651 lines
20 KiB
C++
651 lines
20 KiB
C++
/*---------------------------------------------------------------------------
|
|
File: ChangeDomain.cpp
|
|
|
|
Comments: Implementation of COM object that changes the domain affiliation on
|
|
a computer.
|
|
|
|
(c) Copyright 1999, Mission Critical Software, Inc., All Rights Reserved
|
|
Proprietary and confidential to Mission Critical Software, Inc.
|
|
|
|
REVISION LOG ENTRY
|
|
Revision By: Christy Boles
|
|
Revised on 02/15/99 11:21:07
|
|
|
|
---------------------------------------------------------------------------
|
|
*/
|
|
|
|
// ChangeDomain.cpp : Implementation of CChangeDomain
|
|
#include "stdafx.h"
|
|
#include "WorkObj.h"
|
|
#include "ChDom.h"
|
|
|
|
#include "Common.hpp"
|
|
#include "UString.hpp"
|
|
#include "EaLen.hpp"
|
|
#include "ResStr.h"
|
|
#include "ErrDct.hpp"
|
|
#include "TxtSid.h"
|
|
#include "TReg.hpp"
|
|
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
// CChangeDomain
|
|
|
|
|
|
#include "LSAUtils.h"
|
|
|
|
#import "NetEnum.tlb" no_namespace
|
|
#import "VarSet.tlb" no_namespace rename("property", "aproperty")
|
|
|
|
#include <lm.h> // for NetXxx API
|
|
#include <winbase.h>
|
|
|
|
TErrorDct errLocal;
|
|
|
|
typedef NET_API_STATUS (NET_API_FUNCTION* PNETJOINDOMAIN)
|
|
(
|
|
IN LPCWSTR lpServer OPTIONAL,
|
|
IN LPCWSTR lpDomain,
|
|
IN LPCWSTR lpAccountOU, OPTIONAL
|
|
IN LPCWSTR lpAccount OPTIONAL,
|
|
IN LPCWSTR lpPassword OPTIONAL,
|
|
IN DWORD fJoinOptions
|
|
);
|
|
|
|
HINSTANCE hDll = NULL;
|
|
PNETJOINDOMAIN pNetJoinDomain = NULL;
|
|
|
|
BOOL GetNetJoinDomainFunction()
|
|
{
|
|
BOOL bSuccess = FALSE;
|
|
|
|
hDll = LoadLibrary(L"NetApi32.dll");
|
|
|
|
if ( hDll )
|
|
{
|
|
pNetJoinDomain = (PNETJOINDOMAIN)GetProcAddress(hDll,"NetJoinDomain");
|
|
if ( pNetJoinDomain )
|
|
{
|
|
bSuccess = TRUE;
|
|
}
|
|
}
|
|
|
|
return bSuccess;
|
|
}
|
|
|
|
typedef HRESULT (CALLBACK * ADSGETOBJECT)(LPWSTR, REFIID, void**);
|
|
extern ADSGETOBJECT ADsGetObject;
|
|
|
|
STDMETHODIMP
|
|
CChangeDomain::ChangeToDomain(
|
|
BSTR activeComputerName, // in - computer name currently being used (old name if simultaneously renaming and changing domain)
|
|
BSTR domain, // in - domain to move computer to
|
|
BSTR newComputerName, // in - computer name the computer will join the new domain as (the name that will be in effect on reboot, if simultaneously renaming and changing domain)
|
|
BSTR * errReturn // out- string describing any errors that occurred
|
|
)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
STDMETHODIMP
|
|
CChangeDomain::ChangeToDomainWithSid(
|
|
BSTR activeComputerName, // in - computer name currently being used (old name if simultaneously renaming and changing domain)
|
|
BSTR domain, // in - domain to move computer to
|
|
BSTR domainSid, // in - sid of domain, as string
|
|
BSTR domainController, // in - domain controller to use
|
|
BSTR newComputerName, // in - computer name the computer will join the new domain as (the name that will be in effect on reboot, if simultaneously renaming and changing domain)
|
|
BSTR srcPath, // in - source account original LDAP path
|
|
BSTR * errReturn // out- string describing any errors that occurred
|
|
)
|
|
{
|
|
USES_CONVERSION;
|
|
|
|
HRESULT hr = S_OK;
|
|
|
|
// initialize output parameters
|
|
(*errReturn) = NULL;
|
|
|
|
//
|
|
// Use NetJoinDomain API if available (Windows 2000 and later)
|
|
// otherwise must use LSA APIs (Windows NT 4 and earlier).
