651 lines
20 KiB
C++
Raw Permalink Normal View History

2001-01-01 00:00:00 +01:00
/*---------------------------------------------------------------------------
File: ChangeDomain.cpp
Comments: Implementation of COM object that changes the domain affiliation on
a computer.
(c) Copyright 1999, Mission Critical Software, Inc., All Rights Reserved
Proprietary and confidential to Mission Critical Software, Inc.
REVISION LOG ENTRY
Revision By: Christy Boles
Revised on 02/15/99 11:21:07
---------------------------------------------------------------------------
*/
// ChangeDomain.cpp : Implementation of CChangeDomain
#include "stdafx.h"
#include "WorkObj.h"
#include "ChDom.h"
#include "Common.hpp"
#include "UString.hpp"
#include "EaLen.hpp"
#include "ResStr.h"
#include "ErrDct.hpp"
#include "TxtSid.h"
#include "TReg.hpp"
/////////////////////////////////////////////////////////////////////////////
// CChangeDomain
#include "LSAUtils.h"
#import "NetEnum.tlb" no_namespace
#import "VarSet.tlb" no_namespace rename("property", "aproperty")
#include <lm.h> // for NetXxx API
#include <winbase.h>
TErrorDct errLocal;
typedef NET_API_STATUS (NET_API_FUNCTION* PNETJOINDOMAIN)
(
IN LPCWSTR lpServer OPTIONAL,
IN LPCWSTR lpDomain,
IN LPCWSTR lpAccountOU, OPTIONAL
IN LPCWSTR lpAccount OPTIONAL,
IN LPCWSTR lpPassword OPTIONAL,
IN DWORD fJoinOptions
);
HINSTANCE hDll = NULL;
PNETJOINDOMAIN pNetJoinDomain = NULL;
BOOL GetNetJoinDomainFunction()
{
BOOL bSuccess = FALSE;
hDll = LoadLibrary(L"NetApi32.dll");
if ( hDll )
{
pNetJoinDomain = (PNETJOINDOMAIN)GetProcAddress(hDll,"NetJoinDomain");
if ( pNetJoinDomain )
{
bSuccess = TRUE;
}
}
return bSuccess;
}
typedef HRESULT (CALLBACK * ADSGETOBJECT)(LPWSTR, REFIID, void**);
extern ADSGETOBJECT ADsGetObject;
STDMETHODIMP
CChangeDomain::ChangeToDomain(
BSTR activeComputerName, // in - computer name currently being used (old name if simultaneously renaming and changing domain)
BSTR domain, // in - domain to move computer to
BSTR newComputerName, // in - computer name the computer will join the new domain as (the name that will be in effect on reboot, if simultaneously renaming and changing domain)
BSTR * errReturn // out- string describing any errors that occurred
)
{
HRESULT hr = S_OK;
return hr;
}
STDMETHODIMP
CChangeDomain::ChangeToDomainWithSid(
BSTR activeComputerName, // in - computer name currently being used (old name if simultaneously renaming and changing domain)
BSTR domain, // in - domain to move computer to
BSTR domainSid, // in - sid of domain, as string
BSTR domainController, // in - domain controller to use
BSTR newComputerName, // in - computer name the computer will join the new domain as (the name that will be in effect on reboot, if simultaneously renaming and changing domain)
BSTR srcPath, // in - source account original LDAP path
BSTR * errReturn // out- string describing any errors that occurred
)
{
USES_CONVERSION;
HRESULT hr = S_OK;
// initialize output parameters
(*errReturn) = NULL;
//
// Use NetJoinDomain API if available (Windows 2000 and later)
// otherwise must use LSA APIs (Windows NT 4 and earlier).
//
if (GetNetJoinDomainFunction())
{
DWORD dwError = ERROR_SUCCESS;
//
// If a preferred domain controller is specified then use it.
//
_bstr_t strNewDomain = domain;
if (SysStringLen(domainController) > 0)
{
//
// The preferred domain controller may only be specified for uplevel
// (W2K or later) domains. During undo of a computer migration the
// target domain may be a downlevel (NT4) domain. If unable to obtain
// operating system version information from the specified domain
// controller or the operating system is downlevel then don't specify
// a preferred domain controller.
