able/windows-nt
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
windows-nt/Source/XPSP1/NT/admin/admt/arext/setpwd/setpass.cpp
CryptoAlgo Inc b3cac27891 Add source files
2020-09-26 16:20:57 +08:00

1058 lines
39 KiB
C++
Raw Permalink Blame History

//---------------------------------------------------------------------------
// SetPass.cpp
//
// Comment: This is a COM object extension for the MCS DCTAccountReplicator.
// This object implements the IExtendAccountMigration interface.
// The process method of this object sets the password for the
// target account according to the users specification.
//
// (c) Copyright 1995-1998, Mission Critical Software, Inc., All Rights Reserved
//
// Proprietary and confidential to Mission Critical Software, Inc.
//---------------------------------------------------------------------------
#include "stdafx.h"
#include "ResStr.h"
#include <lm.h>
#include "rpc.h"
#include "EaLen.hpp"
#include <activeds.h>
#include "ARExt.h"
#include "ARExt_i.c"
#include "ErrDCT.hpp"
#include "PWGen.hpp"
#include "TReg.hpp"
#import "DBMgr.tlb" no_namespace
StringLoader gString;
TErrorDct err;
#include "SetPwd.h"
#include "SetPass.h"
#include "pwdfuncs.h"
#include "PwRpcUtl.h"
#include "PwdSvc.h"
#define AR_Status_Created (0x00000001)
/////////////////////////////////////////////////////////////////////////////
// CSetPassword
//---------------------------------------------------------------------------
// Get and set methods for the properties.
//---------------------------------------------------------------------------
STDMETHODIMP CSetPassword::get_sName(BSTR *pVal)
{
*pVal = m_sName;
return S_OK;
}
STDMETHODIMP CSetPassword::put_sName(BSTR newVal)
{
m_sName = newVal;
return S_OK;
}
STDMETHODIMP CSetPassword::get_sDesc(BSTR *pVal)
{
*pVal = m_sDesc;
return S_OK;
}
STDMETHODIMP CSetPassword::put_sDesc(BSTR newVal)
{
m_sDesc = newVal;
return S_OK;
}
//---------------------------------------------------------------------------
// ProcessObject : This method currently records the setting of the "User
// cannot change password" flag for intra-forest user migrations
//---------------------------------------------------------------------------
STDMETHODIMP CSetPassword::PreProcessObject(
IUnknown *pSource, //in- Pointer to the source AD object
IUnknown *pTarget, //in- Pointer to the target AD object
IUnknown *pMainSettings, //in- Varset filled with the settings supplied by user
IUnknown **ppPropsToSet //in,out - Varset filled with Prop-Value pairs that will be set
// once all extension objects are executed.
)
{
/* local variables */
IVarSetPtr pVS = pMainSettings;
tstring sSAMName = L"";
/* function body */
_bstr_t sIntraforest = pVS->get(GET_BSTR(DCTVS_Options_IsIntraforest));
_bstr_t sType = pVS->get(GET_BSTR(DCTVS_CopiedAccount_Type));
_bstr_t sSrc = pVS->get(GET_BSTR(DCTVS_Options_SourceServer));
_bstr_t sAccount = pVS->get(GET_BSTR(DCTVS_CopiedAccount_SourceSam));
if ((!sIntraforest.length()) || (!sType.length()) ||
(!sSrc.length()) || (!sAccount.length()))
return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY);
sSAMName = sAccount;
if (!UStrICmp((WCHAR*)sIntraforest,GET_STRING(IDS_YES)))
{
if (!UStrICmp((WCHAR*)sType,L"user"))
{
//record the password flags set on the source account
RecordPwdFlags(sSrc, sAccount);
//we only want to record the "User cannot change password" flag, so
//clear the others
m_bUMCPNLFlagSet = false;
m_bPNEFlagSet = false;
//store the flag setting in a map
mUCCPMap.insert(CUCCPMap::value_type(sSAMName, m_bUCCPFlagSet));
}
}
//if previously migrated, store that time in a map
_bstr_t sSrcDom = pVS->get(GET_BSTR(DCTVS_Options_SourceDomain));
_bstr_t sTgtDom = pVS->get(GET_BSTR(DCTVS_Options_TargetDomain));
IVarSetPtr pVSMig(__uuidof(VarSet));
IUnknown * pUnk;
IIManageDBPtr pDb(__uuidof(IManageDB));
_variant_t varDate;
pVSMig->QueryInterface(IID_IUnknown, (void**) &pUnk);
HRESULT hrFind = pDb->raw_GetAMigratedObject(sAccount, sSrcDom, sTgtDom, &pUnk);
pUnk->Release();
//if migrated previously, store that time and date in a class map
if (hrFind == S_OK)
{
varDate = pVSMig->get(L"MigratedObjects.Time");
//store the flag setting in a map
mMigTimeMap.insert(CMigTimeMap::value_type(sSAMName, varDate));
}
return S_OK;
}
//---------------------------------------------------------------------------
// ProcessObject : This method sets the password of the target object
// by looking at the settings in the varset.
