//*************************************************************
//
// Policy specific headers
//
// Microsoft Confidential
// Copyright (c) Microsoft Corporation 1997-1998
// All rights reserved
//
//*************************************************************
#include "uenv.h"
#include "reghash.h"
#include "rsop.h"
#include "chkacc.h"
#include "collect.h"
#include "Indicate.h"
#include "rsopsec.h"
#include "gpfilter.h"
#include "locator.h"
#include "rsopinc.h"
#define GPO_LPARAM_FLAG_DELETE 0x00000001
//
// Structures
//
//
// Handle wrapping a GPO processing context. Pointers to this struct are
// kept in the globals g_pMachGPInfo / g_pUserGPInfo (declared further down
// in this header), which the comment on them describes as the context for
// asynchronous completion of a policy-processing run.
//
typedef struct _GPINFOHANDLE
{
    LPGPOINFO pGPOInfo;   // GPO processing context this handle refers to
} GPINFOHANDLE, *LPGPINFOHANDLE;
//
// One node in a singly linked list of DS distinguished names whose GPO or OU
// evaluation is deferred (see AddOU, EvaluateDeferredGPOs, EvaluateDeferredOUs
// and FreeDnEntry below). The anonymous union holds either the deferred GPO
// or the deferred OU entry for this DN; presumably gpoLink tells which member
// is the live one -- confirm against the code that populates the list.
//
typedef struct _DNENTRY {
    LPTSTR pwszDN;                          // Distinguished name
    union {
        PGROUP_POLICY_OBJECT pDeferredGPO;  // GPO corresponding to this DN
        struct _DNENTRY * pDeferredOU;      // OU corresponding to this DN
    };
    PLDAPMessage pOUMsg;                    // Message for evaluating deferred OU
    GPO_LINK gpoLink;                       // Type of GPO
    struct _DNENTRY * pNext;                // Singly linked list pointer
} DNENTRY;
//
// One pending LDAP subtree search, linked into a singly linked list.
// pwszFilter is a growable buffer: cbLen bytes of it are in use out of the
// cbAllocLen bytes allocated, so whatever appends to the filter must keep
// cbLen <= cbAllocLen. Both counts are in BYTES, not characters.
// NOTE(review): any DN or attribute value spliced into pwszFilter needs
// LDAP-filter escaping by the code that assembles it -- confirm where the
// filter is built.
//
typedef struct _LDAPQUERY {
    LPTSTR pwszDomain;              // Domain of subtree search
    LPTSTR pwszFilter;              // Ldap filter for search
    DWORD cbAllocLen;               // Allocated size of pwszFilter in bytes
    DWORD cbLen;                    // Size of pwszFilter currently used in bytes
    PLDAP pLdapHandle;              // Ldap bind handle
    BOOL bOwnLdapHandle;            // Does this struct own pLdapHandle ?
                                    // (if TRUE, presumably this entry is the one
                                    // that must unbind it when freed -- confirm)
    PLDAPMessage pMessage;          // Ldap message handle
    DNENTRY * pDnEntry;             // Distinguished name entry
    struct _LDAPQUERY * pNext;      // Singly linked list pointer
} LDAPQUERY;
//
// Argument block handed to PolicyChangedThread (prototype below) when
// policy has changed for a machine or user target.
