mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4308 lines
134 KiB
4308 lines
134 KiB
//*************************************************************
|
|
//
|
|
// Group Policy Support
|
|
//
|
|
// Microsoft Confidential
|
|
// Copyright (c) Microsoft Corporation 1997-1998
|
|
// All rights reserved
|
|
//
|
|
//*************************************************************
|
|
|
|
|
|
#include "gphdr.h"
|
|
|
|
//
|
|
// DS Object class types
|
|
//
|
|
|
|
TCHAR szDSClassAny[] = TEXT("(objectClass=*)");
|
|
TCHAR szDSClassGPO[] = TEXT("groupPolicyContainer");
|
|
TCHAR szDSClassSite[] = TEXT("site");
|
|
TCHAR szDSClassDomain[] = TEXT("domainDNS");
|
|
TCHAR szDSClassOU[] = TEXT("organizationalUnit");
|
|
TCHAR szObjectClass[] = TEXT("objectClass");
|
|
|
|
TCHAR wszKerberos[] = TEXT("Kerberos");
|
|
|
|
//
|
|
// Global flags for Gpo shutdown processing. These are accessed outside
|
|
// the lock because its value is either 0 or 1. Even if there is a race,
|
|
// all it means is that shutdown will start one iteration later.
|
|
//
|
|
|
|
BOOL g_bStopMachGPOProcessing = FALSE;
|
|
BOOL g_bStopUserGPOProcessing = FALSE;
|
|
|
|
//
|
|
// Critical section for handling concurrent, asynchronous completion
|
|
//
|
|
|
|
CRITICAL_SECTION g_GPOCS;
|
|
|
|
//
|
|
// Global pointers for maintaining asynchronous completion context
|
|
//
|
|
|
|
LPGPINFOHANDLE g_pMachGPInfo = 0;
|
|
LPGPINFOHANDLE g_pUserGPInfo = 0;
|
|
|
|
//
|
|
// Status UI critical section, callback, and proto-types
|
|
//
|
|
|
|
CRITICAL_SECTION g_StatusCallbackCS;
|
|
PFNSTATUSMESSAGECALLBACK g_pStatusMessageCallback = NULL;
|
|
|
|
DWORD WINAPI
|
|
SetPreviousFgPolicyRefreshInfo( LPWSTR szUserSid,
|
|
FgPolicyRefreshInfo info );
|
|
DWORD WINAPI
|
|
SetNextFgPolicyRefreshInfo( LPWSTR szUserSid,
|
|
FgPolicyRefreshInfo info );
|
|
|
|
DWORD WINAPI
|
|
GetCurrentFgPolicyRefreshInfo( LPWSTR szUserSid,
|
|
FgPolicyRefreshInfo* pInfo );
|
|
//*************************************************************
|
|
//
|
|
// ApplyGroupPolicy()
|
|
//
|
|
// Purpose: Processes group policy
|
|
//
|
|
// Parameters: dwFlags - Processing flags
|
|
// hToken - Token (user or machine)
|
|
// hEvent - Termination event for background thread
|
|
// hKeyRoot - Root registry key (HKCU or HKLM)
|
|
// pStatusCallback - Callback function for display status messages
|
|
//
|
|
// Return: Thread handle if successful
|
|
// NULL if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
HANDLE WINAPI ApplyGroupPolicy (DWORD dwFlags, HANDLE hToken, HANDLE hEvent,
|
|
HKEY hKeyRoot, PFNSTATUSMESSAGECALLBACK pStatusCallback)
|
|
{
|
|
HANDLE hThread = NULL;
|
|
DWORD dwThreadID;
|
|
LPGPOINFO lpGPOInfo = NULL;
|
|
SECURITY_ATTRIBUTES sa;
|
|
OLE32_API *pOle32Api = NULL;
|
|
XPtrLF<SECURITY_DESCRIPTOR> xsd;
|
|
CSecDesc Csd;
|
|
XLastError xe;
|
|
|
|
//
|
|
// Verbose output
|
|
//
|
|
DebugMsg((DM_VERBOSE, TEXT("ApplyGroupPolicy: Entering. Flags = %x"), dwFlags));
|
|
|
|
|
|
//
|
|
// Save the status UI callback function
|
|
//
|
|
EnterCriticalSection (&g_StatusCallbackCS);
|
|
g_pStatusMessageCallback = pStatusCallback;
|
|
LeaveCriticalSection (&g_StatusCallbackCS);
|
|
|
|
|
|
//
|
|
// Allocate a GPOInfo structure to work with.
|
|
//
|
|
lpGPOInfo = (LPGPOINFO) LocalAlloc (LPTR, sizeof(GPOINFO));
|
|
|
|
if (!lpGPOInfo) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ApplyGroupPolicy: Failed to alloc lpGPOInfo (%d)."),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_ALLOCATION);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
lpGPOInfo->dwFlags = dwFlags;
|
|
lpGPOInfo->hToken = hToken;
|
|
lpGPOInfo->hEvent = hEvent;
|
|
lpGPOInfo->hKeyRoot = hKeyRoot;
|
|
|
|
if (dwFlags & GP_MACHINE) {
|
|
lpGPOInfo->pStatusCallback = MachinePolicyCallback;
|
|
} else {
|
|
lpGPOInfo->pStatusCallback = UserPolicyCallback;
|
|
}
|
|
|
|
|
|
//
|
|
// Create an event so other processes can trigger policy
|
|
// to be applied immediately
|
|
//
|
|
|
|
|
|
Csd.AddLocalSystem();
|
|
Csd.AddAdministrators();
|
|
|
|
if (!(dwFlags & GP_MACHINE)) {
|
|
|
|
//
|
|
// User events
|
|
//
|
|
XPtrLF<SID> xSid = (SID *)GetUserSid(hToken);
|
|
|
|
if (!xSid) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ApplyGroupPolicy: Failed to find user Sid %d"),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_SETACLS);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
Csd.AddSid((SID *)xSid,
|
|
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Machine Events
|
|
// Allow Everyone Access by default but can be overridden by policy or preference
|
|
//
|
|
|
|
DWORD dwUsersDenied = 0;
|
|
HKEY hSubKey;
|
|
DWORD dwType=0, dwSize=0;
|
|
|
|
//
|
|
// Check for a preference
|
|
//
|
|
|
|
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, KEY_READ,
|
|
&hSubKey) == ERROR_SUCCESS) {
|
|
|
|
dwSize = sizeof(dwUsersDenied);
|
|
RegQueryValueEx(hSubKey, MACHPOLICY_DENY_USERS, NULL, &dwType,
|
|
(LPBYTE) &dwUsersDenied, &dwSize);
|
|
|
|
RegCloseKey(hSubKey);
|
|
}
|
|
|
|
|
|
//
|
|
// Check for a policy
|
|
//
|
|
|
|
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, SYSTEM_POLICIES_KEY, 0, KEY_READ,
|
|
&hSubKey) == ERROR_SUCCESS) {
|
|
|
|
dwSize = sizeof(dwUsersDenied);
|
|
RegQueryValueEx(hSubKey, MACHPOLICY_DENY_USERS, NULL, &dwType,
|
|
(LPBYTE) &dwUsersDenied, &dwSize);
|
|
|
|
RegCloseKey(hSubKey);
|
|
}
|
|
|
|
|
|
if (!dwUsersDenied) {
|
|
Csd.AddAuthUsers(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE);
|
|
}
|
|
}
|
|
|
|
xsd = Csd.MakeSD();
|
|
|
|
if (!xsd) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ApplyGroupPolicy: Failed to create Security Descriptor with %d"),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_SETACLS);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
sa.lpSecurityDescriptor = (SECURITY_DESCRIPTOR *)xsd;
|
|
sa.bInheritHandle = FALSE;
|
|
sa.nLength = sizeof(sa);
|
|
|
|
lpGPOInfo->hTriggerEvent = CreateEvent (&sa, FALSE, FALSE,
|
|
(dwFlags & GP_MACHINE) ?
|
|
MACHINE_POLICY_REFRESH_EVENT : USER_POLICY_REFRESH_EVENT);
|
|
|
|
|
|
lpGPOInfo->hForceTriggerEvent = CreateEvent (&sa, FALSE, FALSE,
|
|
(dwFlags & GP_MACHINE) ?
|
|
MACHINE_POLICY_FORCE_REFRESH_EVENT : USER_POLICY_FORCE_REFRESH_EVENT);
|
|
|
|
|
|
//
|
|
// Create the notification events.
|
|
// These should already be created in InitializePolicyProcessing..
|
|
//
|
|
|
|
lpGPOInfo->hNotifyEvent = OpenEvent (EVENT_ALL_ACCESS, FALSE,
|
|
(dwFlags & GP_MACHINE) ?
|
|
MACHINE_POLICY_APPLIED_EVENT : USER_POLICY_APPLIED_EVENT);
|
|
|
|
//
|
|
// Create the needfg event
|
|
//
|
|
|
|
lpGPOInfo->hNeedFGEvent = OpenEvent (EVENT_ALL_ACCESS, FALSE,
|
|
(dwFlags & GP_MACHINE) ?
|
|
MACHINE_POLICY_REFRESH_NEEDFG_EVENT :
|
|
USER_POLICY_REFRESH_NEEDFG_EVENT);
|
|
|
|
//
|
|
// Create the done event
|
|
//
|
|
|
|
lpGPOInfo->hDoneEvent = OpenEvent (EVENT_ALL_ACCESS, FALSE,
|
|
(dwFlags & GP_MACHINE) ?
|
|
MACHINE_POLICY_DONE_EVENT :
|
|
USER_POLICY_DONE_EVENT);
|
|
|
|
//
|
|
// Initilialize shutdown gpo processing support
|
|
//
|
|
|
|
if ( dwFlags & GP_MACHINE )
|
|
g_bStopMachGPOProcessing = FALSE;
|
|
else
|
|
g_bStopUserGPOProcessing = FALSE;
|
|
|
|
pOle32Api = LoadOle32Api();
|
|
if ( pOle32Api == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("ApplyGroupPolicy: Failed to load ole32.dll.") ));
|
|
}
|
|
else {
|
|
|
|
HRESULT hr = pOle32Api->pfnCoInitializeEx( NULL, COINIT_MULTITHREADED );
|
|
|
|
if ( SUCCEEDED(hr) ) {
|
|
lpGPOInfo->bFGCoInitialized = TRUE;
|
|
}
|
|
else {
|
|
DebugMsg((DM_WARNING, TEXT("ApplyGroupPolicy: CoInitializeEx failed with 0x%x."), hr ));
|
|
}
|
|
}
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND )
|
|
{
|
|
lpGPOInfo->dwFlags |= GP_BACKGROUND_THREAD;
|
|
}
|
|
|
|
//
|
|
// Process the GPOs
|
|
//
|
|
ProcessGPOs(lpGPOInfo);
|
|
|
|
if ( lpGPOInfo->bFGCoInitialized ) {
|
|
pOle32Api->pfnCoUnInitialize();
|
|
lpGPOInfo->bFGCoInitialized = FALSE;
|
|
}
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND )
|
|
{
|
|
lpGPOInfo->dwFlags &= ~GP_ASYNC_FOREGROUND;
|
|
lpGPOInfo->dwFlags &= ~GP_BACKGROUND_THREAD;
|
|
}
|
|
|
|
//
|
|
// If requested, create a background thread to keep updating
|
|
// the profile from the gpos
|
|
//
|
|
if (lpGPOInfo->dwFlags & GP_BACKGROUND_REFRESH) {
|
|
|
|
//
|
|
// Create a thread which sleeps and processes GPOs
|
|
//
|
|
|
|
hThread = CreateThread (NULL, 64*1024, // 64k as the stack size
|
|
(LPTHREAD_START_ROUTINE) GPOThread,
|
|
(LPVOID) lpGPOInfo, CREATE_SUSPENDED, &dwThreadID);
|
|
|
|
if (!hThread) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ApplyGroupPolicy: Failed to create background thread (%d)."),
|
|
GetLastError()));
|
|
goto Exit;
|
|
}
|
|
|
|
SetThreadPriority (hThread, THREAD_PRIORITY_IDLE);
|
|
lpGPOInfo->pStatusCallback = NULL;
|
|
ResumeThread (hThread);
|
|
|
|
//
|
|
// Reset the status UI callback function
|
|
//
|
|
|
|
EnterCriticalSection (&g_StatusCallbackCS);
|
|
g_pStatusMessageCallback = NULL;
|
|
LeaveCriticalSection (&g_StatusCallbackCS);
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ApplyGroupPolicy: Leaving successfully.")));
|
|
|
|
return hThread;
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ApplyGroupPolicy: Background refresh not requested. Leaving successfully.")));
|
|
hThread = (HANDLE) 1;
|
|
|
|
Exit:
|
|
EnterCriticalSection( &g_GPOCS );
|
|
if ( dwFlags & GP_MACHINE ) {
|
|
|
|
if ( g_pMachGPInfo )
|
|
LocalFree( g_pMachGPInfo );
|
|
g_pMachGPInfo = 0;
|
|
} else {
|
|
if ( g_pUserGPInfo )
|
|
LocalFree( g_pUserGPInfo );
|
|
g_pUserGPInfo = 0;
|
|
}
|
|
LeaveCriticalSection( &g_GPOCS );
|
|
|
|
if (lpGPOInfo) {
|
|
|
|
if (lpGPOInfo->hTriggerEvent) {
|
|
CloseHandle (lpGPOInfo->hTriggerEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->hForceTriggerEvent) {
|
|
CloseHandle (lpGPOInfo->hForceTriggerEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->hNotifyEvent) {
|
|
CloseHandle (lpGPOInfo->hNotifyEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->hNeedFGEvent) {
|
|
CloseHandle (lpGPOInfo->hNeedFGEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->lpwszSidUser)
|
|
DeleteSidString( lpGPOInfo->lpwszSidUser );
|
|
|
|
if (lpGPOInfo->szName)
|
|
LocalFree(lpGPOInfo->szName);
|
|
|
|
if (lpGPOInfo->szTargetName)
|
|
LocalFree(lpGPOInfo->szTargetName);
|
|
|
|
LocalFree (lpGPOInfo);
|
|
}
|
|
|
|
//
|
|
// Reset the status UI callback function
|
|
//
|
|
|
|
EnterCriticalSection (&g_StatusCallbackCS);
|
|
g_pStatusMessageCallback = NULL;
|
|
LeaveCriticalSection (&g_StatusCallbackCS);
|
|
|
|
return hThread;
|
|
}
|
|
|
|
|
|
extern "C" void ProfileProcessGPOs( void* );
|
|
|
|
//*************************************************************
|
|
//
|
|
// GPOThread()
|
|
//
|
|
// Purpose: Background thread for GPO processing.
|
|
//
|
|
// Parameters: lpGPOInfo - GPO info
|
|
//
|
|
// Return: 0
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD WINAPI GPOThread (LPGPOINFO lpGPOInfo)
|
|
{
|
|
HINSTANCE hInst;
|
|
HKEY hKey;
|
|
HANDLE hHandles[4] = {NULL, NULL, NULL, NULL};
|
|
DWORD dwType, dwSize, dwResult;
|
|
DWORD dwTimeout, dwOffset;
|
|
BOOL bSetBkGndFlag, bForceBkGndFlag;
|
|
TCHAR szEventName[60];
|
|
LARGE_INTEGER DueTime;
|
|
HRESULT hr;
|
|
ULONG TTLMinutes;
|
|
XLastError xe;
|
|
|
|
OLE32_API *pOle32Api = LoadOle32Api();
|
|
|
|
hInst = LoadLibrary (TEXT("userenv.dll"));
|
|
|
|
hHandles[0] = lpGPOInfo->hEvent;
|
|
hHandles[1] = lpGPOInfo->hTriggerEvent;
|
|
hHandles[2] = lpGPOInfo->hForceTriggerEvent;
|
|
|
|
for (;;)
|
|
{
|
|
//
|
|
// Initialize
|
|
//
|
|
|
|
bForceBkGndFlag = FALSE;
|
|
|
|
|
|
if (lpGPOInfo->dwFlags & GP_MACHINE) {
|
|
if (lpGPOInfo->iMachineRole == 3) {
|
|
dwTimeout = GP_DEFAULT_REFRESH_RATE_DC;
|
|
dwOffset = GP_DEFAULT_REFRESH_RATE_OFFSET_DC;
|
|
} else {
|
|
dwTimeout = GP_DEFAULT_REFRESH_RATE;
|
|
dwOffset = GP_DEFAULT_REFRESH_RATE_OFFSET;
|
|
}
|
|
} else {
|
|
dwTimeout = GP_DEFAULT_REFRESH_RATE;
|
|
dwOffset = GP_DEFAULT_REFRESH_RATE_OFFSET;
|
|
}
|
|
|
|
|
|
//
|
|
// Query for the refresh timer value and max offset
|
|
//
|
|
|
|
if (RegOpenKeyEx (lpGPOInfo->hKeyRoot,
|
|
SYSTEM_POLICIES_KEY,
|
|
0, KEY_READ, &hKey) == ERROR_SUCCESS) {
|
|
|
|
|
|
if ((lpGPOInfo->iMachineRole == 3) && (lpGPOInfo->dwFlags & GP_MACHINE)) {
|
|
|
|
dwSize = sizeof(dwTimeout);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("GroupPolicyRefreshTimeDC"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &dwTimeout,
|
|
&dwSize);
|
|
|
|
dwSize = sizeof(dwOffset);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("GroupPolicyRefreshTimeOffsetDC"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &dwOffset,
|
|
&dwSize);
|
|
|
|
} else {
|
|
|
|
dwSize = sizeof(dwTimeout);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("GroupPolicyRefreshTime"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &dwTimeout,
|
|
&dwSize);
|
|
|
|
dwSize = sizeof(dwOffset);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("GroupPolicyRefreshTimeOffset"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &dwOffset,
|
|
&dwSize);
|
|
}
|
|
|
|
RegCloseKey (hKey);
|
|
}
|
|
|
|
|
|
//
|
|
// Limit the timeout to once every 64800 minutes (45 days)
|
|
//
|
|
|
|
if (dwTimeout >= 64800) {
|
|
dwTimeout = 64800;
|
|
}
|
|
|
|
|
|
//
|
|
// Convert seconds to milliseconds
|
|
//
|
|
|
|
dwTimeout = dwTimeout * 60 * 1000;
|
|
|
|
|
|
//
|
|
// Limit the offset to 1440 minutes (24 hours)
|
|
//
|
|
|
|
if (dwOffset >= 1440) {
|
|
dwOffset = 1440;
|
|
}
|
|
|
|
|
|
//
|
|
// Special case 0 milliseconds to be 7 seconds
|
|
//
|
|
|
|
if (dwTimeout == 0) {
|
|
dwTimeout = 7000;
|
|
|
|
} else {
|
|
|
|
//
|
|
// If there is an offset, pick a random number
|
|
// from 0 to dwOffset and then add it to the timeout
|
|
//
|
|
|
|
if (dwOffset) {
|
|
dwOffset = GetTickCount() % dwOffset;
|
|
|
|
dwOffset = dwOffset * 60 * 1000;
|
|
dwTimeout += dwOffset;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Setup the timer
|
|
//
|
|
|
|
if (dwTimeout >= 60000) {
|
|
DebugMsg((DM_VERBOSE, TEXT("GPOThread: Next refresh will happen in %d minutes"),
|
|
((dwTimeout / 1000) / 60)));
|
|
} else {
|
|
DebugMsg((DM_VERBOSE, TEXT("GPOThread: Next refresh will happen in %d seconds"),
|
|
(dwTimeout / 1000)));
|
|
}
|
|
|
|
|
|
wsprintf (szEventName, TEXT("userenv: refresh timer for %d:%d"),
|
|
GetCurrentProcessId(), GetCurrentThreadId());
|
|
hHandles[3] = CreateWaitableTimer (NULL, TRUE, szEventName);
|
|
|
|
|
|
if (hHandles[3] == NULL) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GPOThread: CreateWaitableTimer failed with error %d"),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_TIMER);
|
|
ev.AddArg( TEXT("CreateWaitableTimer")); ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
break;
|
|
}
|
|
|
|
DueTime.QuadPart = UInt32x32To64(10000, dwTimeout);
|
|
DueTime.QuadPart *= -1;
|
|
|
|
if (!SetWaitableTimer (hHandles[3], &DueTime, 0, NULL, 0, FALSE)) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("GPOThread: Failed to set timer with error %d"),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_TIMER);
|
|
ev.AddArg(TEXT("SetWaitableTimer")); ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
break;
|
|
}
|
|
|
|
dwResult = WaitForMultipleObjects( 4, hHandles, FALSE, INFINITE );
|
|
|
|
if ( (dwResult - WAIT_OBJECT_0) == 0 )
|
|
{
|
|
//
|
|
// for machine policy thread, this is a shutdown.
