archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
0 Tags
3.8 GiB
Tree: 75c48ba87f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '75c48ba87f'
${ noResults }
windows-xp/Source/XPSP1/NT/base/ntsetup/syssetup/security.c

1154 lines
28 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1995 Microsoft Corporation
  5. Module Name:
  7. security.c
  9. Abstract:
  11. Routines to deal with security, user accounts, etc.
  13. Externally exposed routines:
  15. SignalLsa
  16. CreateSamEvent
  17. WaitForSam
  19. SetAccountsDomainSid
  20. CreateLocalAdminAccount
  21. CreateLocalUserAccount
  22. SetLocalUserPassword
  24. Author:
  26. Ted Miller (tedm) 5-Apr-1995
  27. adapted from legacy\dll\security.c
  29. Revision History:
  31. --*/
  33. #include "setupp.h"
  34. #include <Lmaccess.h>
  35. #pragma hdrstop
  38. PCWSTR SamEventName = L"\\SAM_SERVICE_STARTED";
  40. PCWSTR SsiAccountNamePostfix = L"$";
  41. PCWSTR SsiSecretName = L"$MACHINE.ACC";
  43. #define DOMAIN_NAME_MAX 33
  44. #define PASSWORD_MAX 14
  46. //
  47. // Constants used for logging that are specific to this source file.
  48. //
  49. PCWSTR szLsaOpenPolicy = L"LsaOpenPolicy";
  50. PCWSTR szLsaSetInformationPolicy = L"LsaSetInformationPolicy";
  51. PCWSTR szLsaQueryInformationPolicy = L"LsaQueryInformationPolicy";
  52. PCWSTR szNtSetEvent = L"NtSetEvent";
  53. PCWSTR szNtCreateEvent = L"NtCreateEvent";
  54. PCWSTR szSamConnect = L"SamConnect";
  55. PCWSTR szGetAccountsDomainName = L"GetAccountsDomainName";
  56. PCWSTR szSamLookupDomainInSamServer = L"SamLookupDomainInSamServer";
  57. PCWSTR szSamOpenDomain = L"SamOpenDomain";
  58. PCWSTR szSamEnumerateUsersInDomain = L"SamEnumerateUsersInDomain";
  59. PCWSTR szSamOpenUser = L"SamOpenUser";
  60. PCWSTR szSamChangePasswordUser = L"SamChangePasswordUser";
  61. PCWSTR szSamCreateUserInDomain = L"SamCreateUserInDomain";
  62. PCWSTR szSamQueryInformationUser = L"SamQueryInformationUser";
  63. PCWSTR szSamSetInformationUser = L"SamSetInformationUser";
  64. PCWSTR szMyAddLsaSecretObject = L"MyAddLsaSecretObject";
  67. VOID
  68. SetupLsaInitObjectAttributes(
  69. IN OUT POBJECT_ATTRIBUTES ObjectAttributes,
  70. IN OUT PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
  71. );
  73. BOOL
  74. GetAccountsDomainName(
  75. IN LSA_HANDLE hPolicy, OPTIONAL
  76. OUT PWSTR Name,
  77. IN DWORD NameBufferSize
  78. );
  80. LSA_HANDLE
  81. OpenLsaPolicy(
  82. VOID
  83. );
  85. PSID
  86. CreateSidFromSidAndRid(
  87. IN PSID DomainSid,
  88. IN DWORD Rid
  89. );
  91. NTSTATUS
  92. MyAddLsaSecretObject(
  93. IN PCWSTR Password
  94. );
  97. BOOL
  98. SetAccountsDomainSid(
  99. IN DWORD Seed,
  100. IN PCWSTR DomainName
  101. )
  103. /*++
  105. Routine Description:
  107. Routine to set the sid of the AccountDomain.
  109. Arguments:
  111. Seed - The seed is used to generate a unique Sid. The seed should
  112. be generated by looking at the systemtime before and after
  113. a dialog and subtracting the milliseconds field.
  115. DomainName - supplies name to give to local domain
  117. Return value:
  119. Boolean value indicating outcome.
  121. --*/
  123. {
  124. PSID Sid;
  125. PSID SidPrimary ;
  126. OBJECT_ATTRIBUTES ObjectAttributes;
  127. SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
  128. LSA_HANDLE PolicyHandle = NULL;
  129. PPOLICY_ACCOUNT_DOMAIN_INFO PolicyCurrentAccountDomainInfo = NULL;
  130. NTSTATUS Status;
  131. BOOL bResult;
  133. //
  134. //
  135. // Open the LSA Policy object to set the account domain sid. The access
  136. // mask needed for this is POLICY_TRUST_ADMIN.