//---------------------------------------------------------------------------
STDMETHODIMP CSetPassword::ProcessObject(
IUnknown *pSource, //in- Pointer to the source AD object
IUnknown *pTarget, //in- Pointer to the target AD object
IUnknown *pMainSettings, //in- Varset filled with the settings supplied by user
IUnknown **ppPropsToSet //in,out - Varset filled with Prop-Value pairs that will be set
// once all extension objects are executed.
)
{
_bstr_t sType;
_bstr_t sFileName;
IVarSetPtr pVS = pMainSettings;
WCHAR password[LEN_Path];
bool bGenerate = false;
bool bGenerated = false;
DWORD dwMinUC = 0, dwMinLC = 0, dwMinDigits = 1, dwMinSpecial = 0, dwMaxAlpha = 10, dwMinLen = 4;
_variant_t var;
// TErrorDct err;
WCHAR fileName[LEN_Path];
bool bCopiedPwd = false;
HRESULT hrPwd = ERROR_SUCCESS;
// Get the Error log filename from the Varset
var = pVS->get(GET_BSTR(DCTVS_Options_Logfile));
wcscpy(fileName, (WCHAR*)V_BSTR(&var));
VariantInit(&var);
// Open the error log
err.LogOpen(fileName, 1);
_bstr_t sXXX = GET_BSTR(DCTVS_Options_TargetServer);
_variant_t vMach = pVS->get(sXXX);
_variant_t vTgtName = pVS->get(GET_BSTR(DCTVS_CopiedAccount_TargetSam));
_bstr_t sSrc = pVS->get(GET_BSTR(DCTVS_Options_SourceServer));
_bstr_t sSrcDom = pVS->get(GET_BSTR(DCTVS_Options_SourceDomain));
_bstr_t sMach = vMach;
_bstr_t sTgtName = vTgtName;
_bstr_t sAccount = pVS->get(GET_BSTR(DCTVS_CopiedAccount_SourceSam));
_bstr_t sSkip = pVS->get(GET_BSTR(DCTVS_CopiedAccount_DoNotUpdatePassword));
_bstr_t sTgtCN = pVS->get(GET_BSTR(DCTVS_CopiedAccount_TargetName));
_bstr_t sIntraforest = pVS->get(GET_BSTR(DCTVS_Options_IsIntraforest));
_bstr_t sCopyPwd = pVS->get(GET_BSTR(DCTVS_AccountOptions_CopyPasswords));
_bstr_t sPwdDC = pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordDC));
if ( !UStrICmp((WCHAR*)sSkip,(WCHAR*)sAccount) )
{
return S_OK;
}
if ( sTgtCN.length() == 0 )
sTgtCN = sTgtName;
// strip off the CN= from the beginning of the name, if necessary
if ( !UStrICmp(sTgtCN,"CN=",3) )
{
sTgtCN = _bstr_t(((WCHAR*)sTgtCN)+3);
}
dwMaxAlpha = (LONG)pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MaxConsecutiveAlpha));
dwMinDigits = (LONG)pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinDigit));
dwMinLC = (LONG)pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinLower));
dwMinUC = (LONG)pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinUpper));
dwMinSpecial = (LONG)pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinSpecial));
dwMinLen = (LONG)pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordPolicy_MinLength));
// if the values are all 0 s then we make up something
if ( (dwMaxAlpha + dwMinDigits + dwMinLC + dwMinUC + dwMinSpecial) == 0 )
{
dwMinDigits = 3;
dwMinSpecial = 3;
dwMinUC = 3;
dwMinLC = 3;
}
sType = pVS->get(GET_BSTR(DCTVS_CopiedAccount_Type)).bstrVal;
//for intra-forest migration of a user, reset the user's
//original "User cannot change password" flag, whose value is
//stored in the map
if ( ! UStrICmp((WCHAR*)sIntraforest,GET_STRING(IDS_YES)) )
{
if ( ! UStrICmp((WCHAR*)sType,L"user" ) )
{
//get the UCCP flag from the map
CUCCPMap::iterator itUCCPMap;
tstring sSam = sAccount;
itUCCPMap = mUCCPMap.find(sSam);
if (itUCCPMap != mUCCPMap.end())
m_bUCCPFlagSet = itUCCPMap->second;
else
m_bUCCPFlagSet = false;
m_bUMCPNLFlagSet = false;
m_bPNEFlagSet = false;
ResetPwdFlags(pTarget, sMach, sTgtName);
return S_OK;
}
}
// Set the password for this account.