//
PWKSTA_INFO_100 pInfo = NULL;
NET_API_STATUS nasStatus = NetWkstaGetInfo(domainController, 100, (LPBYTE*)&pInfo);
if ((nasStatus == NERR_Success) && pInfo)
{
if (pInfo->wki100_ver_major >= 5)
{
NetApiBufferFree(pInfo);
strNewDomain += L"\\";
strNewDomain += domainController;
}
}
}
//
// Join Options
//
const DWORD JOIN_OPTIONS = NETSETUP_JOIN_DOMAIN | NETSETUP_DOMAIN_JOIN_IF_JOINED | NETSETUP_JOIN_UNSECURE;
//
// Check whether a new computer name has been specified.
//
if (SysStringLen(newComputerName) == 0)
{
//
// A new name has not been specified therefore simply
// join the new domain with the current computer name.
//
dwError = pNetJoinDomain(NULL, strNewDomain, NULL, NULL, NULL, JOIN_OPTIONS);
}
else
{
//
// A new name has been specified therefore computer must be re-named during join.
//
// The current APIs only support joining a domain with the current name and then
// re-naming the computer in the domain after the join. Unfortunately the re-name
// in the domain requires the credentials of a security principal with the rights
// to change the name of the computer in the domain or that this process be running
// under the security context of a security principal with the rights to change the
// name of the computer in the domain. Since these requirements cannot be met with
// ADMT the following trick (read hack) must be used.
//
// Set the active computer name in the registry to the new name during the duration
// of the NetJoinDomain call so that the computer is joined to the new domain with
// the new name without requiring a subsequent re-name in the new domain.
//
TRegKey key;
static WCHAR c_szKey[] = L"System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName";
dwError = key.Open(c_szKey, HKEY_LOCAL_MACHINE);
if (dwError == ERROR_SUCCESS)
{
static WCHAR c_szKeyValue[] = L"ComputerName";
WCHAR szOldComputerName[MAX_PATH];
dwError = key.ValueGetStr(c_szKeyValue, szOldComputerName, MAX_PATH - 1);
if (dwError == ERROR_SUCCESS)
{
dwError = key.ValueSetStr(c_szKeyValue, OLE2CW(newComputerName));
if (dwError == ERROR_SUCCESS)
{
dwError = pNetJoinDomain(NULL, strNewDomain, NULL, NULL, NULL, JOIN_OPTIONS);
key.ValueSetStr(c_szKeyValue, szOldComputerName);
key.Close();
}
}
}
}
hr = HRESULT_FROM_WIN32(dwError);
}
else
{
do // once
{
LSA_HANDLE PolicyHandle = NULL;
LPWSTR Workstation; // target machine of policy update
WCHAR Password[LEN_Password];
PSID DomainSid=NULL; // Sid representing domain to trust
PSERVER_INFO_101 si101 = NULL;
DWORD Type;
NET_API_STATUS nas;
NTSTATUS Status;
WCHAR errMsg[1000];
WCHAR TrustedDomainName[LEN_Domain];
WCHAR LocalMachine[MAX_PATH] = L"";
DWORD lenLocalMachine = DIM(LocalMachine);
LPWSTR activeWorkstation = L"";
// use the target name, if provided
if ( newComputerName && UStrLen((WCHAR*)newComputerName) )
{
Workstation = (WCHAR*)newComputerName;
if ( ! activeComputerName || ! UStrLen((WCHAR*)activeComputerName) )
{
activeWorkstation = LocalMachine;
}
else
{
activeWorkstation = (WCHAR*)activeComputerName;
}
}
else
{
if (! activeComputerName || ! UStrLen((WCHAR*)activeComputerName) )
{
GetComputerName(LocalMachine,&lenLocalMachine);
Workstation = LocalMachine;
activeWorkstation = L"";
}
else
{
Workstation = (WCHAR*)activeComputerName;
activeWorkstation = Workstation;
}
}
wcscpy(TrustedDomainName,(WCHAR*)domain);
if ( Workstation[0] == L'\\' )
Workstation += 2;
// Use a default password
for ( UINT p = 0 ; p < wcslen(Workstation) ; p++ )
Password[p] = towlower(Workstation[p]);
Password[wcslen(Workstation)] = 0;
// ensure that the password is truncated at 14 characters
Password[14] = 0;
//
// insure the target machine is NOT a DC, as this operation is
// only appropriate against a workstation.