//
typedef struct _POLICYCHANGEDINFO {
    HANDLE hToken;      // Presumably the access token of the principal whose
                        // policy changed; who closes it is not visible here --
                        // confirm in PolicyChangedThread
    BOOL bMachine;      // TRUE for machine policy, FALSE for user policy
                        // (inferred from the name -- confirm)
} POLICYCHANGEDINFO, *LPPOLICYCHANGEDINFO;
//
// Version number for the registry file format
//
#define REGISTRY_FILE_VERSION 1
//
// File signature
//
#define REGFILE_SIGNATURE 0x67655250
//
// Default refresh rate (minutes)
//
// Client machines will refresh every 90 minutes
// Domain controllers will refresh every 5 minutes
//
#define GP_DEFAULT_REFRESH_RATE 90
#define GP_DEFAULT_REFRESH_RATE_DC 5
//
// Default refresh rate max offset
//
// To prevent many clients from querying policy at the exact same
// time, a random amount is added to the refresh rate. In the
// default case, a number between 0 and 30 will be added to
// 180 to determine when the next background refresh will occur
//
#define GP_DEFAULT_REFRESH_RATE_OFFSET 30
#define GP_DEFAULT_REFRESH_RATE_OFFSET_DC 0
//
// Max keyname size
//
#define MAX_KEYNAME_SIZE 2048
#define MAX_VALUENAME_SIZE 512
//
// Max time to wait for the network to start (in ms)
//
#define MAX_WAIT_TIME 120000
//
// Extension registry path
//
#define GP_EXTENSIONS TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions")
//
// Path for extension preference policies
//
#define GP_EXTENSIONS_POLICIES TEXT("Software\\Policies\\Microsoft\\Windows\\Group Policy\\%s")
//
// Group Policy Object option flags
//
// Note, this was taken from sdk\inc\gpedit.h
//
#define GPO_OPTION_DISABLE_USER 0x00000001 // The user portion of this GPO is disabled
#define GPO_OPTION_DISABLE_MACHINE 0x00000002 // The machine portion of this GPO is disabled
//
// DS Object class types
//
extern TCHAR szDSClassAny[];
extern TCHAR szDSClassGPO[];
extern TCHAR szDSClassSite[];
extern TCHAR szDSClassDomain[];
extern TCHAR szDSClassOU[];
extern TCHAR szObjectClass[];
//
// Extension name properties
//
#define GPO_MACHEXTENSION_NAMES L"gPCMachineExtensionNames"
#define GPO_USEREXTENSION_NAMES L"gPCUserExtensionNames"
#define GPO_FUNCTIONALITY_VERSION L"gPCFunctionalityVersion"
#define MACHPOLICY_DENY_USERS L"DenyUsersFromMachGP"
extern TCHAR wszKerberos[];
#define POLICY_GUID_PATH TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion\\PolicyGuid")
//
// Global flags for Gpo shutdown processing. These are accessed outside
// the lock because their values are either 0 or 1. Even if there is a race,
// all it means is that shutdown will start one iteration later.
//
extern BOOL g_bStopMachGPOProcessing;
