mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1632 lines
52 KiB
1632 lines
52 KiB
//*************************************************************
|
|
//
|
|
// Group Policy Support for planning mode
|
|
//
|
|
// Microsoft Confidential
|
|
// Copyright (c) Microsoft Corporation 1997-1998
|
|
// All rights reserved
|
|
//
|
|
//*************************************************************
|
|
|
|
#include "gphdr.h"
|
|
|
|
|
|
DWORD GenerateRegistryPolicy( DWORD dwFlags,
|
|
BOOL *pbAbort,
|
|
WCHAR *pwszSite,
|
|
PRSOP_TARGET pComputerTarget,
|
|
PRSOP_TARGET pUserTarget );
|
|
|
|
BOOL GenerateGpoInfo( WCHAR *pwszDomain, WCHAR *pwszDomainDns, WCHAR *pwszAccount,
|
|
WCHAR *pwszNewSOM, SAFEARRAY *psaSecGroups,
|
|
DWORD dwFlags, BOOL bMachine, WCHAR *pwszSite, CGpoFilter *pGpoFilter, CLocator *pLocator,
|
|
WCHAR *pwszMachAccount, WCHAR *pwszNewMachSOM, LPGPOINFO pGpoInfo, PNETAPI32_API pNetAPI32 );
|
|
|
|
|
|
BOOL GetCategory( WCHAR *pwszDomain, WCHAR *pwszAccount, WCHAR **ppwszDNName );
|
|
|
|
DWORD ProcessMachAndUserGpoList( LPGPEXT lpExtMach, LPGPEXT lpExtUser, DWORD dwFlags, WCHAR *pwszSite,
|
|
WCHAR *pwszMach, WCHAR *pwszNewComputerOU, SAFEARRAY *psaComputerSecurityGroups, LPGPOINFO pGpoInfoMach,
|
|
WCHAR *pwszUser, WCHAR *pwszNewUserOU, SAFEARRAY *psaUserSecurityGroups, LPGPOINFO pGpoInfoUser );
|
|
|
|
|
|
BOOL ProcessRegistryFiles(PRSOP_TARGET pTarget, REGHASHTABLE *pHashTable);
|
|
BOOL ProcessRegistryValue ( void* pUnused,
|
|
LPTSTR lpKeyName,
|
|
LPTSTR lpValueName,
|
|
DWORD dwType,
|
|
DWORD dwDataLength,
|
|
LPBYTE lpData,
|
|
WCHAR *pwszGPO,
|
|
WCHAR *pwszSOM,
|
|
REGHASHTABLE *pHashTable);
|
|
BOOL ProcessAdmData( PRSOP_TARGET pTarget, BOOL bUser );
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// GenerateRsopPolicy()
|
|
//
|
|
// Purpose: Generates planning mode Rsop policy for specified target
|
|
//
|
|
// Parameters: dwFlags - Processing flags
|
|
// bstrMachName - Target computer name
|
|
// bstrNewMachSOM - New machine domain or OU
|
|
// psaMachSecGroups - New machine security groups
|
|
// bstrUserName - Target user name
|
|
// psaUserSecGroups - New user security groups
|
|
// bstrSite - Site of target computer
|
|
// pwszNameSpace - Namespace to write Rsop data
|
|
// pvProgress - Progress indicator class
|
|
// pvGpoFilter - GPO filter class
|
|
//
|
|
// Return: True if successful, False otherwise
|
|
//
|
|
// Notes: If a new SOM is specified then that is used instead of
|
|
// the SOM the target belongs to. Similarly, if new
|
|
// security groups are specified then that is used instead of
|
|
// the security groups that the target belongs to. If
|
|
// target name is null and both new SOM and new security
|
|
// groups are non-null, then we simulate a dummy target; otherwise
|
|
// we skip generating planning mode info for the target.
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL GenerateRsopPolicy( DWORD dwFlags, BSTR bstrMachName,
|
|
BSTR bstrNewMachSOM, SAFEARRAY *psaMachSecGroups,
|
|
BSTR bstrUserName, BSTR bstrNewUserSOM,
|
|
SAFEARRAY *psaUserSecGroups,
|
|
BSTR bstrSite,
|
|
WCHAR *pwszNameSpace,
|
|
LPVOID pvProgress,
|
|
LPVOID pvMachGpoFilter,
|
|
LPVOID pvUserGpoFilter )
|
|
{
|
|
LPGPOINFO pGpoInfoMach = NULL;
|
|
LPGPOINFO pGpoInfoUser = NULL;
|
|
PNETAPI32_API pNetAPI32 = NULL;
|
|
PDSROLE_PRIMARY_DOMAIN_INFO_BASIC pDsInfo = NULL;
|
|
BOOL bDC = FALSE;
|
|
DWORD dwResult;
|
|
LPWSTR pwszDomain = NULL;
|
|
LPWSTR pwszMachDns = NULL;
|
|
LPWSTR pwszDomainDns = NULL;
|
|
DWORD dwSize = 0;
|
|
BOOL bResult = FALSE;
|
|
LPGPEXT lpExtMach = NULL;
|
|
LPGPEXT lpExtUser = NULL;
|
|
LPGPEXT lpExt,lpTemp = NULL;
|
|
WCHAR *pwszMach = (WCHAR *) bstrMachName;
|
|
WCHAR *pwszUser = (WCHAR *) bstrUserName;
|
|
DWORD dwExtCount = 1;
|
|
DWORD dwIncrPercent;
|
|
CProgressIndicator* pProgress = (CProgressIndicator*) pvProgress;
|
|
CGpoFilter *pMachGpoFilter = (CGpoFilter *) pvMachGpoFilter;
|
|
CGpoFilter *pUserGpoFilter = (CGpoFilter *) pvUserGpoFilter;
|
|
RSOPSESSIONDATA rsopSessionData;
|
|
LPRSOPSESSIONDATA lprsopSessionData;
|
|
BOOL bDummyMach = pwszMach == NULL && bstrNewMachSOM != NULL;
|
|
BOOL bDummyUser = pwszUser == NULL && bstrNewUserSOM != NULL;
|
|
DWORD dwUserGPCoreError = ERROR_SUCCESS;
|
|
DWORD dwMachGPCoreError = ERROR_SUCCESS;
|
|
CLocator locator;
|
|
HRESULT hr = S_OK;
|
|
XLastError xe;
|
|
|
|
//
|
|
// Allow debugging level to be changed dynamically
|
|
//
|
|
|
|
InitDebugSupport( FALSE );
|
|
|
|
|
|
if ( pwszUser == NULL && pwszMach == NULL && !bDummyUser && !bDummyMach ) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Both user and machine names cannot be NULL.")));
|
|
xe = ERROR_INVALID_PARAMETER;
|
|
return FALSE;
|
|
}
|
|
|
|
pNetAPI32 = LoadNetAPI32();
|
|
|
|
if (!pNetAPI32) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Failed to load netapi32 with %d."),
|
|
GetLastError()));
|
|
// error logged in LoadNetAPI32
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// Get the role of this computer
|
|
//
|
|
|
|
dwResult = pNetAPI32->pfnDsRoleGetPrimaryDomainInformation( NULL, DsRolePrimaryDomainInfoBasic,
|
|
(PBYTE *)&pDsInfo );
|
|
|
|
if (dwResult != ERROR_SUCCESS) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: DsRoleGetPrimaryDomainInformation failed with %d."), dwResult));
|
|
goto Exit;
|
|
}
|
|
|
|
if ( pDsInfo->MachineRole == DsRole_RoleBackupDomainController
|
|
|| pDsInfo->MachineRole == DsRole_RolePrimaryDomainController ) {
|
|
bDC = TRUE;
|
|
}
|
|
|
|
if ( !bDC ) {
|
|
xe = ERROR_ACCESS_DENIED;
|
|
DebugMsg((DM_WARNING, TEXT("GeneratRsopPolicy: Rsop data can be generated on a DC only")));
|
|
goto Exit;
|
|
}
|
|
|
|
pwszDomain = pDsInfo->DomainNameFlat;
|
|
|
|
//
|
|
// Get the machine name in dns format, so that ldap_bind can be done to this specific DC.