|
|
// for user policy thread, this is a logoff.
|
|
//
|
|
goto ExitLoop;
|
|
}
|
|
else if ( (dwResult - WAIT_OBJECT_0) == 2 ) {
|
|
bForceBkGndFlag = TRUE;
|
|
}
|
|
else if ( dwResult == WAIT_FAILED )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg( ( DM_WARNING, L"GPOThread: MsgWaitForMultipleObjects with error %d", GetLastError() ) );
|
|
CEvents ev(TRUE, EVENT_FAILED_TIMER);
|
|
ev.AddArg(TEXT("WaitForMultipleObjects")); ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto ExitLoop;
|
|
}
|
|
|
|
//
|
|
// Check if we should set the background flag. We offer this
|
|
// option for the test team's automation tests. They need to
|
|
// simulate logon / boot policy without actually logging on or
|
|
// booting the machine.
|
|
//
|
|
|
|
bSetBkGndFlag = TRUE;
|
|
|
|
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE,
|
|
WINLOGON_KEY,
|
|
0, KEY_READ, &hKey) == ERROR_SUCCESS) {
|
|
|
|
dwSize = sizeof(bSetBkGndFlag);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("SetGroupPolicyBackgroundFlag"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &bSetBkGndFlag,
|
|
&dwSize);
|
|
|
|
RegCloseKey (hKey);
|
|
}
|
|
|
|
|
|
lpGPOInfo->dwFlags &= ~GP_REGPOLICY_CPANEL;
|
|
lpGPOInfo->dwFlags &= ~GP_SLOW_LINK;
|
|
lpGPOInfo->dwFlags &= ~GP_VERBOSE;
|
|
lpGPOInfo->dwFlags &= ~GP_BACKGROUND_THREAD;
|
|
lpGPOInfo->dwFlags &= ~GP_FORCED_REFRESH;
|
|
|
|
//
|
|
// In case of forced refresh flag, we override the extensions nobackground policy and prevent
|
|
// it from getting skipped early on in the processing. We bypass the history logic and force
|
|
// policy to be applied for extensions that do not care abt. whether they are run in the
|
|
// foreground or background. for only foreground extensions we write a registry value saying
|
|
// that the extension needs to override the history logic when they get applied in the foreground
|
|
// next.
|
|
// In addition we pulse the needfg event so that the calling app knows a reboot/relogon is needed
|
|
// for application of fgonly extensions
|
|
//
|
|
|
|
if (bForceBkGndFlag) {
|
|
lpGPOInfo->dwFlags |= GP_FORCED_REFRESH;
|
|
}
|
|
|
|
//
|
|
// Set the background thread flag so components known
|
|
// when they are being called from the background thread
|
|
// vs the main thread.
|
|
//
|
|
|
|
if (bSetBkGndFlag) {
|
|
lpGPOInfo->dwFlags |= GP_BACKGROUND_THREAD;
|
|
}
|
|
|
|
if ( !lpGPOInfo->bBGCoInitialized && pOle32Api != NULL ) {
|
|
|
|
hr = pOle32Api->pfnCoInitializeEx( NULL, COINIT_MULTITHREADED );
|
|
if ( SUCCEEDED(hr) ) {
|
|
lpGPOInfo->bBGCoInitialized = TRUE;
|
|
}
|
|
}
|
|
|
|
ProcessGPOs(lpGPOInfo);
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_MACHINE ) {
|
|
|
|
//
|
|
// Delete garbage-collectable namespaces under root\rsop that are
|
|
// older than 1 week. We can have a policy to configure this time-to-live value.
|
|
//
|
|
|
|
TTLMinutes = 24 * 60;
|
|
|
|
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE,
|
|
WINLOGON_KEY,
|
|
0, KEY_READ, &hKey) == ERROR_SUCCESS) {
|
|
|
|
dwSize = sizeof(TTLMinutes);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("RSoPGarbageCollectionInterval"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &TTLMinutes,
|
|
&dwSize);
|
|
|
|
RegCloseKey (hKey);
|
|
}
|
|
|
|
|
|
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE,
|
|
SYSTEM_POLICIES_KEY,
|
|
0, KEY_READ, &hKey) == ERROR_SUCCESS) {
|
|
|
|
dwSize = sizeof(TTLMinutes);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("RSoPGarbageCollectionInterval"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &TTLMinutes,
|
|
&dwSize);
|
|
|
|
RegCloseKey (hKey);
|
|
}
|
|
|
|
|
|
|
|
//
|
|
// Synchronize with other processes that may be concurrently creating namespaces,
|
|
// during diagnostic mode or planning mode data generation.
|
|
//
|
|
|
|
XCriticalPolicySection xCritSect( EnterCriticalPolicySection(TRUE ) );
|
|
if ( xCritSect )
|
|
GarbageCollectNamespaces(TTLMinutes);
|
|
}
|
|
|
|
CloseHandle (hHandles[3]);
|
|
hHandles[3] = NULL;
|
|
}
|
|
|
|
ExitLoop:
|
|
|
|
//
|
|
// Cleanup
|
|
//
|
|
|
|
if (hHandles[3]) {
|
|
CloseHandle (hHandles[3]);
|
|
}
|
|
|
|
if (lpGPOInfo->hTriggerEvent) {
|
|
CloseHandle (lpGPOInfo->hTriggerEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->hForceTriggerEvent) {
|
|
CloseHandle (lpGPOInfo->hForceTriggerEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->hNotifyEvent) {
|
|
CloseHandle (lpGPOInfo->hNotifyEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->hNeedFGEvent) {
|
|
CloseHandle (lpGPOInfo->hNeedFGEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->hDoneEvent) {
|
|
CloseHandle (lpGPOInfo->hDoneEvent);
|
|
}
|
|
|
|
if ( lpGPOInfo->bBGCoInitialized ) {
|
|
|
|
OLE32_API *pOle32Api = LoadOle32Api();
|
|
if ( pOle32Api == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("GPOThread: Failed to load ole32.dll.") ));
|
|
}
|
|
else {
|
|
pOle32Api->pfnCoUnInitialize();
|
|
lpGPOInfo->bBGCoInitialized = FALSE;
|
|
}
|
|
|
|
}
|
|
|
|
EnterCriticalSection( &g_GPOCS );
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_MACHINE ) {
|
|
|
|
if ( g_pMachGPInfo )
|
|
LocalFree( g_pMachGPInfo );
|
|
|
|
g_pMachGPInfo = 0;
|
|
} else {
|
|
|
|
if ( g_pUserGPInfo )
|
|
LocalFree( g_pUserGPInfo );
|
|
|
|
g_pUserGPInfo = 0;
|
|
}
|
|
|
|
LeaveCriticalSection( &g_GPOCS );
|
|
|
|
if (lpGPOInfo->lpwszSidUser)
|
|
DeleteSidString( lpGPOInfo->lpwszSidUser );
|
|
|
|
if (lpGPOInfo->szName)
|
|
LocalFree(lpGPOInfo->szName);
|
|
|
|
if (lpGPOInfo->szTargetName)
|
|
LocalFree(lpGPOInfo->szTargetName);
|
|
|
|
LocalFree (lpGPOInfo);
|
|
|
|
FreeLibraryAndExitThread (hInst, 0);
|
|
return 0;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// GPOExceptionFilter()
|
|
//
|
|
// Purpose: Exception filter when procssing GPO extensions
|
|
//
|
|
// Parameters: pExceptionPtrs - Pointer to exception pointer
|
|
//
|
|
// Returns: EXCEPTION_EXECUTE_HANDLER
|
|
//
|
|
//*************************************************************
|
|
|
|
LONG GPOExceptionFilter( PEXCEPTION_POINTERS pExceptionPtrs )
|
|
{
|
|
PEXCEPTION_RECORD pExr = pExceptionPtrs->ExceptionRecord;
|
|
PCONTEXT pCxr = pExceptionPtrs->ContextRecord;
|
|
|
|
DebugMsg(( DM_WARNING, L"GPOExceptionFilter: Caught exception 0x%x, exr = 0x%x, cxr = 0x%x\n",
|
|
pExr->ExceptionCode, pExr, pCxr ));
|
|
|
|
DmAssert( ! L"Caught unhandled exception when processing group policy extension" );
|
|
|
|
return EXCEPTION_EXECUTE_HANDLER;
|
|
}
|
|
|
|
BOOL WINAPI
|
|
GetFgPolicySetting( HKEY hKeyRoot );
|
|
|
|
//*************************************************************
|
|
//
|
|
// ProcessGPOs()
|
|
//
|
|
// Purpose: Processes GPOs
|
|
//
|
|
// Parameters: lpGPOInfo - GPO information
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL ProcessGPOs (LPGPOINFO lpGPOInfo)
|
|
{
|
|
BOOL bRetVal = FALSE;
|
|
DWORD dwThreadID;
|
|
HANDLE hThread;
|
|
DWORD dwType, dwSize, dwResult;
|
|
HKEY hKey;
|
|
BOOL bResult;
|
|
PDOMAIN_CONTROLLER_INFO pDCI = NULL;
|
|
LPTSTR lpDomain = NULL;
|
|
LPTSTR lpName = NULL;
|
|
LPTSTR lpDomainDN = NULL;
|
|
LPTSTR lpComputerName;
|
|
PGROUP_POLICY_OBJECT lpGPO = NULL;
|
|
PGROUP_POLICY_OBJECT lpGPOTemp;
|
|
BOOL bAllSkipped;
|
|
LPGPEXT lpExt;
|
|
LPGPINFOHANDLE pGPHandle = NULL;
|
|
ASYNCCOMPLETIONHANDLE pAsyncHandle = 0;
|
|
HANDLE hOldToken;
|
|
UINT uExtensionCount = 0;
|
|
PNETAPI32_API pNetAPI32;
|
|
DWORD dwUserPolicyMode = 0;
|
|
DWORD dwCurrentTime = 0;
|
|
INT iRole;
|
|
BOOL bSlow;
|
|
BOOL bForceNeedFG = FALSE;
|
|
CLocator locator;
|
|
RSOPEXTSTATUS gpCoreStatus;
|
|
XLastError xe;
|
|
LPWSTR szNetworkName = 0;
|
|
FgPolicyRefreshInfo info = { GP_ReasonUnknown, GP_ModeAsyncForeground };
|
|
PTOKEN_GROUPS pTokenGroups = NULL;
|
|
BOOL bAsyncFg = lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND ? TRUE : FALSE;
|
|
LPWSTR szPolicyMode = 0;
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND )
|
|
{
|
|
szPolicyMode = L"Async forground";
|
|
}
|
|
else if ( !( lpGPOInfo->dwFlags & GP_BACKGROUND_REFRESH ) )
|
|
{
|
|
szPolicyMode = L"Sync forground";
|
|
}
|
|
else
|
|
{
|
|
szPolicyMode = L"Background";
|
|
}
|
|
|
|
//
|
|
// Allow debugging level to be changed dynamically between
|
|
// policy refreshes.
|
|
//
|
|
|
|
InitDebugSupport( FALSE );
|
|
|
|
//
|
|
// Debug spew
|
|
//
|
|
|
|
memset(&gpCoreStatus, 0, sizeof(gpCoreStatus));
|
|
|
|
|
|
if (lpGPOInfo->dwFlags & GP_MACHINE) {
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs: Starting computer Group Policy (%s) processing..."),szPolicyMode ));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
} else {
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs: Starting user Group Policy (%s) processing..."),szPolicyMode ));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
DebugMsg(( DM_VERBOSE, TEXT("ProcessGPOs:")));
|
|
}
|
|
|
|
if ( !( lpGPOInfo->dwFlags & GP_MACHINE ) && lpGPOInfo->lpwszSidUser )
|
|
{
|
|
lpGPOInfo->lpwszSidUser = GetSidString( lpGPOInfo->hToken );
|
|
if ( lpGPOInfo->lpwszSidUser == 0 )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: GetSidString failed.")));
|
|
CEvents ev(TRUE, EVENT_FAILED_GET_SID); ev.Report();
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
GetSystemTimeAsFileTime(&gpCoreStatus.ftStartTime);
|
|
gpCoreStatus.bValid = TRUE;
|
|
|
|
//
|
|
// Check if we should be verbose to the event log
|
|
//
|
|
|
|
if (CheckForVerbosePolicy()) {
|
|
lpGPOInfo->dwFlags |= GP_VERBOSE;
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Verbose output to eventlog requested.")));
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
if (lpGPOInfo->dwFlags & GP_MACHINE) {
|
|
CEvents ev(FALSE, EVENT_START_MACHINE_POLICY); ev.Report();
|
|
} else {
|
|
CEvents ev(FALSE, EVENT_START_USER_POLICY); ev.Report();
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Claim the critical section
|
|
//
|
|
|
|
lpGPOInfo->hCritSection = EnterCriticalPolicySection((lpGPOInfo->dwFlags & GP_MACHINE));
|
|
|
|
if (!lpGPOInfo->hCritSection) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to claim the policy critical section with %d."),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_CRITICAL_SECTION);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
//
|
|
// Set the security on the Group Policy registry key
|
|
//
|
|
|
|
if (!MakeRegKeySecure((lpGPOInfo->dwFlags & GP_MACHINE) ? NULL : lpGPOInfo->hToken,
|
|
lpGPOInfo->hKeyRoot,
|
|
TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy"))) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to secure reg key.")));
|
|
}
|
|
|
|
//
|
|
// Check if user's sid has changed
|
|
// Check the change in user's sid before doing any rsop logging..
|
|
//
|
|
|
|
if ( !CheckForChangedSid( lpGPOInfo, &locator ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Check for changed sid failed")));
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
//
|
|
// This flag will be used for all further Rsop Logging..
|
|
//
|
|
|
|
lpGPOInfo->bRsopLogging = RsopLoggingEnabled();
|
|
|
|
//
|
|
// Load netapi32
|
|
//
|
|
|
|
pNetAPI32 = LoadNetAPI32();
|
|
|
|
if (!pNetAPI32) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to load netapi32 with %d."),
|
|
GetLastError()));
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// Get the role of this computer
|
|
//
|
|
|
|
if (!GetMachineRole (&iRole)) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to get the role of the computer.")));
|
|
CEvents ev(TRUE, EVENT_FAILED_ROLE); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
lpGPOInfo->iMachineRole = iRole;
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Machine role is %d."), iRole));
|
|
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
|
|
switch (iRole) {
|
|
case 0:
|
|
{
|
|
CEvents ev(FALSE, EVENT_ROLE_STANDALONE); ev.Report();
|
|
break;
|
|
}
|
|
|
|
case 1:
|
|
{
|
|
CEvents ev(FALSE, EVENT_ROLE_DOWNLEVEL_DOMAIN); ev.Report();
|
|
break;
|
|
}
|
|
default:
|
|
{
|
|
CEvents ev(FALSE, EVENT_ROLE_DS_DOMAIN); ev.Report();
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// If we are going to apply policy from the DS
|
|
// query for the user's DN name, domain name, etc
|
|
//
|
|
|
|
if (lpGPOInfo->dwFlags & GP_APPLY_DS_POLICY)
|
|
{
|
|
//
|
|
// Query for the user's domain name
|
|
//
|
|
|
|
if (!ImpersonateUser(lpGPOInfo->hToken, &hOldToken))
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to impersonate user")));
|
|
goto Exit;
|
|
}
|
|
|
|
lpDomain = MyGetDomainName ();
|
|
|
|
RevertToUser(&hOldToken);
|
|
|
|
if (!lpDomain) {
|
|
xe = GetLastError();
|
|
dwResult = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: MyGetDomainName failed with %d."),
|
|
dwResult));
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// Query for the DS server name
|
|
//
|
|
DWORD dwAdapterIndex = (DWORD) -1;
|
|
|
|
dwResult = GetDomainControllerInfo( pNetAPI32,
|
|
lpDomain,
|
|
DS_DIRECTORY_SERVICE_REQUIRED | DS_IS_FLAT_NAME
|
|
| DS_RETURN_DNS_NAME |
|
|
((lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD) ? DS_BACKGROUND_ONLY : 0),
|
|
lpGPOInfo->hKeyRoot,
|
|
&pDCI,
|
|
&bSlow,
|
|
&dwAdapterIndex );
|
|
|
|
if (dwResult != ERROR_SUCCESS) {
|
|
xe = dwResult;
|
|
|
|
if ((dwResult == ERROR_BAD_NETPATH) ||
|
|
(dwResult == ERROR_NETWORK_UNREACHABLE) ||
|
|
(dwResult == ERROR_NO_SUCH_DOMAIN)) {
|
|
|
|
//
|
|
// couldn't find DC. Nothing more we can do, abort
|
|
//
|
|
if ( (!(lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD)) ||
|
|
(lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND) ||
|
|
(lpGPOInfo->iMachineRole == 3) )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: The DC for domain %s is not available. aborting"),
|
|
lpDomain));
|
|
|
|
CEvents ev(TRUE, EVENT_FAILED_DSNAME);
|
|
ev.AddArgWin32Error(dwResult); ev.Report();
|
|
}
|
|
else {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: The DC for domain %s is not available."), lpDomain));
|
|
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE)
|
|
{
|
|
CEvents ev(FALSE, EVENT_FAILED_DSNAME);
|
|
ev.AddArgWin32Error(dwResult); ev.Report();
|
|
}
|
|
}
|
|
} else {
|
|
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: DSGetDCName failed with %d."),
|
|
dwResult));
|
|
CEvents ev(TRUE, EVENT_FAILED_DSNAME);
|
|
ev.AddArgWin32Error(dwResult); ev.Report();
|
|
}
|
|
|
|
goto Exit;
|
|
} else {
|
|
|
|
//
|
|
// success, slow link?
