2 Samba Unix/Linux SMB client library
3 net ads commands for Group Policy
4 Copyright (C) 2005-2008 Guenther Deschner (gd@samba.org)
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "utils/net.h"
25 static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv)
30 const char *dn = NULL;
31 struct GROUP_POLICY_OBJECT *gpo_list = NULL;
32 struct GROUP_POLICY_OBJECT *read_list = NULL;
35 struct GROUP_POLICY_OBJECT *gpo;
37 struct nt_user_token *token = NULL;
39 if (argc < 1 || c->display_usage) {
40 d_printf("%s\n%s\n%s",
42 _("net ads gpo refresh <username|machinename>"),
43 _(" Lists all GPOs assigned to an account and "
45 " username\tUser to refresh GPOs for\n"
46 " machinename\tMachine to refresh GPOs for\n"));
50 mem_ctx = talloc_init("net_ads_gpo_refresh");
51 if (mem_ctx == NULL) {
55 status = ads_startup(c, false, &ads);
56 if (!ADS_ERR_OK(status)) {
57 d_printf(_("failed to connect AD server: %s\n"), ads_errstr(status));
61 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
62 if (!ADS_ERR_OK(status)) {
63 d_printf(_("failed to find samaccount for %s\n"), argv[0]);
67 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
68 flags |= GPO_LIST_FLAG_MACHINE;
71 d_printf(_("\n%s: '%s' has dn: '%s'\n\n"),
72 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? _("machine") : _("user"),
75 d_printf(_("* fetching token "));
76 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
77 status = gp_get_machine_token(ads, mem_ctx, NULL, dn, &token);
79 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
82 if (!ADS_ERR_OK(status)) {
83 d_printf(_("failed: %s\n"), ads_errstr(status));
86 d_printf(_("finished\n"));
88 d_printf(_("* fetching GPO List "));
89 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
90 if (!ADS_ERR_OK(status)) {
91 d_printf(_("failed: %s\n"),
95 d_printf(_("finished\n"));
97 d_printf(_("* Refreshing Group Policy Data "));
98 if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx,
99 cache_path(GPO_CACHE_DIR),
103 d_printf(_("failed: %s\n"), nt_errstr(result));
106 d_printf(_("finished\n"));
108 d_printf(_("* storing GPO list to registry "));
111 WERROR werr = gp_reg_state_store(mem_ctx, flags, dn,
113 if (!W_ERROR_IS_OK(werr)) {
114 d_printf(_("failed: %s\n"), win_errstr(werr));
119 d_printf(_("finished\n"));
121 if (c->opt_verbose) {
123 d_printf(_("* dumping GPO list\n"));
125 for (gpo = gpo_list; gpo; gpo = gpo->next) {
127 dump_gpo(ads, mem_ctx, gpo, 0);
129 char *server, *share, *nt_path, *unix_path;
131 d_printf("--------------------------------------\n");
132 d_printf("Name:\t\t\t%s\n", gpo->display_name);
133 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
135 GPO_VERSION_USER(gpo->version),
136 GPO_VERSION_MACHINE(gpo->version));
138 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
139 &server, &share, &nt_path,
141 if (!NT_STATUS_IS_OK(result)) {
142 d_printf("got: %s\n", nt_errstr(result));
145 d_printf("GPO stored on server: %s, share: %s\n", server, share);
146 d_printf("\tremote path:\t%s\n", nt_path);
147 d_printf("\tlocal path:\t%s\n", unix_path);
152 d_printf(_("* re-reading GPO list from registry "));
155 WERROR werr = gp_reg_state_read(mem_ctx, flags,
156 &token->user_sids[0],
158 if (!W_ERROR_IS_OK(werr)) {
159 d_printf(_("failed: %s\n"), win_errstr(werr));
164 d_printf(_("finished\n"));
166 if (c->opt_verbose) {
168 d_printf(_("* dumping GPO list from registry\n"));
170 for (gpo = read_list; gpo; gpo = gpo->next) {
172 dump_gpo(ads, mem_ctx, gpo, 0);
175 char *server, *share, *nt_path, *unix_path;
177 d_printf("--------------------------------------\n");
178 d_printf("Name:\t\t\t%s\n", gpo->display_name);
179 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
181 GPO_VERSION_USER(gpo->version),
182 GPO_VERSION_MACHINE(gpo->version));
184 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
185 &server, &share, &nt_path,
187 if (!NT_STATUS_IS_OK(result)) {
188 d_printf("got: %s\n", nt_errstr(result));
191 d_printf("GPO stored on server: %s, share: %s\n", server, share);
192 d_printf("\tremote path:\t%s\n", nt_path);