  137. //
  138. SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
  140. Status = LsaOpenPolicy(NULL,&ObjectAttributes,MAXIMUM_ALLOWED,&PolicyHandle);
  141. if(!NT_SUCCESS(Status)) {
  143. SetuplogError(
  144. LogSevError,
  145. SETUPLOG_USE_MESSAGEID,
  146. MSG_LOG_SETACCOUNTDOMAINSID, NULL,
  147. SETUPLOG_USE_MESSAGEID,
  148. MSG_LOG_X_RETURNED_NTSTATUS,
  149. szLsaOpenPolicy,
  150. Status,
  151. NULL,NULL);
  153. return(FALSE);
  154. }
  156. Status = LsaQueryInformationPolicy(
  157. PolicyHandle,
  158. PolicyAccountDomainInformation,
  159. &PolicyCurrentAccountDomainInfo
  160. );
  162. if(NT_SUCCESS(Status)) {
  164. RtlInitUnicodeString(&PolicyCurrentAccountDomainInfo->DomainName,DomainName);
  167. Status = LsaSetInformationPolicy(
  168. PolicyHandle,
  169. PolicyAccountDomainInformation,
  170. (PVOID) PolicyCurrentAccountDomainInfo
  171. );
  173. LsaFreeMemory( PolicyCurrentAccountDomainInfo );
  174. }
  176. if(NT_SUCCESS(Status)) {
  177. bResult = TRUE;
  178. } else {
  179. bResult = FALSE;
  180. SetuplogError(
  181. LogSevError,
  182. SETUPLOG_USE_MESSAGEID,
  183. MSG_LOG_SETACCOUNTDOMAINSID, NULL,
  184. SETUPLOG_USE_MESSAGEID,
  185. MSG_LOG_X_RETURNED_NTSTATUS,
  186. szLsaSetInformationPolicy,
  187. Status,
  188. NULL,NULL);
  189. }
  191. LsaClose(PolicyHandle);
  192. return(bResult);
  193. }
  196. VOID
  197. SetupLsaInitObjectAttributes(
  198. IN OUT POBJECT_ATTRIBUTES ObjectAttributes,
  199. IN OUT PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
  200. )
  202. /*++
  204. Routine Description:
  206. This function initializes the given Object Attributes structure, including
  207. Security Quality Of Service. Memory must be allcated for both
  208. ObjectAttributes and Security QOS by the caller. Borrowed from
  209. lsa
  211. Arguments:
  213. ObjectAttributes - Pointer to Object Attributes to be initialized.
  215. SecurityQualityOfService - Pointer to Security QOS to be initialized.
  217. Return Value:
  219. None.
  221. --*/
  223. {
  224. SecurityQualityOfService->Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
  225. SecurityQualityOfService->ImpersonationLevel = SecurityImpersonation;
  226. SecurityQualityOfService->ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
  227. SecurityQualityOfService->EffectiveOnly = FALSE;
  229. InitializeObjectAttributes(ObjectAttributes,NULL,0,NULL,NULL);
  230. //
  231. // The InitializeObjectAttributes macro presently stores NULL for
  232. // the SecurityQualityOfService field, so we must manually copy that
  233. // structure for now.
  234. //
  235. ObjectAttributes->SecurityQualityOfService = SecurityQualityOfService;
  236. }
  239. BOOL
  240. CreateLocalUserAccount(
  241. IN PCWSTR UserName,
  242. IN PCWSTR Password,
  243. IN PSID* PointerToUserSid OPTIONAL
  244. )
  245. /*++
  247. Routine Description:
  249. Routine to add a local user account to the AccountDomain. This account
  250. is created with the password indicated.
  252. Arguments:
  254. UserName - supplies name for user account
  256. Password - supplies initial password for user account.
  258. PointerToUserSid - If this argument is present, then on return it will contain the
  259. pointer to the user sid. It is the responsibility of the caller
  260. to free the Sid, using MyFree.
  262. Return value:
  264. Boolean value indicating outcome.
  266. --*/
  268. {
  269. return (NT_SUCCESS(CreateLocalAdminAccount(UserName,
  270. Password,
  271. PointerToUserSid
  272. )
  273. )
  274. );
  275. }
  277. NTSTATUS
  278. CreateLocalAdminAccountEx(
  279. IN PCWSTR UserName,
  280. IN PCWSTR Password,
  281. IN PCWSTR Description,
  282. IN PSID* PointerToUserSid OPTIONAL
  283. )
  285. /*++
  287. Routine Description:
  289. Routine to add a local user account to the AccountDomain. This account
  290. has ADMINISTRATOR priveledges and is created with the password indicated.