|
|
//
|
|
if (bSlow) {
|
|
lpGPOInfo->dwFlags |= GP_SLOW_LINK;
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
CEvents ev(FALSE, EVENT_SLOWLINK); ev.Report();
|
|
}
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: A slow link was detected.")));
|
|
}
|
|
|
|
if ( ( lpGPOInfo->dwFlags & GP_MACHINE ) != 0 )
|
|
{
|
|
dwResult = GetNetworkName( &szNetworkName, dwAdapterIndex );
|
|
if ( dwResult != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: GetNetworkName failed with %d."), dwResult ));
|
|
}
|
|
else
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: network name is %s"), szNetworkName ? szNetworkName : L"" ));
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Get the user's DN name
|
|
//
|
|
|
|
if (!ImpersonateUser(lpGPOInfo->hToken, &hOldToken)) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to impersonate user")));
|
|
goto Exit;
|
|
}
|
|
|
|
lpName = MyGetUserName (NameFullyQualifiedDN);
|
|
|
|
RevertToUser(&hOldToken);
|
|
|
|
if (!lpName) {
|
|
xe = GetLastError();
|
|
dwResult = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: MyGetUserName failed with %d."),
|
|
dwResult));
|
|
CEvents ev(TRUE, EVENT_FAILED_USERNAME);
|
|
ev.AddArgWin32Error(dwResult); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
lpDomainDN = pDCI->DomainName;
|
|
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
CEvents ev(FALSE, EVENT_USERNAME); ev.AddArg(L"%.500s", lpName); ev.Report();
|
|
CEvents ev1(FALSE, EVENT_DOMAINNAME); ev1.AddArg(L"%.500s", lpDomain); ev1.Report();
|
|
CEvents ev2(FALSE, EVENT_DCNAME); ev2.AddArg(pDCI->DomainControllerName); ev2.Report();
|
|
}
|
|
|
|
lpGPOInfo->lpDNName = lpName;
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: User name is: %s, Domain name is: %s"),
|
|
lpName, lpDomain));
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Domain controller is: %s Domain DN is %s"),
|
|
pDCI->DomainControllerName, lpDomainDN));
|
|
|
|
|
|
if (!(lpGPOInfo->dwFlags & GP_MACHINE)) {
|
|
CallDFS(pDCI->DomainName, pDCI->DomainControllerName);
|
|
}
|
|
|
|
|
|
//
|
|
// Save the DC name in the registry for future reference
|
|
//
|
|
|
|
DWORD dwDisp;
|
|
|
|
if (RegCreateKeyEx (lpGPOInfo->hKeyRoot,
|
|
TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"),
|
|
0, NULL, REG_OPTION_NON_VOLATILE,
|
|
KEY_SET_VALUE, NULL, &hKey, &dwDisp) == ERROR_SUCCESS)
|
|
{
|
|
dwSize = (lstrlen(pDCI->DomainControllerName) + 1) * sizeof(TCHAR);
|
|
RegSetValueEx (hKey, TEXT("DCName"), 0, REG_SZ,
|
|
(LPBYTE) pDCI->DomainControllerName, dwSize);
|
|
|
|
if ( ( lpGPOInfo->dwFlags & GP_MACHINE ) != 0 )
|
|
{
|
|
LPWSTR szTemp = szNetworkName ? szNetworkName : L"";
|
|
|
|
dwSize = ( wcslen( szTemp ) + 1 ) * sizeof( WCHAR );
|
|
RegSetValueEx( hKey,
|
|
L"NetworkName",
|
|
0,
|
|
REG_SZ,
|
|
(LPBYTE) szTemp,
|
|
dwSize );
|
|
}
|
|
RegCloseKey (hKey);
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Read the group policy extensions from the registry
|
|
//
|
|
|
|
if ( !ReadGPExtensions( lpGPOInfo ) )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: ReadGPExtensions failed.")));
|
|
CEvents ev(TRUE, EVENT_READ_EXT_FAILED); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the user policy mode if appropriate
|
|
//
|
|
|
|
if (!(lpGPOInfo->dwFlags & GP_MACHINE)) {
|
|
|
|
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE,
|
|
SYSTEM_POLICIES_KEY,
|
|
0, KEY_READ, &hKey) == ERROR_SUCCESS) {
|
|
|
|
dwSize = sizeof(dwUserPolicyMode);
|
|
RegQueryValueEx (hKey,
|
|
TEXT("UserPolicyMode"),
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE) &dwUserPolicyMode,
|
|
&dwSize);
|
|
|
|
RegCloseKey (hKey);
|
|
}
|
|
|
|
if (dwUserPolicyMode > 0) {
|
|
|
|
if (!(lpGPOInfo->dwFlags & GP_APPLY_DS_POLICY)) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Loopback is not allowed for downlevel or local user accounts. Loopback will be disabled.")));
|
|
CEvents ev(FALSE, EVENT_LOOPBACK_DISABLED1); ev.Report();
|
|
dwUserPolicyMode = 0;
|
|
}
|
|
|
|
if (dwUserPolicyMode > 0) {
|
|
if (lpGPOInfo->iMachineRole < 2) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Loopback is not allowed on machines joined to a downlevel domain or running standalone. Loopback will be disabled.")));
|
|
CEvents ev(TRUE, EVENT_LOOPBACK_DISABLED2); ev.Report();
|
|
dwUserPolicyMode = 0;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if (!ImpersonateUser(lpGPOInfo->hToken, &hOldToken)) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to impersonate user")));
|
|
CEvents ev(TRUE, EVENT_FAILED_IMPERSONATE);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
//
|
|
// Read each of the extensions status..
|
|
//
|
|
|
|
if (!ReadExtStatus(lpGPOInfo)) {
|
|
// event logged by ReadExtStatus
|
|
xe = GetLastError();
|
|
RevertToUser(&hOldToken);
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
//
|
|
// Check if any extensions can be skipped. If there is ever a case where
|
|
// all extensions can be skipped, then exit successfully right after this check.
|
|
// Currently RegistryExtension is always run unless there are no GPO changes,
|
|
// but the GPO changes check is done much later.
|
|
//
|
|
|
|
if ( !CheckForSkippedExtensions( lpGPOInfo, FALSE ) ) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Checking extensions for skipping failed")));
|
|
//
|
|
// LogEvent() is called by CheckForSkippedExtensions()
|
|
//
|
|
RevertToUser(&hOldToken);
|
|
goto Exit;
|
|
}
|
|
|
|
LPWSTR szSiteName;
|
|
dwResult = pNetAPI32->pfnDsGetSiteName(0, &szSiteName);
|
|
|
|
if ( dwResult != ERROR_SUCCESS )
|
|
{
|
|
if ( dwResult == ERROR_NO_SITENAME )
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: No site name defined. Skipping site policy.")));
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_VERBOSE )
|
|
{
|
|
CEvents ev(TRUE, EVENT_NO_SITENAME);
|
|
ev.Report();
|
|
}
|
|
szSiteName = 0;
|
|
}
|
|
else
|
|
{
|
|
xe = dwResult;
|
|
CEvents ev(TRUE, EVENT_FAILED_QUERY_SITE);
|
|
ev.AddArgWin32Error(dwResult); ev.Report();
|
|
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: DSGetSiteName failed with %d, exiting."), dwResult));
|
|
RevertToUser(&hOldToken);
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
lpGPOInfo->szSiteName = szSiteName;
|
|
|
|
//
|
|
// Query for the GPO list based upon the mode
|
|
//
|
|
// 0 is normal
|
|
// 1 is merge. Merge user list + machine list
|
|
// 2 is replace. use machine list instead of user list
|
|
//
|
|
|
|
|
|
if (dwUserPolicyMode == 0) {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Calling GetGPOInfo for normal policy mode")));
|
|
|
|
bResult = GetGPOInfo ((lpGPOInfo->dwFlags & GP_MACHINE) ? GPO_LIST_FLAG_MACHINE : 0,
|
|
lpDomainDN, lpName, NULL, &lpGPOInfo->lpGPOList,
|
|
&lpGPOInfo->lpSOMList,
|
|
&lpGPOInfo->lpGpContainerList,
|
|
pNetAPI32, TRUE, 0, szSiteName, 0, &locator);
|
|
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: GetGPOInfo failed.")));
|
|
CEvents ev(TRUE, EVENT_GPO_QUERY_FAILED); ev.Report();
|
|
}
|
|
|
|
|
|
} else if (dwUserPolicyMode == 2) {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Calling GetGPOInfo for replacement user policy mode")));
|
|
|
|
lpComputerName = MyGetComputerName (NameFullyQualifiedDN);
|
|
|
|
if (lpComputerName) {
|
|
|
|
PDOMAIN_CONTROLLER_INFO pDCInfo;
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Using computer name %s for query."), lpComputerName));
|
|
|
|
dwResult = pNetAPI32->pfnDsGetDcName( 0,
|
|
0,
|
|
0,
|
|
0,
|
|
DS_DIRECTORY_SERVICE_REQUIRED |
|
|
((lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD) ? DS_BACKGROUND_ONLY : 0),
|
|
&pDCInfo);
|
|
if ( dwResult == 0 )
|
|
{
|
|
bResult = GetGPOInfo (0, pDCInfo->DomainName, lpComputerName, NULL,
|
|
&lpGPOInfo->lpGPOList,
|
|
&lpGPOInfo->lpLoopbackSOMList,
|
|
&lpGPOInfo->lpLoopbackGpContainerList,
|
|
pNetAPI32, FALSE, 0, szSiteName, 0, &locator );
|
|
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: GetGPOInfo failed.")));
|
|
CEvents ev(TRUE, EVENT_GPO_QUERY_FAILED); ev.Report();
|
|
}
|
|
|
|
pNetAPI32->pfnNetApiBufferFree( pDCInfo );
|
|
}
|
|
else
|
|
{
|
|
xe = dwResult;
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to get the computer domain name with %d"),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_NO_MACHINE_DOMAIN);
|
|
ev.AddArg(lpComputerName); ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
bResult = FALSE;
|
|
}
|
|
LocalFree (lpComputerName);
|
|
|
|
} else {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to get the computer name with %d"),
|
|
GetLastError()));
|
|
|
|
CEvents ev(TRUE, EVENT_FAILED_MACHINENAME);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
bResult = FALSE;
|
|
}
|
|
} else {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Calling GetGPOInfo for merging user policy mode")));
|
|
|
|
lpComputerName = MyGetComputerName (NameFullyQualifiedDN);
|
|
|
|
if (lpComputerName) {
|
|
|
|
lpGPOInfo->lpGPOList = NULL;
|
|
bResult = GetGPOInfo (0, lpDomainDN, lpName, NULL,
|
|
&lpGPOInfo->lpGPOList,
|
|
&lpGPOInfo->lpSOMList,
|
|
&lpGPOInfo->lpGpContainerList,
|
|
pNetAPI32, FALSE, 0, szSiteName, 0, &locator );
|
|
|
|
if (bResult) {
|
|
|
|
PDOMAIN_CONTROLLER_INFO pDCInfo;
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Using computer name %s for query."), lpComputerName));
|
|
|
|
lpGPO = NULL;
|
|
|
|
dwResult = pNetAPI32->pfnDsGetDcName( 0,
|
|
0,
|
|
0,
|
|
0,
|
|
DS_DIRECTORY_SERVICE_REQUIRED |
|
|
((lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD) ? DS_BACKGROUND_ONLY : 0),
|
|
&pDCInfo);
|
|
if ( dwResult == 0 )
|
|
{
|
|
bResult = GetGPOInfo (0, pDCInfo->DomainName, lpComputerName, NULL,
|
|
&lpGPO,
|
|
&lpGPOInfo->lpLoopbackSOMList,
|
|
&lpGPOInfo->lpLoopbackGpContainerList,
|
|
pNetAPI32, FALSE, 0, szSiteName, 0, &locator );
|
|
|
|
if (bResult) {
|
|
|
|
if (lpGPOInfo->lpGPOList && lpGPO) {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Both user and machine lists are defined. Merging them together.")));
|
|
|
|
//
|
|
// Need to merge the lists together
|
|
//
|
|
|
|
lpGPOTemp = lpGPOInfo->lpGPOList;
|
|
|
|
while (lpGPOTemp->pNext) {
|
|
lpGPOTemp = lpGPOTemp->pNext;
|
|
}
|
|
|
|
lpGPOTemp->pNext = lpGPO;
|
|
|
|
} else if (!lpGPOInfo->lpGPOList && lpGPO) {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Only machine list is defined.")));
|
|
lpGPOInfo->lpGPOList = lpGPO;
|
|
|
|
} else {
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Only user list is defined.")));
|
|
}
|
|
|
|
} else {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: GetGPOInfo failed for computer name.")));
|
|
CEvents ev(TRUE, EVENT_GPO_QUERY_FAILED); ev.Report();
|
|
}
|
|
pNetAPI32->pfnNetApiBufferFree( pDCInfo );
|
|
|
|
}
|
|
else
|
|
{
|
|
xe = dwResult;
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to get the computer domain name with %d"),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_NO_MACHINE_DOMAIN);
|
|
ev.AddArg(lpComputerName); ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
bResult = FALSE;
|
|
}
|
|
|
|
} else {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: GetGPOInfo failed for user name.")));
|
|
CEvents ev(TRUE, EVENT_GPO_QUERY_FAILED); ev.Report();
|
|
}
|
|
|
|
LocalFree (lpComputerName);
|
|
|
|
} else {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to get the computer name with %d"),
|
|
GetLastError()));
|
|
CEvents ev(TRUE, EVENT_FAILED_MACHINENAME);
|
|
ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
bResult = FALSE;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
if (!RevertToUser(&hOldToken)) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to revert to self")));
|
|
}
|
|
|
|
|
|
if (!bResult) {
|
|
goto Exit;
|
|
}
|
|
|
|
bResult = SetupGPOFilter( lpGPOInfo );
|
|
|
|
if (!bResult) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: SetupGPOFilter failed.")));
|
|
CEvents ev(TRUE, EVENT_SETUP_GPOFILTER_FAILED); ev.Report();
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// Log Gpo info to WMI's database
|
|
//
|
|
|
|
//
|
|
// Need to check if the security group membership has changed the first time around
|
|
//
|
|
|
|
if ( !(lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD) || (lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND) ) {
|
|
|
|
if ((lpGPOInfo->dwFlags & GP_MACHINE) && (lpGPOInfo->dwFlags & GP_APPLY_DS_POLICY)) {
|
|
|
|
|
|
HANDLE hLocToken=NULL;
|
|
|
|
//
|
|
// if it is machine policy processing, get the machine token so that we can check
|
|
// security group membership using the right token. This causes GetMachineToken to be called twice
|
|
// but moving it to the beginning requires too much change.
