); }
return hr;}
//
// Generates a list of ace descriptors based on a stringized
// SD
//
HRESULT DsrAceDescListFromString( IN PWCHAR pszDC, IN PWCHAR pszSD, OUT DSR_ACE_DESCRIPTOR** ppAceList, OUT LPDWORD lpdwAceCount){ BOOL bOk = TRUE, bPresent = FALSE, bDefaulted = FALSE; DSR_ACE_DESCRIPTOR* pAceList = NULL, *pCurAce = NULL; PSECURITY_DESCRIPTOR pSD = NULL; PVOID pvAce = NULL; ULONG ulSize = 0; PACL pDacl = NULL; HRESULT hr = S_OK; DWORD i;
do { // First, convert the stringized security descriptor to a
// plain old vanilla security descriptor. ADSI doesn't
// support this for W2K, so we have to do it with SDDL
// api's
//
bOk = ConvertStringSecurityDescriptorToSecurityDescriptorW( pszSD, SDDL_REVISION_1, &pSD, &ulSize); if (bOk == FALSE) { hr = E_FAIL; break; }
// Get the DACL from the SD.
//
bOk = GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaulted); if (bOk == FALSE) { hr = E_FAIL; break; }
// If there are no aces, then there's nothing to do
//
if (pDacl->AceCount == 0) { break; }
// Allocate the list that we'll return if everything goes well.
//
pAceList = (DSR_ACE_DESCRIPTOR*) DsrAlloc(pDacl->AceCount * sizeof(DSR_ACE_DESCRIPTOR), TRUE); if (pAceList == NULL) { hr = E_OUTOFMEMORY; break; } // Initialize the list of aces
//
for (i = 0, pCurAce = pAceList; i < pDacl->AceCount; i++, pCurAce++) { // Get a reference to the current
// ACE
//
if (! GetAce(pDacl, i, &pvAce)) { continue; }
// Initialize the ACE descriptor accordingly
//
hr = DsrAceDescFromW2KAce(pszDC, pvAce, pCurAce); DSR_BREAK_ON_FAILED_HR(hr);
//DsrAceDescTrace(pCurAce);
} DSR_BREAK_ON_FAILED_HR(hr);
// Set the return values. Clear pAceList so it doesn't
// get cleaned up.
//
*ppAceList = pAceList; *lpdwAceCount = pDacl->AceCount; pAceList = NULL;
} while (FALSE);
// Cleanup
{ if (pSD) { LocalFree(pSD); }
if (pAceList) { for (i = 0; i < pDacl->AceCount; i++) { DsrAceDescClear(&(pAceList[i])); } DsrFree(pAceList); } } return hr;}
PWCHAR DsrAceAttrToString( IN PWCHAR pszObjectType){ if (pszObjectType == NULL) { return L"All"; } else if (lstrcmpi(pszObjectType, pszGuidUserParms) == 0) { return L"UserParms (BF967A6D-0DE6-11D0-A285-00AA003049E2)"; } else if (lstrcmpi(pszObjectType, pszGuidRasPropSet1) == 0) { return L"Ras user properties (037088F8-0AE1-11D2-B422-00A0C968F939)"; } else if (lstrcmpi(pszObjectType, pszGuidRasPropSet2) == 0) { return L"Misc user properties (4C164200-20C0-11D0-A768-00AA006E0529)"; } else if (lstrcmpi(pszObjectType, pszGuidLogonHours) == 0) { return L"Logon-Hours (BF9679AB-0DE6-11D0-A285-00AA003049E2)"; } else if (lstrcmpi(pszObjectType, pszGuidSamAccountName) == 0) { return L"Sam account name (3E0ABFD0-126A-11D0-A060-00AA006C33ED)"; }