  292. Arguments:
  294. UserName - supplies name for user account
  296. Password - supplies initial password for user account.
  298. Description - Description that appears in user manager.
  300. PointerToUserSid - If this argument is present, then on return it will contain the
  301. pointer to the user sid. It is the responsibility of the caller
  302. to free the Sid, using MyFree.
  304. Return value:
  306. Boolean value indicating outcome.
  308. --*/
  309. {
  310. OBJECT_ATTRIBUTES ObjectAttributes;
  311. SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
  312. UNICODE_STRING UnicodeString;
  313. SAM_HANDLE ServerHandle;
  314. SAM_HANDLE DomainHandle;
  315. SAM_HANDLE UserHandle;
  316. SAM_HANDLE AliasHandle;
  317. SAM_HANDLE BuiltinDomainHandle;
  318. WCHAR AccountsDomainName[DOMAIN_NAME_MAX];
  319. NTSTATUS Status;
  320. PSID BuiltinDomainId;
  321. PSID UserSid;
  322. ULONG User_RID;
  323. PUSER_CONTROL_INFORMATION UserControlInfo;
  324. USER_SET_PASSWORD_INFORMATION UserPasswordInfo;
  325. LSA_HANDLE PolicyHandle = NULL;
  326. PPOLICY_ACCOUNT_DOMAIN_INFO PolicyCurrentAccountDomainInfo = NULL;
  327. USER_ADMIN_COMMENT_INFORMATION AdminCommentInfo;
  329. //
  330. // Use SamConnect to connect to the local domain ("") and get a handle
  331. // to the local sam server.
  332. //
  333. SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
  334. RtlInitUnicodeString(&UnicodeString,L"");
  335. Status = SamConnect(
  336. &UnicodeString,
  337. &ServerHandle,
  338. SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
  339. &ObjectAttributes
  340. );
  342. if(!NT_SUCCESS(Status)) {
  343. goto err0;
  344. }
  346. //
  347. // Use the LSA to retrieve the name of the Accounts domain.
  348. //
  349. if(!GetAccountsDomainName(NULL,AccountsDomainName,DOMAIN_NAME_MAX)) {
  350. goto err1;
  351. }
  353. //
  354. // Open the AccountDomain. First find the Sid for this
  355. // in the Sam and then open the domain using this sid
  356. //
  357. //
  358. // Open the LSA Policy object to set the account domain sid.
  359. //
  360. SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
  362. Status = LsaOpenPolicy(NULL,&ObjectAttributes,MAXIMUM_ALLOWED,&PolicyHandle);
  363. if(NT_SUCCESS(Status)) {
  365. Status = LsaQueryInformationPolicy(
  366. PolicyHandle,
  367. PolicyAccountDomainInformation,
  368. &PolicyCurrentAccountDomainInfo
  369. );
  371. if(NT_SUCCESS(Status)) {
  373. Status = SamOpenDomain(
  374. ServerHandle,
  375. DOMAIN_READ | DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP |
  376. DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_CREATE_USER,
  377. PolicyCurrentAccountDomainInfo->DomainSid,
  378. &DomainHandle
  379. );
  380. }
  382. LsaClose( PolicyHandle );
  383. }
  385. if (!NT_SUCCESS(Status)) {
  386. goto err2;
  387. }
  389. //
  390. // Use SamCreateUserInDomain to create a new user with the username
  391. // specified. This user account is created disabled with the
  392. // password not required.
  393. //
  394. RtlInitUnicodeString(&UnicodeString,UserName);
  395. Status = SamCreateUserInDomain(
  396. DomainHandle,
  397. &UnicodeString,
  398. //USER_READ_ACCOUNT | USER_WRITE_ACCOUNT | USER_FORCE_PASSWORD_CHANGE,
  399. USER_ALL_ACCESS,
  400. &UserHandle,
  401. &User_RID
  402. );
  404. if(!NT_SUCCESS(Status)) {
  405. goto err3;
  406. }
  408. //
  409. // Query all the default control information about the user added
  410. //
  411. Status = SamQueryInformationUser(UserHandle,UserControlInformation,&UserControlInfo);
  412. if(!NT_SUCCESS(Status)) {
  413. goto err4;
  414. }
  416. //
  417. // If the password is a Null password, make sure the
  418. // password_not required bit is set before the null
  419. // password is set.