193 d_printf("\tlocal path:\t%s\n", unix_path);
200 talloc_destroy(mem_ctx);
204 static int net_ads_gpo_list_all(struct net_context *c, int argc, const char **argv)
208 LDAPMessage *res = NULL;
210 LDAPMessage *msg = NULL;
211 struct GROUP_POLICY_OBJECT gpo;
214 const char *attrs[] = {
220 "gPCMachineExtensionNames",
221 "gPCUserExtensionNames",
222 "ntSecurityDescriptor",
226 if (c->display_usage) {
228 "net ads gpo listall\n"
231 _("List all GPOs on the DC"));
235 mem_ctx = talloc_init("net_ads_gpo_list_all");
236 if (mem_ctx == NULL) {
240 status = ads_startup(c, false, &ads);
241 if (!ADS_ERR_OK(status)) {
245 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
247 "(objectclass=groupPolicyContainer)",
249 DACL_SECURITY_INFORMATION,
252 if (!ADS_ERR_OK(status)) {
253 d_printf(_("search failed: %s\n"), ads_errstr(status));
257 num_reply = ads_count_replies(ads, res);
259 d_printf(_("Got %d replies\n\n"), num_reply);
261 /* dump the results */
262 for (msg = ads_first_entry(ads, res);
264 msg = ads_next_entry(ads, msg)) {
266 if ((dn = ads_get_dn(ads, mem_ctx, msg)) == NULL) {
270 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
272 if (!ADS_ERR_OK(status)) {
273 d_printf(_("ads_parse_gpo failed: %s\n"),
278 dump_gpo(ads, mem_ctx, &gpo, 0);
282 ads_msgfree(ads, res);
284 TALLOC_FREE(mem_ctx);
290 static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv)
294 LDAPMessage *res = NULL;
296 const char *dn = NULL;
299 struct GROUP_POLICY_OBJECT *gpo_list;
300 struct nt_user_token *token = NULL;
302 if (argc < 1 || c->display_usage) {
303 d_printf("%s\n%s\n%s",
305 _("net ads gpo list <username|machinename>"),
306 _(" Lists all GPOs for machine/user\n"
307 " username\tUser to list GPOs for\n"
308 " machinename\tMachine to list GPOs for\n"));
312 mem_ctx = talloc_init("net_ads_gpo_list");
313 if (mem_ctx == NULL) {
317 status = ads_startup(c, false, &ads);
318 if (!ADS_ERR_OK(status)) {
322 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
323 if (!ADS_ERR_OK(status)) {
327 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
328 flags |= GPO_LIST_FLAG_MACHINE;
331 d_printf(_("%s: '%s' has dn: '%s'\n"),
332 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? _("machine") : _("user"),
335 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
336 status = gp_get_machine_token(ads, mem_ctx, NULL, dn, &token);
338 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
341 if (!ADS_ERR_OK(status)) {
345 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
346 if (!ADS_ERR_OK(status)) {
350 dump_gpo_list(ads, mem_ctx, gpo_list, 0);
353 ads_msgfree(ads, res);
355 talloc_destroy(mem_ctx);
362 static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv)
367 const char *dn = NULL;
368 struct GROUP_POLICY_OBJECT *gpo_list;
371 struct nt_user_token *token = NULL;
372 const char *filter = NULL;
374 if (argc < 1 || c->display_usage) {
376 "net ads gpo apply <username|machinename>\n"
377 " Apply GPOs for machine/user\n"
378 " username\tUsername to apply GPOs for\n"
379 " machinename\tMachine to apply GPOs for\n");
383 mem_ctx = talloc_init("net_ads_gpo_apply");
384 if (mem_ctx == NULL) {
389 filter = cse_gpo_name_to_guid_string(argv[1]);
392 status = ads_startup(c, false, &ads);
393 if (!ADS_ERR_OK(status)) {
394 d_printf("got: %s\n", ads_errstr(status));
398 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
399 if (!ADS_ERR_OK(status)) {
400 d_printf("failed to find samaccount for %s: %s\n",
401 argv[0], ads_errstr(status));
405 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
406 flags |= GPO_LIST_FLAG_MACHINE;
409 if (c->opt_verbose) {
410 flags |= GPO_INFO_FLAG_VERBOSE;
413 d_printf("%s: '%s' has dn: '%s'\n",
414 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
417 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
418 status = gp_get_machine_token(ads, mem_ctx, NULL, dn, &token);
420 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
423 if (!ADS_ERR_OK(status)) {
427 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
428 if (!ADS_ERR_OK(status)) {