|
|
//
|
|
|
|
if (GetNetJoinDomainFunction())
|
|
{
|
|
DWORD dwError = ERROR_SUCCESS;
|
|
|
|
//
|
|
// If a preferred domain controller is specified then use it.
|
|
//
|
|
|
|
_bstr_t strNewDomain = domain;
|
|
|
|
if (SysStringLen(domainController) > 0)
|
|
{
|
|
//
|
|
// The preferred domain controller may only be specified for uplevel
|
|
// (W2K or later) domains. During undo of a computer migration the
|
|
// target domain may be a downlevel (NT4) domain. If unable to obtain
|
|
// operating system version information from the specified domain
|
|
// controller or the operating system is downlevel then don't specify
|
|
// a preferred domain controller.
|
|
//
|
|
|
|
PWKSTA_INFO_100 pInfo = NULL;
|
|
|
|
NET_API_STATUS nasStatus = NetWkstaGetInfo(domainController, 100, (LPBYTE*)&pInfo);
|
|
|
|
if ((nasStatus == NERR_Success) && pInfo)
|
|
{
|
|
if (pInfo->wki100_ver_major >= 5)
|
|
{
|
|
NetApiBufferFree(pInfo);
|
|
|
|
strNewDomain += L"\\";
|
|
strNewDomain += domainController;
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Join Options
|
|
//
|
|
|
|
const DWORD JOIN_OPTIONS = NETSETUP_JOIN_DOMAIN | NETSETUP_DOMAIN_JOIN_IF_JOINED | NETSETUP_JOIN_UNSECURE;
|
|
|
|
//
|
|
// Check whether a new computer name has been specified.
|
|
//
|
|
|
|
if (SysStringLen(newComputerName) == 0)
|
|
{
|
|
//
|
|
// A new name has not been specified therefore simply
|
|
// join the new domain with the current computer name.
|
|
//
|
|
|
|
dwError = pNetJoinDomain(NULL, strNewDomain, NULL, NULL, NULL, JOIN_OPTIONS);
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// A new name has been specified therefore computer must be re-named during join.
|
|
//
|
|
// The current APIs only support joining a domain with the current name and then
|
|
// re-naming the computer in the domain after the join. Unfortunately the re-name
|
|
// in the domain requires the credentials of a security principal with the rights
|
|
// to change the name of the computer in the domain or that this process be running
|
|
// under the security context of a security principal with the rights to change the
|
|
// name of the computer in the domain. Since these requirements cannot be met with
|
|
// ADMT the following trick (read hack) must be used.
|
|
//
|
|
// Set the active computer name in the registry to the new name during the duration
|
|
// of the NetJoinDomain call so that the computer is joined to the new domain with
|
|
// the new name without requiring a subsequent re-name in the new domain.
|
|
//
|
|
|
|
TRegKey key;
|
|
static WCHAR c_szKey[] = L"System\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName";
|
|
|
|
dwError = key.Open(c_szKey, HKEY_LOCAL_MACHINE);
|
|
|
|
if (dwError == ERROR_SUCCESS)
|
|
{
|
|
static WCHAR c_szKeyValue[] = L"ComputerName";
|
|
WCHAR szOldComputerName[MAX_PATH];
|
|
|
|
dwError = key.ValueGetStr(c_szKeyValue, szOldComputerName, MAX_PATH - 1);
|
|
|
|
if (dwError == ERROR_SUCCESS)
|
|
{
|
|
dwError = key.ValueSetStr(c_szKeyValue, OLE2CW(newComputerName));
|
|
|
|
if (dwError == ERROR_SUCCESS)
|
|
{
|
|
dwError = pNetJoinDomain(NULL, strNewDomain, NULL, NULL, NULL, JOIN_OPTIONS);
|
|
|
|
key.ValueSetStr(c_szKeyValue, szOldComputerName);
|
|
key.Close();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
hr = HRESULT_FROM_WIN32(dwError);
|
|
}
|
|
else
|
|
{
|
|
do // once
|
|
{
|
|
LSA_HANDLE PolicyHandle = NULL;
|
|