  420. //
  421. if(!Password[0]) {
  422. UserControlInfo->UserAccountControl |= USER_PASSWORD_NOT_REQUIRED;
  423. Status = SamSetInformationUser(UserHandle,UserControlInformation,UserControlInfo);
  424. if(!NT_SUCCESS(Status)) {
  425. goto err5;
  426. }
  427. }
  429. //
  430. // Set the password ( NULL or non NULL )
  431. //
  432. RtlInitUnicodeString(&UserPasswordInfo.Password,Password);
  433. UserPasswordInfo.PasswordExpired = FALSE;
  434. Status = SamSetInformationUser(UserHandle,UserSetPasswordInformation,&UserPasswordInfo);
  435. if(!NT_SUCCESS(Status)) {
  436. goto err5;
  437. }
  440. //
  441. // Set the information bits - User Password not required is cleared
  442. // The normal account bit is enabled and the account disabled bit
  443. // is also reset
  444. //
  445. UserControlInfo->UserAccountControl &= ~USER_PASSWORD_NOT_REQUIRED;
  446. UserControlInfo->UserAccountControl &= ~USER_ACCOUNT_DISABLED;
  447. UserControlInfo->UserAccountControl |= USER_NORMAL_ACCOUNT;
  448. Status = SamSetInformationUser(UserHandle,UserControlInformation,UserControlInfo);
  449. if(!NT_SUCCESS(Status)) {
  450. goto err5;
  451. }
  454. // Set the description is one is given
  455. //
  456. if ( Description[0])
  457. {
  458. // Convert description to unicode string
  459. //
  460. RtlInitUnicodeString(&AdminCommentInfo.AdminComment,Description);
  462. // We do not care if this fails and therefore will not set the status
  463. //
  464. SamSetInformationUser(UserHandle,UserAdminCommentInformation,&AdminCommentInfo);
  465. }
  467. //
  468. // If this is a non-standlone server we're done.
  469. //
  470. if(ISDC(ProductType)) {
  471. Status = STATUS_SUCCESS;
  472. goto err5;
  473. }
  475. //
  476. // Finally add this to the administrators alias in the BuiltIn Domain
  477. //
  478. RtlInitUnicodeString(&UnicodeString,L"Builtin");
  479. Status = SamLookupDomainInSamServer(ServerHandle,&UnicodeString,&BuiltinDomainId);
  480. if(!NT_SUCCESS(Status)) {
  481. goto err5;
  482. }
  484. Status = SamOpenDomain(
  485. ServerHandle,
  486. DOMAIN_READ | DOMAIN_ADMINISTER_SERVER | DOMAIN_EXECUTE,
  487. BuiltinDomainId,
  488. &BuiltinDomainHandle
  489. );
  491. if(!NT_SUCCESS(Status)) {
  492. goto err6;
  493. }
  495. UserSid = CreateSidFromSidAndRid(PolicyCurrentAccountDomainInfo->DomainSid,User_RID);
  496. if(!UserSid) {
  497. goto err7;
  498. }
  500. Status = SamOpenAlias(BuiltinDomainHandle,ALIAS_ADD_MEMBER,DOMAIN_ALIAS_RID_ADMINS,&AliasHandle);
  501. if(!NT_SUCCESS(Status)) {
  502. goto err8;
  503. }
  505. Status = SamAddMemberToAlias(AliasHandle,UserSid);
  506. if(!NT_SUCCESS(Status)) {
  507. goto err9;
  508. }
  510. MYASSERT(NT_SUCCESS(Status));
  512. err9:
  513. SamCloseHandle(AliasHandle);
  514. err8:
  515. if(NT_SUCCESS(Status) && (PointerToUserSid != NULL )) {
  516. *PointerToUserSid = UserSid;
  517. } else {
  518. MyFree(UserSid);
  519. }
  520. err7:
  521. SamCloseHandle(BuiltinDomainHandle);
  522. err6:
  523. SamFreeMemory(BuiltinDomainId);
  524. err5:
  525. SamFreeMemory(UserControlInfo);
  526. err4:
  527. SamCloseHandle(UserHandle);
  528. err3:
  529. SamCloseHandle(DomainHandle);
  530. err2:
  531. LsaFreeMemory( PolicyCurrentAccountDomainInfo );
  532. err1:
  533. SamCloseHandle(ServerHandle);
  534. err0:
  535. return(Status);
  536. }
  539. NTSTATUS
  540. CreateLocalAdminAccount(
  541. IN PCWSTR UserName,
  542. IN PCWSTR Password,
  543. IN PSID* PointerToUserSid OPTIONAL
  544. )