extern BOOL g_bStopUserGPOProcessing;
//
// Critical section for handling concurrent, asynchronous completion
//
extern CRITICAL_SECTION g_GPOCS;
//
// Global pointers for maintaining asynchronous completion context
//
extern LPGPINFOHANDLE g_pMachGPInfo;
extern LPGPINFOHANDLE g_pUserGPInfo;
//
// Status UI critical section, callback, and prototypes
//
extern CRITICAL_SECTION g_StatusCallbackCS;
extern PFNSTATUSMESSAGECALLBACK g_pStatusMessageCallback;
DWORD UserPolicyCallback (BOOL bVerbose, LPWSTR lpMessage);
DWORD MachinePolicyCallback (BOOL bVerbose, LPWSTR lpMessage);
//
// Function prototypes
//
DWORD WINAPI GPOThread (LPGPOINFO lpGPOInfo);
extern "C" BOOL ProcessGPOs (LPGPOINFO lpGPOInfo);
DWORD WINAPI PolicyChangedThread (LPPOLICYCHANGEDINFO lpPolicyChangedInfo);
BOOL ResetPolicies (LPGPOINFO lpGPOInfo, LPTSTR lpArchive);
BOOL SetupGPOFilter (LPGPOINFO lpGPOInfo );
void FilterGPOs( LPGPEXT lpExt, LPGPOINFO lpGPOInfo );
void FreeLists( LPGPOINFO lpGPOInfo );
void FreeExtList(LPEXTLIST pExtList );
BOOL CheckGPOs (LPGPEXT lpExt, LPGPOINFO lpGPOInfo, DWORD dwTime, BOOL *pbProcessGPOs,
BOOL *pbNoChanges, PGROUP_POLICY_OBJECT *ppDeletedGPOList);
BOOL CheckForChangedSid( LPGPOINFO lpGPOInfo, CLocator *plocator );
BOOL CheckForSkippedExtensions( LPGPOINFO lpGPOInfo, BOOL bRsopPlanningMode );
BOOL ReadGPExtensions( LPGPOINFO lpGPOInfo );
BOOL LoadGPExtension (LPGPEXT lpExt, BOOL bRsopPlanningMode );
BOOL UnloadGPExtensions (LPGPOINFO lpGPOInfo);
BOOL WriteStatus( TCHAR *lpExtName, LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, LPGPEXTSTATUS lpExtStatus );
void ReadStatus ( TCHAR *lpExtName, LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, LPGPEXTSTATUS lpExtStatus );
DWORD ProcessGPOList (LPGPEXT lpExt, LPGPOINFO lpGPOInfo, PGROUP_POLICY_OBJECT pDeletedGPOList,
PGROUP_POLICY_OBJECT pChangedGPOList, BOOL bNoChanges,
ASYNCCOMPLETIONHANDLE pAsyncHandle, HRESULT *phrCSERsopStatus );
BOOL ProcessGPORegistryPolicy (LPGPOINFO lpGPOInfo, PGROUP_POLICY_OBJECT pChangedGPOList, HRESULT *phrRsopLogging);
BOOL SaveGPOList (TCHAR *pszExtName, LPGPOINFO lpGPOInfo,
HKEY hKeyRootMach, LPTSTR lpwszSidUser, BOOL bShadow, PGROUP_POLICY_OBJECT lpGPOList);
BOOL AddGPO (PGROUP_POLICY_OBJECT * lpGPOList,
DWORD dwFlags, BOOL bFound, BOOL bAccessGranted, BOOL bDisabled, DWORD dwOptions,
DWORD dwVersion, LPTSTR lpDSPath, LPTSTR lpFileSysPath,
LPTSTR lpDisplayName, LPTSTR lpGPOName, LPTSTR lpExtensions,
PSECURITY_DESCRIPTOR pSD, DWORD cbSDLen,
GPO_LINK GPOLink, LPTSTR lpLink,
LPARAM lParam, BOOL bFront, BOOL bBlock, BOOL bVerbose, BOOL bProcessGPO);
BOOL RefreshDisplay (LPGPOINFO lpGPOInfo);
extern "C" DWORD IsSlowLink (HKEY hKeyRoot, LPTSTR lpDCAddress, BOOL *bSlow, DWORD* pdwAdapterIndex );