LPWSTR Workstation; // target machine of policy update
|
|
WCHAR Password[LEN_Password];
|
|
PSID DomainSid=NULL; // Sid representing domain to trust
|
|
PSERVER_INFO_101 si101 = NULL;
|
|
DWORD Type;
|
|
NET_API_STATUS nas;
|
|
NTSTATUS Status;
|
|
WCHAR errMsg[1000];
|
|
WCHAR TrustedDomainName[LEN_Domain];
|
|
WCHAR LocalMachine[MAX_PATH] = L"";
|
|
DWORD lenLocalMachine = DIM(LocalMachine);
|
|
LPWSTR activeWorkstation = L"";
|
|
|
|
// use the target name, if provided
|
|
|
|
if ( newComputerName && UStrLen((WCHAR*)newComputerName) )
|
|
{
|
|
Workstation = (WCHAR*)newComputerName;
|
|
|
|
if ( ! activeComputerName || ! UStrLen((WCHAR*)activeComputerName) )
|
|
{
|
|
activeWorkstation = LocalMachine;
|
|
}
|
|
else
|
|
{
|
|
activeWorkstation = (WCHAR*)activeComputerName;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (! activeComputerName || ! UStrLen((WCHAR*)activeComputerName) )
|
|
{
|
|
GetComputerName(LocalMachine,&lenLocalMachine);
|
|
Workstation = LocalMachine;
|
|
activeWorkstation = L"";
|
|
}
|
|
else
|
|
{
|
|
Workstation = (WCHAR*)activeComputerName;
|
|
activeWorkstation = Workstation;
|
|
}
|
|
}
|
|
|
|
wcscpy(TrustedDomainName,(WCHAR*)domain);
|
|
|
|
if ( Workstation[0] == L'\\' )
|
|
Workstation += 2;
|
|
|
|
// Use a default password
|
|
for ( UINT p = 0 ; p < wcslen(Workstation) ; p++ )
|
|
Password[p] = towlower(Workstation[p]);
|
|
Password[wcslen(Workstation)] = 0;
|
|
|
|
// ensure that the password is truncated at 14 characters
|
|
Password[14] = 0;
|
|
//
|
|
// insure the target machine is NOT a DC, as this operation is
|
|
// only appropriate against a workstation.
|
|
//
|
|
nas = NetServerGetInfo(activeWorkstation, 101, (LPBYTE *)&si101);
|
|
if(nas != NERR_Success)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(nas);
|
|
break;
|
|
}
|
|
|
|
// Use LSA APIs
|
|
Type = si101->sv101_type;
|
|
|
|
if( (Type & SV_TYPE_DOMAIN_CTRL) ||
|
|
(Type & SV_TYPE_DOMAIN_BAKCTRL) )
|
|
{
|
|
swprintf(errMsg,GET_STRING(IDS_NotAllowedOnDomainController));
|
|
hr = E_NOTIMPL;
|
|
break;
|
|
|
|
}
|
|
|
|
//
|
|
// do not allow a workstation to trust itself
|
|
//
|
|
if(lstrcmpiW(TrustedDomainName, Workstation) == 0)
|
|
{
|
|
swprintf(errMsg,GET_STRING(IDS_CannotTrustSelf),
|
|
TrustedDomainName);
|
|
hr = E_INVALIDARG;
|
|
break;
|
|
}
|
|
|
|
if( lstrlenW(TrustedDomainName ) > MAX_COMPUTERNAME_LENGTH )
|
|
{
|
|
TrustedDomainName[MAX_COMPUTERNAME_LENGTH] = L'\0'; // truncate
|
|
}
|
|
|
|
if ( ! m_bNoChange )
|
|
{
|
|
//
|
|
// build the DomainSid of the domain to trust
|
|
//
|
|
DomainSid = SidFromString(domainSid);
|
|
if(!DomainSid )
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
break;
|
|
}
|
|
|
|
}
|
|
if ( (!m_bNoChange) && (si101->sv101_version_major < 4) )
|
|
{
|
|
// For NT 3.51 machines, we must move the computer to a workgroup, and
|
|
// then move it into the new domain
|
|
hr = ChangeToWorkgroup(SysAllocString(activeWorkstation),SysAllocString(L"WORKGROUP"),errReturn);
|
|
|
|
if (FAILED(hr)) {
|
|
break;
|
|
}
|
|
|
|
Status = QueryWorkstationTrustedDomainInfo(PolicyHandle,DomainSid,m_bNoChange);
|
|
|
|
if ( Status != STATUS_SUCCESS )
|
|
{
|
|
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
|
|
break;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// see if the computer account exists on the domain
|
|
//
|
|
|
|
//
|
|
// open the policy on this computer
|
|
//
|
|
Status = OpenPolicy(
|
|