  545. /*++
  547. Routine Description:
  549. Please see CreateLocalAdminAccountEx description.
  552. --*/
  553. {
  554. return ( CreateLocalAdminAccountEx(UserName, Password, L"", PointerToUserSid) );
  555. }
  557. BOOL
  558. GetAccountsDomainName(
  559. IN LSA_HANDLE PolicyHandle, OPTIONAL
  560. OUT PWSTR Name,
  561. IN DWORD NameBufferSize
  562. )
  563. {
  564. POLICY_ACCOUNT_DOMAIN_INFO *pPadi;
  565. NTSTATUS Status ;
  566. BOOL PolicyOpened;
  568. PolicyOpened = FALSE;
  569. if(PolicyHandle == NULL) {
  570. if((PolicyHandle = OpenLsaPolicy()) == NULL) {
  571. return(FALSE);
  572. }
  574. PolicyOpened = TRUE;
  575. }
  577. Status = LsaQueryInformationPolicy(PolicyHandle,PolicyAccountDomainInformation,&pPadi);
  578. if(NT_SUCCESS(Status)) {
  579. if(NameBufferSize <= (pPadi->DomainName.Length/sizeof(WCHAR))) {
  580. Status = STATUS_BUFFER_TOO_SMALL;
  581. } else {
  582. wcsncpy(Name,pPadi->DomainName.Buffer,pPadi->DomainName.Length/sizeof(WCHAR));
  583. Name[pPadi->DomainName.Length/sizeof(WCHAR)] = 0;
  584. }
  585. LsaFreeMemory(pPadi);
  586. }
  588. if(PolicyOpened) {
  589. LsaClose(PolicyHandle);
  590. }
  592. return(NT_SUCCESS(Status));
  593. }
  596. LSA_HANDLE
  597. OpenLsaPolicy(
  598. VOID
  599. )
  600. {
  601. OBJECT_ATTRIBUTES ObjectAttributes;
  602. SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
  603. LSA_HANDLE PolicyHandle;
  604. NTSTATUS Status;
  606. PolicyHandle = NULL;
  607. SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
  608. Status = LsaOpenPolicy(NULL,&ObjectAttributes,GENERIC_EXECUTE,&PolicyHandle);
  610. return(NT_SUCCESS(Status) ? PolicyHandle : NULL);
  611. }
  614. PSID
  615. CreateSidFromSidAndRid(
  616. IN PSID DomainSid,
  617. IN DWORD Rid
  618. )
  620. /*++
  622. Routine Description:
  624. This function creates a domain account sid given a domain sid and
  625. the relative id of the account within the domain.
  627. Arguments:
  629. DomainSid - supplies sid for domain of account
  631. Rid - supplies relative id of account
  633. Return Value:
  635. Pointer to Sid, or NULL on failure.
  636. The returned Sid must be freed with MyFree.
  638. --*/
  639. {
  641. NTSTATUS Status;
  642. PSID AccountSid;
  643. UCHAR AccountSubAuthorityCount;
  644. ULONG AccountSidLength;
  645. PULONG RidLocation;
  647. AccountSubAuthorityCount = *RtlSubAuthorityCountSid(DomainSid) + (UCHAR)1;
  648. AccountSidLength = RtlLengthRequiredSid(AccountSubAuthorityCount);
  650. if(AccountSid = (PSID)MyMalloc(AccountSidLength)) {
  651. //
  652. // Copy the domain sid into the first part of the account sid
  653. //
  654. Status = RtlCopySid(AccountSidLength, AccountSid, DomainSid);
  656. //
  657. // Increment the account sid sub-authority count
  658. //
  659. *RtlSubAuthorityCountSid(AccountSid) = AccountSubAuthorityCount;
  661. //
  662. // Add the rid as the final sub-authority
  663. //
  664. RidLocation = RtlSubAuthoritySid(AccountSid, AccountSubAuthorityCount - 1);
  665. *RidLocation = Rid;
  666. }
  668. return(AccountSid);
  669. }
  672. BOOL
  673. SetLocalUserPassword(
  674. IN PCWSTR AccountName,
  675. IN PCWSTR OldPassword,
  676. IN PCWSTR NewPassword
  677. )