if ( (_wcsicmp((WCHAR*)sType,L"user") == 0) || (_wcsicmp((WCHAR*)sType, L"computer") == 0) )
{
if ( !_wcsicmp((WCHAR*)sType,L"user" ) )
{
//we will not migrate passwords if replacing and password reuse policy on the target is 2 or greater
if (!CanCopyPassword(pVS, sSrc, sAccount))
{
err.MsgWrite(0,DCT_MSG_PW_COPY_NOT_TRIED_S,(WCHAR*)sTgtCN);
return S_OK;
}
_bstr_t bstrGenerate = pVS->get(GET_BSTR(DCTVS_AccountOptions_GenerateStrongPasswords));
if (bstrGenerate == GET_BSTR(IDS_YES))
{
bGenerate = true;
}
if (bGenerate)
{
// generate a strong password
BOOL pwGeneratedRc = EaPasswordGenerate(dwMinUC, dwMinLC, dwMinDigits, dwMinSpecial, dwMaxAlpha, dwMinLen, password, LEN_Path);
bGenerated = ( pwGeneratedRc == 0 );
if ( !bGenerated )
wcsncpy(password,(WCHAR*)(sTgtName),15);
// ensure that the password is NULL terminated
password[14] = 0;
}
else
{
// set the password to the first 14 characters of the username
wcsncpy(password,(WCHAR*)(sTgtName),15);
// Convert the password to lower case.
// ensure that the password is NULL terminated
password[14] = 0;
for ( DWORD i = 0; i < wcslen(password); i++ )
password[i] = towlower(password[i]);
// if the password is invalid then generate a password
// if (!IsValidPassword(password))
// {
// err.MsgWrite(0, DCT_MSG_USERNAME_INVALID_FOR_PASSWORD_S, (PCWSTR)sTgtCN);
// EaPasswordGenerate(dwMinUC, dwMinLC, dwMinDigits, dwMinSpecial, dwMaxAlpha, dwMinLen, password, LEN_Path);
// TODO: if password generation fails then what? Should not fail though as that would be a logic error?
// bGenerated = true;
// }
}
}
else
{
// computer, set the password to the first 14 characters of the computer name, in lower case,
// without the trailing $
UStrCpy(password, (WCHAR*)sTgtName, DIM(password));
if ( password[UStrLen(password) - 1] == L'$' )
password[UStrLen(password) - 1] = L'\0'; // remove trailing $ from machine name
password[14] = L'\0'; // truncate to max password length of 14
// Convert the password to lower case.
for ( DWORD i = 0; i < wcslen(password); i++ )
password[i] = towlower(password[i]);
}
// BSTR sPassword = password;
// We are going to use the Net API to set the password.
USER_INFO_1003 pInfo;
DWORD pDw;
WCHAR server[MAX_PATH];
bool bFailedCopyPwd = false;
//place the new password in the info structure
pInfo.usri1003_password = password;
long rc = NetUserSetInfo((WCHAR*)sMach,
(WCHAR*)sTgtName, 1003, (LPBYTE) &pInfo, &pDw);
if ( rc != 0 )
{
if ( bGenerated )
{
err.SysMsgWrite(ErrW,rc,DCT_MSG_PW_GENERATE_FAILED_S,(WCHAR*)sTgtCN);
}
else
{
err.SysMsgWrite(ErrW,rc,DCT_MSG_FAILED_SET_PASSWORD_TO_USERNAME_SD,(WCHAR*)sTgtCN,rc);
if ( rc == NERR_PasswordTooShort )
{
// try to generate a password
EaPasswordGenerate(dwMinUC, dwMinLC, dwMinDigits, dwMinSpecial, dwMaxAlpha, dwMinLen, password, LEN_Path);
rc = NetUserSetInfo((WCHAR*)sMach,(WCHAR*)sTgtName,1003,(LPBYTE)&pInfo,&pDw);
if ( rc )
{
err.SysMsgWrite(ErrW,rc,DCT_MSG_PW_GENERATE_FAILED_S,(WCHAR*)sTgtCN);
}
else //else complex password generated, if requested to copy password
{ //we now try to do that and only log that complex pwd generated if copy fails
//if we are migrating the user's password, then set it here
if ( !UStrICmp((WCHAR*)sCopyPwd,GET_STRING(IDS_YES)) )
{
//record the password flags set on the source account
RecordPwdFlags(sSrc, sAccount);
//clear the "User cannot change password" flag if it is set
ClearUserCanChangePwdFlag(sMach, sTgtName);
//set the change password flag to get past the minimum pwd age policy