return pszObjectType;}
PWCHAR DsrAceApplyToString( IN PWCHAR pszApply){ if (pszApply == NULL) { return L"This object"; } else if (lstrcmpi(pszApply, pszGuidUserClass) == 0) { return L"User objects (BF967ABA-0DE6-11D0-A285-00aa003049E2)"; }
return pszApply;}
PWCHARDsrAceMaskToString( IN DWORD dwType, IN DWORD dwMask, IN PWCHAR pszBuf){ WCHAR pszTemp[64]; *pszBuf = L'\0';
switch (dwType) { case ADS_ACETYPE_ACCESS_ALLOWED: wcscpy(pszBuf, L"Allow: "); break; case ADS_ACETYPE_ACCESS_DENIED: wcscpy(pszBuf, L"Deny: "); break; case ADS_ACETYPE_SYSTEM_AUDIT: wcscpy(pszBuf, L"Audit: "); break; case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: wcscpy(pszBuf, L"Allow obj: "); break; case ADS_ACETYPE_ACCESS_DENIED_OBJECT: wcscpy(pszBuf, L"Deny obj: "); break; case ADS_ACETYPE_SYSTEM_AUDIT_OBJECT: wcscpy(pszBuf, L"Audit obj: "); break; }
wsprintfW(pszTemp, L"(%x): ", dwMask); wcscat(pszBuf, pszTemp);
if (dwMask == DSR_ADS_RIGHT_GENERIC_READ) { wcscat(pszBuf, L"Generic read"); } else if (dwMask == 0xffffffff) { wcscat(pszBuf, L"Full control"); } else { if (dwMask & ADS_RIGHT_READ_CONTROL) wcscat(pszBuf, L"R ctrl, "); if (dwMask & ADS_RIGHT_WRITE_DAC) wcscat(pszBuf, L"R/W dac, "); if (dwMask & ADS_RIGHT_WRITE_OWNER) wcscat(pszBuf, L"W own, "); if (dwMask & ADS_RIGHT_SYNCHRONIZE) wcscat(pszBuf, L"Sync, "); if (dwMask & ADS_RIGHT_ACCESS_SYSTEM_SECURITY) wcscat(pszBuf, L"Sys, "); if (dwMask & ADS_RIGHT_GENERIC_READ) wcscat(pszBuf, L"R (gen), "); if (dwMask & ADS_RIGHT_GENERIC_WRITE) wcscat(pszBuf, L"W (gen), "); if (dwMask & ADS_RIGHT_GENERIC_EXECUTE) wcscat(pszBuf, L"Ex, "); if (dwMask & ADS_RIGHT_GENERIC_ALL) wcscat(pszBuf, L"All, "); if (dwMask & ADS_RIGHT_DS_CREATE_CHILD) wcscat(pszBuf, L"Cr cld, "); if (dwMask & ADS_RIGHT_DS_DELETE_CHILD) wcscat(pszBuf, L"Del cld, "); if (dwMask & ADS_RIGHT_ACTRL_DS_LIST) wcscat(pszBuf, L"List, "); if (dwMask & ADS_RIGHT_DS_SELF) wcscat(pszBuf, L"Self, "); if (dwMask & ADS_RIGHT_DS_READ_PROP) wcscat(pszBuf, L"R prop, "); if (dwMask & ADS_RIGHT_DS_WRITE_PROP) wcscat(pszBuf, L"W prop, "); if (dwMask & ADS_RIGHT_DS_DELETE_TREE) wcscat(pszBuf, L"Del tree, "); if (dwMask & ADS_RIGHT_DS_LIST_OBJECT) wcscat(pszBuf, L"List obj, "); if (dwMask & ADS_RIGHT_DS_CONTROL_ACCESS) wcscat(pszBuf, L"Ctrl acc, "); }
return pszBuf;}
PWCHARDsrAceFlagsToString( IN DWORD dwAceFlags, IN PWCHAR pszBuf){ WCHAR pszTemp[64]; *pszBuf = L'\0';
