static
DWORD
LwpsLegacyCreateSecurityDescriptor(
IN BOOLEAN bIsWorldReadable,
IN OUT PSECURITY_DESCRIPTOR_ABSOLUTE *ppSecurityDescriptor
)
{
NTSTATUS status = STATUS_SUCCESS;
int EE = 0;
PSECURITY_DESCRIPTOR_ABSOLUTE pSecDesc = NULL;
PACL pDacl = NULL;
PSID pRootSid = NULL;
PSID pAdminsSid = NULL;
PSID pEveryoneSid = NULL;
PSID pOwnerSid = NULL;
PSID pGroupSid = NULL;
DWORD dwError = 0;
status = RtlAllocateWellKnownSid(WinLocalSystemSid, NULL, &pRootSid);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
status = RtlAllocateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &pAdminsSid);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
if (bIsWorldReadable)
{
status = RtlAllocateWellKnownSid(WinWorldSid, NULL, &pEveryoneSid);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
}
status = LW_RTL_ALLOCATE(
&pSecDesc,
VOID,
SECURITY_DESCRIPTOR_ABSOLUTE_MIN_SIZE);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
status = RtlCreateSecurityDescriptorAbsolute(
pSecDesc,
SECURITY_DESCRIPTOR_REVISION);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
// Owner: Root
status = RtlDuplicateSid(&pOwnerSid, pRootSid);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
status = RtlSetOwnerSecurityDescriptor(
pSecDesc,
pOwnerSid,
FALSE);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
pOwnerSid = NULL;
// Group: Administrators
status = RtlDuplicateSid(&pGroupSid, pAdminsSid);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
status = RtlSetGroupSecurityDescriptor(
pSecDesc,
pGroupSid,
FALSE);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
pGroupSid = NULL;
// Do not set Sacl currently
// DACL
status = LwpsLegacyBuildRestrictedDaclForKey(
pRootSid,
pEveryoneSid,
&pDacl);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
status = RtlSetDaclSecurityDescriptor(
pSecDesc,
TRUE,
pDacl,
FALSE);
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
pDacl = NULL;
if (!RtlValidSecurityDescriptor(pSecDesc))
{
status = STATUS_INVALID_SECURITY_DESCR;
GOTO_CLEANUP_ON_STATUS_EE(status, EE);
}
cleanup:
if (status)
{
if (pSecDesc)
{
LwpsLegacyFreeSecurityDescriptor(&pSecDesc);
}
}
LW_RTL_FREE(&pDacl);
LW_RTL_FREE(&pRootSid);
LW_RTL_FREE(&pAdminsSid);
LW_RTL_FREE(&pEveryoneSid);
LW_RTL_FREE(&pOwnerSid);
LW_RTL_FREE(&pGroupSid);
*ppSecurityDescriptor = pSecDesc;
dwError = LwNtStatusToWin32Error(status);
LSA_PSTORE_LOG_LEAVE_ERROR_EE(dwError, EE);
return dwError;
}
static
NTSTATUS
LsaDisableMachineAccount(
IN PCWSTR pwszDCName,
IN LW_PIO_CREDS pCreds,
IN PCWSTR pwszMachineAccountName
)
{
const DWORD dwConnAccess = SAMR_ACCESS_OPEN_DOMAIN |
SAMR_ACCESS_ENUM_DOMAINS;
const DWORD dwDomainAccess = DOMAIN_ACCESS_ENUM_ACCOUNTS |
DOMAIN_ACCESS_OPEN_ACCOUNT |
DOMAIN_ACCESS_LOOKUP_INFO_2;
const DWORD dwUserAccess = USER_ACCESS_GET_ATTRIBUTES |
USER_ACCESS_SET_ATTRIBUTES |