SetUserMustChangePwdFlag(pTarget);
//prepare the server name
server[0] = L'\\';
server[1] = L'\\';
UStrCpy(server+2,(WCHAR*)sPwdDC);
//call the member function to copy the password. If success, set flag, else
//failed, log the generated password message
if ((hrPwd = CopyPassword(_bstr_t(server), sMach, sAccount, sTgtName, _bstr_t(password))) == ERROR_SUCCESS)
{
err.MsgWrite(0,DCT_MSG_PWCOPIED_S,(WCHAR*)sTgtCN);
bCopiedPwd = true;
//reset the password flags as were on the source account
ResetPwdFlags(pTarget, sMach, sTgtName);
}
else
{
bFailedCopyPwd = true;
}
}//end if migrate password
else //else not copy password, so post the complex password generated message
err.MsgWrite(0,DCT_MSG_PWGENERATED_S,(WCHAR*)sTgtCN);
}
}
}
}
else //else success
{
//if complex password generated, if requested to copy password
//we now try to do that and only log that complex pwd generated if copy fails
if ( bGenerated )
{
//if we are migrating the user's password, then set it here
if ( !UStrICmp((WCHAR*)sCopyPwd,GET_STRING(IDS_YES)) )
{
//record the password flags set on the source account
RecordPwdFlags(sSrc, sAccount);
//clear the "User cannot change password" flag if it is set
ClearUserCanChangePwdFlag(sMach, sTgtName);
//set the change password flag to get past the minimum pwd age policy
SetUserMustChangePwdFlag(pTarget);
//prepare the server name
server[0] = L'\\';
server[1] = L'\\';
UStrCpy(server+2,(WCHAR*)sPwdDC);
//call the member function to copy the password. If success, set flag, else
//failed, log the generated password message
if ((hrPwd = CopyPassword(_bstr_t(server), sMach, sAccount, sTgtName, _bstr_t(password))) == ERROR_SUCCESS)
{
err.MsgWrite(0,DCT_MSG_PWCOPIED_S,(WCHAR*)sTgtCN);
bCopiedPwd = true;
//reset the password flags as were on the source account
ResetPwdFlags(pTarget, sMach, sTgtName);
}
else
{
bFailedCopyPwd = true;
}
}//end if migrate password
else //else not copy password, so post the complex password generated message
err.MsgWrite(0,DCT_MSG_PWGENERATED_S,(WCHAR*)sTgtCN);
}
else
{
err.MsgWrite(0,DCT_MSG_SET_PASSWORD_TO_USERNAME_S,(WCHAR*)sTgtCN);
}
}
//if user being migrated and that user's password was not copied, write
//password to the password file
if ((_wcsicmp((WCHAR*)sType,L"user") == 0) && (bCopiedPwd == false))
{
if ( !m_bTriedToOpenFile )
{
m_bTriedToOpenFile = true;
// we should see if the varset specifies a file name
var = pVS->get(GET_BSTR(DCTVS_AccountOptions_PasswordFile));
sFileName = var;
if ( sFileName.length() > 0 )
{
// we have the file name so lets open it and save the handle.
m_passwordLog.LogOpen(sFileName, TRUE, 1);
}
//failure to get to password file so store it elsewhere and
//post that new file location in the migration log
if (!m_passwordLog.IsOpen() )
{
WCHAR sPasswordFile[MAX_PATH];
if (GetDirectory(sPasswordFile))//place log in default log dir
wcscat(sPasswordFile, L"Logs\\passwords.txt");
else
wcscpy(sPasswordFile, L"c:\\passwords.txt");
m_passwordLog.LogOpen(sPasswordFile, TRUE, 1);//open this log file
if ( m_passwordLog.IsOpen() )
{
if (!bFailedCopyPwd)
err.MsgWrite(0,DCT_MSG_NEW_PASSWORD_LOG_S,(WCHAR*)sFileName,sPasswordFile);
else
err.MsgWrite(0,DCT_MSG_NEW_PASSWORD_LOG_CPY_FAILED_S,sPasswordFile);
}
}
else if (bFailedCopyPwd)
{
WCHAR sPasswordFile[MAX_PATH];
wcscpy(sPasswordFile, (WCHAR*)sFileName);
err.MsgWrite(0,DCT_MSG_NEW_PASSWORD_LOG_CPY_FAILED_S,sPasswordFile);
}
}
// Log the new password in the password log.