|
|
//
|
|
|
|
dwSize = 0;
|
|
GetComputerNameEx( ComputerNameDnsFullyQualified, pwszMachDns, &dwSize );
|
|
|
|
if ( dwSize > 0 ) {
|
|
|
|
pwszMachDns = (WCHAR *) LocalAlloc (LPTR, dwSize * sizeof(WCHAR) );
|
|
if ( pwszMachDns == NULL ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Failed to allocate memory")));
|
|
goto Exit;
|
|
}
|
|
|
|
} else {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: GetComputerNameEx failed")));
|
|
goto Exit;
|
|
}
|
|
|
|
bResult = GetComputerNameEx( ComputerNameDnsFullyQualified, pwszMachDns, &dwSize );
|
|
if ( !bResult ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: GetComputerNameEx failed")));
|
|
goto Exit;
|
|
}
|
|
|
|
pwszDomainDns = pwszMachDns;
|
|
|
|
//
|
|
// 5% of the task is done
|
|
//
|
|
pProgress->IncrementBy( 5 );
|
|
|
|
//
|
|
// Setup computer target info, if any
|
|
//
|
|
|
|
bResult = FALSE;
|
|
|
|
if ( pwszMach || bDummyMach ) {
|
|
|
|
pGpoInfoMach = (LPGPOINFO) LocalAlloc (LPTR, sizeof(GPOINFO));
|
|
|
|
if (!pGpoInfoMach) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Failed to alloc lpGPOInfo (%d)."),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_ALLOCATION);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
pGpoInfoMach->dwFlags = GP_PLANMODE | GP_MACHINE;
|
|
|
|
|
|
bResult = GetWbemServices( pGpoInfoMach, pwszNameSpace, TRUE, NULL, &(pGpoInfoMach->pWbemServices) );
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when getting Wbemservices.")));
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// First set dirty to be true
|
|
//
|
|
|
|
bResult = LogExtSessionStatus(pGpoInfoMach->pWbemServices, NULL, TRUE);
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when logging user Session data.")));
|
|
goto Exit;
|
|
}
|
|
|
|
if ( ! GenerateGpoInfo( pwszDomain, pwszDomainDns, pwszMach,
|
|
(WCHAR *) bstrNewMachSOM, psaMachSecGroups, dwFlags, TRUE,
|
|
(WCHAR *) bstrSite, pMachGpoFilter, &locator, NULL, NULL, pGpoInfoMach, pNetAPI32 ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: GenerateGpoInfo failed with %d."), xe));
|
|
dwMachGPCoreError = (xe) ? xe : E_FAIL;
|
|
}
|
|
else {
|
|
dwMachGPCoreError = ERROR_SUCCESS;
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// 10% of the task is done
|
|
//
|
|
pProgress->IncrementBy( 5 );
|
|
|
|
//
|
|
// Setup user target info, if any
|
|
//
|
|
|
|
if ( pwszUser || bDummyUser ) {
|
|
pGpoInfoUser = (LPGPOINFO) LocalAlloc (LPTR, sizeof(GPOINFO));
|
|
|
|
if (!pGpoInfoUser) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Failed to alloc lpGPOInfo (%d)."),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_ALLOCATION);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
pGpoInfoUser->dwFlags = GP_PLANMODE;
|
|
|
|
|
|
bResult = GetWbemServices( pGpoInfoUser, pwszNameSpace, TRUE, NULL, &(pGpoInfoUser->pWbemServices));
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when getting Wbemservices.")));
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// First set dirty to be true
|
|
//
|
|
|
|
bResult = LogExtSessionStatus(pGpoInfoUser->pWbemServices, NULL, TRUE);
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when logging user Session data.")));
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
if ( ! GenerateGpoInfo( pwszDomain, pwszDomainDns, pwszUser,
|
|
(WCHAR *) bstrNewUserSOM, psaUserSecGroups, dwFlags, FALSE, (WCHAR *) bstrSite,
|
|
pUserGpoFilter, &locator, pwszMach, (WCHAR *) bstrNewMachSOM, pGpoInfoUser, pNetAPI32 ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: GenerateGpoInfo failed with %d."), xe));
|
|
dwUserGPCoreError = (xe) ? xe : E_FAIL;
|
|
}
|
|
else {
|
|
dwUserGPCoreError = ERROR_SUCCESS;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Log Gpo info to WMI's database
|
|
//
|
|
|
|
|
|
lprsopSessionData = &rsopSessionData;
|
|
|
|
if ( pwszMach || bDummyMach ) {
|
|
|
|
XPtrLF<TOKEN_GROUPS> xGrps;
|
|
|
|
hr = RsopSidsFromToken(pGpoInfoMach->pRsopToken, &xGrps);
|
|
|
|
if (FAILED(hr)) {
|
|
xe = HRESULT_CODE(hr);
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: RsopSidsFromToken failed with error 0x%x."), hr));
|
|
goto Exit;
|
|
|
|
}
|
|
|
|
//
|
|
// Fill up the rsop Session Data (Machine Specific)
|
|
//
|
|
|
|
lprsopSessionData->pwszTargetName = pwszMach;
|
|
lprsopSessionData->pwszSOM = GetSomPath(bstrNewMachSOM ? bstrNewMachSOM : pGpoInfoMach->lpDNName);
|
|
lprsopSessionData->pSecurityGroups = (PTOKEN_GROUPS)xGrps;
|
|
lprsopSessionData->bLogSecurityGroup = TRUE;
|
|
lprsopSessionData->pwszSite = (WCHAR *) bstrSite;
|
|
lprsopSessionData->bMachine = TRUE;
|
|
|
|
|
|
bResult = LogRsopData( pGpoInfoMach, lprsopSessionData );
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when logging machine Rsop data.")));
|
|
goto Exit;
|
|
}
|
|
|
|
pGpoInfoMach->bRsopLogging = TRUE;
|
|
}
|
|
|
|
if ( pwszUser || bDummyUser ) {
|
|
|
|
XPtrLF<TOKEN_GROUPS> xGrps;
|
|
|
|
hr = RsopSidsFromToken(pGpoInfoUser->pRsopToken, &xGrps);
|
|
|
|
if (FAILED(hr)) {
|
|
xe = HRESULT_CODE(hr);
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: RsopSidsFromToken failed with error 0x%x."), hr));
|
|
goto Exit;
|
|
|
|
}
|
|
|
|
|
|
//
|
|
// Fill up the rsop Session Data (User Specific)
|
|
//
|
|
|
|
lprsopSessionData->pwszTargetName = pwszUser;
|
|
lprsopSessionData->pwszSOM = GetSomPath(bstrNewUserSOM ? bstrNewUserSOM : pGpoInfoUser->lpDNName);
|
|
lprsopSessionData->pSecurityGroups = (PTOKEN_GROUPS)xGrps;
|
|
lprsopSessionData->bLogSecurityGroup = TRUE;
|
|
lprsopSessionData->pwszSite = (WCHAR *) bstrSite;
|
|
lprsopSessionData->bMachine = FALSE;
|
|
|
|
bResult = LogRsopData( pGpoInfoUser, lprsopSessionData );
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when logging user Rsop data.")));
|
|
goto Exit;
|
|
}
|
|
|
|
pGpoInfoUser->bRsopLogging = TRUE;
|
|
}
|
|
|
|
if ( ( dwUserGPCoreError != ERROR_SUCCESS) || ( dwMachGPCoreError != ERROR_SUCCESS) ){
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Couldn't fetch the user/computer GPO list. Exitting provider.")));
|
|
// note that at this point bResult can be true and we want to actually return that
|
|
// since this error will be part of the GP Core error...