USER_ACCESS_SET_PASSWORD;
NTSTATUS ntStatus = STATUS_SUCCESS;
SAMR_BINDING hSamrBinding = NULL;
CONNECT_HANDLE hConnect = NULL;
PSID pBuiltinSid = NULL;
DWORD dwResume = 0;
DWORD dwSize = 256;
PWSTR *ppwszDomainNames = NULL;
DWORD i = 0;
DWORD dwNumEntries = 0;
PSID pSid = NULL;
PSID pDomainSid = NULL;
DOMAIN_HANDLE hDomain = NULL;
PDWORD pdwRids = NULL;
PDWORD pdwTypes = NULL;
ACCOUNT_HANDLE hUser = NULL;
DWORD dwLevel = 0;
UserInfo *pInfo = NULL;
DWORD dwFlagsDisable = 0;
UserInfo Info;
memset(&Info, 0, sizeof(Info));
ntStatus = SamrInitBindingDefault(&hSamrBinding,
pwszDCName,
pCreds);
BAIL_ON_NT_STATUS(ntStatus);
ntStatus = SamrConnect2(hSamrBinding,
pwszDCName,
dwConnAccess,
&hConnect);
BAIL_ON_NT_STATUS(ntStatus);
ntStatus = RtlAllocateWellKnownSid(
WinBuiltinDomainSid,
NULL,
&pBuiltinSid);
BAIL_ON_NT_STATUS(ntStatus);
do
{
ntStatus = SamrEnumDomains(hSamrBinding,
hConnect,
&dwResume,
dwSize,
&ppwszDomainNames,
&dwNumEntries);
BAIL_ON_NT_STATUS(ntStatus);
if (ntStatus != STATUS_SUCCESS &&
ntStatus != STATUS_MORE_ENTRIES)
{
BAIL_ON_NT_STATUS(ntStatus);
}
for (i = 0; pDomainSid == NULL && i < dwNumEntries; i++)
{
ntStatus = SamrLookupDomain(hSamrBinding,
hConnect,
ppwszDomainNames[i],
&pSid);
BAIL_ON_NT_STATUS(ntStatus);
if (!RtlEqualSid(pSid, pBuiltinSid))
{
ntStatus = RtlDuplicateSid(&pDomainSid, pSid);
BAIL_ON_NT_STATUS(ntStatus);
}
SamrFreeMemory(pSid);
pSid = NULL;
}
if (ppwszDomainNames)
{
SamrFreeMemory(ppwszDomainNames);
ppwszDomainNames = NULL;
}
}
while (ntStatus == STATUS_MORE_ENTRIES);
ntStatus = SamrOpenDomain(hSamrBinding,
hConnect,
dwDomainAccess,
pDomainSid,
&hDomain);
BAIL_ON_NT_STATUS(ntStatus);
ntStatus = SamrLookupNames(hSamrBinding,
hDomain,
1,
(PWSTR*)&pwszMachineAccountName,
&pdwRids,
&pdwTypes,
NULL);
if (ntStatus == STATUS_NONE_MAPPED)
{
BAIL_ON_LSA_ERROR(NERR_SetupAlreadyJoined);
}
ntStatus = SamrOpenUser(hSamrBinding,
hDomain,
dwUserAccess,
pdwRids[0],
&hUser);
BAIL_ON_NT_STATUS(ntStatus);
dwLevel = 16;
ntStatus = SamrQueryUserInfo(hSamrBinding,
hUser,
dwLevel,
&pInfo);
BAIL_ON_NT_STATUS(ntStatus);
dwFlagsDisable = pInfo->info16.account_flags | ACB_DISABLED;
Info.info16.account_flags = dwFlagsDisable;
ntStatus = SamrSetUserInfo2(hSamrBinding,
hUser,
dwLevel,
&Info);
BAIL_ON_NT_STATUS(ntStatus);
cleanup:
if (hSamrBinding && hUser)
{
SamrClose(hSamrBinding, hUser);
}
if (hSamrBinding && hDomain)
{
SamrClose(hSamrBinding, hDomain);
}
if (hSamrBinding && hConnect)
{
SamrClose(hSamrBinding, hConnect);
}
if (hSamrBinding)
{
SamrFreeBinding(&hSamrBinding);
}
if (pInfo)
{
SamrFreeMemory(pInfo);
}
if (pdwRids)
{
SamrFreeMemory(pdwRids);
}
if (pdwTypes)
{
SamrFreeMemory(pdwTypes);
}
if (ppwszDomainNames)
{
SamrFreeMemory(ppwszDomainNames);
}
RTL_FREE(&pBuiltinSid);
RTL_FREE(&pDomainSid);
return ntStatus;
error:
goto cleanup;
}