  679. /*++
  681. Routine Description:
  683. Change the password for the local user account.
  685. Arguments:
  687. Return value:
  689. Boolean value indicating outcome.
  691. --*/
  693. {
  694. NTSTATUS Status;
  695. BOOL b;
  696. UNICODE_STRING UnicodeString;
  697. UNICODE_STRING OtherUnicodeString;
  698. SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
  699. OBJECT_ATTRIBUTES ObjectAttributes;
  700. WCHAR AccountsDomainName[DOMAIN_NAME_MAX];
  701. SAM_HANDLE ServerHandle;
  702. SAM_HANDLE DomainHandle;
  703. SAM_HANDLE UserHandle;
  704. BOOL UserFound;
  705. SAM_ENUMERATE_HANDLE EnumerationContext;
  706. SAM_RID_ENUMERATION *SamRidEnumeration;
  707. UINT i;
  708. UINT CountOfEntries;
  709. ULONG UserRid;
  710. LSA_HANDLE PolicyHandle = NULL;
  711. PPOLICY_ACCOUNT_DOMAIN_INFO PolicyCurrentAccountDomainInfo = NULL;
  713. b = FALSE;
  715. //
  716. // Use SamConnect to connect to the local domain ("") and get a handle
  717. // to the local sam server
  718. //
  719. SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
  720. RtlInitUnicodeString(&UnicodeString,L"");
  721. Status = SamConnect(
  722. &UnicodeString,
  723. &ServerHandle,
  724. SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN,
  725. &ObjectAttributes
  726. );
  728. if(!NT_SUCCESS(Status)) {
  729. SetuplogError(
  730. LogSevWarning,
  731. SETUPLOG_USE_MESSAGEID,
  732. MSG_LOG_CHANGING_PW_FAIL,
  733. AccountName, NULL,
  734. SETUPLOG_USE_MESSAGEID,
  735. MSG_LOG_X_RETURNED_NTSTATUS,
  736. szSamConnect,
  737. Status,
  738. NULL,NULL);
  739. goto err0;
  740. }
  742. //
  743. // Use the LSA to retrieve the name of the Accounts domain.
  744. //
  745. if(!GetAccountsDomainName(NULL,AccountsDomainName,DOMAIN_NAME_MAX)) {
  746. SetuplogError(
  747. LogSevWarning,
  748. SETUPLOG_USE_MESSAGEID,
  749. MSG_LOG_CHANGING_PW_FAIL,
  750. AccountName, NULL,
  751. SETUPLOG_USE_MESSAGEID,
  752. MSG_LOG_X_RETURNED_STRING,
  753. szGetAccountsDomainName,
  754. szFALSE,
  755. NULL,NULL);
  756. goto err1;
  757. }
  759. //
  760. // Open the AccountDomain. First find the Sid for this
  761. // in the Sam and then open the domain using this sid.
  762. //
  764. //
  765. // Get the AccountDomainSid from the Lsa
  766. //
  768. //
  769. //
  770. // Open the LSA Policy object to set the account domain sid.
  771. //
  772. SetupLsaInitObjectAttributes(&ObjectAttributes,&SecurityQualityOfService);
  774. Status = LsaOpenPolicy(NULL,&ObjectAttributes,MAXIMUM_ALLOWED,&PolicyHandle);
  775. if(NT_SUCCESS(Status)) {
  777. Status = LsaQueryInformationPolicy(
  778. PolicyHandle,
  779. PolicyAccountDomainInformation,
  780. &PolicyCurrentAccountDomainInfo
  781. );
  783. if(NT_SUCCESS(Status)) {
  785. Status = SamOpenDomain(
  786. ServerHandle,
  787. DOMAIN_READ | DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP |
  788. DOMAIN_READ_PASSWORD_PARAMETERS,
  789. PolicyCurrentAccountDomainInfo->DomainSid,
  790. &DomainHandle
  791. );
  792. LsaFreeMemory( PolicyCurrentAccountDomainInfo );
  793. }
  795. LsaClose( PolicyHandle );
  796. }
  798. if(!NT_SUCCESS(Status)) {
  799. SetuplogError(
  800. LogSevWarning,
  801. SETUPLOG_USE_MESSAGEID,
  802. MSG_LOG_CHANGING_PW_FAIL,
  803. AccountName, NULL,
  804. SETUPLOG_USE_MESSAGEID,
  805. MSG_LOG_X_PARAM_RETURNED_NTSTATUS,
  806. szSamOpenDomain,
  807. Status,
  808. AccountsDomainName,
  809. NULL,NULL);
  810. goto err2;
  811. }
  813. //
  814. // Find the account name in this domain - and extract the rid.
  815. //
  816. UserFound = FALSE;
  817. EnumerationContext = 0;
  818. RtlInitUnicodeString(&UnicodeString,AccountName);
  819. do {
  820. Status = SamEnumerateUsersInDomain(
  821. DomainHandle,
  822. &EnumerationContext,
  823. 0L,
  824. &SamRidEnumeration,
  825. 0L,
  826. &CountOfEntries
  827. );
  829. if(!NT_SUCCESS(Status) && (Status != STATUS_MORE_ENTRIES)) {
  830. SetuplogError(
  831. LogSevWarning,
  832. SETUPLOG_USE_MESSAGEID,
  833. MSG_LOG_CHANGING_PW_FAIL,
  834. AccountName, NULL,
  835. SETUPLOG_USE_MESSAGEID,
  836. MSG_LOG_X_RETURNED_NTSTATUS,
  837. szSamEnumerateUsersInDomain,
  838. Status,
  839. NULL,NULL);
  840. goto err3;
  841. }
  843. //
  844. // go through the the SamRidEnumeration buffer for count entries.