switch (dwAceFlags) { case 0: wcscpy(pszBuf, L"This object only"); break; case ADS_ACEFLAG_INHERIT_ACE: wcscpy(pszBuf, L"This object and children"); break; case ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE: wcscpy(pszBuf, L"No-prop inherit"); break; case ADS_ACEFLAG_INHERIT_ONLY_ACE: wcscpy(pszBuf, L"Inherit-only"); break; case ADS_ACEFLAG_INHERITED_ACE: wcscpy(pszBuf, L"Inherited"); break; case ADS_ACEFLAG_VALID_INHERIT_FLAGS: wcscpy(pszBuf, L"Valid inherit flags"); break; case ADS_ACEFLAG_SUCCESSFUL_ACCESS: wcscpy(pszBuf, L"Successful access"); break; case ADS_ACEFLAG_FAILED_ACCESS: wcscpy(pszBuf, L"Failed access"); break; }
wsprintfW(pszTemp, L" (%x)", dwAceFlags); wcscat(pszBuf, pszTemp);
return pszBuf;}
//
// Traces out the contents of an ACE
//
VOIDDsrAceDescTrace( IN IADs* pIads, IN DSR_ACE_DESCRIPTOR* pA){ VARIANT var; BSTR bstrProp = SysAllocString(pszDn); HRESULT hr = S_OK; WCHAR pszBuf[1024];
do { VariantInit(&var);
if (bstrProp == NULL) { hr = E_FAIL; break; }
hr = pIads->Get(bstrProp, &var); DSR_BREAK_ON_FAILED_HR( hr );
DsrTraceEx(0, "%ls", V_BSTR(&var)); DsrTraceEx(0, "%ls", DsrAceMaskToString(pA->dwAceType, pA->dwAccessMask, pszBuf)); DsrTraceEx(0, "To: %ls", pA->bstrTrustee); DsrTraceEx(0, "Attribute: %ls", DsrAceAttrToString(pA->bstrObjectType)); DsrTraceEx(0, "ApplyTo: %ls", DsrAceApplyToString(pA->bstrInheritedObjectType)); DsrTraceEx(0, "Inheritance: %ls", DsrAceFlagsToString(pA->dwAceFlags, pszBuf)); DsrTraceEx(0, "Flags: %x", pA->dwFlags); DsrTraceEx(0, " ");
} while (FALSE);
// Cleanup
//
{ SysFreeString(bstrProp); VariantClear(&var); }
if (FAILED(hr)) { DsrTraceEx( 0, "{ %-8x %-2x %-2x %-2x %-40ls %ls %ls }", pA->dwAccessMask, pA->dwAceType, pA->dwAceFlags, pA->dwFlags, pA->bstrTrustee, pA->bstrObjectType, pA->bstrInheritedObjectType); }}
//
// Adds the given ace to the given ds object
//
HRESULTDsrAceAdd( IN PWCHAR pszDC, IN IADs* pIads, IN DSR_ACE_DESCRIPTOR * pAceParams){ IADsSecurityDescriptor* pSD = NULL; IADsAccessControlList* pAcl = NULL; IDispatch* pAce = NULL; IDispatch* pDispatch = NULL; HRESULT hr = S_OK; VARIANT var;
// Initialize
VariantInit(&var);
do { // Get the security descriptor
//
pIads->Get((PWCHAR)pszSecurityDesc, &var); DSR_BREAK_ON_FAILED_HR( hr );
// Get the appropriate interface to the sd
//
V_DISPATCH(&var)->QueryInterface( IID_IADsSecurityDescriptor, (VOID**)&pSD); DSR_BREAK_ON_FAILED_HR( hr );
// Get a reference to the discretionary acl
//
hr = pSD->get_DiscretionaryAcl(&pDispatch); DSR_BREAK_ON_FAILED_HR( hr );
hr = pDispatch->QueryInterface( IID_IADsAccessControlList, (VOID**)&pAcl); DSR_BREAK_ON_FAILED_HR( hr );
// Don't add the ACE if it's already there.
