2 Samba Unix/Linux SMB client library
3 net ads commands for Group Policy
4 Copyright (C) 2005 Guenther Deschner (gd@samba.org)
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "utils/net.h"
26 static int net_ads_gpo_usage(int argc, const char **argv)
29 "net ads gpo <COMMAND>\n"\
30 "<COMMAND> can be either:\n"\
31 " ADDLINK Link a container to a GPO\n"\
32 " APPLY Apply all GPOs\n"\
33 " DELETELINK Delete a gPLink from a container\n"\
34 " EFFECTIVE Lists all GPOs assigned to a machine\n"\
35 " GETGPO Lists specified GPO\n"\
36 " GETLINK Lists gPLink of a containter\n"\
37 " HELP Prints this help message\n"\
38 " LIST Lists all GPOs\n"\
44 static int net_ads_gpo_effective(int argc, const char **argv)
49 const char *attrs[] = { "userAccountControl", NULL };
50 LDAPMessage *res = NULL;
53 struct GROUP_POLICY_OBJECT *gpo_list;
56 struct GROUP_POLICY_OBJECT *gpo;
60 printf("usage: net ads gpo effective <username|machinename>\n");
64 mem_ctx = talloc_init("net_ads_gpo_effective");
65 if (mem_ctx == NULL) {
69 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
74 status = ads_startup(False, &ads);
75 if (!ADS_ERR_OK(status)) {
79 status = ads_do_search_all(ads, ads->config.bind_path,
83 if (!ADS_ERR_OK(status)) {
87 if (ads_count_replies(ads, res) != 1) {
88 printf("no result\n");
92 dn = ads_get_dn(ads, res);
97 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
101 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
102 flags |= GPO_LIST_FLAG_MACHINE;
105 printf("\n%s: '%s' has dn: '%s'\n\n",
106 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
109 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
110 if (!ADS_ERR_OK(status)) {
114 for (gpo = gpo_list; gpo; gpo = gpo->next) {
116 char *server, *share, *nt_path, *unix_path;
118 printf("--------------------------------------\n");
119 printf("Name:\t\t\t%s\n", gpo->display_name);
120 printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
122 GPO_VERSION_USER(gpo->version),
123 GPO_VERSION_MACHINE(gpo->version));
125 result = ads_gpo_explode_filesyspath(ads, mem_ctx, gpo->file_sys_path,
126 &server, &share, &nt_path, &unix_path);
127 if (!NT_STATUS_IS_OK(result)) {
128 printf("got: %s\n", nt_errstr(result));
131 printf("GPO stored on server: %s, share: %s\n", server, share);
132 printf("\tremote path:\t%s\n", nt_path);
133 printf("\tlocal path:\t%s\n", unix_path);
137 ads_memfree(ads, dn);
138 ads_msgfree(ads, res);
141 talloc_destroy(mem_ctx);
145 static int net_ads_gpo_list(int argc, const char **argv)
149 LDAPMessage *res = NULL;
151 LDAPMessage *msg = NULL;
152 struct GROUP_POLICY_OBJECT gpo;
155 const char *attrs[] = {
161 "gPCMachineExtensionNames",
162 "gPCUserExtensionNames",
166 mem_ctx = talloc_init("net_ads_gpo_list");
167 if (mem_ctx == NULL) {
171 status = ads_startup(False, &ads);
172 if (!ADS_ERR_OK(status)) {
176 status = ads_do_search_all(ads, ads->config.bind_path,
178 "(objectclass=groupPolicyContainer)", attrs, &res);
179 if (!ADS_ERR_OK(status)) {
180 d_printf("search failed: %s\n", ads_errstr(status));
184 num_reply = ads_count_replies(ads, res);
186 d_printf("Got %d replies\n\n", num_reply);
188 /* dump the results */
189 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
191 if ((dn = ads_get_dn(ads, msg)) == NULL) {
195 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
197 if (!ADS_ERR_OK(status)) {
198 d_printf("parse failed: %s\n", ads_errstr(status));
199 ads_memfree(ads, dn);
203 dump_gpo(mem_ctx, &gpo);
204 ads_memfree(ads, dn);
208 ads_msgfree(ads, res);
210 talloc_destroy(mem_ctx);
216 static int net_ads_gpo_apply(int argc, const char **argv)
221 const char *attrs[] = {"distinguishedName", "userAccountControl", NULL};
222 LDAPMessage *res = NULL;
225 struct GROUP_POLICY_OBJECT *gpo_list;