activeWorkstation,
|
|
DELETE | // to remove a trust
|
|
POLICY_VIEW_LOCAL_INFORMATION | // to view trusts
|
|
POLICY_CREATE_SECRET | // for password set operation
|
|
POLICY_TRUST_ADMIN, // for trust creation
|
|
&PolicyHandle
|
|
);
|
|
|
|
if( Status != STATUS_SUCCESS )
|
|
{
|
|
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
|
|
break;
|
|
}
|
|
|
|
if ( ! m_bNoChange )
|
|
{
|
|
Status = QueryWorkstationTrustedDomainInfo(PolicyHandle,DomainSid,m_bNoChange);
|
|
if (Status == STATUS_SUCCESS) {
|
|
Status = SetWorkstationTrustedDomainInfo(
|
|
PolicyHandle,
|
|
DomainSid,
|
|
TrustedDomainName,
|
|
Password,
|
|
errMsg
|
|
);
|
|
}
|
|
}
|
|
|
|
if( Status != STATUS_SUCCESS )
|
|
{
|
|
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
|
|
break;
|
|
}
|
|
|
|
//
|
|
// Update the primary domain to match the specified trusted domain
|
|
//
|
|
if (! m_bNoChange )
|
|
{
|
|
Status = SetPrimaryDomain(PolicyHandle, DomainSid, TrustedDomainName);
|
|
|
|
if(Status != STATUS_SUCCESS)
|
|
{
|
|
// DisplayNtStatus(errMsg,"SetPrimaryDomain", Status,NULL);
|
|
hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(Status));
|
|
break;
|
|
}
|
|
}
|
|
|
|
NetApiBufferFree(si101);
|
|
|
|
// Cleanup
|
|
|
|
//LocalFree(Workstation);
|
|
|
|
//
|
|
// free the Sid which was allocated for the TrustedDomain Sid
|
|
//
|
|
if(DomainSid)
|
|
{
|
|
FreeSid(DomainSid);
|
|
}
|
|
|
|
//
|
|
// close the policy handle
|
|
//
|
|
if ( PolicyHandle )
|
|
{
|
|
LsaClose(PolicyHandle);
|
|
}
|
|
|
|
} while (false); // do once
|
|
|
|
if (FAILED(hr))
|
|
{
|
|
(*errReturn) = NULL;
|
|
}
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
STDMETHODIMP
|
|
CChangeDomain::ChangeToWorkgroup(
|
|
BSTR Computer, // in - name of computer to update
|
|
BSTR Workgroup, // in - name of workgroup to join
|
|
BSTR * errReturn // out- text describing error if failure
|
|
)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
LSA_HANDLE PolicyHandle = NULL;
|
|
LPWSTR Workstation; // target machine of policy update
|
|
LPWSTR TrustedDomainName; // domain to join
|
|
PSERVER_INFO_101 si101;
|
|
DWORD Type;
|
|
NET_API_STATUS nas;
|
|
NTSTATUS Status;
|
|
WCHAR errMsg[1000] = L"";
|
|
// BOOL bSessionEstablished = FALSE;
|
|
|
|
// initialize output parameters
|
|
(*errReturn) = NULL;
|
|
|
|
Workstation = (WCHAR*)Computer;
|
|
TrustedDomainName = (WCHAR*)Workgroup;
|
|
|
|
errLocal.DbgMsgWrite(0,L"Changing to workgroup...");
|
|
//
|
|
// insure the target machine is NOT a DC, as this operation is
|
|
// only appropriate against a workstation.
|
|
//
|
|
do // once
|
|
{
|
|
/*if ( m_account.length() )
|
|
{
|
|
// Establish our credentials to the target machine
|
|
if (! EstablishSession(Workstation,m_domain,m_account,m_password, TRUE) )
|
|
{
|
|
// DisplayError(errMsg,"EstablishSession",GetLastError(),NULL);
|
|
hr = GetLastError();
|
|
}
|
|
else
|
|
{
|
|
bSessionEstablished = TRUE;
|
|
}
|
|
}
|
|
*/
|
|
nas = NetServerGetInfo(Workstation, 101, (LPBYTE *)&si101);
|
|
|
|
if(nas != NERR_Success)
|
|
{
|
|
//DisplayError(errMsg, "NetServerGetInfo", nas,NULL);
|
|
hr = E_FAIL;
|
|
break;
|
|
}
|
|
|
|
Type = si101->sv101_type;
|
|
NetApiBufferFree(si101);
|
|
|
|
if( (Type & SV_TYPE_DOMAIN_CTRL) ||
|
|
(Type & SV_TYPE_DOMAIN_BAKCTRL) )
|
|
{
|
|
swprintf(errMsg,L"Operation is not valid on a domain controller.\n");
|
|
hr = E_FAIL;
|
|
break;
|
|
|
|
}
|
|
|
|
//
|
|