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// 15% of the task is done
|
|
//
|
|
pProgress->IncrementBy( 5 );
|
|
|
|
if ( dwFlags & FLAG_NO_CSE_INVOKE )
|
|
{
|
|
bResult = TRUE;
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// By this time, pGPOInfoMach should be defined if
|
|
// we needed data for mach and pGPOInfoUser should be
|
|
// defined if we needed the data for user.
|
|
//
|
|
// Assumption: lpExt is the same for both user and Machine
|
|
//
|
|
|
|
if (pGpoInfoMach)
|
|
lpExt = lpExtMach = pGpoInfoMach->lpExtensions;
|
|
|
|
if (pGpoInfoUser)
|
|
lpExt = lpExtUser = pGpoInfoUser->lpExtensions;
|
|
|
|
|
|
//
|
|
// count the number of extensions
|
|
//
|
|
|
|
DmAssert(lpExt);
|
|
|
|
lpTemp = lpExt;
|
|
|
|
while ( lpExt )
|
|
{
|
|
dwExtCount++;
|
|
lpExt = lpExt->pNext;
|
|
}
|
|
|
|
lpExt = lpTemp;
|
|
|
|
dwIncrPercent = ( pProgress->MaxProgress() - pProgress->CurrentProgress() ) / dwExtCount;
|
|
|
|
//
|
|
// Loop through registered extensions, asking them to generate planning mode info
|
|
//
|
|
|
|
while ( lpExt ) {
|
|
|
|
//
|
|
// Add check here for cancellation of policy generation
|
|
//
|
|
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateRsopPolicy: -----------------------")));
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateRsopPolicy: Processing extension %s"), lpExt->lpDisplayName));
|
|
|
|
if (lpExtMach)
|
|
FilterGPOs( lpExtMach, pGpoInfoMach );
|
|
|
|
if (lpExtUser)
|
|
FilterGPOs( lpExtUser, pGpoInfoUser );
|
|
|
|
__try {
|
|
|
|
dwResult = ProcessMachAndUserGpoList( lpExtMach, lpExtUser, dwFlags, (WCHAR *) bstrSite,
|
|
pwszMach, (WCHAR *) bstrNewMachSOM, psaMachSecGroups, pGpoInfoMach,
|
|
pwszUser, (WCHAR *) bstrNewUserSOM, psaUserSecGroups, pGpoInfoUser );
|
|
pProgress->IncrementBy( dwIncrPercent );
|
|
|
|
}
|
|
__except( GPOExceptionFilter( GetExceptionInformation() ) ) {
|
|
|
|
RevertToSelf();
|
|
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Extension %s ProcessGroupPolicy threw unhandled exception 0x%x."),
|
|
lpExt->lpDisplayName, GetExceptionCode() ));
|
|
|
|
CEvents ev(TRUE, EVENT_CAUGHT_EXCEPTION);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.AddArgHex(GetExceptionCode()); ev.Report();
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateRsopPolicy: -----------------------")));
|
|
|
|
if (lpExtMach)
|
|
lpExtMach = lpExtMach->pNext;
|
|
|
|
if (lpExtUser)
|
|
lpExtUser = lpExtUser->pNext;
|
|
|
|
lpExt = lpExt->pNext;
|
|
}
|
|
|
|
bResult = TRUE;
|
|
|
|
Exit:
|
|
|
|
//
|
|
// if all logging was successful
|
|
//
|
|
|
|
if ((pGpoInfoUser) && (pGpoInfoUser->bRsopLogging)) {
|
|
bResult = UpdateExtSessionStatus(pGpoInfoUser->pWbemServices, NULL, (!bResult), dwUserGPCoreError );
|
|
}
|
|
|
|
|
|
if ((pGpoInfoMach) && (pGpoInfoMach->bRsopLogging)) {
|
|
bResult = UpdateExtSessionStatus(pGpoInfoMach->pWbemServices, NULL, (!bResult), dwMachGPCoreError);
|
|
}
|
|
|
|
|
|
UnloadGPExtensions( pGpoInfoMach );
|
|
UnloadGPExtensions( pGpoInfoUser ); // Frees lpExtensions field
|
|
|
|
if ( pDsInfo ) {
|
|
pNetAPI32->pfnDsRoleFreeMemory (pDsInfo);
|
|
}
|
|
|
|
LocalFree( pwszMachDns );
|
|
|
|
FreeGpoInfo( pGpoInfoUser );
|
|
FreeGpoInfo( pGpoInfoMach );
|
|
|
|
return bResult;
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// GenerateGpoInfo()
|
|
//
|
|
// Purpose: Allocates and fills in pGpoInfo for specified target
|
|
//
|
|
// Parameters: pwszDomain - Domain name
|
|
// pwszDomainDns - Dns name of machine for ldap binding
|
|
// pwszAccount - User or machine account name
|
|
// pwszNewSOM - New SOM of target
|
|
// psaSecGroups - New security groups of target
|
|
// dwFlags - Processing flags
|
|
// bMachine - Is this machine processing
|
|
// pwszSite - Site name
|
|
// pGpoFilter - Gpo filter
|
|
// pLocator - Wbem interface class
|
|
// pwszMachAccount - Machine account
|
|
// pwszNewMachSOM - Machine SOM (abv 2 are applicable only for loopback)
|
|
// ppGpoInfo - Gpo info returned here
|
|
// pNetApi32 - Delay loaded netap32.dll
|
|
//
|
|
// Return: True if successful, False otherwise
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL GenerateGpoInfo( WCHAR *pwszDomain, WCHAR *pwszDomainDns, WCHAR *pwszAccount,
|
|
WCHAR *pwszNewSOM, SAFEARRAY *psaSecGroups,
|
|
DWORD dwFlags, BOOL bMachine, WCHAR *pwszSite, CGpoFilter *pGpoFilter, CLocator *pLocator,
|
|
WCHAR *pwszMachAccount, WCHAR *pwszNewMachSOM, LPGPOINFO pGpoInfo, PNETAPI32_API pNetAPI32 )
|
|
{
|
|
HRESULT hr;
|
|
BOOL bResult = FALSE;
|
|
XPtrLF<WCHAR> xszXlatName;
|
|
PSECUR32_API pSecur32;
|
|
XLastError xe;
|
|
DWORD dwError = ERROR_SUCCESS;
|
|
XPtrLF<WCHAR> xwszTargetDomain;
|
|
DWORD dwUserPolicyMode = 0;
|
|
DWORD dwLocFlags;
|
|
|
|
|
|
|
|
if (!bMachine) {
|
|
if (dwFlags & FLAG_LOOPBACK_MERGE ) {
|
|
dwUserPolicyMode = 1;
|
|
}
|
|
else if (dwFlags & FLAG_LOOPBACK_REPLACE ) {
|
|
dwUserPolicyMode = 2;
|
|
}
|
|
}
|
|
|
|
dwLocFlags = GP_PLANMODE | (dwFlags & FLAG_ASSUME_COMP_WQLFILTER_TRUE) | (dwFlags & FLAG_ASSUME_USER_WQLFILTER_TRUE);
|
|
|
|
//
|
|
// Load secur32.dll
|
|
//
|
|
|
|
pSecur32 = LoadSecur32();
|
|
|
|
if (!pSecur32) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Failed to load Secur32.")));
|
|
return NULL;
|
|
}
|
|
|
|
|
|
if ( pwszAccount == NULL ) {
|
|
if ( pwszNewSOM == NULL ) {
|
|
|
|
//
|
|
// When dummy user is specified then both SOM and security groups
|
|
// must be specified.