|
|
//
|
|
|
|
|
|
hLocToken = GetMachineToken();
|
|
|
|
if (hLocToken) {
|
|
CheckGroupMembership( lpGPOInfo, hLocToken, &lpGPOInfo->bMemChanged, &lpGPOInfo->bUserLocalMemChanged, &pTokenGroups);
|
|
CloseHandle(hLocToken);
|
|
}
|
|
else {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to get the machine token with %d"), GetLastError()));
|
|
goto Exit;
|
|
}
|
|
}
|
|
else {
|
|
|
|
//
|
|
// In the user case just use the token passed in
|
|
//
|
|
|
|
CheckGroupMembership( lpGPOInfo, lpGPOInfo->hToken, &lpGPOInfo->bMemChanged, &lpGPOInfo->bUserLocalMemChanged, &pTokenGroups);
|
|
}
|
|
}
|
|
|
|
|
|
if ( lpGPOInfo->bRsopLogging )
|
|
{
|
|
if ( SetRsopTargetName(lpGPOInfo) )
|
|
{
|
|
RSOPSESSIONDATA rsopSessionData;
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Logging Data for Target <%s>."), lpGPOInfo->szTargetName));
|
|
|
|
//
|
|
// fill up the rsop data
|
|
//
|
|
rsopSessionData.pwszTargetName = lpGPOInfo->szName;
|
|
rsopSessionData.pwszSOM = lpGPOInfo->lpDNName ? GetSomPath( lpGPOInfo->lpDNName ) : TEXT("Local");
|
|
rsopSessionData.pSecurityGroups = pTokenGroups;
|
|
rsopSessionData.bLogSecurityGroup = lpGPOInfo->bMemChanged || lpGPOInfo->bUserLocalMemChanged;
|
|
rsopSessionData.pwszSite = lpGPOInfo->szSiteName;
|
|
rsopSessionData.bMachine = (lpGPOInfo->dwFlags & GP_MACHINE);
|
|
rsopSessionData.bSlowLink = bSlow;
|
|
|
|
//
|
|
// Fill in the current time
|
|
//
|
|
|
|
BOOL bStateChanged = FALSE;
|
|
BOOL bLinkChanged = FALSE;
|
|
BOOL bNoState = FALSE;
|
|
|
|
//
|
|
// log RSoP data only when policy has changed
|
|
//
|
|
dwResult = ComparePolicyState( lpGPOInfo, &bLinkChanged, &bStateChanged, &bNoState );
|
|
if ( dwResult != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, L"ProcessGPOs: ComparePolicyState failed %d, assuming policy changed.", dwResult ));
|
|
}
|
|
|
|
//
|
|
// bStateChanged is TRUE if dwResult is not kosher
|
|
//
|
|
|
|
if ( bStateChanged || bNoState || bLinkChanged || (lpGPOInfo->dwFlags & GP_FORCED_REFRESH) ||
|
|
lpGPOInfo->bMemChanged || lpGPOInfo->bUserLocalMemChanged ) {
|
|
|
|
//
|
|
// Any changes get the wmi interface
|
|
//
|
|
|
|
lpGPOInfo->bRsopLogging =
|
|
GetWbemServices( lpGPOInfo, RSOP_NS_DIAG_ROOT, FALSE, &(lpGPOInfo->bRsopCreated), &(lpGPOInfo->pWbemServices) );
|
|
|
|
if (!lpGPOInfo->bRsopLogging)
|
|
{
|
|
CEvents ev(TRUE, EVENT_FAILED_WBEM_SERVICES); ev.Report();
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// all changes except link changes
|
|
//
|
|
|
|
if ( bStateChanged || bNoState || (lpGPOInfo->dwFlags & GP_FORCED_REFRESH) )
|
|
{
|
|
//
|
|
// treat no state as newly created
|
|
//
|
|
|
|
lpGPOInfo->bRsopCreated = (lpGPOInfo->bRsopCreated || bNoState);
|
|
|
|
lpGPOInfo->bRsopLogging = LogExtSessionStatus( lpGPOInfo->pWbemServices,
|
|
0,
|
|
TRUE,
|
|
lpGPOInfo->bRsopCreated || (lpGPOInfo->dwFlags & GP_FORCED_REFRESH)
|
|
/* log the event sources only if the namespace is newly created or force refresh */
|
|
);
|
|
|
|
if (!lpGPOInfo->bRsopLogging)
|
|
{
|
|
CEvents ev(TRUE, EVENT_FAILED_RSOPCORE_SESSION_STATUS); ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
}
|
|
else
|
|
{
|
|
bResult = LogRsopData( lpGPOInfo, &rsopSessionData );
|
|
|
|
if (!bResult)
|
|
{
|
|
CEvents ev(TRUE, EVENT_RSOP_FAILED); ev.Report();
|
|
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Error when logging Rsop data. Continuing.")));
|
|
lpGPOInfo->bRsopLogging = FALSE;
|
|
}
|
|
else
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Logged Rsop Data successfully.")));
|
|
//
|
|
// save state only when policy has changed and RSoP logging is successful
|
|
//
|
|
dwResult = SavePolicyState( lpGPOInfo );
|
|
if ( dwResult != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, L"ProcessGPOs: SavePolicyState failed %d.", dwResult ));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else if ( bLinkChanged || lpGPOInfo->bMemChanged || lpGPOInfo->bUserLocalMemChanged )
|
|
{
|
|
bResult = LogSessionData( lpGPOInfo, &rsopSessionData );
|
|
if (!bResult)
|
|
{
|
|
CEvents ev(TRUE, EVENT_RSOP_FAILED); ev.Report();
|
|
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Error when logging Rsop session. Continuing.")));
|
|
lpGPOInfo->bRsopLogging = FALSE;
|
|
}
|
|
else
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Logged Rsop Session successfully.")));
|
|
//
|
|
// save state only when policy has changed and RSoP logging is successful
|
|
//
|
|
dwResult = SaveLinkState( lpGPOInfo );
|
|
if ( dwResult != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, L"ProcessGPOs: SaveLinkState failed %d.", dwResult ));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Error querying for targetname. not logging Gpos.Error = %d"), GetLastError()));
|
|
}
|
|
}
|
|
|
|
|
|
DebugPrintGPOList( lpGPOInfo );
|
|
|
|
//================================================================
|
|
//
|
|
// Now walk through the list of extensions
|
|
//
|
|
//================================================================
|
|
|
|
EnterCriticalSection( &g_GPOCS );
|
|
|
|
pGPHandle = (LPGPINFOHANDLE) LocalAlloc( LPTR, sizeof(GPINFOHANDLE) );
|
|
|
|
//
|
|
// Continue even if pGPHandle is 0, because all it means is that async completions (if any)
|
|
// will fail. Remove old asynch completion context.
|
|
//
|
|
|
|
if ( pGPHandle )
|
|
pGPHandle->pGPOInfo = lpGPOInfo;
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_MACHINE ) {
|
|
if ( g_pMachGPInfo )
|
|
LocalFree( g_pMachGPInfo );
|
|
|
|
g_pMachGPInfo = pGPHandle;
|
|
} else {
|
|
if ( g_pUserGPInfo )
|
|
LocalFree( g_pUserGPInfo );
|
|
|
|
g_pUserGPInfo = pGPHandle;
|
|
}
|
|
|
|
LeaveCriticalSection( &g_GPOCS );
|
|
|
|
pAsyncHandle = (ASYNCCOMPLETIONHANDLE) pGPHandle;
|
|
|
|
dwCurrentTime = GetCurTime();
|
|
|
|
lpExt = lpGPOInfo->lpExtensions;
|
|
|
|
//
|
|
// Before going in, get the thread token and reset the thread token in case
|
|
// one of the extensions hit an exception.
|
|
//
|
|
|
|
if (!OpenThreadToken (GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_READ,
|
|
TRUE, &hOldToken)) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: OpenThreadToken failed with error %d, assuming thread is not impersonating"), GetLastError()));
|
|
hOldToken = NULL;
|
|
}
|
|
|
|
while ( lpExt )
|
|
{
|
|
BOOL bProcessGPOs, bNoChanges, bUsePerUserLocalSetting;
|
|
PGROUP_POLICY_OBJECT pDeletedGPOList;
|
|
DWORD dwRet;
|
|
HRESULT hrCSERsopStatus = S_OK;
|
|
GPEXTSTATUS gpExtStatus;
|
|
|
|
//
|
|
// Check for early shutdown or user logoff
|
|
//
|
|
if ( (lpGPOInfo->dwFlags & GP_MACHINE) && g_bStopMachGPOProcessing
|
|
|| !(lpGPOInfo->dwFlags & GP_MACHINE) && g_bStopUserGPOProcessing ) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Aborting GPO processing due to machine shutdown or logoff")));
|
|
CEvents ev(TRUE, EVENT_GPO_PROC_STOPPED); ev.Report();
|
|
break;
|
|
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: -----------------------")));
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Processing extension %s"),
|
|
lpExt->lpDisplayName));
|
|
|
|
//
|
|
// The extension has not gotten skipped at this point
|
|
//
|
|
bUsePerUserLocalSetting = lpExt->dwUserLocalSetting && !(lpGPOInfo->dwFlags & GP_MACHINE);
|
|
|
|
//
|
|
// read the CSEs status
|
|
//
|
|
ReadStatus( lpExt->lpKeyName,
|
|
lpGPOInfo,
|
|
bUsePerUserLocalSetting ? lpGPOInfo->lpwszSidUser : 0,
|
|
&gpExtStatus );
|
|
|
|
|
|
//
|
|
// Reset lpGPOInfo->lpGPOList based on extension filter list. If the extension
|
|
// is being called to do delete processing on the history then the current GpoList
|
|
// is null.
|
|
//
|
|
|
|
if ( lpExt->bHistoryProcessing )
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Extension %s is being called to do delete processing on cached history."),
|
|
lpExt->lpDisplayName));
|
|
lpGPOInfo->lpGPOList = NULL;
|
|
}
|
|
else
|
|
FilterGPOs( lpExt, lpGPOInfo );
|
|
|
|
DebugPrintGPOList( lpGPOInfo );
|
|
|
|
if ( !CheckGPOs( lpExt, lpGPOInfo, dwCurrentTime,
|
|
&bProcessGPOs, &bNoChanges, &pDeletedGPOList ) )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: CheckGPOs failed.")));
|
|
lpExt = lpExt->pNext;
|
|
continue;
|
|
}
|
|
|
|
if ( lpExt->dwNoBackgroundPolicy && ( lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD ) )
|
|
{
|
|
if ( bProcessGPOs && ( pDeletedGPOList || lpGPOInfo->lpGPOList || lpExt->bRsopTransition ) )
|
|
{
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonCSERequiresSync;
|
|
}
|
|
}
|
|
|
|
if ( lpExt->bSkipped )
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Extension %s skipped with flags 0x%x."),
|
|
lpExt->lpDisplayName, lpGPOInfo->dwFlags));
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE)
|
|
{
|
|
CEvents ev(FALSE, EVENT_EXT_SKIPPED);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.AddArgHex(lpGPOInfo->dwFlags); ev.Report();
|
|
}
|
|
|
|
lpExt = lpExt->pNext;
|
|
continue;
|
|
}
|
|
|
|
if ( bProcessGPOs )
|
|
{
|
|
if ( !pDeletedGPOList && !lpGPOInfo->lpGPOList && !lpExt->bRsopTransition )
|
|
{
|
|
DebugMsg((DM_VERBOSE,
|
|
TEXT("ProcessGPOs: Extension %s skipped because both deleted and changed GPO lists are empty."),
|
|
lpExt->lpDisplayName ));
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE)
|
|
{
|
|
CEvents ev(FALSE, EVENT_EXT_HAS_EMPTY_LISTS);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.Report();
|
|
}
|
|
|
|
lpExt = lpExt->pNext;
|
|
continue;
|
|
}
|
|
|
|
if ( !(lpExt->bForcedRefreshNextFG) )
|
|
{
|
|
if ( lpExt->dwEnableAsynch )
|
|
{
|
|
//
|
|
// Save now to shadow area to avoid race between thread that returns from
|
|
// ProcessGPOList and the thread that does ProcessGroupPolicyCompleted and
|
|
// reads from shadow area.
|
|
//
|
|
SaveGPOList( lpExt->lpKeyName, lpGPOInfo,
|
|
HKEY_LOCAL_MACHINE,
|
|
bUsePerUserLocalSetting ? lpGPOInfo->lpwszSidUser : NULL,
|
|
TRUE, lpGPOInfo->lpGPOList );
|
|
}
|
|
|
|
dwRet = E_FAIL;
|
|
|
|
__try
|
|
{
|
|
dwRet = ProcessGPOList( lpExt, lpGPOInfo, pDeletedGPOList,
|
|
lpGPOInfo->lpGPOList, bNoChanges, pAsyncHandle, &hrCSERsopStatus );
|
|
}
|
|
__except( GPOExceptionFilter( GetExceptionInformation() ) )
|
|
{
|
|
|
|
SetThreadToken(NULL, hOldToken);
|
|
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Extension %s ProcessGroupPolicy threw unhandled exception 0x%x."),
|
|
lpExt->lpDisplayName, GetExceptionCode() ));
|
|
|
|
CEvents ev(TRUE, EVENT_CAUGHT_EXCEPTION);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.AddArgHex(GetExceptionCode()); ev.Report();
|
|
}
|
|
|
|
SetThreadToken(NULL, hOldToken);
|
|
|
|
FreeGPOList( pDeletedGPOList );
|
|
pDeletedGPOList = NULL;
|
|
|
|
|
|
if ( dwRet == ERROR_SUCCESS || dwRet == ERROR_OVERRIDE_NOCHANGES )
|
|
{
|
|
//
|
|
// ERROR_OVERRIDE_NOCHANGES means that extension processed the list and so the cached list
|
|
// must be updated, but the extension will be called the next time even if there are
|
|
// no changes. Duplicate the saved data in the PerUserLocalSetting case to allow for deleted
|
|
// GPO information to be generated from a combination of HKCU and HKLM\{sid-user} data.
|
|
//
|
|
|
|
SaveGPOList( lpExt->lpKeyName, lpGPOInfo,
|
|
HKEY_LOCAL_MACHINE,
|
|
NULL,
|
|
FALSE, lpGPOInfo->lpGPOList );
|
|
|
|
if ( bUsePerUserLocalSetting )
|
|
{
|
|
SaveGPOList( lpExt->lpKeyName, lpGPOInfo,
|
|
HKEY_LOCAL_MACHINE,
|
|
lpGPOInfo->lpwszSidUser,
|
|
FALSE, lpGPOInfo->lpGPOList );
|
|
}
|
|
uExtensionCount++;
|
|
|
|
//
|
|
// the CSE required sync foreground previously and now returned ERROR_OVERRIDE_NOCHANGES,
|
|
// maintain the require sync foreground refresh flag
|
|
//
|
|
if ( gpExtStatus.dwStatus == ERROR_SYNC_FOREGROUND_REFRESH_REQUIRED &&
|
|
dwRet == ERROR_OVERRIDE_NOCHANGES )
|
|
{
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonCSESyncError;
|
|
}
|
|
}
|
|
else if ( dwRet == E_PENDING )
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Extension %s ProcessGroupPolicy returned e_pending."),
|
|
lpExt->lpDisplayName));
|
|
}
|
|
else if ( dwRet == ERROR_SYNC_FOREGROUND_REFRESH_REQUIRED )
|
|
{
|
|
//
|
|
// a CSE returned ERROR_SYNC_FOREGROUND_REFRESH_REQUIRED.
|
|
// Raise a flag to sync foreground refresh.
|
|
//
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonCSERequiresSync;
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Extension %s ProcessGroupPolicy returned sync_foreground."),
|
|
lpExt->lpDisplayName));
|
|
if ( lpGPOInfo->dwFlags & GP_FORCED_REFRESH )
|
|
{
|
|
bForceNeedFG = TRUE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Extension %s ProcessGroupPolicy failed, status 0x%x."),
|
|
lpExt->lpDisplayName, dwRet));
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
CEvents ev(FALSE, EVENT_CHANGES_FAILED);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.AddArgWin32Error(dwRet); ev.Report();
|
|
}
|
|
|
|
//
|
|
// the CSE required foreground previously and now returned an error,
|
|
// maintain the require sync foreground refresh flag
|
|
//
|
|
if ( gpExtStatus.dwStatus == ERROR_SYNC_FOREGROUND_REFRESH_REQUIRED )
|
|
{
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonCSESyncError;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Fill up the status data.
|
|
//
|
|
ZeroMemory( &gpExtStatus, sizeof(gpExtStatus) );
|
|
gpExtStatus.dwSlowLink = (lpGPOInfo->dwFlags & GP_SLOW_LINK) != 0;
|
|
gpExtStatus.dwRsopLogging = lpGPOInfo->bRsopLogging;
|
|
gpExtStatus.dwStatus = dwRet;
|
|
gpExtStatus.dwTime = dwCurrentTime;
|
|
gpExtStatus.bForceRefresh = bForceNeedFG;
|
|
gpExtStatus.dwRsopStatus = hrCSERsopStatus;
|
|
|
|
WriteStatus(lpExt->lpKeyName,
|
|
lpGPOInfo,
|
|
bUsePerUserLocalSetting ? lpGPOInfo->lpwszSidUser : NULL,
|
|
&gpExtStatus);
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// if it is force refresh next time around, all we need to do is readstatus and
|
|
// writestatus back with forcerefresh value set.
|
|
//
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Extensions %s needs to run in ForeGround. Skipping after setting forceflag."),
|
|
lpExt->lpDisplayName));
|
|
|
|
if ( gpExtStatus.bStatus )
|
|
{
|
|
gpExtStatus.bForceRefresh = TRUE;
|
|
|
|
WriteStatus( lpExt->lpKeyName, lpGPOInfo,
|
|
bUsePerUserLocalSetting ? lpGPOInfo->lpwszSidUser : NULL,
|
|
&gpExtStatus );
|
|
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// We can ignore this because absence of a status automatically means processing
|
|
//
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Couldn't read status data for %s. Error %d. ignoring.. "),
|
|
lpExt->lpDisplayName, GetLastError()));
|
|
}
|
|
|
|
//
|
|
// There is a policy that can only be force refreshed in foreground
|
|
//
|
|
bForceNeedFG = TRUE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Process next extension
|
|
//
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: -----------------------")));
|
|
lpExt = lpExt->pNext;
|
|
}
|
|
|
|
if ( hOldToken )
|
|
{
|
|
CloseHandle(hOldToken);
|
|
}
|
|
|
|
//================================================================
|
|
//
|
|
// Success
|
|
//
|
|
//================================================================
|
|
bRetVal = TRUE;
|
|
|
|
Exit:
|
|
//
|
|
// change engine modes only if there is no error
|
|
//
|
|
if ( bRetVal )
|
|
{
|
|
//
|
|
// if policy sez sync. mark it sync
|
|
//
|
|
if ( GetFgPolicySetting( HKEY_LOCAL_MACHINE ) )
|
|
{
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonSyncPolicy;
|
|
}
|
|
|
|
//
|
|
// async only on Pro
|
|
//
|
|
OSVERSIONINFOEXW version;
|
|
version.dwOSVersionInfoSize = sizeof(version);
|
|
if ( !GetVersionEx( (LPOSVERSIONINFO) &version ) )
|
|
{
|
|
//
|
|
// conservatively assume non Pro SKU
|
|
//
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonSKU;
|
|
}
|
|
else
|
|
{
|
|
if ( version.wProductType != VER_NT_WORKSTATION )
|
|
{
|
|
//
|
|
// force sync refresh on non Pro SKU
|
|
//
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonSKU;
|
|
}
|
|
}
|
|
|
|
if ( !( lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD ) || ( lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND ) )
|
|
{
|
|
//
|
|
// set the previous info only in the foreground refreshes
|
|
//
|
|
LPWSTR szSid = lpGPOInfo->dwFlags & GP_MACHINE ? 0 : lpGPOInfo->lpwszSidUser;
|
|
FgPolicyRefreshInfo curInfo = { GP_ReasonUnknown, GP_ModeUnknown };
|
|
if ( GetCurrentFgPolicyRefreshInfo( szSid, &curInfo ) != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: GetCurrentFgPolicyRefreshInfo failed.")));
|
|
}
|
|
else
|
|
{
|
|
if ( lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND )
|
|
{
|
|
curInfo.mode = GP_ModeAsyncForeground;
|
|
}
|
|
else
|
|
{
|
|
curInfo.mode = GP_ModeSyncForeground;
|
|
}
|
|
|
|
if ( SetPreviousFgPolicyRefreshInfo( szSid, curInfo ) != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: SetPreviousFgPolicyRefreshInfo failed.") ));
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( info.mode == GP_ModeSyncForeground )
|
|
{
|
|
//
|
|
// need sync foreground, set in all refreshes
|
|
//
|
|
LPWSTR szSid = lpGPOInfo->dwFlags & GP_MACHINE ? 0 : lpGPOInfo->lpwszSidUser;
|
|
if ( SetNextFgPolicyRefreshInfo( szSid, info ) != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: SetNextFgPolicyRefreshInfo failed.")));
|
|
}
|
|
}
|
|
else if ( info.mode == GP_ModeAsyncForeground )
|
|
{
|
|
//
|
|
// sync foreground policy successfully applied, nobody needs sync foreground,
|
|
// reset the GP_ModeSyncForeground only in the async foreground and background
|
|
// refreshes
|
|
//
|
|
LPWSTR szSid = lpGPOInfo->dwFlags & GP_MACHINE ? 0 : lpGPOInfo->lpwszSidUser;
|
|
if ( !( lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD ) &&
|
|
!( lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND ) )
|
|
{
|
|
if ( SetNextFgPolicyRefreshInfo( szSid, info ) != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: SetNextFgPolicyRefreshInfo failed.")));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( !lpGPOInfo->pWbemServices )
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: No WMI logging done in this policy cycle.")));
|
|
}
|
|
|
|
if (!bRetVal)
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Processing failed with error %d."), (DWORD)(xe)));
|
|
|
|
GetSystemTimeAsFileTime(&gpCoreStatus.ftEndTime);
|
|
gpCoreStatus.bValid = TRUE;
|
|
gpCoreStatus.dwStatus = bRetVal ?