if ( m_passwordLog.IsOpen() )
{
m_passwordLog.MsgWrite(L"%ls,%ls",(WCHAR*)(pVS->get(GET_BSTR(DCTVS_CopiedAccount_TargetSam)).bstrVal),password);
}
}//end if migrating user
}//end if migrating user or computer
//change password flags on the account if we did not copy the password
if (( pTarget ) && (!bCopiedPwd))
{
// We want to clear "user cannot change password" and "password never expire flag"
USER_INFO_1008 usr1008;
USER_INFO_20 * usr20;
DWORD errParam = 0;
DWORD rc = NetUserGetInfo((WCHAR*) sSrc, (WCHAR*)sAccount, 20, (LPBYTE *)&usr20);
_bstr_t strDisable = pVS->get(GET_BSTR(DCTVS_AccountOptions_DisableCopiedAccounts));
_bstr_t strSame = pVS->get(GET_BSTR(DCTVS_AccountOptions_TgtStateSameAsSrc));
long val = pVS->get(GET_WSTR(DCTVS_CopiedAccount_UserFlags));
BOOL bDisable = FALSE;
BOOL bSame = FALSE;
if ( ! UStrICmp(strDisable,GET_STRING(IDS_YES)) )
bDisable = TRUE;
if ( ! UStrICmp(strSame,GET_STRING(IDS_YES)) )
bSame = TRUE;
if ( !rc )
{
usr1008.usri1008_flags = usr20->usri20_flags & ~UF_DONT_EXPIRE_PASSWD;
// we won't turn off the user cannot change password, we will just expire the password below.
// This will lock out any account with user cannot change password set, and the admin will
// have to manually unlock the account.
//usr1008.usri1008_flags &= ~UF_PASSWD_CANT_CHANGE;
// for the computer account we need to set the UF_PASSWD_NOTREQD
if ( !_wcsicmp((WCHAR*)sType,L"computer") )
{
usr1008.usri1008_flags |= UF_PASSWD_NOTREQD;
// make sure the disable state for the computer account is the same as for the source computer
if ( usr20->usri20_flags & UF_ACCOUNTDISABLE )
{
usr1008.usri1008_flags |= UF_ACCOUNTDISABLE;
}
else
{
usr1008.usri1008_flags &= ~UF_ACCOUNTDISABLE;
}
}
else
{
// for user accounts, the disable flag is set based on the disable option
// make sure that the disable flag is set properly!
if ((bDisable) || (bSame && (val & UF_ACCOUNTDISABLE)))
{
usr1008.usri1008_flags |= UF_ACCOUNTDISABLE;
}
else
{
usr1008.usri1008_flags &= ~UF_ACCOUNTDISABLE;
}
}
NetUserSetInfo((WCHAR*) sMach, (WCHAR*) sTgtName, 1008, (LPBYTE)&usr1008, &errParam);
NetApiBufferFree(usr20);
}
// Require the users to change the password at next logon since we created new passwords for them
SetUserMustChangePwdFlag(pTarget);
}
err.LogClose();
return S_OK;
}
//---------------------------------------------------------------------------
// ProcessUndo : Since we cant undo the password setting we will ignore this.
//---------------------------------------------------------------------------
STDMETHODIMP CSetPassword::ProcessUndo(
IUnknown *pSource, //in- Pointer to the source AD object
IUnknown *pTarget, //in- Pointer to the target AD object
IUnknown *pMainSettings, //in- Varset filled with the settings supplied by user
IUnknown **ppPropsToSet //in,out - Varset filled with Prop-Value pairs that will be set
// once all extension objects are executed.
)
{
_bstr_t sType;
_bstr_t sSam;
_bstr_t sServer;
_bstr_t sIntraforest;
WCHAR password[LEN_Path];
DWORD rc = 0;
DWORD pDw = 0;
IVarSetPtr pVs = pMainSettings;
sIntraforest = pVs->get(GET_BSTR(DCTVS_Options_IsIntraforest));
sSam = pVs->get(GET_BSTR(DCTVS_CopiedAccount_SourceSam));
sType = pVs->get(GET_BSTR(DCTVS_CopiedAccount_Type));
sServer = pVs->get(GET_BSTR(DCTVS_Options_TargetServer));
if ((!sIntraforest.length()) || (!sType.length()) ||
(!sSam.length()) || (!sServer.length()))
return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY);
//if this is user intra-forest, call preprocess the first time in and
//precess the second
if (!UStrICmp((WCHAR*)sIntraforest,GET_STRING(IDS_YES)))
{
if (!UStrICmp((WCHAR*)sType,L"user"))
{
//see if this SAM is in the undone list (every entry in the list has a ","
//on each side of it
_bstr_t sTemp = _bstr_t(L",") + sSam + _bstr_t(L",");
//if found, that means it is post migration, so call process
if (wcsstr((PCWSTR)m_sUndoneUsers, sTemp))
{
ProcessObject(pSource, pTarget, pMainSettings, ppPropsToSet);
}
else //else pre-migration, so add to the list and call preprocess
{
//add to the list with an ending ","
m_sUndoneUsers += sSam;
m_sUndoneUsers += L",";
PreProcessObject(pSource, pTarget, pMainSettings, ppPropsToSet);
}
}
}
if (!_wcsicmp((WCHAR*) sType, L"computer"))
{
USER_INFO_1003 buf;
rc = 0;
if ( !rc )
{
// Create a lower case password from the sam account name. Do not include the trailing $.