|
|
//
|
|
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Incorrect SOM or security specification for dummy target"),
|
|
GetLastError()));
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
if ( bMachine )
|
|
dwFlags |= GP_MACHINE;
|
|
|
|
dwFlags |= GP_PLANMODE; // mark the processing as planning mode processing
|
|
|
|
pGpoInfo->dwFlags = dwFlags;
|
|
|
|
//
|
|
// caller can force slow link in planning mode
|
|
//
|
|
if ( dwFlags & FLAG_ASSUME_SLOW_LINK )
|
|
{
|
|
pGpoInfo->dwFlags |= GP_SLOW_LINK;
|
|
}
|
|
else
|
|
{
|
|
pGpoInfo->dwFlags &= ~GP_SLOW_LINK;
|
|
}
|
|
|
|
if ( pwszAccount ) {
|
|
if ( !GetCategory( pwszDomain, pwszAccount, &pGpoInfo->lpDNName ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo - getCategory failed with error - %d"), GetLastError()));
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// TranslateName to SamCompatible so that the rest of the functions work correctly
|
|
// for any of the various name formats
|
|
//
|
|
|
|
if ( pwszAccount ) {
|
|
DWORD dwSize = MAX_PATH+1;
|
|
|
|
xszXlatName = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*dwSize);
|
|
|
|
if (!xszXlatName) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo - Couldn't allocate memory for Name...")));
|
|
goto Exit;
|
|
}
|
|
|
|
if (!pSecur32->pfnTranslateName( pwszAccount,
|
|
NameUnknown,
|
|
NameSamCompatible,
|
|
xszXlatName,
|
|
&dwSize )) {
|
|
|
|
BOOL bOk = FALSE;
|
|
|
|
if (dwSize > (MAX_PATH+1)) {
|
|
|
|
xszXlatName = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*dwSize);
|
|
|
|
if (!xszXlatName) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo - Couldn't allocate memory for Name...")));
|
|
goto Exit;
|
|
}
|
|
|
|
bOk = pSecur32->pfnTranslateName( pwszAccount,
|
|
NameUnknown,
|
|
NameSamCompatible,
|
|
xszXlatName,
|
|
&dwSize );
|
|
|
|
}
|
|
|
|
if (!bOk) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo - TranslateName failed with error %d"), GetLastError()));
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateGpoInfo: RsopCreateToken for Account Name <%s>"), (LPWSTR)xszXlatName));
|
|
}
|
|
|
|
hr = RsopCreateToken( xszXlatName, psaSecGroups, &pGpoInfo->pRsopToken );
|
|
if ( FAILED(hr) ) {
|
|
xe = HRESULT_CODE(hr);
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Failed to create Rsop token. Error - %d"), HRESULT_CODE(hr)));
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
dwError = GetDomain(pwszNewSOM ? pwszNewSOM : pGpoInfo->lpDNName, &xwszTargetDomain);
|
|
|
|
if (dwError != ERROR_SUCCESS) {
|
|
xe = dwError;
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Failed to Get domain. Error - %d"), dwError));
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
//
|
|
// Query for the GPO list based upon the mode
|
|
//
|
|
// 0 is normal
|
|
// 1 is merge. Merge user list + machine list
|
|
// 2 is replace. use machine list instead of user list
|
|
//
|
|
|
|
|
|
if (dwUserPolicyMode == 0) {
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateGpoInfo: Calling GetGPOInfo for normal policy mode")));
|
|
|
|
bResult = GetGPOInfo( dwLocFlags | ((pGpoInfo->dwFlags & GP_MACHINE) ? GPO_LIST_FLAG_MACHINE : 0),
|
|
xwszTargetDomain,
|
|
pwszNewSOM ? pwszNewSOM : pGpoInfo->lpDNName,
|
|
NULL,
|
|
&pGpoInfo->lpGPOList,
|
|
&pGpoInfo->lpSOMList, &pGpoInfo->lpGpContainerList,
|
|
pNetAPI32, FALSE, pGpoInfo->pRsopToken, pwszSite, pGpoFilter, pLocator );
|
|
|
|
|
|
if ( !bResult ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: GetGPOInfo failed.")));
|
|
CEvents ev( TRUE, EVENT_GPO_QUERY_FAILED ); ev.Report();
|
|
goto Exit;
|
|
}
|
|
} else if (dwUserPolicyMode == 2) {
|
|
|
|
XPtrLF<TCHAR> xMachDNName;
|
|
XPtrLF<TCHAR> xwszMachDomain;
|
|
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Calling GetGPOInfo for replacement user policy mode")));
|
|
|
|
if ( pwszMachAccount ) {
|
|
if ( !GetCategory( pwszDomain, pwszMachAccount, &xMachDNName ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo - getCategory failed with error - %d"), GetLastError()));
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
dwError = GetDomain(pwszNewMachSOM ? pwszNewMachSOM : xMachDNName, &xwszMachDomain);
|
|
|
|
if (dwError != ERROR_SUCCESS) {
|
|
xe = dwError;
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Failed to Get domain. Error - %d"), dwError));
|
|
goto Exit;
|
|
}
|
|
|
|
bResult = GetGPOInfo( dwLocFlags | 0,
|
|
xwszMachDomain,
|
|
pwszNewMachSOM ? pwszNewMachSOM : xMachDNName,
|
|
NULL,
|
|
&pGpoInfo->lpGPOList,
|
|
&pGpoInfo->lpLoopbackSOMList,
|
|
&pGpoInfo->lpLoopbackGpContainerList,
|
|
pNetAPI32, FALSE, pGpoInfo->pRsopToken, pwszSite, pGpoFilter, pLocator );
|
|
|
|
if ( !bResult ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: GetGPOInfo failed.")));
|
|
CEvents ev( TRUE, EVENT_GPO_QUERY_FAILED ); ev.Report();
|
|
goto Exit;
|
|
}
|
|
}
|
|
else {
|
|
XPtrLF<TCHAR> xMachDNName;
|
|
XPtrLF<TCHAR> xwszMachDomain;
|
|
PGROUP_POLICY_OBJECT lpGPO = NULL;
|
|
PGROUP_POLICY_OBJECT lpGPOTemp;
|
|
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Calling GetGPOInfo for merging user policy mode")));
|
|
|
|
bResult = GetGPOInfo( dwLocFlags | ((pGpoInfo->dwFlags & GP_MACHINE) ? GPO_LIST_FLAG_MACHINE : 0),
|
|
xwszTargetDomain,
|
|
pwszNewSOM ? pwszNewSOM : pGpoInfo->lpDNName,
|
|
NULL,
|
|
&pGpoInfo->lpGPOList,
|
|
&pGpoInfo->lpSOMList, &pGpoInfo->lpGpContainerList,
|
|
pNetAPI32, FALSE, pGpoInfo->pRsopToken, pwszSite, pGpoFilter, pLocator );
|
|
|
|
|
|
if ( !bResult ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: GetGPOInfo failed.")));
|
|
CEvents ev( TRUE, EVENT_GPO_QUERY_FAILED ); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
if ( pwszMachAccount ) {
|
|
if ( !GetCategory( pwszDomain, pwszMachAccount, &xMachDNName ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo - getCategory failed with error - %d"), GetLastError()));
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
dwError = GetDomain(pwszNewMachSOM ? pwszNewMachSOM : xMachDNName, &xwszMachDomain);
|
|
|
|
if (dwError != ERROR_SUCCESS) {