230 printf("usage: net ads gpo apply <username|machinename>\n");
234 mem_ctx = talloc_init("net_ads_gpo_apply");
235 if (mem_ctx == NULL) {
239 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
240 if (filter == NULL) {
244 status = ads_startup(False, &ads);
245 if (!ADS_ERR_OK(status)) {
249 status = ads_do_search_all(ads, ads->config.bind_path,
251 filter, attrs, &res);
253 if (!ADS_ERR_OK(status)) {
257 if (ads_count_replies(ads, res) != 1) {
258 printf("no result\n");
262 dn = ads_get_dn(ads, res);
267 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
271 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
272 flags |= GPO_LIST_FLAG_MACHINE;
275 printf("%s: '%s' has dn: '%s'\n",
276 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
279 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
280 if (!ADS_ERR_OK(status)) {
284 /* FIXME: allow to process just a single extension */
285 status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, NULL, flags);
286 if (!ADS_ERR_OK(status)) {
291 ads_memfree(ads, dn);
292 ads_msgfree(ads, res);
295 talloc_destroy(mem_ctx);
300 static int net_ads_gpo_get_link(int argc, const char **argv)
305 struct GP_LINK gp_link;
308 printf("usage: net ads gpo getlink <linkname>\n");
312 mem_ctx = talloc_init("add_gpo_link");
313 if (mem_ctx == NULL) {
317 status = ads_startup(False, &ads);
318 if (!ADS_ERR_OK(status)) {
322 status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
323 if (!ADS_ERR_OK(status)) {
324 d_printf("get link for %s failed: %s\n", argv[0], ads_errstr(status));
328 dump_gplink(ads, mem_ctx, &gp_link);
331 talloc_destroy(mem_ctx);
337 static int net_ads_gpo_add_link(int argc, const char **argv)
345 printf("usage: net ads gpo addlink <linkdn> <gpodn> [options]\n");
349 mem_ctx = talloc_init("add_gpo_link");
350 if (mem_ctx == NULL) {
355 gpo_opt = atoi(argv[2]);
358 status = ads_startup(False, &ads);
359 if (!ADS_ERR_OK(status)) {
363 status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
364 if (!ADS_ERR_OK(status)) {
365 d_printf("add link failed: %s\n", ads_errstr(status));
370 talloc_destroy(mem_ctx);
376 static int net_ads_gpo_delete_link(int argc, const char **argv)
386 mem_ctx = talloc_init("delete_gpo_link");
387 if (mem_ctx == NULL) {
391 status = ads_startup(False, &ads);
392 if (!ADS_ERR_OK(status)) {
396 status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
397 if (!ADS_ERR_OK(status)) {
398 d_printf("delete link failed: %s\n", ads_errstr(status));
403 talloc_destroy(mem_ctx);
409 static int net_ads_gpo_get_gpo(int argc, const char **argv)
414 struct GROUP_POLICY_OBJECT gpo;
415 uint32 sysvol_gpt_version;
422 mem_ctx = talloc_init("add_gpo_get_gpo");
423 if (mem_ctx == NULL) {
427 status = ads_startup(False, &ads);
428 if (!ADS_ERR_OK(status)) {
432 if (strnequal(argv[0], "CN={", strlen("CN={"))) {
433 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
435 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
438 if (!ADS_ERR_OK(status)) {
439 d_printf("get gpo for [%s] failed: %s\n", argv[0], ads_errstr(status));
443 dump_gpo(mem_ctx, &gpo);
445 status = ADS_ERROR_NT(ads_gpo_get_sysvol_gpt_version(ads, mem_ctx,
449 if (!ADS_ERR_OK(status)) {
453 printf("sysvol GPT version: %d\n", sysvol_gpt_version);
456 talloc_destroy(mem_ctx);
462 int net_ads_gpo(int argc, const char **argv)
464 struct functable func[] = {
465 {"LIST", net_ads_gpo_list},
466 {"EFFECTIVE", net_ads_gpo_effective},
467 {"ADDLINK", net_ads_gpo_add_link},
468 {"DELETELINK", net_ads_gpo_delete_link},
469 {"GETLINK", net_ads_gpo_get_link},
470 {"GETGPO", net_ads_gpo_get_gpo},
471 {"HELP", net_ads_gpo_usage},
472 {"APPLY", net_ads_gpo_apply},
476 return net_run_function(argc, argv, func, net_ads_gpo_usage);
479 #endif /* HAVE_ADS */