//
nas = NetServerGetInfo(activeWorkstation, 101, (LPBYTE *)&si101);
if(nas != NERR_Success)
{
hr = HRESULT_FROM_WIN32(nas);
break;
}
// Use LSA APIs
Type = si101->sv101_type;
if( (Type & SV_TYPE_DOMAIN_CTRL) ||
(Type & SV_TYPE_DOMAIN_BAKCTRL) )
{
swprintf(errMsg,GET_STRING(IDS_NotAllowedOnDomainController));
hr = E_NOTIMPL;
break;
}
//
// do not allow a workstation to trust itself
//
if(lstrcmpiW(TrustedDomainName, Workstation) == 0)
{
swprintf(errMsg,GET_STRING(IDS_CannotTrustSelf),
TrustedDomainName);
hr = E_INVALIDARG;
break;
}
if( lstrlenW(TrustedDomainName ) > MAX_COMPUTERNAME_LENGTH )
{
TrustedDomainName[MAX_COMPUTERNAME_LENGTH] = L'\0'; // truncate
}
if ( ! m_bNoChange )
{
//
// build the DomainSid of the domain to trust
//
DomainSid = SidFromString(domainSid);
if(!DomainSid )
{
hr = HRESULT_FROM_WIN32(GetLastError());
break;
}
}
if ( (!m_bNoChange) && (si101->sv101_version_major < 4) )
{
// For NT 3.51 machines, we must move the computer to a workgroup, and
// then move it into the new domain
hr = ChangeToWorkgroup(SysAllocString(activeWorkstation),SysAllocString(L"WORKGROUP"),errReturn);
if (FAILED(hr)) {
break;
}
Status = QueryWorkstationTrustedDomainInfo(PolicyHandle,DomainSid,m_bNoChange);
if ( Status != STATUS_SUCCESS )
{
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
break;
}
}
//
// see if the computer account exists on the domain
//
//
// open the policy on this computer
//
Status = OpenPolicy(
activeWorkstation,
DELETE | // to remove a trust
POLICY_VIEW_LOCAL_INFORMATION | // to view trusts
POLICY_CREATE_SECRET | // for password set operation
POLICY_TRUST_ADMIN, // for trust creation
&PolicyHandle
);
if( Status != STATUS_SUCCESS )
{
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
break;
}
if ( ! m_bNoChange )
{
Status = QueryWorkstationTrustedDomainInfo(PolicyHandle,DomainSid,m_bNoChange);
if (Status == STATUS_SUCCESS) {
Status = SetWorkstationTrustedDomainInfo(
PolicyHandle,
DomainSid,
TrustedDomainName,
Password,
errMsg
);
}
}
if( Status != STATUS_SUCCESS )
{
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
break;
}
//
// Update the primary domain to match the specified trusted domain
//
if (! m_bNoChange )
{
Status = SetPrimaryDomain(PolicyHandle, DomainSid, TrustedDomainName);
if(Status != STATUS_SUCCESS)
{
// DisplayNtStatus(errMsg,"SetPrimaryDomain", Status,NULL);
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
break;
}
}
NetApiBufferFree(si101);
// Cleanup
//LocalFree(Workstation);
//
// free the Sid which was allocated for the TrustedDomain Sid
//
if(DomainSid)
{
FreeSid(DomainSid);
}
//
// close the policy handle
//
if ( PolicyHandle )
{
LsaClose(PolicyHandle);
}
} while (false); // do once
if (FAILED(hr))
{
(*errReturn) = NULL;
}
}
return hr;
}
STDMETHODIMP
CChangeDomain::ChangeToWorkgroup(
BSTR Computer, // in - name of computer to update
BSTR Workgroup, // in - name of workgroup to join
BSTR * errReturn // out- text describing error if failure
)
{
HRESULT hr = S_OK;
LSA_HANDLE PolicyHandle = NULL;
LPWSTR Workstation; // target machine of policy update
LPWSTR TrustedDomainName; // domain to join
PSERVER_INFO_101 si101;
DWORD Type;
NET_API_STATUS nas;
NTSTATUS Status;
WCHAR errMsg[1000] = L"";
// BOOL bSessionEstablished = FALSE;
// initialize output parameters
(*errReturn) = NULL;
Workstation = (WCHAR*)Computer;
TrustedDomainName = (WCHAR*)Workgroup;
errLocal.DbgMsgWrite(0,L"Changing to workgroup...");
//
// insure the target machine is NOT a DC, as this operation is
// only appropriate against a workstation.