|
|
xe = dwError;
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Failed to Get domain. Error - %d"), dwError));
|
|
goto Exit;
|
|
}
|
|
|
|
bResult = GetGPOInfo( 0 | dwLocFlags,
|
|
xwszMachDomain,
|
|
pwszNewMachSOM ? pwszNewMachSOM : xMachDNName,
|
|
NULL,
|
|
&lpGPO,
|
|
&pGpoInfo->lpLoopbackSOMList,
|
|
&pGpoInfo->lpLoopbackGpContainerList,
|
|
pNetAPI32, FALSE, pGpoInfo->pRsopToken, pwszSite, pGpoFilter, pLocator );
|
|
|
|
if ( !bResult ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: GetGPOInfo failed.")));
|
|
CEvents ev( TRUE, EVENT_GPO_QUERY_FAILED ); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
if (pGpoInfo->lpGPOList && lpGPO) {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateGpoInfo: Both user and machine lists are defined. Merging them together.")));
|
|
|
|
//
|
|
// Need to merge the lists together
|
|
//
|
|
|
|
lpGPOTemp = pGpoInfo->lpGPOList;
|
|
|
|
while (lpGPOTemp->pNext) {
|
|
lpGPOTemp = lpGPOTemp->pNext;
|
|
}
|
|
|
|
lpGPOTemp->pNext = lpGPO;
|
|
|
|
} else if (!pGpoInfo->lpGPOList && lpGPO) {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateGpoInfo: Only machine list is defined.")));
|
|
pGpoInfo->lpGPOList = lpGPO;
|
|
|
|
} else {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("GenerateGpoInfo: Only user list is defined.")));
|
|
}
|
|
}
|
|
|
|
|
|
|
|
if ( !ReadGPExtensions( pGpoInfo ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: ReadGPExtensions failed.")));
|
|
CEvents ev( TRUE, EVENT_READ_EXT_FAILED ); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
if ( !CheckForSkippedExtensions( pGpoInfo, TRUE ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: Checking extensions for skipping failed")));
|
|
goto Exit;
|
|
}
|
|
|
|
bResult = SetupGPOFilter( pGpoInfo );
|
|
|
|
if ( !bResult ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GenerateGpoInfo: SetupGPOFilter failed.")));
|
|
CEvents ev(TRUE, EVENT_SETUP_GPOFILTER_FAILED); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
Exit:
|
|
|
|
return bResult;
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// GetCategory()
|
|
//
|
|
// Purpose: Gets the fully qualified domain name
|
|
//
|
|
// Parameters: pwszDomain - Domain name
|
|
// pwszAccount - User or machine account name
|
|
// pwszDNName - Fully qualified domain name returned here
|
|
//
|
|
// Return: True if successful, False otherwise
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL GetCategory( WCHAR *pwszDomain, WCHAR *pwszAccount, WCHAR **ppwszDNName )
|
|
{
|
|
PSECUR32_API pSecur32Api;
|
|
BOOL bResult = FALSE;
|
|
ULONG ulSize = 512;
|
|
XLastError xe;
|
|
|
|
*ppwszDNName = NULL;
|
|
|
|
*ppwszDNName = (WCHAR *) LocalAlloc (LPTR, ulSize * sizeof(WCHAR) );
|
|
if ( *ppwszDNName == NULL ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GetCategory: Memory allocation failed.")));
|
|
goto Exit;
|
|
}
|
|
|
|
pSecur32Api = LoadSecur32();
|
|
|
|
if (!pSecur32Api) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GetCategory: Failed to load secur32 api.")));
|
|
goto Exit;
|
|
}
|
|
|
|
bResult = pSecur32Api->pfnTranslateName( pwszAccount, NameUnknown, NameFullyQualifiedDN,
|
|
*ppwszDNName, &ulSize );
|
|
|
|
if ( !bResult && ulSize > 0 ) {
|
|
|
|
LocalFree( *ppwszDNName );
|
|
*ppwszDNName = (WCHAR *) LocalAlloc (LPTR, ulSize * sizeof(WCHAR) );
|
|
if ( *ppwszDNName == NULL ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GetCategory: Memory allocation failed.")));
|
|
goto Exit;
|
|
}
|
|
|
|
bResult = pSecur32Api->pfnTranslateName( pwszAccount, NameUnknown, NameFullyQualifiedDN,
|
|
*ppwszDNName, &ulSize );
|
|
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GetCategory: TranslateName failed with error %d."), GetLastError()));
|
|
}
|
|
}
|
|
else {
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GetCategory: TranslateName failed with error %d."), GetLastError()));
|
|
}
|
|
}
|
|
|
|
Exit:
|
|
|
|
if ( !bResult ) {
|
|
LocalFree( *ppwszDNName );
|
|
*ppwszDNName = NULL;
|
|
}
|
|
|
|
return bResult;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// ProcessMachAndUserGpoList()
|
|
//
|
|
// Purpose: Calls the various extensions to do the planning
|
|
// mode logging
|
|
//
|
|
// Parameters: lpExtMach - Machine extension struct
|
|
// lpExtUser - User extension struct
|
|
// dwFlags - Processing flags
|
|
// pwszSite - Site name
|
|
// pwszNewComputerSOM - New computer scope of management
|
|
// psaCompSecGroups - New computer security groups
|
|
// pGpoInfoMach - Machine Gpo info
|
|
// ... - Similarly for user account
|
|
//
|
|
// Return: True if successful, False otherwise
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD ProcessMachAndUserGpoList( LPGPEXT lpExtMach, LPGPEXT lpExtUser, DWORD dwFlags, WCHAR *pwszSite,
|
|
WCHAR *pwszMach, WCHAR *pwszNewComputerSOM, SAFEARRAY *psaComputerSecurityGroups, LPGPOINFO pGpoInfoMach,
|
|
WCHAR *pwszUser, WCHAR *pwszNewUserSOM, SAFEARRAY *psaUserSecurityGroups, LPGPOINFO pGpoInfoUser )
|
|
{
|
|
BOOL bAbort = FALSE;
|
|
DWORD dwResult;
|
|
|
|
RSOP_TARGET computerTarget, userTarget;
|
|
PRSOP_TARGET pComputerTarget = NULL;
|
|
PRSOP_TARGET pUserTarget = NULL;
|
|
BOOL bPlanningSupported = TRUE;
|
|
LPGPEXT lpExt;
|
|
|
|
|
|
|
|
lpExt = (lpExtMach != NULL) ? lpExtMach : lpExtUser;
|
|
|
|
if (!lpExt) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessMachAndUserGpoList: Both user and computer exts are null, returning.")));
|
|
return TRUE;
|
|
}
|
|
|
|
bPlanningSupported = lpExt->bRegistryExt || (lpExt->lpRsopFunctionName ? TRUE : FALSE);
|
|
|
|
|
|
if ( lpExtMach && !lpExtMach->bSkipped && pGpoInfoMach->lpGPOList ) {
|
|
|
|
//
|
|
// Computer target is non-null
|
|
//
|
|
|
|
pComputerTarget = &computerTarget;
|
|
pComputerTarget->pwszAccountName = pwszMach;
|
|
pComputerTarget->pwszNewSOM = pwszNewComputerSOM;
|
|
pComputerTarget->psaSecurityGroups = psaComputerSecurityGroups;
|
|
pComputerTarget->pRsopToken = pGpoInfoMach->pRsopToken;
|
|
pComputerTarget->pGPOList = pGpoInfoMach->lpGPOList;