//
hr = DsrAceFindInAcl( pszDC, pAcl, pAceParams, &pAce); if (SUCCEEDED(hr) && pAce) { hr = S_OK; break; }
// Trace out the ACE
DsrAceDescTrace(pIads, pAceParams);
// Create the ACE
hr = DsrAceCreate(pAceParams, &pAce); DSR_BREAK_ON_FAILED_HR( hr );
// Add the newly created ACE to the ACL
//
hr = pAcl->AddAce(pAce); DSR_BREAK_ON_FAILED_HR( hr );
// Now commit the result in the ACL
//
hr = pSD->put_DiscretionaryAcl(pDispatch); DSR_BREAK_ON_FAILED_HR( hr );
// Finally, commit the result in the ds object
//
hr = pIads->Put((PWCHAR)pszSecurityDesc, var); DSR_BREAK_ON_FAILED_HR( hr );
} while (FALSE);
// Cleanup
{ DSR_RELEASE( pAce ); DSR_RELEASE( pAcl ); DSR_RELEASE( pDispatch ); DSR_RELEASE( pSD );
VariantClear(&var); }
return DSR_ERROR(hr);}
//
// Creates a new ACE object from the given parameters
//
HRESULTDsrAceCreate( IN DSR_ACE_DESCRIPTOR * pAceParams, OUT IDispatch** ppAce){ IADsAccessControlEntry* pAce = NULL; IDispatch* pRet = NULL; HRESULT hr = S_OK;
do { // Create the new ACE
//
hr = CoCreateInstance( CLSID_AccessControlEntry, NULL, CLSCTX_INPROC_SERVER, IID_IADsAccessControlEntry, (VOID**) &pAce); DSR_BREAK_ON_FAILED_HR( hr );
// Initialize the values
//
hr = pAce->put_Trustee(pAceParams->bstrTrustee); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->put_AceFlags(pAceParams->dwAceFlags); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->put_Flags(pAceParams->dwFlags); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->put_AceType(pAceParams->dwAceType); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->put_AccessMask(pAceParams->dwAccessMask); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->put_ObjectType(pAceParams->bstrObjectType); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAce->put_InheritedObjectType( pAceParams->bstrInheritedObjectType); DSR_BREAK_ON_FAILED_HR( hr );
// Query the return value
//
hr = pAce->QueryInterface(IID_IDispatch, (VOID**)&pRet); DSR_BREAK_ON_FAILED_HR( hr );
// Assign the return value
*ppAce = pRet;
} while (FALSE);
// Cleanup
{ if (FAILED (hr)) { DSR_RELEASE(pRet); } DSR_RELEASE(pAce); }
return hr;}
//
// Finds the given ace in the given acl
//
HRESULTDsrAceFind( IN PWCHAR pszDC, IN IADs* pObject, IN DSR_ACE_DESCRIPTOR* pAceParams, OUT VARIANT* pVarSD, OUT IADsSecurityDescriptor** ppSD, OUT IADsAccessControlList** ppAcl, OUT IDispatch** ppAce){ IDispatch* pAcl = NULL; HRESULT hr = S_OK;
do { // Get the security descriptor
//
pObject->Get((PWCHAR)pszSecurityDesc, pVarSD); DSR_BREAK_ON_FAILED_HR( hr );
// Get the appropriate interface to the sd
//
V_DISPATCH(pVarSD)->QueryInterface( IID_IADsSecurityDescriptor, (VOID**)ppSD); DSR_BREAK_ON_FAILED_HR( hr );
// Get a reference to the discretionary acl
//
hr = (*ppSD)->get_DiscretionaryAcl(&pAcl); DSR_BREAK_ON_FAILED_HR( hr );
hr = pAcl->QueryInterface( IID_IADsAccessControlList, (VOID**)ppAcl); DSR_BREAK_ON_FAILED_HR( hr );
hr = DsrAceFindInAcl( pszDC, *ppAcl, pAceParams, ppAce); DSR_BREAK_ON_FAILED_HR(hr);
} while (FALSE);
// Cleanup
{ DSR_RELEASE( pAcl );
if (*ppAce == NULL) { VariantClear(pVarSD); DSR_RELEASE(*ppAcl); DSR_RELEASE(*ppSD); *ppAcl = NULL; *ppSD = NULL; } }
return hr;}
//
// Finds the given ACE in the given ACL
//
HRESULTDsrAceFindInAcl( IN PWCHAR pszDC, IN IADsAccessControlList* pAcl, IN DSR_ACE_DESCRIPTOR* pAceDesc, OUT IDispatch** ppAce){ DSR_ACE_DESCRIPTOR CurAceParams, *pCurAceDesc = &CurAceParams; IADsAccessControlEntry* pCurAce = NULL; HRESULT hr = S_OK; IUnknown* pUnknown = NULL; IEnumVARIANT* pEnumVar = NULL; IDispatch* pRet = NULL; DWORD dwRetrieved; VARIANT var;
do { // Get an enumerator of the aces