// Password to be maximum of 14 characters.
UStrCpy(password, (WCHAR*)sSam, DIM(password));
if ( password[UStrLen(password) - 1] == L'$' )
password[UStrLen(password) - 1] = L'\0'; // remove trailing $ from machine name
password[14] = L'\0'; // truncate to max password length of 14
for ( DWORD i = 0; i < wcslen(password); i++ )
password[i] = towlower(password[i]);
buf.usri1003_password = password;
rc = NetUserSetInfo((WCHAR*) sServer, (WCHAR*) sSam, 1003, (LPBYTE) &buf, &pDw);
if ( rc == 2221 )
{
WCHAR sam[300];
UStrCpy(sam,(WCHAR*)sSam);
// remove the $ from the sam account name
sam[UStrLen(sam)-1] = 0;
rc = NetUserSetInfo((WCHAR*) sServer, sam, 1003, (LPBYTE) &buf, &pDw);
}
}
}
return HRESULT_FROM_WIN32(rc);
}
BOOL // ret - TRUE if directory found
CSetPassword::GetDirectory(
WCHAR * filename // out - string buffer to store directory name
)
{
DWORD rc = 0;
BOOL bFound = FALSE;
TRegKey key;
rc = key.OpenRead(GET_STRING(IDS_HKLM_DomainAdmin_Key),HKEY_LOCAL_MACHINE);
if ( ! rc )
{
rc = key.ValueGetStr(L"Directory",filename,MAX_PATH);
if ( ! rc )
{
if ( *filename )
bFound = TRUE;
}
}
key.Close();
return bFound;
}
//---------------------------------------------------------------------------
// IsValidPassword Method
//
// This method validates a password by converting the Unicode password string
// to an ANSI string.
//
// If any Unicode characters cannot be directly translated to an ANSI
// character and a default character must be used then the password is
// invalid.
//
// If any Unicode characters translate to multi-byte characters then the
// password is invalid.
//---------------------------------------------------------------------------
#ifndef WC_NO_BEST_FIT_CHARS
#define WC_NO_BEST_FIT_CHARS 0x00000400
#endif
bool CSetPassword::IsValidPassword(LPCWSTR pwszPassword)
{
bool bValid = false;
BOOL bUsedDefaultChar;
CHAR szPassword[PWLEN + 1];
// convert Unicode string to ANSI string
int cch = WideCharToMultiByte(
CP_ACP, // use system ANSI code page
WC_NO_BEST_FIT_CHARS, // do not use best fit characters
pwszPassword,
-1, // assume password string is zero terminated
szPassword,
sizeof (szPassword),
NULL,
&bUsedDefaultChar // will be true if default character used
);
// if no error occurred
if (cch > 0)
{
// if default character was not used
if (bUsedDefaultChar == FALSE)
{
CPINFOEX cpie;
GetCPInfoEx(CP_ACP, 0, &cpie);
// if code page defines a SBCS then password is valid
// otherwise code page defines a DBCS and the password
// must be searched for a multi-byte character
if ((cpie.LeadByte[0] == 0) && (cpie.LeadByte[1] == 0))
{
bValid = true;
}
else
{
// search for multi-byte character
bool bLeadByteFound = false;
for (int ich = 0; ich < cch; ich++)
{
if (IsDBCSLeadByteEx(CP_ACP, szPassword[ich]))
{
bLeadByteFound = true;
break;
}
}
// if no multi-byte character found
// then password is valid
if (!bLeadByteFound)
{
bValid = true;
}
}
}
}
return bValid;
}
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 4 SEPT 2000 *
* *
* This function is responsible for copying the user's password *
* in the source domain to its new account in the target domain. *
* We use the Password Migration COM Wrapper to first check the *
* configuration and establish a session with the given Password *
* Export server. Then we copy the password. The configuration *
* check, which establishes a session for this series of operations, *
* is only done once per set of accounts. *
* *
*********************************************************************/
//BEGIN CopyPassword
HRESULT CSetPassword::CopyPassword(_bstr_t srcServer, _bstr_t tgtServer, _bstr_t srcName,
_bstr_t tgtName, _bstr_t password)
{
/* local variables */
HRESULT hr = S_OK;
/* function body */
if (m_pPwdMig == NULL)
{
hr = m_pPwdMig.CreateInstance(__uuidof(PasswordMigration));
if (FAILED(hr))
{
return hr;
}
}
//if we have not checked the password DC's configuration and
//established a session, do it now
if (!m_bEstablishedSession)
hr = m_pPwdMig->raw_EstablishSession(srcServer, tgtServer);
//if success, try copying the password
if (SUCCEEDED(hr))