|
|
pComputerTarget->pWbemServices = pGpoInfoMach->pWbemServices;
|
|
|
|
|
|
if (pGpoInfoMach->bRsopLogging) {
|
|
pGpoInfoMach->bRsopLogging = LogExtSessionStatus(pGpoInfoMach->pWbemServices, lpExtMach,
|
|
bPlanningSupported);
|
|
if (!pGpoInfoMach->bRsopLogging) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when logging user Session data.")));
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
|
|
if ( lpExtUser && !lpExtUser->bSkipped && pGpoInfoUser->lpGPOList ) {
|
|
|
|
//
|
|
// User target is non-null
|
|
//
|
|
|
|
pUserTarget = &userTarget;
|
|
pUserTarget->pwszAccountName = pwszUser;
|
|
pUserTarget->pwszNewSOM = pwszNewUserSOM;
|
|
pUserTarget->psaSecurityGroups = psaUserSecurityGroups;
|
|
pUserTarget->pRsopToken = pGpoInfoUser->pRsopToken;
|
|
pUserTarget->pGPOList = pGpoInfoUser->lpGPOList;
|
|
pUserTarget->pWbemServices = pGpoInfoUser->pWbemServices;
|
|
|
|
|
|
if (pGpoInfoUser->bRsopLogging) {
|
|
pGpoInfoUser->bRsopLogging = LogExtSessionStatus(pGpoInfoUser->pWbemServices, lpExtUser,
|
|
bPlanningSupported);
|
|
if (!pGpoInfoUser->bRsopLogging) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRsopPolicy: Error when logging user Session data.")));
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
|
|
if ( pComputerTarget == NULL && pUserTarget == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessMachAndUserGpoList: Both user and computer targets are null, returning.")));
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
if ( lpExt->bRegistryExt ) {
|
|
|
|
//
|
|
// Registry pseudo extension
|
|
//
|
|
|
|
dwResult = GenerateRegistryPolicy( dwFlags,
|
|
&bAbort,
|
|
pwszSite,
|
|
pComputerTarget,
|
|
pUserTarget );
|
|
|
|
} else {
|
|
|
|
if ( LoadGPExtension( lpExt, TRUE ) ) {
|
|
dwResult = lpExt->pRsopEntryPoint( dwFlags,
|
|
&bAbort,
|
|
pwszSite,
|
|
pComputerTarget,
|
|
pUserTarget );
|
|
|
|
}
|
|
else {
|
|
dwResult = GetLastError();
|
|
}
|
|
|
|
}
|
|
|
|
|
|
if ( lpExtUser && !lpExtUser->bSkipped && pGpoInfoUser->bRsopLogging) {
|
|
if ( !bPlanningSupported )
|
|
UpdateExtSessionStatus(pGpoInfoUser->pWbemServices, lpExtUser->lpKeyName, TRUE, ERROR_SUCCESS);
|
|
else if (dwResult != ERROR_SUCCESS)
|
|
UpdateExtSessionStatus(pGpoInfoUser->pWbemServices, lpExtUser->lpKeyName, TRUE, dwResult);
|
|
else
|
|
UpdateExtSessionStatus(pGpoInfoUser->pWbemServices, lpExtUser->lpKeyName, FALSE, dwResult);
|
|
}
|
|
|
|
|
|
if ( lpExtMach && !lpExtMach->bSkipped && pGpoInfoMach->bRsopLogging) {
|
|
if ( !bPlanningSupported )
|
|
UpdateExtSessionStatus(pGpoInfoMach->pWbemServices, lpExtMach->lpKeyName, TRUE, ERROR_SUCCESS);
|
|
else if (dwResult != ERROR_SUCCESS)
|
|
UpdateExtSessionStatus(pGpoInfoMach->pWbemServices, lpExtMach->lpKeyName, TRUE, dwResult);
|
|
else
|
|
UpdateExtSessionStatus(pGpoInfoMach->pWbemServices, lpExtMach->lpKeyName, FALSE, dwResult);
|
|
}
|
|
|
|
|
|
return dwResult;
|
|
}
|
|
|
|
|
|
//*********************************************************************
|
|
// * Planning mode registry stuff
|
|
//*********************************************************************
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// ProcessRegistryFiles()
|
|
//
|
|
// Purpose: Called from GenerateRegsitryPolicy to process registry data from
|
|
// the registry files associated with a policy target.
|
|
//
|
|
// Parameters:
|
|
// pTarget - Policy for which registry policy is to be processed.
|
|
// pHashTable - Hash table to keep registry policy information.
|
|
//
|
|
// Return: On success, TRUE. Otherwise, FALSE.
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL ProcessRegistryFiles(PRSOP_TARGET pTarget, REGHASHTABLE *pHashTable)
|
|
{
|
|
PGROUP_POLICY_OBJECT lpGPO;
|
|
TCHAR szRegistry[MAX_PATH];
|
|
LPTSTR lpEnd;
|
|
HRESULT hr;
|
|
DWORD dwGrantedAccessMask;
|
|
BOOL bAccess;
|
|
|
|
//
|
|
// Check parameters
|
|
//
|
|
|
|
DmAssert(pHashTable);
|
|
|
|
if(!pHashTable) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessRegistryFiles: Invalid parameter.")));
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Spin through GPOs in the list.
|
|
//
|
|
|
|
lpGPO = pTarget->pGPOList;
|
|
|
|
while ( lpGPO ) {
|
|
|
|
//
|
|
// Build the path to Registry.pol
|
|
//
|
|
|
|
DmAssert( lstrlen(lpGPO->lpFileSysPath) + lstrlen(c_szRegistryPol) + 1 < MAX_PATH );
|
|
if(lstrlen(lpGPO->lpFileSysPath) + lstrlen(c_szRegistryPol) + 1 >= MAX_PATH) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessRegistryFiles: Length of path to registry.pol exceeded MAX_PATH.")));
|
|
return FALSE;
|
|
}
|
|
|
|
lstrcpy (szRegistry, lpGPO->lpFileSysPath);
|
|
lpEnd = CheckSlash (szRegistry);
|
|
lstrcpy (lpEnd, c_szRegistryPol);
|
|
|
|
|
|
//
|
|
// Check if the RsopToken has access to this file.
|
|
//
|
|
|
|
hr = RsopFileAccessCheck(szRegistry, pTarget->pRsopToken, GENERIC_READ, &dwGrantedAccessMask, &bAccess);
|
|
if(FAILED(hr)) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessRegistryFiles: RsopFileAccessCheck failed.")));
|
|
return FALSE;
|
|
}
|
|
|
|
if(!bAccess) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessRegistryFiles: The RsopToken does not have access to file %s. Continuing...."), szRegistry));
|
|
lpGPO = lpGPO->pNext;
|
|
continue;
|
|
}
|
|
|
|
|
|
//
|
|
// Process registry data for this particular file.
|
|
//
|
|
|
|
if (!ParseRegistryFile (NULL, szRegistry, (PFNREGFILECALLBACK)ProcessRegistryValue, NULL,
|
|
lpGPO->lpDSPath, lpGPO->lpLink,pHashTable, TRUE)) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessRegistryFiles: ProcessRegistryFile failed.")));
|
|
return FALSE;
|
|
}
|
|
|
|
lpGPO = lpGPO->pNext;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// ProcessAdmData()
|
|
//
|
|
// Purpose: Called from GenerateRegistryPolicy in order to process Admin templates
|
|
// data associated with a registry policy target.
|
|
//
|
|
// Parameters: pTarget - Target for which data is to be processed
|
|
// bUser - Is this for user or machine policy ?
|
|
//
|
|
// Return: On success, TRUE. Otherwise, FALSE.