//
hr = pAcl->get__NewEnum(&pUnknown); DSR_BREAK_ON_FAILED_HR( hr );
// Get the right interface to enumerate the aces
//
hr = pUnknown->QueryInterface(IID_IEnumVARIANT, (VOID**)&pEnumVar); DSR_BREAK_ON_FAILED_HR( hr );
// Enumerate
//
pEnumVar->Reset(); VariantInit(&var); ZeroMemory(pCurAceDesc, sizeof(DSR_ACE_DESCRIPTOR)); while ((pEnumVar->Next(1, &var, &dwRetrieved) == S_OK) && (dwRetrieved == 1) ) { // Get the reference to the ace
//
hr = V_DISPATCH(&var)->QueryInterface( IID_IADsAccessControlEntry, (VOID**)&pCurAce);
if (SUCCEEDED (hr)) { // Read the ACE parameters
//
hr = DsrAceDescFromIadsAce(pszDC, pCurAce, pCurAceDesc); if (SUCCEEDED (hr)) { // Assign the ace if we have a match
//
if (DsrAceDescCompare(pCurAceDesc, pAceDesc) == 0) { pRet = V_DISPATCH(&var); }
DsrAceDescClear(pCurAceDesc); } pCurAce->Release(); }
if (pRet == NULL) { VariantClear(&var); } else { break; } }
// Assign the return value
//
*ppAce = pRet; } while (FALSE);
// Cleanup
{ DSR_RELEASE( pEnumVar ); DSR_RELEASE( pUnknown ); }
return hr;}
//
// Removes the given ace from the given ds object
//
HRESULTDsrAceRemove( IN PWCHAR pszDC, IN IADs* pIads, IN DSR_ACE_DESCRIPTOR * pAceParams){ IADsSecurityDescriptor* pSD = NULL; IADsAccessControlList* pAcl = NULL; IADsAccessControlEntry* pIadsAce = NULL; IDispatch* pAce = NULL; DSR_ACE_DESCRIPTOR CurAceParams; HRESULT hr = S_OK; VARIANT varSD;
do { VariantInit(&varSD);
hr = DsrAceFind(pszDC, pIads, pAceParams, &varSD, &pSD, &pAcl, &pAce); DSR_BREAK_ON_FAILED_HR( hr );
if (pAce) { // Make sure the ace is the same as we think
//
hr = pAce->QueryInterface( IID_IADsAccessControlEntry, (VOID**)&pIadsAce); if (SUCCEEDED(hr)) { DsrTraceEx(0, "ACE to be removed!"); DsrAceDescFromIadsAce(pszDC, pIadsAce, &CurAceParams); DsrAceDescTrace(pIads, &CurAceParams); DsrAceDescClear(&CurAceParams); } else { DsrTraceEx(0, "Unable to trace ACE that will be removed!\n"); } // Remove the ace found if any.
//
// Trace out the ACE
hr = pAcl->RemoveAce(pAce); DSR_BREAK_ON_FAILED_HR( hr );
// Now commit the result in the ACL
//
hr = pSD->put_DiscretionaryAcl(pAcl); DSR_BREAK_ON_FAILED_HR( hr );
// Finally, commit the result in the ds object
//
hr = pIads->Put((PWCHAR)pszSecurityDesc, varSD); DSR_BREAK_ON_FAILED_HR( hr ); } else { DsrTraceEx(0, "DsrAceRemove: unable to match ACE for removal:"); DsrAceDescTrace(pIads, pAceParams); }
} while (FALSE);
// Cleanup
{ DSR_RELEASE( pAce ); DSR_RELEASE( pIadsAce ); DSR_RELEASE( pAcl ); DSR_RELEASE( pSD ); VariantClear(&varSD); }
return DSR_ERROR(hr);}
//
// Cleans up after DsrAccessInfoInit
//
DWORDDsrAccessInfoCleanup( IN DSR_DOMAIN_ACCESS_INFO* pInfo){ if (pInfo) { // Cleanup the name of the DC
//
if (pInfo->pszDC) { DsrFree(pInfo->pszDC); } // Cleanup the ace applications
//
DsrAceAppCleanup(pInfo->pAcesUser, pInfo->dwAceCountUser); DsrAceAppCleanup(pInfo->pAcesNt4, pInfo->dwAceCountNt4); DsrAceAppCleanup(pInfo->pAcesW2k, pInfo->dwAceCountW2k);
// Release the hold on domain objects
//
DSR_RELEASE(pInfo->pUserClass); DSR_RELEASE(pInfo->pRootDse); DSR_RELEASE(pInfo->pDomain);
DsrFree(pInfo); }
return NO_ERROR;}
//
// Generates aces from the default user SD
//
HRESULTDsrAccessInfoGenerateUserAces( IN OUT DSR_DOMAIN_ACCESS_INFO* pInfo){ DSR_ACE_DESCRIPTOR* pAceSrc = NULL, *pAceList = NULL; DSR_ACE_APPLICATION* pAceApp = NULL; DWORD i, dwAceCount = 0; HRESULT hr = S_OK; VARIANT var;
VariantInit(&var);
do { // Read in the default user SD
//
hr = pInfo->pUserClass->Get((PWCHAR)pszDefSecurityDesc, &var); DSR_BREAK_ON_FAILED_HR(hr);
// Generate a list of ACE descriptors based on the
// default user SD.