|
|
ERROR_SUCCESS:
|
|
((xe ==ERROR_SUCCESS) ? E_FAIL : xe);
|
|
|
|
// if rsop logging is not supported gp core status will appear dirty
|
|
gpCoreStatus.dwLoggingStatus = RsopLoggingEnabled() ? ((lpGPOInfo->bRsopLogging) ? S_OK : E_FAIL) : HRESULT_FROM_WIN32(ERROR_CANCELLED);
|
|
|
|
|
|
// No point in checking for error code here.
|
|
// The namespace is marked dirty. Diagnostic mode provider should expect all
|
|
// values here or mark the namespace dirty.
|
|
|
|
|
|
if ((lpGPOInfo->dwFlags & GP_MACHINE) || (lpGPOInfo->lpwszSidUser)) {
|
|
|
|
SaveLoggingStatus(
|
|
(lpGPOInfo->dwFlags & GP_MACHINE) ? NULL : (lpGPOInfo->lpwszSidUser),
|
|
NULL, &gpCoreStatus);
|
|
}
|
|
|
|
//
|
|
// Unload the Group Policy Extensions
|
|
//
|
|
|
|
UnloadGPExtensions (lpGPOInfo);
|
|
|
|
FreeLists( lpGPOInfo );
|
|
|
|
lpGPOInfo->lpGPOList = NULL;
|
|
lpGPOInfo->lpExtFilterList = NULL;
|
|
|
|
if (szNetworkName) {
|
|
LocalFree (szNetworkName );
|
|
szNetworkName = NULL;
|
|
}
|
|
|
|
FreeSOMList( lpGPOInfo->lpSOMList );
|
|
FreeSOMList( lpGPOInfo->lpLoopbackSOMList );
|
|
FreeGpContainerList( lpGPOInfo->lpGpContainerList );
|
|
FreeGpContainerList( lpGPOInfo->lpLoopbackGpContainerList );
|
|
|
|
if ( lpGPOInfo->szSiteName )
|
|
{
|
|
pNetAPI32->pfnNetApiBufferFree(lpGPOInfo->szSiteName);
|
|
lpGPOInfo->szSiteName = 0;
|
|
}
|
|
|
|
lpGPOInfo->lpSOMList = NULL;
|
|
lpGPOInfo->lpLoopbackSOMList = NULL;
|
|
lpGPOInfo->lpGpContainerList = NULL;
|
|
lpGPOInfo->lpLoopbackGpContainerList = NULL;
|
|
lpGPOInfo->bRsopCreated = FALSE; // reset this to false always.
|
|
// we will know in the next iteration
|
|
|
|
ReleaseWbemServices( lpGPOInfo );
|
|
|
|
//
|
|
// Token groups can change only at logon time, so reset to false
|
|
//
|
|
|
|
lpGPOInfo->bMemChanged = FALSE;
|
|
lpGPOInfo->bUserLocalMemChanged = FALSE;
|
|
|
|
//
|
|
// We migrate the policy data from old sid only at logon time.
|
|
// reset it to false.
|
|
//
|
|
|
|
lpGPOInfo->bSidChanged = FALSE;
|
|
|
|
if (pDCI) {
|
|
pNetAPI32->pfnNetApiBufferFree(pDCI);
|
|
}
|
|
|
|
lpGPOInfo->lpDNName = 0;
|
|
if (lpName) {
|
|
LocalFree (lpName);
|
|
}
|
|
|
|
if (lpDomain) {
|
|
LocalFree (lpDomain);
|
|
}
|
|
|
|
if (pTokenGroups) {
|
|
LocalFree(pTokenGroups);
|
|
pTokenGroups = NULL;
|
|
}
|
|
|
|
//
|
|
// Release the critical section
|
|
//
|
|
|
|
if (lpGPOInfo->hCritSection) {
|
|
LeaveCriticalPolicySection (lpGPOInfo->hCritSection);
|
|
lpGPOInfo->hCritSection = NULL;
|
|
}
|
|
|
|
|
|
//
|
|
// Announce that policies have changed
|
|
//
|
|
|
|
if (bRetVal) {
|
|
|
|
//
|
|
// This needs to be set before NotifyEvent
|
|
//
|
|
|
|
if (bForceNeedFG)
|
|
{
|
|
info.reason = GP_ReasonSyncForced;
|
|
info.mode = GP_ModeSyncForeground;
|
|
LPWSTR szSid = lpGPOInfo->dwFlags & GP_MACHINE ? 0 : lpGPOInfo->lpwszSidUser;
|
|
if ( SetNextFgPolicyRefreshInfo( szSid, info ) != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: SetNextFgPolicyRefreshInfo failed.")));
|
|
}
|
|
else
|
|
{
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Forced option changed policy mode.")));
|
|
}
|
|
|
|
DmAssert(lpGPOInfo->dwFlags & GP_FORCED_REFRESH);
|
|
SetEvent(lpGPOInfo->hNeedFGEvent);
|
|
}
|
|
|
|
if (uExtensionCount) {
|
|
|
|
//
|
|
// First, update User with new colors, bitmaps, etc.
|
|
//
|
|
|
|
if (lpGPOInfo->dwFlags & GP_REGPOLICY_CPANEL) {
|
|
|
|
//
|
|
// Something has changed in the control panel section
|
|
// Start control.exe with the /policy switch so the
|
|
// display is refreshed.
|
|
//
|
|
|
|
RefreshDisplay (lpGPOInfo);
|
|
}
|
|
|
|
|
|
//
|
|
// Notify anyone waiting on an event handle
|
|
//
|
|
|
|
if (lpGPOInfo->hNotifyEvent) {
|
|
PulseEvent (lpGPOInfo->hNotifyEvent);
|
|
}
|
|
|
|
|
|
//
|
|
// Create a thread to broadcast the WM_SETTINGCHANGE message
|
|
//
|
|
|
|
// copy the data to another structure so that this thread can safely free its structures
|
|
|
|
LPPOLICYCHANGEDINFO lpPolicyChangedInfo;
|
|
|
|
lpPolicyChangedInfo = (LPPOLICYCHANGEDINFO)LocalAlloc(LPTR, sizeof(POLICYCHANGEDINFO));
|
|
|
|
if (lpPolicyChangedInfo)
|
|
{
|
|
HANDLE hProc;
|
|
BOOL bDupSucceeded = TRUE;
|
|
|
|
lpPolicyChangedInfo->bMachine = (lpGPOInfo->dwFlags & GP_MACHINE) ? 1 : 0;
|
|
|
|
if (!(lpPolicyChangedInfo->bMachine))
|
|
{
|
|
hProc = GetCurrentProcess();
|
|
|
|
if( hProc == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to get process handle with error (%d)."), GetLastError()));
|
|
bDupSucceeded = FALSE;
|
|
}
|
|
|
|
if (bDupSucceeded &&
|
|
(!DuplicateHandle(
|
|
hProc, // Source of the handle
|
|
lpGPOInfo->hToken, // Source handle
|
|
hProc, // Target of the handle
|
|
&(lpPolicyChangedInfo->hToken), // Target handle
|
|
0, // ignored since DUPLICATE_SAME_ACCESS is set
|
|
FALSE, // no inherit on the handle
|
|
DUPLICATE_SAME_ACCESS
|
|
))) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to open duplicate token handle with error (%d)."), GetLastError()));
|
|
bDupSucceeded = FALSE;
|
|
}
|
|
}
|
|
|
|
if (bDupSucceeded) {
|
|
hThread = CreateThread (NULL, 0, (LPTHREAD_START_ROUTINE) PolicyChangedThread,
|
|
(LPVOID) lpPolicyChangedInfo,
|
|
CREATE_SUSPENDED, &dwThreadID);
|
|
|
|
if (hThread) {
|
|
SetThreadPriority (hThread, THREAD_PRIORITY_IDLE);
|
|
ResumeThread (hThread);
|
|
CloseHandle (hThread);
|
|
|
|
} else {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to create background thread (%d)."),
|
|
GetLastError()));
|
|
|
|
// free the resources if the thread didn't get launched
|
|
if (!(lpPolicyChangedInfo->bMachine)) {
|
|
if (lpPolicyChangedInfo->hToken) {
|
|
CloseHandle(lpPolicyChangedInfo->hToken);
|
|
lpPolicyChangedInfo->hToken = NULL;
|
|
}
|
|
}
|
|
|
|
LocalFree(lpPolicyChangedInfo);
|
|
}
|
|
}
|
|
else {
|
|
LocalFree(lpPolicyChangedInfo);
|
|
}
|
|
}
|
|
else {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOs: Failed to allocate memory for policy changed structure with %d."), GetLastError()));
|
|
}
|
|
}
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
if (lpGPOInfo->dwFlags & GP_MACHINE) {
|
|
CEvents ev(FALSE, EVENT_MACHINE_POLICY_APPLIED); ev.Report();
|
|
} else {
|
|
CEvents ev(FALSE, EVENT_USER_POLICY_APPLIED); ev.Report();
|
|
}
|
|
}
|
|
|
|
if (lpGPOInfo->hDoneEvent) {
|
|
PulseEvent (lpGPOInfo->hDoneEvent);
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_MACHINE) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Computer Group Policy has been applied.")));
|
|
} else {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: User Group Policy has been applied.")));
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOs: Leaving with %d."), bRetVal));
|
|
|
|
return bRetVal;
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// PolicyChangedThread()
|
|
//
|
|
// Purpose: Sends the WM_SETTINGCHANGE message announcing
|
|
// that policy has changed. This is done on a
|
|
// separate thread because this could take many
|
|
// seconds to succeed if an application is hung
|
|
//
|
|
// Parameters: lpPolicyChangedInfo - GPO info
|
|
//
|
|
// Return: 0
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD WINAPI PolicyChangedThread (LPPOLICYCHANGEDINFO lpPolicyChangedInfo)
|
|
{
|
|
HINSTANCE hInst;
|
|
NTSTATUS Status;
|
|
BOOLEAN WasEnabled;
|
|
HANDLE hOldToken = NULL;
|
|
XLastError xe;
|
|
|
|
|
|
hInst = LoadLibrary (TEXT("userenv.dll"));
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("PolicyChangedThread: Calling UpdateUser with %d."), lpPolicyChangedInfo->bMachine));
|
|
|
|
// impersonate and update system parameter if it is not machine
|
|
if (!(lpPolicyChangedInfo->bMachine)) {
|
|
if (!ImpersonateUser(lpPolicyChangedInfo->hToken, &hOldToken))
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("PolicyChangedThread: Failed to impersonate user")));
|
|
goto Exit;
|
|
}
|
|
|
|
if (!UpdatePerUserSystemParameters(NULL, UPUSP_POLICYCHANGE)) {
|
|
DebugMsg((DM_WARNING, TEXT("PolicyChangedThread: UpdateUser failed with %d."), GetLastError()));
|
|
// ignoring error and continuing the next notifications
|
|
}
|
|
|
|
if (!RevertToUser(&hOldToken)) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("PolicyChangedThread: Failed to revert user")));
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("PolicyChangedThread: Broadcast message for %d."), lpPolicyChangedInfo->bMachine));
|
|
|
|
//
|
|
// Broadcast the WM_SETTINGCHANGE message
|
|
//
|
|
|
|
Status = RtlAdjustPrivilege(SE_TCB_PRIVILEGE, TRUE, FALSE, &WasEnabled);
|
|
|
|
if ( NT_SUCCESS(Status) )
|
|
{
|
|
DWORD dwBSM = BSM_ALLDESKTOPS | BSM_APPLICATIONS;
|
|
|
|
BroadcastSystemMessage (BSF_IGNORECURRENTTASK | BSF_FORCEIFHUNG,
|
|
&dwBSM,
|
|
WM_SETTINGCHANGE,
|
|
lpPolicyChangedInfo->bMachine, (LPARAM) TEXT("Policy"));
|
|
|
|
RtlAdjustPrivilege(SE_TCB_PRIVILEGE, WasEnabled, FALSE, &WasEnabled);
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("PolicyChangedThread: Leaving")));
|
|
|
|
Exit:
|
|
if (!(lpPolicyChangedInfo->bMachine)) {
|
|
if (lpPolicyChangedInfo->hToken) {
|
|
CloseHandle(lpPolicyChangedInfo->hToken);
|
|
lpPolicyChangedInfo->hToken = NULL;
|
|
}
|
|
}
|
|
|
|
LocalFree(lpPolicyChangedInfo);
|
|
|
|
FreeLibraryAndExitThread (hInst, 0);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// GetCurTime()
|
|
//
|
|
// Purpose: Returns current time in minutes, or 0 if there
|
|
// is a failure
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD GetCurTime()
|
|
{
|
|
DWORD dwCurTime = 0;
|
|
LARGE_INTEGER liCurTime;
|
|
|
|
if ( NT_SUCCESS( NtQuerySystemTime( &liCurTime) ) ) {
|
|
|
|
if ( RtlTimeToSecondsSince1980 ( &liCurTime, &dwCurTime) ) {
|
|
|
|
dwCurTime /= 60; // seconds to minutes
|
|
}
|
|
}
|
|
|
|
return dwCurTime;
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// LoadGPExtension()
|
|
//
|
|
// Purpose: Loads a GP extension.
|
|
//
|
|
// Parameters: lpExt -- GP extension
|
|
// bRsopPlanningMode -- Is this during Rsop planning mode ?