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL ProcessAdmData( PRSOP_TARGET pTarget, BOOL bUser )
|
|
{
|
|
PGROUP_POLICY_OBJECT lpGPO;
|
|
|
|
WIN32_FIND_DATA findData;
|
|
ADMFILEINFO *pAdmFileCache = 0;
|
|
TCHAR szRegistry[MAX_PATH];
|
|
LPTSTR lpEnd;
|
|
|
|
HANDLE hFindFile;
|
|
WIN32_FILE_ATTRIBUTE_DATA attrData;
|
|
DWORD dwFilePathSize;
|
|
DWORD dwSize;
|
|
|
|
WCHAR *pwszEnd;
|
|
WCHAR *pwszFile;
|
|
|
|
HRESULT hr;
|
|
DWORD dwGrantedAccessMask;
|
|
BOOL bAccess;
|
|
|
|
//
|
|
// Check parameters
|
|
//
|
|
if(pTarget == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessAdmData: Invalid paramter.")));
|
|
return FALSE;
|
|
}
|
|
|
|
lpGPO = pTarget->pGPOList;
|
|
|
|
while(lpGPO) {
|
|
|
|
//
|
|
// Log Adm data
|
|
//
|
|
|
|
dwFilePathSize = lstrlen( lpGPO->lpFileSysPath );
|
|
dwSize = dwFilePathSize + MAX_PATH;
|
|
|
|
pwszFile = (WCHAR *) LocalAlloc( LPTR, dwSize * sizeof(WCHAR) );
|
|
|
|
if ( pwszFile == 0 ) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessAdmData: Failed to allocate memory.")));
|
|
FreeAdmFileCache( pAdmFileCache );
|
|
return FALSE;
|
|
}
|
|
|
|
lstrcpy( pwszFile, lpGPO->lpFileSysPath );
|
|
|
|
//
|
|
// Strip off trailing 'machine' or 'user'
|
|
//
|
|
|
|
pwszEnd = pwszFile + lstrlen( pwszFile );
|
|
|
|
if ( !bUser )
|
|
pwszEnd -= 7; // length of "machine"
|
|
else
|
|
pwszEnd -= 4; // length of "user"
|
|
|
|
lstrcpy( pwszEnd, L"Adm\\*.adm");
|
|
|
|
//
|
|
// Remember end point so that the actual Adm filename can be
|
|
// easily concatenated.
|
|
//
|
|
|
|
pwszEnd = pwszEnd + lstrlen( L"Adm\\" );
|
|
|
|
//
|
|
// Enumerate all Adm files
|
|
//
|
|
|
|
hFindFile = FindFirstFile( pwszFile, &findData);
|
|
|
|
if ( hFindFile != INVALID_HANDLE_VALUE )
|
|
{
|
|
do
|
|
{
|
|
if ( !(findData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) )
|
|
{
|
|
DmAssert( dwFilePathSize + lstrlen(findData.cFileName) + lstrlen( L"\\Adm\\" ) < dwSize );
|
|
|
|
lstrcpy( pwszEnd, findData.cFileName);
|
|
|
|
ZeroMemory (&attrData, sizeof(attrData));
|
|
|
|
//
|
|
// Check if the RsopToken has access to this file.
|
|
//
|
|
|
|
hr = RsopFileAccessCheck(pwszFile, pTarget->pRsopToken, GENERIC_READ, &dwGrantedAccessMask, &bAccess);
|
|
if(FAILED(hr)) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessAdmData: RsopFileAccessCheck failed.")));
|
|
FreeAdmFileCache( pAdmFileCache );
|
|
return FALSE;
|
|
}
|
|
|
|
if(!bAccess) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessAdmData: The RsopToken does not have access to file %s. Continuing..."), findData.cFileName));
|
|
continue;
|
|
}
|
|
|
|
if ( GetFileAttributesEx (pwszFile, GetFileExInfoStandard, &attrData ) != 0 ) {
|
|
|
|
if ( !AddAdmFile( pwszFile, lpGPO->lpDSPath,
|
|
&attrData.ftLastWriteTime, NULL, &pAdmFileCache ) ) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessAdmData: NewAdmData failed.")));
|
|
}
|
|
|
|
}
|
|
} // if findData & file_attr_dir
|
|
} while ( FindNextFile(hFindFile, &findData) );// do
|
|
|
|
FindClose(hFindFile);
|
|
|
|
} // if hfindfile
|
|
|
|
LocalFree( pwszFile );
|
|
|
|
lpGPO = lpGPO->pNext;
|
|
}
|
|
|
|
if ( ! LogAdmRsopData( pAdmFileCache, pTarget->pWbemServices ) ) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessAdmData: Error when logging Adm Rsop data. Continuing.")));
|
|
}
|
|
|
|
FreeAdmFileCache( pAdmFileCache );
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// GenerateRegistryPolicy()
|
|
//
|
|
// Purpose: Implementation of Planning mode regsitry pseudo-extension
|
|
//
|
|
// Parameters: dwFlags - Flags
|
|
// pbAbort - Abort processing
|
|
// pwszSite - Site of target
|
|
// pComputerTarget - Computer target specification
|
|
// pUserTarget - User target specification
|
|
//
|
|
// Return: On success, S_OK. Otherwise, E_FAIL.