//
hr = DsrAceDescListFromString( pInfo->pszDC, V_BSTR(&var), &pAceList, &dwAceCount); DSR_BREAK_ON_FAILED_HR(hr);
// Initialize a new array of ace applications big enough
// to hold the hard coded ones plus the ones we just read
// from the default SD of the user class.
//
pInfo->pAcesUser = (DSR_ACE_APPLICATION*) DsrAlloc((sizeof(DSR_ACE_APPLICATION) * dwAceCount), TRUE); if (pInfo->pAcesUser == NULL) { hr = E_OUTOFMEMORY; break; }
// Add the ACEs we read from the default user SD
//
pAceApp = pInfo->pAcesUser; for (i = 0, pAceSrc = pAceList; i < dwAceCount; i++, pAceSrc++, pAceApp++) { pAceApp->pObject = pInfo->pDomain; pAceApp->pObject->AddRef(); CopyMemory( &(pAceApp->Ace), pAceSrc, sizeof(DSR_ACE_DESCRIPTOR)); pInfo->dwAceCountUser++;
// As we append the aces, we need to modify them
// so that they apply only to user objects in the
// domain.
pAceApp->Ace.bstrInheritedObjectType = SysAllocString(pszGuidUserClass); pAceApp->Ace.dwAceFlags = DSR_ADS_ACE_INHERITED; pAceApp->Ace.dwFlags |= ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT; if (pAceApp->Ace.dwAceType == ADS_ACETYPE_ACCESS_ALLOWED) { pAceApp->Ace.dwAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT; } else if (pAceApp->Ace.dwAceType == ADS_ACETYPE_ACCESS_DENIED) { pAceApp->Ace.dwAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT; } } } while (FALSE);
// Cleanup
{ DSR_FREE(pAceList); VariantClear(&var); }
return hr;}
//
// Generates the information needed to enable nt4 ras
// servers in a domain
//
HRESULTDsrAccessInfoInit( IN PWCHAR pszDomain, OUT DSR_DOMAIN_ACCESS_INFO** ppInfo){ DSR_DOMAIN_ACCESS_INFO* pInfo = NULL; IADsContainer* pDomContainer = NULL, *pSchemaContainer = NULL; IADs* pDomain = NULL; IDispatch* pDispatch = NULL; PDOMAIN_CONTROLLER_INFO pDomainInfo = NULL; HRESULT hr = S_OK;
do { // Allocate and zero the return value
//
pInfo = (DSR_DOMAIN_ACCESS_INFO*) DsrAlloc(sizeof(DSR_DOMAIN_ACCESS_INFO), TRUE); if (pInfo == NULL) { DSR_BREAK_ON_FAILED_HR(hr = E_OUTOFMEMORY); }
// Get the name of a DC to query when needed
//
hr = DsGetDcNameW( NULL, pszDomain, NULL, NULL, DS_DIRECTORY_SERVICE_REQUIRED, &pDomainInfo); if (hr != NO_ERROR) { hr = HRESULT_FROM_WIN32(hr); break; }
// Copy the string
//
pInfo->pszDC = (PWCHAR) DsrAlloc( (wcslen(pDomainInfo->DomainControllerName) + 1) * sizeof(WCHAR), FALSE); if (pInfo->pszDC == NULL) { hr = E_OUTOFMEMORY; break; } wcscpy(pInfo->pszDC, pDomainInfo->DomainControllerName);
// Get the well known domain containers
//
hr = DsrDomainGetContainers( pszDomain, &(pInfo->pRootDse), &pDomContainer, &pSchemaContainer); DSR_BREAK_ON_FAILED_HR( hr );
// Get the interface to the domain object
//
hr = pDomContainer->QueryInterface( IID_IADs, (VOID**)&pDomain); DSR_BREAK_ON_FAILED_HR( hr ); pInfo->pDomain = pDomain; pInfo->pDomain->AddRef();