  845. //
  846. for(i = 0; (i<CountOfEntries) && !UserFound; i++ ) {
  847. if(RtlEqualUnicodeString(&UnicodeString,&SamRidEnumeration[i].Name,TRUE)) {
  848. UserRid = SamRidEnumeration[i].RelativeId;
  849. UserFound = TRUE;
  850. }
  851. }
  853. SamFreeMemory(SamRidEnumeration);
  855. } while((Status == STATUS_MORE_ENTRIES) && !UserFound);
  857. if(!UserFound) {
  858. SetuplogError(
  859. LogSevWarning,
  860. SETUPLOG_USE_MESSAGEID,
  861. MSG_LOG_CHANGING_PW_FAIL,
  862. AccountName,NULL,
  863. SETUPLOG_USE_MESSAGEID,
  864. MSG_LOG_USERNOTFOUND,
  865. NULL,NULL);
  866. goto err3;
  867. }
  869. //
  870. // Open the user
  871. //
  872. Status = SamOpenUser(
  873. DomainHandle,
  874. USER_READ_ACCOUNT | USER_WRITE_ACCOUNT | USER_CHANGE_PASSWORD | USER_FORCE_PASSWORD_CHANGE,
  875. UserRid,
  876. &UserHandle
  877. );
  879. if(!NT_SUCCESS(Status)) {
  880. SetuplogError(
  881. LogSevWarning,
  882. SETUPLOG_USE_MESSAGEID,
  883. MSG_LOG_CHANGING_PW_FAIL,
  884. AccountName, NULL,
  885. SETUPLOG_USE_MESSAGEID,
  886. MSG_LOG_X_RETURNED_NTSTATUS,
  887. szSamOpenUser,
  888. Status,
  889. NULL,NULL);
  890. goto err3;
  891. }
  893. //
  894. // Use SAM API to change the password for this Account.
  895. //
  896. RtlInitUnicodeString(&UnicodeString,OldPassword);
  897. RtlInitUnicodeString(&OtherUnicodeString,NewPassword);
  898. Status = SamChangePasswordUser(UserHandle,&UnicodeString,&OtherUnicodeString);
  899. if(!NT_SUCCESS(Status)) {
  900. SetuplogError(
  901. LogSevWarning,
  902. SETUPLOG_USE_MESSAGEID,
  903. MSG_LOG_CHANGING_PW_FAIL,
  904. AccountName, NULL,
  905. SETUPLOG_USE_MESSAGEID,
  906. MSG_LOG_X_RETURNED_NTSTATUS,
  907. szSamChangePasswordUser,
  908. Status,
  909. NULL,NULL);
  910. goto err4;
  911. }
  913. b = TRUE;
  915. err4:
  916. SamCloseHandle(UserHandle);
  917. err3:
  918. SamCloseHandle(DomainHandle);
  919. err2:
  920. err1:
  921. SamCloseHandle(ServerHandle);
  922. err0:
  923. return(b);
  924. }
  928. VOID
  929. GenerateRandomPassword(
  930. OUT PWSTR Password
  931. )
  932. {
  933. static DWORD Seed = 98725757;
  934. static PCWSTR UsableChars = L"ABCDEFGHIJKLMOPQRSTUVWYZabcdefghijklmopqrstuvwyz0123456789";
  936. UINT UsableCount;
  937. UINT i;
  939. UsableCount = lstrlen(UsableChars);
  940. Seed ^= GetCurrentTime();
  942. for(i=0; i<PASSWORD_MAX; i++) {
  943. Password[i] = UsableChars[RtlRandom(&Seed) % UsableCount];
  944. }
  946. Password[i] = 0;
  947. }
  950. NTSTATUS
  951. MyAddLsaSecretObject(
  952. IN PCWSTR Password
  953. )
  955. /*++
  957. Routine Description:
  959. Create the Secret Object necessary to support a machine account
  960. on an NT domain.
  962. Arguments:
  964. Password - supplies password to machine account
  966. Return value:
  968. NT Status code indicating outcome.
  970. --*/
  971. {
  972. UNICODE_STRING SecretName;
  973. UNICODE_STRING UnicodePassword;
  974. NTSTATUS Status;
  975. LSA_HANDLE LsaHandle;
  976. LSA_HANDLE SecretHandle;
  977. OBJECT_ATTRIBUTES ObjAttr;
  979. RtlInitUnicodeString(&SecretName,SsiSecretName) ;
  980. RtlInitUnicodeString(&UnicodePassword,Password);
  982. InitializeObjectAttributes(&ObjAttr,NULL,0,NULL,NULL);
  984. Status = LsaOpenPolicy(NULL,&ObjAttr,MAXIMUM_ALLOWED,&LsaHandle);
  985. if(NT_SUCCESS(Status)) {
  987. Status = LsaCreateSecret(LsaHandle,&SecretName,SECRET_ALL_ACCESS,&SecretHandle);
  988. if(NT_SUCCESS(Status)) {
  990. Status = LsaSetSecret(SecretHandle,&UnicodePassword,&UnicodePassword);
  991. LsaClose(SecretHandle);
  992. }
  994. LsaClose(LsaHandle);
  995. }
  997. return(Status);
  998. }
  1001. BOOL
  1002. AdjustPrivilege(
  1003. IN PCWSTR Privilege,
  1004. IN BOOL Enable
  1005. )