432 status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list,
434 if (!ADS_ERR_OK(status)) {
435 d_printf("failed to process gpo list: %s\n",
442 talloc_destroy(mem_ctx);
447 static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv)
452 struct GP_LINK gp_link;
454 if (argc < 1 || c->display_usage) {
455 d_printf("%s\n%s\n%s",
457 _("net ads gpo linkget <container>"),
458 _(" Lists gPLink of a containter\n"
459 " container\tContainer to get link for\n"));
463 mem_ctx = talloc_init("add_gpo_link");
464 if (mem_ctx == NULL) {
468 status = ads_startup(c, false, &ads);
469 if (!ADS_ERR_OK(status)) {
473 status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
474 if (!ADS_ERR_OK(status)) {
475 d_printf(_("get link for %s failed: %s\n"), argv[0],
480 dump_gplink(ads, mem_ctx, &gp_link);
483 talloc_destroy(mem_ctx);
489 static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv)
496 if (argc < 2 || c->display_usage) {
497 d_printf("%s\n%s\n%s",
499 _("net ads gpo linkadd <linkdn> <gpodn> [options]"),
500 _(" Link a container to a GPO\n"
501 " linkdn\tContainer to link to a GPO\n"
502 " gpodn\tGPO to link container to\n"));
503 d_printf(_("note: DNs must be provided properly escaped.\n"
504 "See RFC 4514 for details\n"));
508 mem_ctx = talloc_init("add_gpo_link");
509 if (mem_ctx == NULL) {
514 gpo_opt = atoi(argv[2]);
517 status = ads_startup(c, false, &ads);
518 if (!ADS_ERR_OK(status)) {
522 status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
523 if (!ADS_ERR_OK(status)) {
524 d_printf(_("link add failed: %s\n"), ads_errstr(status));
529 talloc_destroy(mem_ctx);
537 static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv)
543 if (argc < 2 || c->display_usage) {
545 "net ads gpo linkdelete <linkdn> <gpodn>\n"
546 " Delete a GPO link\n"
547 " <linkdn>\tContainer to delete GPO from\n"
548 " <gpodn>\tGPO to delete from container\n");
552 mem_ctx = talloc_init("delete_gpo_link");
553 if (mem_ctx == NULL) {
557 status = ads_startup(c, false, &ads);
558 if (!ADS_ERR_OK(status)) {
562 status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
563 if (!ADS_ERR_OK(status)) {
564 d_printf("delete link failed: %s\n", ads_errstr(status));
569 talloc_destroy(mem_ctx);
577 static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv)
582 struct GROUP_POLICY_OBJECT gpo;
584 if (argc < 1 || c->display_usage) {
585 d_printf("%s\n%s\n%s",
587 _("net ads gpo getgpo <gpo>"),
588 _(" List speciefied GPO\n"
589 " gpo\t\tGPO to list\n"));
593 mem_ctx = talloc_init("ads_gpo_get_gpo");
594 if (mem_ctx == NULL) {
598 status = ads_startup(c, false, &ads);
599 if (!ADS_ERR_OK(status)) {
603 if (strnequal(argv[0], "CN={", strlen("CN={"))) {
604 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
606 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
609 if (!ADS_ERR_OK(status)) {
610 d_printf(_("get gpo for [%s] failed: %s\n"), argv[0],
615 dump_gpo(ads, mem_ctx, &gpo, 1);
618 talloc_destroy(mem_ctx);
624 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
626 struct functable func[] = {
632 "Apply GPO to container",
633 "net ads gpo apply\n"
634 " Apply GPO to container"
641 N_("List specified GPO"),
642 N_("net ads gpo getgpo\n"
643 " List specified GPO")
647 net_ads_gpo_link_add,
649 N_("Link a container to a GPO"),
650 N_("net ads gpo linkadd\n"
651 " Link a container to a GPO")
656 net_ads_gpo_link_delete,
658 "Delete GPO link from a container",
659 "net ads gpo linkdelete\n"
660 " Delete GPO link from a container"
665 net_ads_gpo_link_get,
667 N_("Lists gPLink of containter"),
668 N_("net ads gpo linkget\n"
669 " Lists gPLink of containter")
675 N_("Lists all GPOs for machine/user"),
676 N_("net ads gpo list\n"
677 " Lists all GPOs for machine/user")
681 net_ads_gpo_list_all,
683 N_("Lists all GPOs on a DC"),
684 N_("net ads gpo listall\n"
685 " Lists all GPOs on a DC")
691 N_("Lists all GPOs assigned to an account and "
693 N_("net ads gpo refresh\n"
694 " Lists all GPOs assigned to an account and "
697 {NULL, NULL, 0, NULL, NULL}
700 return net_run_function(c, argc, argv, "net ads gpo", func);
703 #endif /* HAVE_ADS */