// Get the reference to the user class in the
// schema
hr = pSchemaContainer->GetObject( (PWCHAR)pszUserClass, (PWCHAR)pszUserCN, &pDispatch); DSR_BREAK_ON_FAILED_HR( hr ); hr = pDispatch->QueryInterface( IID_IADs, (VOID**)&(pInfo->pUserClass)); DSR_BREAK_ON_FAILED_HR( hr );
// Generate the ACEs from the default user SD
//
hr = DsrAccessInfoGenerateUserAces(pInfo); DSR_BREAK_ON_FAILED_HR( hr );
// Create ace applications for all of the nt4
// aces
hr = DsrAceAppFromAppDesc( g_pAcesNt4, sizeof(g_pAcesNt4) / sizeof(*g_pAcesNt4), pDomContainer, pDomain, &(pInfo->pAcesNt4), &(pInfo->dwAceCountNt4)); DSR_BREAK_ON_FAILED_HR( hr );
// Create ace applications for all of the w2k
// aces
hr = DsrAceAppFromAppDesc( g_pAcesW2k, sizeof(g_pAcesW2k) / sizeof(*g_pAcesW2k), pDomContainer, pDomain, &(pInfo->pAcesW2k), &(pInfo->dwAceCountW2k)); DSR_BREAK_ON_FAILED_HR( hr );
// Assign the return value
*ppInfo = pInfo;
} while (FALSE);
// Cleanup
//
{ DSR_RELEASE(pDomain); DSR_RELEASE(pDomContainer); DSR_RELEASE(pSchemaContainer); DSR_RELEASE(pDispatch); if (FAILED (hr)) { DsrAccessInfoCleanup(pInfo); } if (pDomainInfo) { NetApiBufferFree(pDomainInfo); } }
return hr;}
//
// Discovers the access mode of the domain currently.
//
// Assumes COM is initialized
//
HRESULTDsrDomainQueryAccessEx( IN PWCHAR pszDomain, OUT LPDWORD lpdwAccessFlags, OUT DSR_DOMAIN_ACCESS_INFO** ppInfo){ DSR_DOMAIN_ACCESS_INFO* pInfo = NULL; HRESULT hr = S_OK; BOOL bOk = FALSE;
if (lpdwAccessFlags == NULL) { return ERROR_INVALID_PARAMETER; }
do { // Initialize
//
*lpdwAccessFlags = 0; // Read in the info that tells us what ACE's
// need to be set.
//
hr = DsrAccessInfoInit( pszDomain, &pInfo); DSR_BREAK_ON_FAILED_HR( hr );
// Check for nt4 level access
//
bOk = FALSE; hr = DsrAceAppQueryPresence( pInfo->pszDC, pInfo->pAcesNt4, pInfo->dwAceCountNt4, &bOk); DSR_BREAK_ON_FAILED_HR(hr);
// If we don't have nt4 access, we have no access
//
if (bOk == FALSE) { *lpdwAccessFlags = 0; break; } *lpdwAccessFlags |= MPRFLAG_DOMAIN_NT4_SERVERS;
// Check for w2k level access
//
bOk = FALSE; hr = DsrAceAppQueryPresence( pInfo->pszDC, pInfo->pAcesW2k, pInfo->dwAceCountW2k, &bOk); DSR_BREAK_ON_FAILED_HR(hr);
// If we don't have w2k access, no need to proceed
//
if (bOk == FALSE) { break; } *lpdwAccessFlags |= MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS;
} while (FALSE);
// Cleanup
{ if (FAILED(hr)) { if (pInfo) { DsrAccessInfoCleanup(pInfo); } } else { *ppInfo = pInfo; } }
return hr;}
//
// Returns the access level of the given domain
//
DWORDDsrDomainQueryAccess( IN PWCHAR pszDomain, OUT LPDWORD lpdwAccessFlags){ DSR_DOMAIN_ACCESS_INFO* pInfo = NULL; HRESULT hr = S_OK;
do { // Initialize