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL LoadGPExtension( LPGPEXT lpExt, BOOL bRsopPlanningMode )
|
|
{
|
|
XLastError xe;
|
|
|
|
if ( !lpExt->bRegistryExt && lpExt->hInstance == NULL )
|
|
{
|
|
lpExt->hInstance = LoadLibrary( lpExt->lpDllName );
|
|
if ( lpExt->hInstance )
|
|
{
|
|
if ( lpExt->bNewInterface )
|
|
{
|
|
lpExt->pEntryPointEx = (PFNPROCESSGROUPPOLICYEX)GetProcAddress(lpExt->hInstance,
|
|
lpExt->lpFunctionName);
|
|
if ( lpExt->pEntryPointEx == NULL )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING,
|
|
TEXT("LoadGPExtension: Failed to query ProcessGroupPolicyEx function entry point in dll <%s> with %d"),
|
|
lpExt->lpDllName, GetLastError()));
|
|
CEvents ev(TRUE, EVENT_EXT_FUNCEX_FAIL);
|
|
ev.AddArg(lpExt->lpDllName); ev.Report();
|
|
|
|
return FALSE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
lpExt->pEntryPoint = (PFNPROCESSGROUPPOLICY)GetProcAddress(lpExt->hInstance,
|
|
lpExt->lpFunctionName);
|
|
if ( lpExt->pEntryPoint == NULL )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING,
|
|
TEXT("LoadGPExtension: Failed to query ProcessGroupPolicy function entry point in dll <%s> with %d"),
|
|
lpExt->lpDllName, GetLastError()));
|
|
CEvents ev(TRUE, EVENT_EXT_FUNC_FAIL);
|
|
ev.AddArg(lpExt->lpDllName); ev.Report();
|
|
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
if ( bRsopPlanningMode ) {
|
|
|
|
if ( lpExt->lpRsopFunctionName ) {
|
|
|
|
lpExt->pRsopEntryPoint = (PFNGENERATEGROUPPOLICY)GetProcAddress(lpExt->hInstance,
|
|
lpExt->lpRsopFunctionName);
|
|
if ( lpExt->pRsopEntryPoint == NULL )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING,
|
|
TEXT("LoadGPExtension: Failed to query GenerateGroupPolicy function entry point in dll <%s> with %d"),
|
|
lpExt->lpDllName, GetLastError()));
|
|
|
|
CEvents ev(TRUE, EVENT_EXT_FUNCRSOP_FAIL);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.AddArg(lpExt->lpDllName); ev.Report();
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
} else {
|
|
|
|
xe = ERROR_PROC_NOT_FOUND;
|
|
DebugMsg((DM_WARNING,
|
|
TEXT("LoadGPExtension: Failed to find Rsop entry point in dll <%s>"), lpExt->lpDllName ));
|
|
return FALSE;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("LoadGPExtension: Failed to load dll <%s> with %d"),
|
|
lpExt->lpDllName, GetLastError()));
|
|
CEvents ev(TRUE, EVENT_EXT_LOAD_FAIL);
|
|
ev.AddArg(lpExt->lpDllName); ev.AddArgWin32Error(GetLastError()); ev.Report();
|
|
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// UnloadGPExtensions()
|
|
//
|
|
// Purpose: Unloads the Group Policy extension dlls
|
|
//
|
|
// Parameters: lpGPOInfo - GP Information
|
|
//
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL UnloadGPExtensions (LPGPOINFO lpGPOInfo)
|
|
{
|
|
if ( !lpGPOInfo )
|
|
{
|
|
return TRUE;
|
|
}
|
|
|
|
LPGPEXT lpExt, lpTemp;
|
|
lpExt = lpGPOInfo->lpExtensions;
|
|
|
|
while ( lpExt )
|
|
{
|
|
lpTemp = lpExt->pNext;
|
|
|
|
if ( lpExt->hInstance )
|
|
{
|
|
FreeLibrary( lpExt->hInstance );
|
|
}
|
|
|
|
if ( lpExt->szEventLogSources )
|
|
{
|
|
LocalFree( lpExt->szEventLogSources );
|
|
}
|
|
if (lpExt->lpPrevStatus)
|
|
{
|
|
LocalFree(lpExt->lpPrevStatus);
|
|
}
|
|
|
|
LocalFree( lpExt );
|
|
lpExt = lpTemp;
|
|
}
|
|
|
|
lpGPOInfo->lpExtensions = 0;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// ProcessGPOList()
|
|
//
|
|
// Purpose: Calls client side extensions to process gpos
|
|
//
|
|
// Parameters: lpExt - GP extension
|
|
// lpGPOInfo - GPT Information
|
|
// pDeletedGPOList - Deleted GPOs
|
|
// pChangedGPOList - New/changed GPOs
|
|
// bNoChanges - True if there are no GPO changes
|
|
// and GPO processing is forced
|
|
// pAsyncHandle - Context for async completion
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD ProcessGPOList (LPGPEXT lpExt,
|
|
LPGPOINFO lpGPOInfo,
|
|
PGROUP_POLICY_OBJECT pDeletedGPOList,
|
|
PGROUP_POLICY_OBJECT pChangedGPOList,
|
|
BOOL bNoChanges, ASYNCCOMPLETIONHANDLE pAsyncHandle,
|
|
HRESULT *phrRsopStatus )
|
|
{
|
|
LPTSTR lpGPTPath, lpDSPath;
|
|
INT iStrLen;
|
|
DWORD dwRet = ERROR_SUCCESS;
|
|
DWORD dwFlags = 0;
|
|
PGROUP_POLICY_OBJECT lpGPO;
|
|
TCHAR szStatusFormat[50];
|
|
TCHAR szVerbose[100];
|
|
DWORD dwSlowLinkCur = (lpGPOInfo->dwFlags & GP_SLOW_LINK) != 0;
|
|
IWbemServices *pLocalWbemServices;
|
|
HRESULT hr2 = S_OK;
|
|
|
|
*phrRsopStatus=S_OK;
|
|
|
|
|
|
//
|
|
// Verbose output
|
|
//
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Entering for extension %s"), lpExt->lpDisplayName));
|
|
|
|
if (lpGPOInfo->pStatusCallback) {
|
|
LoadString (g_hDllInstance, IDS_CALLEXTENSION, szStatusFormat, ARRAYSIZE(szStatusFormat));
|
|
wsprintf (szVerbose, szStatusFormat, lpExt->lpDisplayName);
|
|
lpGPOInfo->pStatusCallback(TRUE, szVerbose);
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_MACHINE) {
|
|
dwFlags |= GPO_INFO_FLAG_MACHINE;
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD)
|
|
{
|
|
dwFlags |= GPO_INFO_FLAG_BACKGROUND;
|
|
}
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_ASYNC_FOREGROUND )
|
|
{
|
|
dwFlags |= GPO_INFO_FLAG_ASYNC_FOREGROUND;
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_SLOW_LINK) {
|
|
dwFlags |= GPO_INFO_FLAG_SLOWLINK;
|
|
}
|
|
|
|
if ( dwSlowLinkCur != lpExt->lpPrevStatus->dwSlowLink ) {
|
|
dwFlags |= GPO_INFO_FLAG_LINKTRANSITION;
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
dwFlags |= GPO_INFO_FLAG_VERBOSE;
|
|
}
|
|
|
|
if ( bNoChanges ) {
|
|
dwFlags |= GPO_INFO_FLAG_NOCHANGES;
|
|
}
|
|
|
|
//
|
|
// flag safe mode boot to CSE so that they can made a decision
|
|
// whether or not to apply policy
|
|
//
|
|
if ( GetSystemMetrics( SM_CLEANBOOT ) )
|
|
{
|
|
dwFlags |= GPO_INFO_FLAG_SAFEMODE_BOOT;
|
|
}
|
|
|
|
if (lpExt->bRsopTransition) {
|
|
dwFlags |= GPO_INFO_FLAG_LOGRSOP_TRANSITION;
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Passing in the rsop transition flag to Extension %s"),
|
|
lpExt->lpDisplayName));
|
|
}
|
|
|
|
|
|
if ( (lpGPOInfo->dwFlags & GP_FORCED_REFRESH) ||
|
|
((!(lpGPOInfo->dwFlags & GP_BACKGROUND_THREAD)) && (lpExt->lpPrevStatus->bForceRefresh))) {
|
|
|
|
dwFlags |= GPO_INFO_FLAG_FORCED_REFRESH;
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Passing in the force refresh flag to Extension %s"),
|
|
lpExt->lpDisplayName));
|
|
}
|
|
|
|
//
|
|
// if it is rsop transition or changes case get the intf ptr
|
|
//
|
|
|
|
if ( (lpGPOInfo->bRsopLogging) &&
|
|
((lpExt->bRsopTransition) || (!bNoChanges) || (dwFlags & GPO_INFO_FLAG_FORCED_REFRESH)) ) {
|
|
|
|
if (!(lpGPOInfo->pWbemServices) ) {
|
|
BOOL bCreated;
|
|
|
|
//
|
|
// Note that this code shouldn't be creating a namespace ever..
|
|
//
|
|
|
|
if (!GetWbemServices(lpGPOInfo, RSOP_NS_DIAG_ROOT, FALSE, NULL, &(lpGPOInfo->pWbemServices))) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOList: Couldn't get the wbemservices intf pointer")));
|
|
lpGPOInfo->bRsopLogging = FALSE;
|
|
hr2 = *phrRsopStatus = E_FAIL;
|
|
}
|
|
}
|
|
|
|
pLocalWbemServices = lpGPOInfo->pWbemServices;
|
|
}
|
|
else {
|
|
pLocalWbemServices = NULL;
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr")));
|
|
}
|
|
|
|
dwRet = ERROR_SUCCESS;
|
|
|
|
if ( lpExt->bRegistryExt )
|
|
{
|
|
//
|
|
// Registry pseudo extension.
|
|
//
|
|
|
|
|
|
//
|
|
// Log the extension specific status
|
|
//
|
|
|
|
if (pLocalWbemServices) {
|
|
lpGPOInfo->bRsopLogging = LogExtSessionStatus( pLocalWbemServices,
|
|
lpExt,
|
|
TRUE,
|
|
(lpExt->bRsopTransition || (dwFlags & GPO_INFO_FLAG_FORCED_REFRESH)
|
|
|| (!bNoChanges)));
|
|
|
|
|
|
if (!lpGPOInfo->bRsopLogging) {
|
|
hr2 = E_FAIL;
|
|
}
|
|
}
|
|
|
|
if (!ProcessGPORegistryPolicy (lpGPOInfo, pChangedGPOList, phrRsopStatus)) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOList: ProcessGPORegistryPolicy failed.")));
|
|
dwRet = E_FAIL;
|
|
}
|
|
|
|
} else { // if lpExt->bRegistryExt
|
|
|
|
//
|
|
// Regular extension
|
|
//
|
|
|
|
BOOL *pbAbort;
|
|
ASYNCCOMPLETIONHANDLE pAsyncHandleTemp;
|
|
|
|
if ( lpExt->dwRequireRegistry ) {
|
|
|
|
GPEXTSTATUS gpExtStatus;
|
|
|
|
ReadStatus( c_szRegistryExtName, lpGPOInfo, NULL, &gpExtStatus );
|
|
|
|
if ( !gpExtStatus.bStatus || gpExtStatus.dwStatus != ERROR_SUCCESS ) {
|
|
|
|
DebugMsg((DM_VERBOSE,
|
|
TEXT("ProcessGPOList: Skipping extension %s due to failed Registry extension."),
|
|
lpExt->lpDisplayName));
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
CEvents ev(FALSE, EVENT_EXT_SKIPPED_DUETO_FAILED_REG);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.Report();
|
|
}
|
|
|
|
dwRet = E_FAIL;
|
|
|
|
goto Exit;
|
|
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Log the extension specific status
|
|
//
|
|
|
|
if (pLocalWbemServices)
|
|
{
|
|
lpGPOInfo->bRsopLogging = LogExtSessionStatus( pLocalWbemServices,
|
|
lpExt,
|
|
lpExt->bNewInterface,
|
|
(lpExt->bRsopTransition || (dwFlags & GPO_INFO_FLAG_FORCED_REFRESH)
|
|
|| (!bNoChanges)));
|
|
if (!lpGPOInfo->bRsopLogging) {
|
|
hr2 = E_FAIL;
|
|
}
|
|
}
|
|
|
|
if ( !LoadGPExtension( lpExt, FALSE ) ) {
|
|
DebugMsg((DM_WARNING, TEXT("ProcessGPOList: LoadGPExtension %s failed."), lpExt->lpDisplayName));
|
|
|
|
dwRet = E_FAIL;
|
|
goto Exit;
|
|
}
|
|
|
|
if ( lpGPOInfo->dwFlags & GP_MACHINE )
|
|
pbAbort = &g_bStopMachGPOProcessing;
|
|
else
|
|
pbAbort = &g_bStopUserGPOProcessing;
|
|
|
|
//
|
|
// Check if asynchronous processing is enabled
|
|
//
|
|
|
|
if ( lpExt->dwEnableAsynch )
|
|
pAsyncHandleTemp = pAsyncHandle;
|
|
else
|
|
pAsyncHandleTemp = 0;
|
|
|
|
if ( lpExt->bNewInterface ) {
|
|
dwRet = lpExt->pEntryPointEx( dwFlags,
|
|
lpGPOInfo->hToken,
|
|
lpGPOInfo->hKeyRoot,
|
|
pDeletedGPOList,
|
|
pChangedGPOList,
|
|
pAsyncHandleTemp,
|
|
pbAbort,
|
|
lpGPOInfo->pStatusCallback,
|
|
pLocalWbemServices,
|
|
phrRsopStatus);
|
|
} else {
|
|
dwRet = lpExt->pEntryPoint( dwFlags,
|
|
lpGPOInfo->hToken,
|
|
lpGPOInfo->hKeyRoot,
|
|
pDeletedGPOList,
|
|
pChangedGPOList,
|
|
pAsyncHandleTemp,
|
|
pbAbort,
|
|
lpGPOInfo->pStatusCallback );
|
|
}
|
|
|
|
RevertToSelf();
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Extension %s returned 0x%x."),
|
|
lpExt->lpDisplayName, dwRet));
|
|
|
|
if ( dwRet != ERROR_SUCCESS &&
|
|
dwRet != ERROR_OVERRIDE_NOCHANGES &&
|
|
dwRet != E_PENDING &&
|
|
dwRet != ERROR_SYNC_FOREGROUND_REFRESH_REQUIRED )
|
|
{
|
|
CEvents ev(TRUE, EVENT_EXT_FAILED);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.Report();
|
|
}
|
|
|
|
} // else of if lpext->bregistryext
|
|
|
|
|
|
if (pLocalWbemServices) {
|
|
if ((dwRet != E_PENDING) && (SUCCEEDED(*phrRsopStatus)) && (lpExt->bNewInterface)) {
|
|
|
|
//
|
|
// for the legacy extensions it will be marked clean
|
|
//
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Extension %s was able to log data. RsopStatus = 0x%x, dwRet = %d, Clearing the dirty bit"),
|
|
lpExt->lpDisplayName, *phrRsopStatus, dwRet));
|
|
|
|
UpdateExtSessionStatus(pLocalWbemServices, lpExt->lpKeyName, FALSE, dwRet);
|
|
}
|
|
else {
|
|
|
|
if (!lpExt->bNewInterface) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Extension %s doesn't support rsop logging"),
|
|
lpExt->lpDisplayName));
|
|
|
|
UpdateExtSessionStatus(pLocalWbemServices, lpExt->lpKeyName, TRUE, dwRet);
|
|
}
|
|
else if (FAILED(*phrRsopStatus)) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Extension %s was not able to log data. Error = 0x%x, dwRet = %d,leaving the log dirty"),
|
|
lpExt->lpDisplayName, *phrRsopStatus, dwRet ));
|
|
|
|
CEvents ev(TRUE, EVENT_EXT_RSOP_FAILED);
|
|
ev.AddArg(lpExt->lpDisplayName); ev.Report();
|
|
|
|
UpdateExtSessionStatus(pLocalWbemServices, lpExt->lpKeyName, TRUE, dwRet);
|
|
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGPOList: Extension %s status was not updated because there was no changes and no transition or rsop wasn't enabled"),
|
|
lpExt->lpDisplayName));
|
|
}
|
|
|
|
//
|
|
// if any of the things provider is supposed to log fails, log it as an error
|
|
// so that provider tries to log it again next time
|
|
//
|
|
|
|
*phrRsopStatus = (SUCCEEDED(*phrRsopStatus)) && (FAILED(hr2)) ? hr2 : *phrRsopStatus;
|
|
*phrRsopStatus = (!lpExt->bNewInterface) ? HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED) : *phrRsopStatus;
|
|
|
|
|
|
Exit:
|
|
|
|
return dwRet;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// RefreshDisplay()
|
|
//
|
|
// Purpose: Starts control.exe
|
|
//
|
|
// Parameters: lpGPOInfo - GPT information
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL RefreshDisplay (LPGPOINFO lpGPOInfo)
|
|
{
|
|
STARTUPINFO si;
|
|
PROCESS_INFORMATION pi;
|
|
TCHAR szCmdLine[50];
|
|
BOOL Result;
|
|
HANDLE hOldToken;
|
|
|
|
|
|
|
|
//
|
|
// Verbose output
|
|
//
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("RefreshDisplay: Starting control.exe")));
|
|
|
|
|
|
//
|
|
// Initialize process startup info
|
|
//
|
|
|
|
si.cb = sizeof(STARTUPINFO);
|
|
si.lpReserved = NULL;
|
|
si.lpTitle = NULL;
|
|
si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L;
|
|
si.dwFlags = 0;
|
|
si.wShowWindow = SW_HIDE;
|
|
si.lpReserved2 = NULL;
|
|
si.cbReserved2 = 0;
|
|
si.lpDesktop = TEXT("");
|
|
|
|
|
|
//
|
|
// Impersonate the user so we get access checked correctly on
|
|
// the file we're trying to execute
|
|
//
|
|
|
|
if (!ImpersonateUser(lpGPOInfo->hToken, &hOldToken)) {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshDisplay: Failed to impersonate user")));
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
//
|
|
// Create the app
|
|
//
|
|
|
|
lstrcpy (szCmdLine, TEXT("control /policy"));
|
|
|
|
Result = CreateProcessAsUser(lpGPOInfo->hToken, NULL, szCmdLine, NULL,
|
|
NULL, FALSE, 0, NULL, NULL, &si, &pi);
|
|
|
|
|
|
//
|
|
// Revert to being 'ourself'
|
|
//
|
|
|
|
if (!RevertToUser(&hOldToken)) {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshDisplay: Failed to revert to self")));
|
|
}
|
|
|
|
|
|
if (Result) {
|
|
WaitForSingleObject (pi.hProcess, 120000);
|
|
CloseHandle (pi.hThread);
|
|
CloseHandle (pi.hProcess);
|
|
|
|
} else {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshDisplay: Failed to start control.exe with %d"), GetLastError()));
|
|
}
|
|
|
|
return(Result);
|
|
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// RefreshPolicy()
|
|
//
|
|
// Purpose: External api that causes policy to be refreshed now
|
|
//
|
|
// Parameters: bMachine - Machine policy vs user policy
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if not
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL WINAPI RefreshPolicy (BOOL bMachine)
|
|
{
|
|
HANDLE hEvent;
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("RefreshPolicy: Entering with %d"), bMachine));
|
|
|
|
hEvent = OpenEvent (EVENT_MODIFY_STATE, FALSE,
|
|
bMachine ? MACHINE_POLICY_REFRESH_EVENT : USER_POLICY_REFRESH_EVENT);
|
|
|
|
if (hEvent) {
|
|
BOOL bRet = SetEvent (hEvent);
|
|
|
|
CloseHandle (hEvent);
|
|
|
|
if (!bRet) {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshPolicy: Failed to set event with %d"), GetLastError()));
|
|
return FALSE;
|
|
}
|
|
} else {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshPolicy: Failed to open event with %d"), GetLastError()));
|
|
return FALSE;
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("RefreshPolicy: Leaving.")));
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// RefreshPolicyEx()
|
|
//
|
|
// Purpose: External api that causes policy to be refreshed now
|
|
//
|
|
// Parameters: bMachine - Machine policy vs user policy.
|
|
// This API is synchronous and waits for the refresh to
|
|
// finish.
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if not
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL WINAPI RefreshPolicyEx (BOOL bMachine, DWORD dwOption)
|
|
{
|
|
XHandle xhEvent;
|
|
|
|
if (!dwOption)
|
|
return RefreshPolicy(bMachine);
|
|
|
|
if (dwOption == RP_FORCE) {
|
|
DebugMsg((DM_VERBOSE, TEXT("RefreshPolicyEx: Entering with force refresh %d"), bMachine));
|
|
|
|
xhEvent = OpenEvent (EVENT_MODIFY_STATE, FALSE,
|
|
bMachine ? MACHINE_POLICY_FORCE_REFRESH_EVENT : USER_POLICY_FORCE_REFRESH_EVENT);
|
|
|
|
}
|
|
else {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshPolicyEx: Invalid option")));
|
|
SetLastError(ERROR_INVALID_PARAMETER);
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (!xhEvent) {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshPolicyEx: Failed to open event with %d"), GetLastError()));
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (!SetEvent (xhEvent)) {
|
|
DebugMsg((DM_WARNING, TEXT("RefreshPolicyEx: Failed to set event with %d"), GetLastError()));
|
|
return FALSE;
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("RefreshPolicyEx: Leaving.")));
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// EnterCriticalPolicySection()
|
|
//
|
|
// Purpose: External api that causes policy to pause
|
|
// This allows an application to pause policy
|
|
// so that values don't change while it reads
|
|
// the settings.
|
|
//
|
|
// Parameters: bMachine - Pause machine policy or user policy
|
|
// dwTimeOut- Amount of time to wait for the policy handle
|
|
// dwFlags - Various flags. Look at the defn.