hr = m_pPwdMig->raw_CopyPassword(srcName, tgtName, password);
//if either failed, print warning in the migration.log
if (FAILED(hr))
{
IErrorInfoPtr pErrorInfo = NULL;
BSTR bstrDescription;
_bstr_t sText = GET_BSTR(IDS_Unspecified_Failure);
//get the rich error information on the failure
if (SUCCEEDED(GetErrorInfo(0, &pErrorInfo)))
{
HRESULT hrTmp = pErrorInfo->GetDescription(&bstrDescription);
if (SUCCEEDED(hrTmp)) //if got rich error info, use it
sText = _bstr_t(bstrDescription, false);
}
//print message in the log
err.MsgWrite(ErrW,DCT_MSG_PW_COPY_FAILED_S,(WCHAR*)tgtName, (WCHAR*)sText);
}
return hr;
}
//END CopyPassword
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 5 DEC 2000 *
* *
* This function is responsible for setting the "User must change*
* password at next logon" flag for a given user. We use this prior *
* to copying a user's password and after we have just set it to a *
* new complex password so that we get around the minimum password *
* age policy for the target domain. *
* *
*********************************************************************/
//BEGIN SetUserMustChangePwdFlag
void CSetPassword::SetUserMustChangePwdFlag(IUnknown *pTarget)
{
/* local variables */
IADs * pAds = NULL;
/* function body */
//set the new pwdLastSet value
HRESULT hr = pTarget->QueryInterface(IID_IADs, (void**) &pAds);
if ( SUCCEEDED(hr) )
{
// Require the users to change the password at next logon since we created new passwords for them
VARIANT var;
VariantInit(&var);
V_I4(&var)=0;
V_VT(&var)=VT_I4;
hr = pAds->Put(L"pwdLastSet",var);
hr = pAds->SetInfo();
VariantClear(&var);
if ( pAds ) pAds->Release();
}
}
//END SetUserMustChangePwdFlag
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 11 JAN 2001 *
* *
* This function is responsible for setting and clearing the *
* "User cannot change password" flag for a given user, if it was *
* originally set. *
* *
*********************************************************************/
//BEGIN ClearUserCanChangePwdFlag
void CSetPassword::ClearUserCanChangePwdFlag(LPCWSTR pwszMach, LPCWSTR pwszUser)
{
/* local variables */
USER_INFO_3 * pInfo;
DWORD pDw;
long rc;
/* function body */
//get the current flag info for this user
rc = NetUserGetInfo(pwszMach, pwszUser, 3, (LPBYTE *)&pInfo);
if (rc == 0)
{
//clear the "User cannot change password" flag if it is set
if (pInfo->usri3_flags & UF_PASSWD_CANT_CHANGE)
{
pInfo->usri3_flags &= !(UF_PASSWD_CANT_CHANGE);
NetUserSetInfo(pwszMach, pwszUser, 3, (LPBYTE)pInfo, &pDw);
}
NetApiBufferFree((LPVOID) pInfo);
}
}
//END ClearUserCanChangePwdFlag
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 22 JAN 2001 *
* *
* This function is responsible for recording the password flags *
* from a given user's source domain account. *
* *
*********************************************************************/
//BEGIN RecordPwdFlags
void CSetPassword::RecordPwdFlags(LPCWSTR pwszMach, LPCWSTR pwszUser)
{
/* local variables */
USER_INFO_3 * pInfo;
long rc;
/* function body */
//get the user password flags
rc = NetUserGetInfo(pwszMach, pwszUser, 3, (LPBYTE *)&pInfo);
if (rc == 0)
{
//record whether the "User cannot change password" flag is set
if (pInfo->usri3_flags & UF_PASSWD_CANT_CHANGE)
m_bUCCPFlagSet = true;//store whether the flag was set
else
m_bUCCPFlagSet = false;
//record whether the "Password never expires" flag is set
if (pInfo->usri3_flags & UF_DONT_EXPIRE_PASSWD)
m_bPNEFlagSet = true;//store whether the flag was set
else
m_bPNEFlagSet = false;
//record whether the "User must change password at next logon" flag is set
if (pInfo->usri3_password_expired)
m_bUMCPNLFlagSet = true;//store whether the flag was set
else
m_bUMCPNLFlagSet = false;
NetApiBufferFree((LPVOID) pInfo);
}
}
//END RecordPwdFlags
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 22 JAN 2001 *
* *
* This function is responsible for recording the password flags *
* from a given user's source domain account. *
* *
*********************************************************************/
//BEGIN ResetPwdFlags
void CSetPassword::ResetPwdFlags(IUnknown *pTarget, LPCWSTR pwszMach, LPCWSTR pwszUser)