hr = DsrComIntialize(); DSR_BREAK_ON_FAILED_HR( hr );
// Query the access
hr = DsrDomainQueryAccessEx( pszDomain, lpdwAccessFlags, &pInfo); DSR_BREAK_ON_FAILED_HR(hr); } while (FALSE);
// Cleanup
{ if (pInfo) { DsrAccessInfoCleanup(pInfo); }
DsrComUninitialize(); }
return DSR_ERROR(hr);}
//
// Sets the ACES in the given domain to enable nt4 servers
//
DWORDDsrDomainSetAccess( IN PWCHAR pszDomain, IN DWORD dwAccessFlags){ DSR_DOMAIN_ACCESS_INFO* pInfo = NULL; HRESULT hr = S_OK; BOOL bClean = TRUE; DWORD dwCurAccess = 0;
do { // Initialize
hr = DsrComIntialize(); DSR_BREAK_ON_FAILED_HR( hr );
DsrTraceEx( 0, "DsrDomainSetAccess: Req: %x", dwAccessFlags); // W2k mode always implies nt4 mode as well
//
if (dwAccessFlags & MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS) { dwAccessFlags |= MPRFLAG_DOMAIN_NT4_SERVERS; }
// Discover the current access on the domain and
// initialize the info we need
//
hr = DsrDomainQueryAccessEx( pszDomain, &dwCurAccess, &pInfo); DSR_BREAK_ON_FAILED_HR(hr);
DsrTraceEx( 0, "DsrDomainSetAccess: Cur: %x", dwCurAccess);
// Remove all appropriate aces if the requested access
// is none.
if (dwAccessFlags == 0) { // Remove the nt4 mode aces if needed
//
if (dwCurAccess & MPRFLAG_DOMAIN_NT4_SERVERS) { hr = DsrAceAppRemove( pInfo->pszDC, pInfo->pAcesUser, pInfo->dwAceCountUser); DSR_BREAK_ON_FAILED_HR(hr); hr = DsrAceAppRemove( pInfo->pszDC, pInfo->pAcesNt4, pInfo->dwAceCountNt4); DSR_BREAK_ON_FAILED_HR(hr); }
// Remove the w2k mode aces if needed
//
if (dwCurAccess & MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS) { hr = DsrAceAppRemove( pInfo->pszDC, pInfo->pAcesW2k, pInfo->dwAceCountW2k); DSR_BREAK_ON_FAILED_HR(hr); } }
// Set nt4 mode if needed
//
if (dwAccessFlags & MPRFLAG_DOMAIN_NT4_SERVERS) { // Remove w2k level access if needed
//
if ((!(dwAccessFlags & MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS)) && (dwCurAccess & MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS)) { hr = DsrAceAppRemove( pInfo->pszDC, pInfo->pAcesW2k, pInfo->dwAceCountW2k); DSR_BREAK_ON_FAILED_HR(hr); }
// Add nt4 level access if needed
//
if (! (dwCurAccess & MPRFLAG_DOMAIN_NT4_SERVERS)) { hr = DsrAceAppAdd( pInfo->pszDC, pInfo->pAcesUser, pInfo->dwAceCountUser); DSR_BREAK_ON_FAILED_HR(hr); hr = DsrAceAppAdd( pInfo->pszDC, pInfo->pAcesNt4, pInfo->dwAceCountNt4); DSR_BREAK_ON_FAILED_HR(hr); } }
// Set w2k mode if needed
//
if (dwAccessFlags & MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS) { if (!(dwCurAccess & MPRFLAG_DOMAIN_W2K_IN_NT4_DOMAINS)) { hr = DsrAceAppAdd( pInfo->pszDC, pInfo->pAcesW2k, pInfo->dwAceCountW2k); DSR_BREAK_ON_FAILED_HR(hr); } } } while (FALSE);
// Cleanup
{ if (pInfo) { DsrAccessInfoCleanup(pInfo); } DsrComUninitialize(); }
return DSR_ERROR(hr);}
|