//
do // once
{
/*if ( m_account.length() )
{
// Establish our credentials to the target machine
if (! EstablishSession(Workstation,m_domain,m_account,m_password, TRUE) )
{
// DisplayError(errMsg,"EstablishSession",GetLastError(),NULL);
hr = GetLastError();
}
else
{
bSessionEstablished = TRUE;
}
}
*/
nas = NetServerGetInfo(Workstation, 101, (LPBYTE *)&si101);
if(nas != NERR_Success)
{
//DisplayError(errMsg, "NetServerGetInfo", nas,NULL);
hr = E_FAIL;
break;
}
Type = si101->sv101_type;
NetApiBufferFree(si101);
if( (Type & SV_TYPE_DOMAIN_CTRL) ||
(Type & SV_TYPE_DOMAIN_BAKCTRL) )
{
swprintf(errMsg,L"Operation is not valid on a domain controller.\n");
hr = E_FAIL;
break;
}
//
// do not allow a workstation to trust itself
//
if(lstrcmpiW(TrustedDomainName, Workstation) == 0)
{
swprintf(errMsg,L"Error: Domain %ls cannot be a member of itself.\n",
TrustedDomainName);
hr = E_FAIL;
break;
}
if( lstrlenW(TrustedDomainName ) > MAX_COMPUTERNAME_LENGTH )
{
TrustedDomainName[MAX_COMPUTERNAME_LENGTH] = L'\0'; // truncate
}
//
// open the policy on this computer
//
Status = OpenPolicy(
Workstation,
DELETE | // to remove a trust
POLICY_VIEW_LOCAL_INFORMATION | // to view trusts
POLICY_CREATE_SECRET | // for password set operation
POLICY_TRUST_ADMIN, // for trust creation
&PolicyHandle
);
if( Status != STATUS_SUCCESS )
{
//DisplayNtStatus(errMsg,"OpenPolicy", Status,NULL);
hr = LsaNtStatusToWinError(Status);
break;
}
if( Status != STATUS_SUCCESS )
{
hr = E_FAIL;
break;
}
//
// Update the primary domain to match the specified trusted domain
//
if (! m_bNoChange )
{
Status = SetPrimaryDomain(PolicyHandle, NULL, TrustedDomainName);
if(Status != STATUS_SUCCESS)
{
//DisplayNtStatus(errMsg,"SetPrimaryDomain", Status,NULL);
hr = LsaNtStatusToWinError(Status);
break;
}
}
} while (false); // do once
// Cleanup
//
// close the policy handle
//
if(PolicyHandle)
{
LsaClose(PolicyHandle);
}
/*if ( bSessionEstablished )
{
EstablishSession(Workstation,m_domain,m_account,m_password,FALSE);
}
*/
if ( FAILED(hr) )
{
hr = S_FALSE;
(*errReturn) = SysAllocString(errMsg);
}
return hr;
}
STDMETHODIMP
CChangeDomain::ConnectAs(
BSTR domain, // in - domain name to use for credentials
BSTR user, // in - account name to use for credentials
BSTR password // in - password to use for credentials
)
{
m_domain = domain;
m_account = user;
m_password = password;
m_domainAccount = domain;
m_domainAccount += L"\\";
m_domainAccount += user;
return S_OK;
}
STDMETHODIMP
CChangeDomain::get_NoChange(
BOOL * pVal // out- flag, whether to write changes
)
{
(*pVal) = m_bNoChange;
return S_OK;
}
STDMETHODIMP
CChangeDomain::put_NoChange(
BOOL newVal // in - flag, whether to write changes
)
{
m_bNoChange = newVal;
return S_OK;
}
// ChangeDomain worknode: Changes the domain affiliation of a workstation or server
// (This operation cannot be performed on domain controllers)
//
// VarSet syntax:
//
// Input:
// ChangeDomain.Computer: <ComputerName>
// ChangeDomain.TargetDomain: <Domain>
// ChangeDomain.DomainIsWorkgroup: <Yes|No> default is No
// ChangeDomain.ConnectAs.Domain: <Domain> optional credentials to use
// ChangeDomain.ConnectAs.User : <Username>
// ChangeDomain.ConnectAs.Password : <Password>
//
// Output:
// ChangeDomain.ErrorText : <string-error message>
// This function is not currently used by the domain migration tool.
// The actual implementation is removed from the source.
STDMETHODIMP
CChangeDomain::Process(
IUnknown * pWorkItem
)
{
return E_NOTIMPL;
}