BOOL GetGPOInfo (DWORD dwFlags, LPTSTR lpHostName, LPTSTR lpDNName,
LPCTSTR lpComputerName, PGROUP_POLICY_OBJECT *lpGPOList,
LPSCOPEOFMGMT *ppSOMList, LPGPCONTAINER *ppGpContainerList,
PNETAPI32_API pNetAPI32, BOOL bMachineTokenOk, PRSOPTOKEN pRsopToken, WCHAR *pwszSiteName,
CGpoFilter *pGpoFilter, CLocator *pLocator );
void WINAPI ShutdownGPOProcessing( BOOL bMachine );
void DebugPrintGPOList( LPGPOINFO lpGPOInfo );
typedef BOOL (*PFNREGFILECALLBACK)(LPGPOINFO lpGPOInfo, LPTSTR lpKeyName,
LPTSTR lpValueName, DWORD dwType,
DWORD dwDataLength, LPBYTE lpData,
WCHAR *pwszGPO,
WCHAR *pwszSOM, REGHASHTABLE *pHashTable);
BOOL ParseRegistryFile (LPGPOINFO lpGPOInfo, LPTSTR lpRegistry,
PFNREGFILECALLBACK pfnRegFileCallback,
HANDLE hArchive, WCHAR *pwszGPO,
WCHAR *pwszSOM, REGHASHTABLE *pHashTable,
BOOL bRsopPlanningMode);
BOOL ExtensionHasPerUserLocalSetting( LPTSTR pszExtension, HKEY hKeyRoot );
void CheckGroupMembership( LPGPOINFO lpGPOInfo, HANDLE hToken, BOOL *pbMemChanged, BOOL *pbUserLocalMemChanged, PTOKEN_GROUPS *pTokenGroups );
BOOL ReadMembershipList( LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, PTOKEN_GROUPS pGroups );
void SaveMembershipList( LPGPOINFO lpGPOInfo, LPTSTR lpwszSidUser, PTOKEN_GROUPS pGroups );
BOOL GroupInList( LPTSTR lpSid, PTOKEN_GROUPS pGroups );
DWORD GetCurTime();
extern "C" DWORD GetDomainControllerInfo( PNETAPI32_API pNetAPI32, LPTSTR szDomainName,
ULONG ulFlags, HKEY hKeyRoot, PDOMAIN_CONTROLLER_INFO* ppInfo,
BOOL* pfSlow,
DWORD* pdwAdapterIndex );
PLDAP GetMachineDomainDS( PNETAPI32_API pNetApi32, PLDAP_API pLdapApi );
extern "C" HANDLE GetMachineToken();
NTSTATUS CallDFS(LPWSTR lpDomainName, LPWSTR lpDCName);
BOOL AddLocalGPO( LPSCOPEOFMGMT *ppSOMList );
BOOL AddGPOToRsopList( LPGPCONTAINER *ppGpContainerList,
DWORD dwFlags,
BOOL bFound,
BOOL bAccessGranted,
BOOL bDisabled,
DWORD dwVersion,
LPTSTR lpDSPath,
LPTSTR lpFileSysPath,
LPTSTR lpDisplayName,
LPTSTR lpGPOName,
PSECURITY_DESCRIPTOR pSD,
DWORD cbSDLen,
BOOL bFilterAllowed,
WCHAR *pwszFilterId,
LPWSTR szSOM,
DWORD dwGPOOptions );
SCOPEOFMGMT *AllocSOM( LPWSTR pwszSOMId );
void FreeSOM( SCOPEOFMGMT *pSOM );
GPLINK *AllocGpLink( LPWSTR pwszGPO, DWORD dwOptions );
void FreeGpLink( GPLINK *pGpLink );
GPCONTAINER *AllocGpContainer( DWORD dwFlags,
BOOL bFound,
BOOL bAccessGranted,
BOOL bDisabled,
DWORD dwVersion,
LPTSTR lpDSPath,
LPTSTR lpFileSysPath,
LPTSTR lpDisplayName,
LPTSTR lpGpoName,
PSECURITY_DESCRIPTOR pSD,
DWORD cbSDLen,
BOOL bFilterAllowed,
WCHAR *pwszFilterId,
LPWSTR szSOM,
DWORD dwOptions );
void FreeGpContainer( GPCONTAINER *pGpContainer );
void FreeSOMList( SCOPEOFMGMT *pSOMList );
void FreeGpContainerList( GPCONTAINER *pGpContainerList );
LONG GPOExceptionFilter( PEXCEPTION_POINTERS pExceptionPtrs );
BOOL FreeGpoInfo( LPGPOINFO pGpoInfo );