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if not
|
|
//
|
|
//*************************************************************
|
|
|
|
HANDLE WINAPI EnterCriticalPolicySectionEx (BOOL bMachine, DWORD dwTimeOut, DWORD dwFlags )
|
|
{
|
|
HANDLE hSection;
|
|
DWORD dwRet;
|
|
|
|
//
|
|
// Open the mutex
|
|
//
|
|
|
|
hSection = OpenMutex (SYNCHRONIZE, FALSE,
|
|
(bMachine ? MACHINE_POLICY_MUTEX : USER_POLICY_MUTEX));
|
|
|
|
if (!hSection) {
|
|
DebugMsg((DM_WARNING, TEXT("EnterCriticalPolicySection: Failed to open mutex with %d"),
|
|
GetLastError()));
|
|
return NULL;
|
|
}
|
|
|
|
|
|
|
|
//
|
|
// Claim the mutex
|
|
//
|
|
|
|
dwRet = WaitForSingleObject (hSection, dwTimeOut);
|
|
|
|
if ( dwRet == WAIT_FAILED) {
|
|
DebugMsg((DM_WARNING, TEXT("EnterCriticalPolicySection: Failed to wait on the mutex. Error = %d."),
|
|
GetLastError()));
|
|
CloseHandle( hSection );
|
|
return NULL;
|
|
}
|
|
|
|
if ( (dwFlags & ECP_FAIL_ON_WAIT_TIMEOUT) && (dwRet == WAIT_TIMEOUT) ) {
|
|
DebugMsg((DM_WARNING, TEXT("EnterCriticalPolicySection: Wait timed out on the mutex.")));
|
|
CloseHandle( hSection );
|
|
SetLastError(dwRet);
|
|
return NULL;
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("EnterCriticalPolicySection: %s critical section has been claimed. Handle = 0x%x"),
|
|
(bMachine ? TEXT("Machine") : TEXT("User")), hSection));
|
|
|
|
return hSection;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// LeaveCriticalPolicySection()
|
|
//
|
|
// Purpose: External api that causes policy to resume
|
|
// This api assumes the app has called
|
|
// EnterCriticalPolicySection first
|
|
//
|
|
// Parameters: hSection - mutex handle
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if not
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL WINAPI LeaveCriticalPolicySection (HANDLE hSection)
|
|
{
|
|
|
|
if (!hSection) {
|
|
DebugMsg((DM_WARNING, TEXT("LeaveCriticalPolicySection: null mutex handle.")));
|
|
SetLastError(ERROR_INVALID_PARAMETER);
|
|
return FALSE;
|
|
}
|
|
|
|
ReleaseMutex (hSection);
|
|
CloseHandle (hSection);
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("LeaveCriticalPolicySection: Critical section 0x%x has been released."),
|
|
hSection));
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// EnterCriticalPolicySection()
|
|
//
|
|
// Purpose: External api that causes policy to pause
|
|
// This allows an application to pause policy
|
|
// so that values don't change while it reads
|
|
// the settings.
|
|
//
|
|
// Parameters: bMachine - Pause machine policy or user policy
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if not
|
|
//
|
|
//*************************************************************
|
|
|
|
HANDLE WINAPI EnterCriticalPolicySection (BOOL bMachine)
|
|
{
|
|
return EnterCriticalPolicySectionEx(bMachine, 600000, 0);
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// FreeGpoInfo()
|
|
//
|
|
// Purpose: Deletes an LPGPOINFO struct
|
|
//
|
|
// Parameters: pGpoInfo - Gpo info to free
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL FreeGpoInfo( LPGPOINFO pGpoInfo )
|
|
{
|
|
if ( pGpoInfo == NULL )
|
|
return TRUE;
|
|
|
|
FreeLists( pGpoInfo );
|
|
FreeSOMList( pGpoInfo->lpSOMList );
|
|
FreeSOMList( pGpoInfo->lpLoopbackSOMList );
|
|
FreeGpContainerList( pGpoInfo->lpGpContainerList );
|
|
FreeGpContainerList( pGpoInfo->lpLoopbackGpContainerList );
|
|
|
|
LocalFree( pGpoInfo->lpDNName );
|
|
RsopDeleteToken( pGpoInfo->pRsopToken );
|
|
ReleaseWbemServices( pGpoInfo );
|
|
|
|
LocalFree( pGpoInfo );
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// FreeGPOList()
|
|
//
|
|
// Purpose: Free's the link list of GPOs
|
|
//
|
|
// Parameters: pGPOList - Pointer to the head of the list
|
|
//
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL WINAPI FreeGPOList (PGROUP_POLICY_OBJECT pGPOList)
|
|
{
|
|
PGROUP_POLICY_OBJECT pGPOTemp;
|
|
|
|
while (pGPOList) {
|
|
pGPOTemp = pGPOList->pNext;
|
|
LocalFree (pGPOList);
|
|
pGPOList = pGPOTemp;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// FreeLists()
|
|
//
|
|
// Purpose: Free's the lpExtFilterList and/or lpGPOList
|
|
//
|
|
// Parameters: lpGPOInfo - GPO info
|
|
//
|
|
//*************************************************************
|
|
|
|
void FreeLists( LPGPOINFO lpGPOInfo )
|
|
{
|
|
LPEXTFILTERLIST pExtFilterList = lpGPOInfo->lpExtFilterList;
|
|
|
|
//
|
|
// If bXferToExtList is True then it means that lpGPOInfo->lpExtFilterList
|
|
// owns the list of GPOs. Otherwise lpGPOInfo->lpGPOList owns the list
|
|
// of GPOs.
|
|
//
|
|
|
|
while ( pExtFilterList ) {
|
|
|
|
LPEXTFILTERLIST pTemp = pExtFilterList->pNext;
|
|
|
|
FreeExtList( pExtFilterList->lpExtList );
|
|
|
|
if ( lpGPOInfo->bXferToExtList )
|
|
LocalFree( pExtFilterList->lpGPO );
|
|
|
|
LocalFree( pExtFilterList );
|
|
pExtFilterList = pTemp;
|
|
}
|
|
|
|
if ( !lpGPOInfo->bXferToExtList )
|
|
FreeGPOList( lpGPOInfo->lpGPOList );
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// FreeExtList()
|
|
//
|
|
// Purpose: Free's the lpExtList
|
|
//
|
|
// Parameters: pExtList - Extensions list
|
|
//
|
|
//*************************************************************
|
|
|
|
void FreeExtList( LPEXTLIST pExtList )
|
|
{
|
|
while (pExtList) {
|
|
|
|
LPEXTLIST pTemp = pExtList->pNext;
|
|
LocalFree( pExtList );
|
|
pExtList = pTemp;
|
|
}
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// ShutdownGPOProcessing()
|
|
//
|
|
// Purpose: Begins aborting GPO processing
|
|
//
|
|
// Parameters: bMachine - Shutdown machine or user processing ?
|
|
//
|
|
//*************************************************************
|
|
|
|
void WINAPI ShutdownGPOProcessing( BOOL bMachine )
|
|
{
|
|
if ( bMachine )
|
|
g_bStopMachGPOProcessing = TRUE;
|
|
else
|
|
g_bStopUserGPOProcessing = TRUE;
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// InitializeGPOCriticalSection, CloseGPOCriticalSection
|
|
//
|
|
// Purpose: Initialization and cleanup routines for critical sections
|
|
//
|
|
//*************************************************************
|
|
|
|
void InitializeGPOCriticalSection()
|
|
{
|
|
InitializeCriticalSection( &g_GPOCS );
|
|
InitializeCriticalSection( &g_StatusCallbackCS );
|
|
}
|
|
|
|
|
|
void CloseGPOCriticalSection()
|
|
{
|
|
DeleteCriticalSection( &g_StatusCallbackCS );
|
|
DeleteCriticalSection( &g_GPOCS );
|
|
}
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// ProcessGroupPolicyCompletedEx()
|
|
//
|
|
// Purpose: Callback for asynchronous completion of an extension
|
|
//
|
|
// Parameters: refExtensionId - Unique guid of extension
|
|
// pAsyncHandle - Completion context
|
|
// dwStatus - Asynchronous completion status
|
|
// hrRsopStatus - Rsop Logging Status
|
|
//
|
|
// Returns: Win32 error code
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD ProcessGroupPolicyCompletedEx( REFGPEXTENSIONID extensionGuid,
|
|
ASYNCCOMPLETIONHANDLE pAsyncHandle,
|
|
DWORD dwStatus, HRESULT hrRsopStatus )
|
|
{
|
|
DWORD dwRet = E_FAIL;
|
|
TCHAR szExtension[64];
|
|
PGROUP_POLICY_OBJECT pGPOList = NULL;
|
|
LPGPOINFO lpGPOInfo = NULL;
|
|
BOOL bUsePerUserLocalSetting = FALSE;
|
|
DWORD dwCurrentTime = GetCurTime();
|
|
|
|
LPGPINFOHANDLE pGPHandle = (LPGPINFOHANDLE) pAsyncHandle;
|
|
|
|
if ( extensionGuid == 0 )
|
|
return ERROR_INVALID_PARAMETER;
|
|
|
|
GuidToString( extensionGuid, szExtension );
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGroupPolicyCompleted: Entering. Extension = %s, dwStatus = 0x%x"),
|
|
szExtension, dwStatus));
|
|
|
|
EnterCriticalSection( &g_GPOCS );
|
|
|
|
if ( !(pGPHandle == g_pMachGPInfo || pGPHandle == g_pUserGPInfo) ) {
|
|
DebugMsg((DM_WARNING, TEXT("Extension %s asynchronous completion is stale"),
|
|
szExtension));
|
|
goto Exit;
|
|
}
|
|
|
|
DmAssert( pGPHandle->pGPOInfo != NULL );
|
|
|
|
if ( pGPHandle->pGPOInfo == NULL ) {
|
|
DebugMsg((DM_WARNING, TEXT("Extension %s asynchronous completion has invalid pGPHandle->pGPOInfo"),
|
|
szExtension));
|
|
goto Exit;
|
|
}
|
|
|
|
lpGPOInfo = pGPHandle->pGPOInfo;
|
|
|
|
if ( (lpGPOInfo->dwFlags & GP_MACHINE) && g_bStopMachGPOProcessing
|
|
|| !(lpGPOInfo->dwFlags & GP_MACHINE) && g_bStopUserGPOProcessing ) {
|
|
|
|
DebugMsg((DM_WARNING, TEXT("Extension %s asynchronous completion, aborting due to machine shutdown or logoff"),
|
|
szExtension));
|
|
CEvents ev(TRUE, EVENT_GPO_PROC_STOPPED); ev.Report();
|
|
goto Exit;
|
|
|
|
}
|
|
|
|
if ( dwStatus != ERROR_SUCCESS ) {
|
|
|
|
//
|
|
// Extension returned error code, so no need to update history
|
|
//
|
|
|
|
dwRet = ERROR_SUCCESS;
|
|
goto Exit;
|
|
}
|
|
|
|
if ( pGPHandle == 0 ) {
|
|
DebugMsg((DM_WARNING, TEXT("Extension %s is using 0 as asynchronous completion handle"),
|
|
szExtension));
|
|
goto Exit;
|
|
}
|
|
|
|
bUsePerUserLocalSetting = !(lpGPOInfo->dwFlags & GP_MACHINE)
|
|
&& ExtensionHasPerUserLocalSetting( szExtension, HKEY_LOCAL_MACHINE );
|
|
|
|
if ( ReadGPOList( szExtension, lpGPOInfo->hKeyRoot,
|
|
HKEY_LOCAL_MACHINE,
|
|
lpGPOInfo->lpwszSidUser,
|
|
TRUE, &pGPOList ) ) {
|
|
|
|
if ( SaveGPOList( szExtension, lpGPOInfo,
|
|
HKEY_LOCAL_MACHINE,
|
|
NULL,
|
|
FALSE, pGPOList ) ) {
|
|
|
|
if ( bUsePerUserLocalSetting ) {
|
|
|
|
if ( SaveGPOList( szExtension, lpGPOInfo,
|
|
HKEY_LOCAL_MACHINE,
|
|
lpGPOInfo->lpwszSidUser,
|
|
FALSE, pGPOList ) ) {
|
|
dwRet = ERROR_SUCCESS;
|
|
} else {
|
|
DebugMsg((DM_WARNING, TEXT("Extension %s asynchronous completion, failed to save GPOList"),
|
|
szExtension));
|
|
}
|
|
|
|
} else
|
|
dwRet = ERROR_SUCCESS;
|
|
|
|
} else {
|
|
DebugMsg((DM_WARNING, TEXT("Extension %s asynchronous completion, failed to save GPOList"),
|
|
szExtension));
|
|
}
|
|
} else {
|
|
DebugMsg((DM_WARNING, TEXT("Extension %s asynchronous completion, failed to read shadow GPOList"),
|
|
szExtension));
|
|
}
|
|
|
|
Exit:
|
|
|
|
FgPolicyRefreshInfo info = { GP_ReasonUnknown, GP_ModeAsyncForeground };
|
|
LPWSTR szSid = lpGPOInfo->dwFlags & GP_MACHINE ? 0 : lpGPOInfo->lpwszSidUser;
|
|
DWORD dwError;
|
|
if ( dwStatus == ERROR_SYNC_FOREGROUND_REFRESH_REQUIRED )
|
|
{
|
|
FgPolicyRefreshInfo curInfo = { GP_ReasonUnknown, GP_ModeUnknown };
|
|
GetCurrentFgPolicyRefreshInfo( szSid, &curInfo );
|
|
SetPreviousFgPolicyRefreshInfo( szSid, curInfo );
|
|
|
|
info.mode = GP_ModeSyncForeground;
|
|
info.reason = GP_ReasonCSERequiresSync;
|
|
dwError = SetNextFgPolicyRefreshInfo( szSid,
|
|
info );
|
|
if ( dwError != ERROR_SUCCESS )
|
|
{
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGroupPolicyCompletedEx: SetNextFgPolicyRefreshInfo failed, %x."), dwError ));
|
|
}
|
|
}
|
|
|
|
if ( dwRet == ERROR_SUCCESS )
|
|
{
|
|
//
|
|
// clear E_PENDING status code with status returned
|
|
//
|
|
BOOL bUsePerUserLocalSetting = !(lpGPOInfo->dwFlags & GP_MACHINE) && lpGPOInfo->lpwszSidUser != NULL;
|
|
GPEXTSTATUS gpExtStatus;
|
|
|
|
gpExtStatus.dwSlowLink = (lpGPOInfo->dwFlags & GP_SLOW_LINK) != 0;
|
|
gpExtStatus.dwRsopLogging = lpGPOInfo->bRsopLogging;
|
|
gpExtStatus.dwStatus = dwStatus;
|
|
gpExtStatus.dwTime = dwCurrentTime;
|
|
gpExtStatus.bForceRefresh = FALSE;
|
|
|
|
WriteStatus( szExtension, lpGPOInfo,
|
|
bUsePerUserLocalSetting ? lpGPOInfo->lpwszSidUser : NULL,
|
|
&gpExtStatus);
|
|
|
|
//
|
|
// Building up a dummy gpExt structure so that we can log the info required.
|
|
//
|
|
|
|
GPEXT gpExt;
|
|
TCHAR szSubKey[MAX_PATH]; // same as the path in readgpextensions
|
|
HKEY hKey;
|
|
TCHAR szDisplayName[MAX_PATH];
|
|
DWORD dwSize, dwType;
|
|
CHAR szFunctionName[100];
|
|
|
|
gpExt.lpKeyName = szExtension;
|
|
|
|
lstrcpy(szSubKey, GP_EXTENSIONS);
|
|
CheckSlash(szSubKey);
|
|
lstrcat(szSubKey, szExtension);
|
|
|
|
|
|
//
|
|
// Read the displayname so that we can log it..