{
/* local variables */
USER_INFO_3 * pInfo = NULL;
DWORD pDw;
long rc;
/* function body */
//if the "User cannot change password" or "Password never expires"
//flag was original set, reset it
if ((m_bUCCPFlagSet) || (m_bPNEFlagSet))
{
//get the current flag info for this user
rc = NetUserGetInfo(pwszMach, pwszUser, 3, (LPBYTE *)&pInfo);
if (rc == 0)
{
if (m_bUCCPFlagSet)
pInfo->usri3_flags |= UF_PASSWD_CANT_CHANGE;
if (m_bPNEFlagSet)
pInfo->usri3_flags |= UF_DONT_EXPIRE_PASSWD;
NetUserSetInfo(pwszMach, pwszUser, 3, (LPBYTE)pInfo, &pDw);
NetApiBufferFree((LPVOID) pInfo);
}
}
//if the "User must change password at next logon" flag was original set, reset it
if (m_bUMCPNLFlagSet)
SetUserMustChangePwdFlag(pTarget);
}
//END ResetPwdFlags
/*********************************************************************
* *
* Written by: Paul Thompson *
* Date: 7 MAY 2001 *
* *
* This function is responsible for determining if we will indeed*
* set the password. If the user is being re-migrated, copy password*
* was selected, the password reuse policy on the target domain is *
* greater than 1, and the password on the source object has not been*
* changed since the last migration of that user, then we will not *
* touch the password on the existing object on the target domain. *
* *
*********************************************************************/
//BEGIN CanCopyPassword
BOOL CSetPassword::CanCopyPassword(IVarSet * pVarSet, LPCWSTR pwszMach, LPCWSTR pwszUser)
{
/* local constants */
const long MAX_REUSE_NUM_ALLOWED = 1;
/* local variables */
BOOL bCanCopy = TRUE;
_variant_t varDate;
USER_INFO_1 * pInfo = NULL;
long rc;
/* function body */
//if not copying passwords, return TRUE
_bstr_t sCopyPwd = pVarSet->get(GET_BSTR(DCTVS_AccountOptions_CopyPasswords));
if (UStrICmp((WCHAR*)sCopyPwd,GET_STRING(IDS_YES)))
return bCanCopy;
//if not previously migrated, return TRUE
_bstr_t sAccount = pVarSet->get(GET_BSTR(DCTVS_CopiedAccount_SourceSam));
//get the previous migration time from the class map
CMigTimeMap::iterator itTimeMap;
tstring sSam = sAccount;
itTimeMap = mMigTimeMap.find(sSam);
//if previously migrated, get the date this user was last migrated
if (itTimeMap != mMigTimeMap.end())
varDate = itTimeMap->second;
else //else return TRUE
return bCanCopy;
/* if not already done, check password reuse policy on the target domain */
if (m_lPwdHistoryLength == -1)
{
IADsDomain * pDomain;
_bstr_t sDom( L"WinNT://" );
_bstr_t sTgtDom = pVarSet->get(GET_BSTR(DCTVS_Options_TargetDomain));
sDom += sTgtDom;
HRESULT hr = ADsGetObject(sDom, IID_IADsDomain, (void **) &pDomain);
if (SUCCEEDED(hr))
{
//Get the password reuse policy
long lReuse;
hr = pDomain->get_PasswordHistoryLength(&lReuse);
pDomain->Release();
//if successful, store it in a class member variable
if (SUCCEEDED(hr))
m_lPwdHistoryLength = lReuse;
}
}
if ((m_lPwdHistoryLength != -1) && (m_lPwdHistoryLength <= MAX_REUSE_NUM_ALLOWED))
return bCanCopy;
/* if target account was created, we still want to copy password if object was created (Stystus == 1) */
//get the migration status for this user
long lStatus = pVarSet->get(GET_BSTR(DCTVS_CopiedAccount_Status));
//if the status field has the first bit set, then this user was
//created and we should return TRUE to copy the password
if (lStatus & AR_Status_Created)
return bCanCopy;
/* check if the source user's password has been modified since its last migration */
//get time lapsed since last migrated
COleDateTime migTime(varDate.date); //get the time last migrated
COleDateTime curTime = COleDateTime::GetCurrentTime(); //get the current time
COleDateTimeSpan elapsedTime = curTime - migTime;
DWORD migElapsed = elapsedTime.GetTotalSeconds();
//get the time the source password was last set
rc = NetUserGetInfo(pwszMach, pwszUser, 1, (LPBYTE *)&pInfo);
if (rc == 0)
{
DWORD setElapsed = pInfo->usri1_password_age;
NetApiBufferFree((LPVOID) pInfo);
//if not set since last migration, set return to FALSE
if (migElapsed < setElapsed)
bCanCopy = FALSE;
}
return bCanCopy;
}
//END CanCopyPassword
Reference in a new issue View git blame Copy permalink