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD GenerateRegistryPolicy( DWORD dwFlags,
|
|
BOOL *pbAbort,
|
|
WCHAR *pwszSite,
|
|
PRSOP_TARGET pComputerTarget,
|
|
PRSOP_TARGET pUserTarget )
|
|
{
|
|
REGHASHTABLE *pHashTable = NULL;
|
|
BOOL bUser;
|
|
|
|
if(pComputerTarget && pComputerTarget->pGPOList) {
|
|
|
|
//
|
|
// Setup computer hash table
|
|
//
|
|
|
|
pHashTable = AllocHashTable();
|
|
if ( pHashTable == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: AllocHashTable failed.")));
|
|
return E_FAIL;
|
|
}
|
|
|
|
//
|
|
// Process computer GPO list
|
|
//
|
|
|
|
|
|
if(!ProcessRegistryFiles(pComputerTarget, pHashTable)) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: ProcessRegistryFiles failed.")));
|
|
FreeHashTable( pHashTable );
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
//
|
|
// Log computer registry data to Cimom database
|
|
//
|
|
if ( ! LogRegistryRsopData( GP_MACHINE, pHashTable, pComputerTarget->pWbemServices ) ) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: LogRegistryRsopData failed.")));
|
|
FreeHashTable( pHashTable );
|
|
return E_FAIL;
|
|
}
|
|
FreeHashTable( pHashTable );
|
|
pHashTable = NULL;
|
|
|
|
//
|
|
// Process ADM data
|
|
//
|
|
|
|
bUser = FALSE;
|
|
if (pComputerTarget && !ProcessAdmData( pComputerTarget, bUser ) ) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: ProcessAdmData failed.")));
|
|
return E_FAIL;
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// Process user GPO list
|
|
//
|
|
|
|
if(pUserTarget && pUserTarget->pGPOList) {
|
|
|
|
//
|
|
// Setup user hash table
|
|
//
|
|
|
|
pHashTable = AllocHashTable();
|
|
if ( pHashTable == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: AllocHashTable failed.")));
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
if(!ProcessRegistryFiles(pUserTarget, pHashTable)) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: ProcessRegistryFiles failed.")));
|
|
FreeHashTable( pHashTable );
|
|
return E_FAIL;
|
|
}
|
|
|
|
//
|
|
// Log user registry data to Cimom database
|
|
//
|
|
|
|
if ( ! LogRegistryRsopData( 0, pHashTable, pUserTarget->pWbemServices ) ) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: LogRegistryRsopData failed.")));
|
|
FreeHashTable( pHashTable );
|
|
return E_FAIL;
|
|
}
|
|
FreeHashTable( pHashTable );
|
|
pHashTable = NULL;
|
|
|
|
//
|
|
// Process ADM data
|
|
//
|
|
|
|
bUser = TRUE;
|
|
if (pUserTarget && !ProcessAdmData( pUserTarget, bUser ) ) {
|
|
DebugMsg((DM_WARNING, TEXT("GenerateRegistryPolicy: ProcessAdmData failed.")));
|
|
return E_FAIL;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// CheckOUAccess()
|
|
//
|
|
// Purpose: Determines if the user / machine has read access to
|
|
// the OU.
|
|
//
|
|
// Parameters: pld - LDAP connection
|
|
// pLDAP - LDAP function table pointer
|
|
// pMessage - LDAP message
|
|
// pRsopToken - RSOP token of the user or machine
|
|
// pSD - Security descriptor returned here
|
|
// pcbSDLen - Length of security descriptor returned here
|
|
// pbAccessGranted - Receives the final yes / no status
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs.
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL CheckOUAccess( PLDAP_API pLDAP,
|
|
PLDAP pld,
|
|
PLDAPMessage pMessage,
|
|
PRSOPTOKEN pRsopToken,
|
|
BOOL *pbAccessGranted )
|
|
{
|
|
BOOL bResult = FALSE;
|
|
TCHAR szSDProperty[] = TEXT("nTSecurityDescriptor");
|
|
PWSTR *ppwszValues;
|
|
|
|
*pbAccessGranted = FALSE;
|
|
|
|
//
|
|
// Get the security descriptor value
|
|
//
|
|
ppwszValues = pLDAP->pfnldap_get_values( pld, pMessage, szSDProperty );
|
|
|
|
if (!ppwszValues)
|
|
{
|
|
if (pld->ld_errno == LDAP_NO_SUCH_ATTRIBUTE)
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("CheckOUAccess: Object can not be accessed.")));
|
|
bResult = TRUE;
|
|
}
|
|
else
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("CheckOUAccess: ldap_get_values failed with 0x%x"),
|
|
pld->ld_errno));
|
|
}
|
|
}
|
|
else
|
|
{
|
|
PLDAP_BERVAL *pSize;
|
|
//
|
|
// Get the length of the security descriptor
|
|
//
|
|
pSize = pLDAP->pfnldap_get_values_len(pld, pMessage, szSDProperty);
|
|
|
|
if (!pSize)
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("CheckOUAccess: ldap_get_values_len failed with 0x%x"),
|
|
pld->ld_errno));
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Allocate the memory for the security descriptor
|
|
//
|
|
PSECURITY_DESCRIPTOR pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, (*pSize)->bv_len);
|
|
|
|
if ( pSD == NULL )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("CheckOUAccess: Failed to allocate memory for SD with %d"),
|
|
GetLastError()));
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// OU {bf967aa8-0de6-11d0-a285-00aa003049e2}
|
|
//
|
|
GUID OrganizationalUnit = { 0xbf967aa5, 0x0de6, 0x11d0, 0xa2, 0x85, 0x00, 0xaa, 0x00, 0x30, 0x49, 0xe2 };
|
|
|
|
//
|
|
// gPOptions {f30e3bbf-9ff0-11d1-b603-0000f80367c1}
|
|
//
|
|
GUID gPOptionsGuid = { 0xf30e3bbf, 0x9ff0, 0x11d1, 0xb6, 0x03, 0x00, 0x00, 0xf8, 0x03, 0x67, 0xc1 };
|
|
|
|
//
|
|
// gPLink {f30e3bbe-9ff0-11d1-b603-0000f80367c1}
|
|
//
|
|
GUID gPLinkGuid = { 0xf30e3bbe, 0x9ff0, 0x11d1, 0xb6, 0x03, 0x00, 0x00, 0xf8, 0x03, 0x67, 0xc1 };
|
|
|
|
OBJECT_TYPE_LIST ObjType[] = { { ACCESS_OBJECT_GUID, 0, &OrganizationalUnit },
|
|
{ ACCESS_PROPERTY_SET_GUID, 0, &gPLinkGuid },
|
|
{ ACCESS_PROPERTY_SET_GUID, 0, &gPOptionsGuid } };
|
|
HRESULT hr;
|
|
PRIVILEGE_SET PrivSet;
|
|
DWORD PrivSetLength = sizeof(PRIVILEGE_SET);
|
|
DWORD dwGrantedAccess;
|
|
BOOL bAccessStatus = TRUE;
|
|
GENERIC_MAPPING DS_GENERIC_MAPPING = { DS_GENERIC_READ,
|
|
DS_GENERIC_WRITE,
|
|
DS_GENERIC_EXECUTE,
|
|
DS_GENERIC_ALL };
|
|
|
|
//
|
|
// Copy the security descriptor
|
|
//
|
|
CopyMemory( pSD, (PBYTE)(*pSize)->bv_val, (*pSize)->bv_len);
|
|
|
|
//
|
|
// Now we use RsopAccessCheckByType to determine if the user / machine
|
|
// should have this GPO applied to them
|
|
//
|
|
|
|
hr = RsopAccessCheckByType(pSD,
|
|
0,
|
|
pRsopToken,
|
|
ACTRL_DS_READ_PROP,
|
|
ObjType,
|
|
ARRAYSIZE(ObjType),
|
|
&DS_GENERIC_MAPPING,
|
|
&PrivSet,
|
|
&PrivSetLength,
|
|
&dwGrantedAccess,
|
|
&bAccessStatus );
|
|
if ( FAILED( hr ) )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("CheckOUAccess: RsopAccessCheckByType failed with %d"), GetLastError()));
|
|
}
|
|
else
|
|
{
|
|
*pbAccessGranted = bAccessStatus;
|
|
bResult = TRUE;
|
|
}
|
|
|
|
LocalFree( pSD );
|
|
}
|
|
|
|
pLDAP->pfnldap_value_free_len(pSize);
|
|
}
|
|
|
|
pLDAP->pfnldap_value_free(ppwszValues);
|
|
}
|
|
|
|
return bResult;
|
|
}
|