|
|
//
|
|
|
|
szDisplayName[0] = TEXT('\0');
|
|
|
|
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE,
|
|
szSubKey,
|
|
0, KEY_READ, &hKey) == ERROR_SUCCESS) {
|
|
|
|
dwSize = sizeof(szDisplayName);
|
|
if (RegQueryValueEx (hKey, NULL, NULL,
|
|
&dwType, (LPBYTE) szDisplayName,
|
|
&dwSize) != ERROR_SUCCESS) {
|
|
lstrcpyn (szDisplayName, szExtension, ARRAYSIZE(szDisplayName));
|
|
}
|
|
|
|
|
|
dwSize = sizeof(szFunctionName);
|
|
if ( RegQueryValueExA (hKey, "ProcessGroupPolicyEx", NULL,
|
|
&dwType, (LPBYTE) szFunctionName,
|
|
&dwSize) == ERROR_SUCCESS ) {
|
|
gpExt.bNewInterface = TRUE;
|
|
}
|
|
|
|
RegCloseKey(hKey);
|
|
}
|
|
|
|
gpExt.lpDisplayName = szDisplayName;
|
|
|
|
if ((lpGPOInfo->bRsopLogging)) {
|
|
|
|
XInterface<IWbemServices> xWbemServices;
|
|
|
|
GetWbemServices( lpGPOInfo, RSOP_NS_DIAG_ROOT, TRUE, FALSE, &xWbemServices);
|
|
|
|
if (xWbemServices) {
|
|
|
|
if (!gpExt.bNewInterface) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGroupPolicyCompletedEx: Extension %s doesn't support rsop logging."),
|
|
szExtension));
|
|
|
|
UpdateExtSessionStatus(xWbemServices, szExtension, TRUE, dwRet);
|
|
}
|
|
else if (SUCCEEDED(hrRsopStatus)) {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGroupPolicyCompletedEx: Extension %s was able to log data. Error = 0x%x, dwRet = %d. Clearing the dirty bit"),
|
|
szExtension, hrRsopStatus, dwStatus));
|
|
|
|
UpdateExtSessionStatus(xWbemServices, szExtension, FALSE, dwRet);
|
|
}
|
|
else {
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessroupPolicyCompletedEx: Extension %s was not able to log data. Error = 0x%x, dwRet = %d. leaving the log dirty"),
|
|
szExtension, hrRsopStatus, dwStatus));
|
|
|
|
CEvents ev(TRUE, EVENT_EXT_RSOP_FAILED);
|
|
ev.AddArg(gpExt.lpDisplayName); ev.Report();
|
|
|
|
UpdateExtSessionStatus(xWbemServices, szExtension, TRUE, dwRet);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
LeaveCriticalSection( &g_GPOCS );
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("ProcessGroupPolicyCompleted: Leaving. Extension = %s, Return status dwRet = 0x%x"),
|
|
szExtension, dwRet));
|
|
|
|
return dwRet;
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// ProcessGroupPolicyCompleted()
|
|
//
|
|
// Purpose: Callback for asynchronous completion of an extension
|
|
//
|
|
// Parameters: refExtensionId - Unique guid of extension
|
|
// pAsyncHandle - Completion context
|
|
// dwStatus - Asynchronous completion status
|
|
//
|
|
// Returns: Win32 error code
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD ProcessGroupPolicyCompleted( REFGPEXTENSIONID extensionGuid,
|
|
ASYNCCOMPLETIONHANDLE pAsyncHandle,
|
|
DWORD dwStatus )
|
|
{
|
|
//
|
|
// Mark RSOP data as clean for legacy extensions
|
|
//
|
|
|
|
return ProcessGroupPolicyCompletedEx(extensionGuid, pAsyncHandle, dwStatus,
|
|
HRESULT_FROM_WIN32(S_OK));
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// DebugPrintGPOList()
|
|
//
|
|
// Purpose: Prints GPO list
|
|
//
|
|
// Parameters: lpGPOInfo - GPO Info
|
|
//
|
|
//*************************************************************
|
|
|
|
void DebugPrintGPOList( LPGPOINFO lpGPOInfo )
|
|
{
|
|
//
|
|
// If we are in verbose mode, put the list of GPOs in the event log
|
|
//
|
|
|
|
PGROUP_POLICY_OBJECT lpGPO = NULL;
|
|
DWORD dwSize;
|
|
|
|
#if DBG
|
|
if (TRUE) {
|
|
#else
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
#endif
|
|
LPTSTR lpTempList;
|
|
|
|
dwSize = 10;
|
|
lpGPO = lpGPOInfo->lpGPOList;
|
|
while (lpGPO) {
|
|
if (lpGPO->lpDisplayName) {
|
|
dwSize += (lstrlen (lpGPO->lpDisplayName) + 4);
|
|
}
|
|
lpGPO = lpGPO->pNext;
|
|
}
|
|
|
|
lpTempList = (LPWSTR) LocalAlloc (LPTR, (dwSize * sizeof(TCHAR)));
|
|
|
|
if (lpTempList) {
|
|
|
|
lstrcpy (lpTempList, TEXT(""));
|
|
|
|
lpGPO = lpGPOInfo->lpGPOList;
|
|
while (lpGPO) {
|
|
if (lpGPO->lpDisplayName) {
|
|
lstrcat (lpTempList, TEXT("\""));
|
|
lstrcat (lpTempList, lpGPO->lpDisplayName);
|
|
lstrcat (lpTempList, TEXT("\" "));
|
|
}
|
|
lpGPO = lpGPO->pNext;
|
|
}
|
|
|
|
if (lpGPOInfo->dwFlags & GP_VERBOSE) {
|
|
CEvents ev(FALSE, EVENT_GPO_LIST);
|
|
ev.AddArg(lpTempList); ev.Report();
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("DebugPrintGPOList: List of GPO(s) to process: %s"),
|
|
lpTempList));
|
|
|
|
LocalFree (lpTempList);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// UserPolicyCallback()
|
|
//
|
|
// Purpose: Callback function for status UI messages
|
|
//
|
|
// Parameters: bVerbose - Verbose message or not
|
|
// lpMessage - Message text
|
|
//
|
|
// Return: ERROR_SUCCESS if successful
|
|
// Win32 error code if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD UserPolicyCallback (BOOL bVerbose, LPWSTR lpMessage)
|
|
{
|
|
WCHAR szMsg[100];
|
|
LPWSTR lpMsg;
|
|
DWORD dwResult = ERROR_INVALID_FUNCTION;
|
|
|
|
|
|
if (lpMessage) {
|
|
lpMsg = lpMessage;
|
|
} else {
|
|
LoadString (g_hDllInstance, IDS_USER_SETTINGS, szMsg, 100);
|
|
lpMsg = szMsg;
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("UserPolicyCallback: Setting status UI to %s"), lpMsg));
|
|
|
|
EnterCriticalSection (&g_StatusCallbackCS);
|
|
|
|
if (g_pStatusMessageCallback) {
|
|
dwResult = g_pStatusMessageCallback(bVerbose, lpMsg);
|
|
} else {
|
|
DebugMsg((DM_VERBOSE, TEXT("UserPolicyCallback: Extension requested status UI when status UI is not available.")));
|
|
}
|
|
|
|
LeaveCriticalSection (&g_StatusCallbackCS);
|
|
|
|
return dwResult;
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// MachinePolicyCallback()
|
|
//
|
|
// Purpose: Callback function for status UI messages
|
|
//
|
|
// Parameters: bVerbose - Verbose message or not
|
|
// lpMessage - Message text
|
|
//
|
|
// Return: ERROR_SUCCESS if successful
|
|
// Win32 error code if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
DWORD MachinePolicyCallback (BOOL bVerbose, LPWSTR lpMessage)
|
|
{
|
|
WCHAR szMsg[100];
|
|
LPWSTR lpMsg;
|
|
DWORD dwResult = ERROR_INVALID_FUNCTION;
|
|
|
|
|
|
if (lpMessage) {
|
|
lpMsg = lpMessage;
|
|
} else {
|
|
LoadString (g_hDllInstance, IDS_COMPUTER_SETTINGS, szMsg, 100);
|
|
lpMsg = szMsg;
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("MachinePolicyCallback: Setting status UI to %s"), lpMsg));
|
|
|
|
EnterCriticalSection (&g_StatusCallbackCS);
|
|
|
|
if (g_pStatusMessageCallback) {
|
|
dwResult = g_pStatusMessageCallback(bVerbose, lpMsg);
|
|
} else {
|
|
DebugMsg((DM_VERBOSE, TEXT("MachinePolicyCallback: Extension requested status UI when status UI is not available.")));
|
|
}
|
|
|
|
LeaveCriticalSection (&g_StatusCallbackCS);
|
|
|
|
return dwResult;
|
|
}
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// CallDFS()
|
|
//
|
|
// Purpose: Calls DFS to initialize the domain / DC name
|
|
//
|
|
// Parameters: lpDomainName - Domain name
|
|
// lpDCName - DC name
|
|
//
|
|
// Return: TRUE if successful
|
|
// FALSE if an error occurs
|
|
//
|
|
//*************************************************************
|
|
|
|
//
|
|
// Once upon a time when this file was a C file,
|
|
// the definition of POINTER_TO_OFFSET looked like this,
|
|
//
|
|
// #define POINTER_TO_OFFSET(field, buffer) \
|
|
// ( ((PCHAR)field) -= ((ULONG_PTR)buffer) )
|
|
//
|
|
// Now, that we have decided to end antiquity and made this a C++ file,
|
|
// the new definition is,
|
|
//
|
|
|
|
#define POINTER_TO_OFFSET(field, buffer) \
|
|
( field = (LPWSTR) ( (PCHAR)field -(ULONG_PTR)buffer ) )
|
|
|
|
NTSTATUS CallDFS(LPWSTR lpDomainName, LPWSTR lpDCName)
|
|
{
|
|
HANDLE DfsDeviceHandle = NULL;
|
|
PDFS_SPC_REFRESH_INFO DfsInfo;
|
|
ULONG lpDomainNameLen, lpDCNameLen, sizeNeeded;
|
|
OBJECT_ATTRIBUTES objectAttributes;
|
|
IO_STATUS_BLOCK ioStatusBlock;
|
|
NTSTATUS status;
|
|
UNICODE_STRING unicodeServerName;
|
|
|
|
|
|
lpDomainNameLen = (wcslen(lpDomainName) + 1) * sizeof(WCHAR);
|
|
lpDCNameLen = (wcslen(lpDCName) + 1) * sizeof(WCHAR);
|
|
|
|
sizeNeeded = sizeof(DFS_SPC_REFRESH_INFO) + lpDomainNameLen + lpDCNameLen;
|
|
|
|
DfsInfo = (PDFS_SPC_REFRESH_INFO)LocalAlloc(LPTR, sizeNeeded);
|
|
|
|
if (DfsInfo == NULL) {
|
|
DebugMsg((DM_WARNING, TEXT("CallDFS: LocalAlloc failed with %d"), GetLastError()));
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
DfsInfo->DomainName = (WCHAR *)((PCHAR)DfsInfo + sizeof(DFS_SPC_REFRESH_INFO));
|
|
DfsInfo->DCName = (WCHAR *)((PCHAR)DfsInfo->DomainName + lpDomainNameLen);
|
|
|
|
|
|
RtlCopyMemory(DfsInfo->DomainName,
|
|
lpDomainName,
|
|
lpDomainNameLen);
|
|
|
|
RtlCopyMemory(DfsInfo->DCName,
|
|
lpDCName,
|
|
lpDCNameLen);
|
|
|
|
POINTER_TO_OFFSET(DfsInfo->DomainName, DfsInfo);
|
|
POINTER_TO_OFFSET(DfsInfo->DCName, DfsInfo);
|
|
|
|
RtlInitUnicodeString( &unicodeServerName, L"\\Dfs");
|
|
|
|
InitializeObjectAttributes(
|
|
&objectAttributes,
|
|
&unicodeServerName,
|
|
OBJ_CASE_INSENSITIVE,
|
|
NULL,
|
|
NULL
|
|
);
|
|
|
|
status = NtOpenFile(
|
|
&DfsDeviceHandle,
|
|
SYNCHRONIZE | FILE_WRITE_DATA,
|
|
&objectAttributes,
|
|
&ioStatusBlock,
|
|
0,
|
|
FILE_SYNCHRONOUS_IO_NONALERT
|
|
);
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status) ) {
|
|
DebugMsg((DM_WARNING, TEXT("CallDFS: NtOpenFile failed with 0x%x"), status));
|
|
LocalFree(DfsInfo);
|
|
return status;
|
|
}
|
|
|
|
status = NtFsControlFile(
|
|
DfsDeviceHandle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&ioStatusBlock,
|
|
FSCTL_DFS_SPC_REFRESH,
|
|
DfsInfo, sizeNeeded,
|
|
NULL, 0);
|
|
|
|
if (!NT_SUCCESS(status) ) {
|
|
DebugMsg((DM_WARNING, TEXT("CallDFS: NtFsControlFile failed with 0x%x"), status));
|
|
}
|
|
|
|
|
|
LocalFree(DfsInfo);
|
|
NtClose(DfsDeviceHandle);
|
|
return status;
|
|
}
|
|
|
|
|
|
|
|
|
|
//*************************************************************
|
|
//
|
|
// InitializePolicyProcessing
|
|
//
|
|
// Purpose: Initialises mutexes corresponding to user and machine
|
|
//
|
|
// Parameters: bMachine - Whether it is machine or user
|
|
//
|
|
// Return:
|
|
//
|
|
// Comments:
|
|
// These events/Mutexes need to be initialised right at the beginning
|
|
// because the ACls on these needs to be set before ApplyGroupPolicy can
|
|
// be called..
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL InitializePolicyProcessing(BOOL bMachine)
|
|
{
|
|
HANDLE hSection, hEvent;
|
|
XPtrLF<SECURITY_DESCRIPTOR> xsd;
|
|
SECURITY_ATTRIBUTES sa;
|
|
CSecDesc Csd;
|
|
XLastError xe;
|
|
|
|
|
|
Csd.AddLocalSystem();
|
|
Csd.AddAdministrators();
|
|
Csd.AddEveryOne(SYNCHRONIZE);
|
|
|
|
xsd = Csd.MakeSD();
|
|
|
|
if (!xsd) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("InitializePolicyProcessing: Failed to create Security Descriptor with %d"),
|
|
GetLastError()));
|
|
// since this is happening in dll load we cannot log an event at this point..
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
sa.lpSecurityDescriptor = (SECURITY_DESCRIPTOR *)xsd;
|
|
sa.bInheritHandle = FALSE;
|
|
sa.nLength = sizeof(sa);
|
|
|
|
|
|
//
|
|
// Synch mutex for group policies
|
|
//
|
|
|
|
hSection = CreateMutex (&sa, FALSE,
|
|
(bMachine ? MACHINE_POLICY_MUTEX : USER_POLICY_MUTEX));
|
|
|
|
if (!hSection) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("InitializePolicyProcessing: Failed to create mutex with %d"),
|
|
GetLastError()));
|
|
return FALSE;
|
|
}
|
|
|
|
if (bMachine)
|
|
g_hPolicyCritMutexMach = hSection;
|
|
else
|
|
g_hPolicyCritMutexUser = hSection;
|
|
|
|
|
|
|
|
//
|
|
// Group Policy Notification events
|
|
//
|
|
|
|
|
|
//
|
|
// Create the changed notification event
|
|
//
|
|
|
|
hEvent = CreateEvent (&sa, TRUE, FALSE,
|
|
(bMachine) ? MACHINE_POLICY_APPLIED_EVENT : USER_POLICY_APPLIED_EVENT);
|
|
|
|
|
|
if (!hEvent) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("InitializePolicyProcessing: Failed to create NotifyEvent with %d"),
|
|
GetLastError()));
|
|
return FALSE;
|
|
}
|
|
|
|
if (bMachine)
|
|
g_hPolicyNotifyEventMach = hEvent;
|
|
else
|
|
g_hPolicyNotifyEventUser = hEvent;
|
|
|
|
//
|
|
// Create the needfg event
|
|
//
|
|
|
|
hEvent = CreateEvent (&sa, FALSE, FALSE,
|
|
(bMachine) ? MACHINE_POLICY_REFRESH_NEEDFG_EVENT : USER_POLICY_REFRESH_NEEDFG_EVENT);
|
|
|
|
if (!hEvent) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("InitializePolicyProcessing: Failed to create NeedFGEvent with %d"),
|
|
GetLastError()));
|
|
return FALSE;
|
|
}
|
|
|
|
if (bMachine)
|
|
g_hPolicyNeedFGEventMach = hEvent;
|
|
else
|
|
g_hPolicyNeedFGEventUser = hEvent;
|
|
|
|
|
|
//
|
|
// Create the done event
|
|
//
|
|
hEvent = CreateEvent (&sa, TRUE, FALSE,
|
|
(bMachine) ? MACHINE_POLICY_DONE_EVENT : USER_POLICY_DONE_EVENT);
|
|
if (!hEvent) {
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("InitializePolicyProcessing: Failed to create hNotifyDoneEvent with %d"),
|
|
GetLastError()));
|
|
return FALSE;
|
|
}
|
|
|
|
if (bMachine)
|
|
g_hPolicyDoneEventMach = hEvent;
|
|
else
|
|
g_hPolicyDoneEventUser = hEvent;
|
|
|
|
//
|
|
// Create the machine policy - user policy sync event
|
|
//
|
|
if ( bMachine )
|
|
{
|
|
hEvent = CreateEvent( &sa,
|
|
TRUE,
|
|
FALSE,
|
|
MACH_POLICY_FOREGROUND_DONE_EVENT );
|
|
if ( !hEvent )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("InitializePolicyProcessing: Failed to create m/c-user policy sync event with %d"),
|
|
GetLastError()));
|
|
return FALSE;
|
|
}
|
|
else
|
|
{
|
|
g_hPolicyForegroundDoneEventMach = hEvent;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
hEvent = CreateEvent( &sa,
|
|
TRUE,
|
|
FALSE,
|
|
USER_POLICY_FOREGROUND_DONE_EVENT );
|
|
if ( !hEvent )
|
|
{
|
|
xe = GetLastError();
|
|
DebugMsg((DM_WARNING, TEXT("InitializePolicyProcessing: Failed to create user policy/logon script sync event with %d"),
|
|
GetLastError()));
|
|
return FALSE;
|
|
}
|
|
else
|
|
{
|
|
g_hPolicyForegroundDoneEventUser = hEvent;
|
|
}
|
|
}
|
|
|
|
DebugMsg((DM_VERBOSE, TEXT("InitializePolicyProcessing: Initialised %s Mutex/Events"),
|
|
bMachine ? TEXT("Machine"): TEXT("User")));
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
USERENVAPI
|
|
DWORD
|
|
WINAPI
|
|
WaitForUserPolicyForegroundProcessing()
|
|
{
|
|
DWORD dwError = ERROR_SUCCESS;
|
|
HANDLE hEvent = OpenEvent( SYNCHRONIZE, FALSE, USER_POLICY_FOREGROUND_DONE_EVENT );
|
|
|
|
if ( hEvent )
|
|
{
|
|
if ( WaitForSingleObject( hEvent, INFINITE ) == WAIT_FAILED )
|
|
{
|
|
dwError = GetLastError();
|
|
DebugMsg((DM_VERBOSE, TEXT("WaitForUserPolicyForegroundProcessing: Failed, %x"), dwError ));
|
|
}
|
|
CloseHandle( hEvent );
|
|
}
|
|
else
|
|
{
|
|
dwError = GetLastError();
|
|
DebugMsg((DM_VERBOSE, TEXT("WaitForUserPolicyForegroundProcessing: Failed, %x"), dwError ));
|
|
}
|
|
return dwError;
|
|
}
|
|
|
|
USERENVAPI
|
|
DWORD
|
|
WINAPI
|
|
WaitForMachinePolicyForegroundProcessing()
|
|
{
|
|
DWORD dwError = ERROR_SUCCESS;
|
|
HANDLE hEvent = OpenEvent( SYNCHRONIZE, FALSE, MACH_POLICY_FOREGROUND_DONE_EVENT );
|
|
|
|
if ( hEvent )
|
|
{
|
|
if ( WaitForSingleObject( hEvent, INFINITE ) == WAIT_FAILED )
|
|
{
|
|
dwError = GetLastError();
|
|
DebugMsg((DM_VERBOSE, TEXT("WaitForMachinePolicyForegroundProcessing: Failed, %x"), dwError ));
|
|
}
|
|
CloseHandle( hEvent );
|
|
}
|
|
else
|
|
{
|
|
dwError = GetLastError();
|
|
DebugMsg((DM_VERBOSE, TEXT("WaitForMachinePolicyForegroundProcessing: Failed, %x"), dwError ));
|
|
}
|
|
return dwError;
|
|
}
|
|
|
|
extern "C" DWORD
|
|
SignalUserPolicyForegroundProcessingDone()
|
|
{
|
|
DWORD dwError = ERROR_SUCCESS;
|
|
if ( !SetEvent( g_hPolicyForegroundDoneEventUser ) )
|
|
{
|
|
dwError = GetLastError();
|
|
DebugMsg((DM_VERBOSE, TEXT("SignalUserPolicyForegroundProcessingDone: Failed, %x"), dwError ));
|
|
}
|
|
return dwError;
|
|
}
|
|
|
|
extern "C" DWORD
|
|
SignalMachinePolicyForegroundProcessingDone()
|
|
{
|
|
DWORD dwError = ERROR_SUCCESS;
|
|
if ( !SetEvent( g_hPolicyForegroundDoneEventMach ) )
|
|
{
|
|
dwError = GetLastError();
|
|
DebugMsg((DM_VERBOSE, TEXT("SignalForMachinePolicyForegroundProcessingDone: Failed, %x"), dwError ));
|
|
}
|
|
return dwError;
|
|
}
|
|
|