  1006. /*++
  1008. Routine Description:
  1010. This routine enables or disable a priviliege of the current process.
  1012. Arguments:
  1014. Privilege - String with the name of the privilege to be adjusted.
  1016. Enable - TRUE if the privilege is to be enabled.
  1017. FALSE if the privilege is to be disabled.
  1019. Return Value:
  1021. Returns TRUE if the privilege could be adjusted.
  1022. Returns FALSE, otherwise.
  1025. --*/
  1026. {
  1027. HANDLE TokenHandle;
  1028. LUID_AND_ATTRIBUTES LuidAndAttributes;
  1030. TOKEN_PRIVILEGES TokenPrivileges;
  1033. if( !OpenProcessToken( GetCurrentProcess(),
  1034. TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
  1035. &TokenHandle ) ) {
  1036. SetupDebugPrint1(L"SYSSETUP: OpenProcessToken() failed. Error = %d \n", GetLastError() );
  1037. return( FALSE );
  1038. }
  1041. if( !LookupPrivilegeValue( NULL,
  1042. Privilege,
  1043. &( LuidAndAttributes.Luid ) ) ) {
  1044. SetupDebugPrint1(L"SYSSETUP: LookupPrivilegeValue failed, Error = %d \n", GetLastError() );
  1045. CloseHandle( TokenHandle );
  1046. return( FALSE );
  1047. }
  1049. if( Enable ) {
  1050. LuidAndAttributes.Attributes |= SE_PRIVILEGE_ENABLED;
  1051. } else {
  1052. LuidAndAttributes.Attributes &= ~SE_PRIVILEGE_ENABLED;
  1053. }
  1055. TokenPrivileges.PrivilegeCount = 1;
  1056. TokenPrivileges.Privileges[0] = LuidAndAttributes;
  1058. if( !AdjustTokenPrivileges( TokenHandle,
  1059. FALSE,
  1060. &TokenPrivileges,
  1061. 0,
  1062. NULL,
  1063. NULL ) ) {
  1064. SetupDebugPrint1(L"SYSSETUP: AdjustTokenPrivileges failed, Error = %d \n", GetLastError() );
  1065. CloseHandle( TokenHandle );
  1066. return( FALSE );
  1067. }
  1069. CloseHandle( TokenHandle );
  1070. return( TRUE );
  1071. }
  1074. NTSTATUS
  1075. DisableLocalUserAccount(
  1076. PWSTR AccountName
  1077. )
  1078. /*++
  1080. Routine Description:
  1082. This routine disables the local administrator account.
  1084. Arguments:
  1086. AccountName - Name of the local account to be disabled.
  1088. Return Value:
  1090. NTSTATUS, depending on the outcome of the operations.
  1092. --*/
  1094. {
  1095. LONG rc;
  1096. PUSER_INFO_1 ui1;
  1099. // Get the info.
  1100. rc = NetUserGetInfo( NULL,
  1101. AccountName,
  1102. 1,
  1103. (PBYTE *)(&ui1) );
  1105. if( rc == NO_ERROR ) {
  1107. // set the disable flag and store the info back out.
  1108. ui1->usri1_flags |= UF_ACCOUNTDISABLE;
  1110. rc = NetUserSetInfo( NULL,
  1111. AccountName,
  1112. 1,
  1113. (PBYTE)ui1,
  1114. NULL );
  1116. NetApiBufferFree((PVOID)ui1);
  1117. }
  1119. return rc;
  1120. }
  1123. NTSTATUS
  1124. DisableLocalAdminAccount(
  1125. VOID
  1126. )
  1127. /*++
  1129. Routine Description:
  1131. This routine disables the local administrator account.
  1133. Arguments:
  1135. None.
  1137. Return Value:
  1139. NTSTATUS, depending on the outcome of the operations.
  1141. --*/
  1143. {
  1144. NTSTATUS Status = STATUS_SUCCESS;
  1145. WCHAR AdminAccountName[MAX_PATH];
  1148. GetAdminAccountName( AdminAccountName );
  1150. Status = DisableLocalUserAccount( AdminAccountName );
  1152. return Status;
  1153. }