BOOL ReadExtStatus(LPGPOINFO lpGPOInfo);
BOOL ReadGPOList ( TCHAR * pszExtName, HKEY hKeyRoot,
HKEY hKeyRootMach, LPTSTR lpwszSidUser, BOOL bShadow,
PGROUP_POLICY_OBJECT * lpGPOList);
BOOL GetDeletedGPOList (PGROUP_POLICY_OBJECT lpGPOList,
PGROUP_POLICY_OBJECT *ppDeletedGPOList);
BOOL HistoryPresent( LPGPOINFO lpGPOInfo, LPGPEXT lpExt );
extern "C" BOOL InitializePolicyProcessing(BOOL bMachine);
BOOL FilterCheck( PLDAP pld, PLDAP_API pLDAP,
PLDAPMessage pMessage,
PRSOPTOKEN pRsopToken,
LPTSTR szWmiFilter,
CGpoFilter *pGpoFilter,
CLocator *pLocator,
BOOL *pbFilterAllowed,
WCHAR **ppwszFilterId );
BOOL CheckGPOAccess (PLDAP pld, PLDAP_API pLDAP, HANDLE hToken, PLDAPMessage pMessage,
LPTSTR lpSDProperty, DWORD dwFlags,
PSECURITY_DESCRIPTOR *ppSD, DWORD *pcbSDLen,
BOOL *pbAccessGranted,
PRSOPTOKEN pRsopToken );
BOOL AddOU( DNENTRY **ppOUList, LPTSTR pwszOU, GPO_LINK gpoLink );
BOOL EvaluateDeferredGPOs (PLDAP pldBound,
PLDAP_API pLDAP,
LPTSTR pwszDomainBound,
DWORD dwFlags,
HANDLE hToken,
BOOL bVerbose,
PGROUP_POLICY_OBJECT pDeferredForcedList,
PGROUP_POLICY_OBJECT pDeferredNonForcedList,
PGROUP_POLICY_OBJECT *ppForcedList,
PGROUP_POLICY_OBJECT *ppNonForcedList,
LPGPCONTAINER *ppGpContainerList,
PRSOPTOKEN pRsopToken,
CGpoFilter *pGpoFilter,
CLocator *pLocator );
BOOL SearchDSObject (LPTSTR lpDSObject, DWORD dwFlags, HANDLE hToken, PGROUP_POLICY_OBJECT *pGPOForcedList,
PGROUP_POLICY_OBJECT *pGPONonForcedList,
LPSCOPEOFMGMT *ppSOMList, LPGPCONTAINER *ppGpContainerList,
BOOL bVerbose,
GPO_LINK GPOLink, PLDAP pld, PLDAP_API pLDAP, PLDAPMessage pLDAPMsg,BOOL *bBlock, PRSOPTOKEN pRsopToken );
BOOL EvaluateDeferredOUs( DNENTRY *pOUList,
DWORD dwFlags,
HANDLE hToken,
PGROUP_POLICY_OBJECT *ppDeferredForcedList,
PGROUP_POLICY_OBJECT *ppDeferredNonForcedList,
LPSCOPEOFMGMT *ppSOMList,
LPGPCONTAINER *ppGpContainerList,
BOOL bVerbose,
PLDAP pld,
PLDAP_API pLDAP,
BOOL *pbBlock,
PRSOPTOKEN pRsopToken);
void FreeDnEntry( DNENTRY *pDnEntry );
BOOL CheckOUAccess( PLDAP_API pLDAP,
PLDAP pld,
PLDAPMessage pMessage,
PRSOPTOKEN pRsopToken,
BOOL *pbAccessGranted );
BOOL AddAdmFile( WCHAR *pwszFile, WCHAR *pwszGPO, FILETIME *pftWrite, LPTSTR szComputer, ADMFILEINFO **ppAdmFileCache );
void FreeAdmFileCache( ADMFILEINFO *pAdmFileCache );
ADMFILEINFO * AllocAdmFileInfo( WCHAR *pwszFile, WCHAR *pwszGPO, FILETIME *pftWrite );
void FreeAdmFileInfo( ADMFILEINFO *pAdmFileInfo );
DWORD
SavePolicyState( LPGPOINFO pInfo );
DWORD
SaveLinkState( LPGPOINFO pInfo );
DWORD
ComparePolicyState( LPGPOINFO pInfo, BOOL* pbLinkChanged, BOOL* pbStateChanged, BOOL *pbNoState );
DWORD
DeletePolicyState( LPCWSTR szSid );
LPTSTR GetSomPath( LPTSTR szContainer );
HRESULT RsopSidsFromToken(PRSOPTOKEN pRsopToken,
PTOKEN_GROUPS* ppGroups);