// do not allow a workstation to trust itself
|
|
//
|
|
if(lstrcmpiW(TrustedDomainName, Workstation) == 0)
|
|
{
|
|
swprintf(errMsg,L"Error: Domain %ls cannot be a member of itself.\n",
|
|
TrustedDomainName);
|
|
hr = E_FAIL;
|
|
break;
|
|
}
|
|
|
|
if( lstrlenW(TrustedDomainName ) > MAX_COMPUTERNAME_LENGTH )
|
|
{
|
|
TrustedDomainName[MAX_COMPUTERNAME_LENGTH] = L'\0'; // truncate
|
|
}
|
|
|
|
//
|
|
// open the policy on this computer
|
|
//
|
|
Status = OpenPolicy(
|
|
Workstation,
|
|
DELETE | // to remove a trust
|
|
POLICY_VIEW_LOCAL_INFORMATION | // to view trusts
|
|
POLICY_CREATE_SECRET | // for password set operation
|
|
POLICY_TRUST_ADMIN, // for trust creation
|
|
&PolicyHandle
|
|
);
|
|
|
|
if( Status != STATUS_SUCCESS )
|
|
{
|
|
//DisplayNtStatus(errMsg,"OpenPolicy", Status,NULL);
|
|
hr = LsaNtStatusToWinError(Status);
|
|
break;
|
|
}
|
|
|
|
if( Status != STATUS_SUCCESS )
|
|
{
|
|
hr = E_FAIL;
|
|
break;
|
|
}
|
|
|
|
|
|
//
|
|
// Update the primary domain to match the specified trusted domain
|
|
//
|
|
if (! m_bNoChange )
|
|
{
|
|
Status = SetPrimaryDomain(PolicyHandle, NULL, TrustedDomainName);
|
|
|
|
if(Status != STATUS_SUCCESS)
|
|
{
|
|
//DisplayNtStatus(errMsg,"SetPrimaryDomain", Status,NULL);
|
|
hr = LsaNtStatusToWinError(Status);
|
|
break;
|
|
}
|
|
|
|
}
|
|
} while (false); // do once
|
|
|
|
// Cleanup
|
|
//
|
|
// close the policy handle
|
|
//
|
|
|
|
if(PolicyHandle)
|
|
{
|
|
LsaClose(PolicyHandle);
|
|
}
|
|
|
|
/*if ( bSessionEstablished )
|
|
{
|
|
EstablishSession(Workstation,m_domain,m_account,m_password,FALSE);
|
|
}
|
|
*/
|
|
if ( FAILED(hr) )
|
|
{
|
|
hr = S_FALSE;
|
|
(*errReturn) = SysAllocString(errMsg);
|
|
}
|
|
return hr;
|
|
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CChangeDomain::ConnectAs(
|
|
BSTR domain, // in - domain name to use for credentials
|
|
BSTR user, // in - account name to use for credentials
|
|
BSTR password // in - password to use for credentials
|
|
)
|
|
{
|
|
m_domain = domain;
|
|
m_account = user;
|
|
m_password = password;
|
|
m_domainAccount = domain;
|
|
m_domainAccount += L"\\";
|
|
m_domainAccount += user;
|
|
return S_OK;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CChangeDomain::get_NoChange(
|
|
BOOL * pVal // out- flag, whether to write changes
|
|
)
|
|
{
|
|
(*pVal) = m_bNoChange;
|
|
return S_OK;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CChangeDomain::put_NoChange(
|
|
BOOL newVal // in - flag, whether to write changes
|
|
)
|
|
{
|
|
m_bNoChange = newVal;
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
// ChangeDomain worknode: Changes the domain affiliation of a workstation or server
|
|
// (This operation cannot be performed on domain controllers)
|
|
//
|
|
// VarSet syntax:
|
|
//
|
|
// Input:
|
|
// ChangeDomain.Computer: <ComputerName>
|
|
// ChangeDomain.TargetDomain: <Domain>
|
|
// ChangeDomain.DomainIsWorkgroup: <Yes|No> default is No
|
|
// ChangeDomain.ConnectAs.Domain: <Domain> optional credentials to use
|
|
// ChangeDomain.ConnectAs.User : <Username>
|
|
// ChangeDomain.ConnectAs.Password : <Password>
|
|
//
|
|
// Output:
|
|
// ChangeDomain.ErrorText : <string-error message>
|
|
|
|
// This function is not currently used by the domain migration tool.
|
|
// The actual implementation is removed from the source.
|
|
STDMETHODIMP
|
|
CChangeDomain::Process(
|
|
IUnknown * pWorkItem
|
|
)
|
|
{
|
|
return E_NOTIMPL;
|
|
}
|
|
|