2 Samba Unix/Linux SMB client library
3 net ads commands for Group Policy
4 Copyright (C) 2005-2008 Guenther Deschner (gd@samba.org)
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "utils/net.h"
25 static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv)
30 const char *dn = NULL;
31 struct GROUP_POLICY_OBJECT *gpo_list = NULL;
32 struct GROUP_POLICY_OBJECT *read_list = NULL;
35 struct GROUP_POLICY_OBJECT *gpo;
37 struct nt_user_token *token = NULL;
39 if (argc < 1 || c->display_usage) {
41 "net ads gpo refresh <username|machinename>\n"
42 " Lists all GPOs assigned to an account and "
44 " username\tUser to refresh GPOs for\n"
45 " machinename\tMachine to refresh GPOs for\n");
49 mem_ctx = talloc_init("net_ads_gpo_refresh");
50 if (mem_ctx == NULL) {
54 status = ads_startup(c, false, &ads);
55 if (!ADS_ERR_OK(status)) {
56 d_printf("failed to connect AD server: %s\n", ads_errstr(status));
60 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
61 if (!ADS_ERR_OK(status)) {
62 d_printf("failed to find samaccount for %s\n", argv[0]);
66 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
67 flags |= GPO_LIST_FLAG_MACHINE;
70 d_printf("\n%s: '%s' has dn: '%s'\n\n",
71 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
74 d_printf("* fetching token ");
75 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
76 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
78 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
81 if (!ADS_ERR_OK(status)) {
82 d_printf("failed: %s\n", ads_errstr(status));
85 d_printf("finished\n");
87 d_printf("* fetching GPO List ");
88 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
89 if (!ADS_ERR_OK(status)) {
90 d_printf("failed: %s\n", ads_errstr(status));
93 d_printf("finished\n");
95 d_printf("* refreshing Group Policy Data ");
96 if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx,
99 d_printf("failed: %s\n", nt_errstr(result));
102 d_printf("finished\n");
104 d_printf("* storing GPO list to registry ");
107 WERROR werr = gp_reg_state_store(mem_ctx, flags, dn,
109 if (!W_ERROR_IS_OK(werr)) {
110 d_printf("failed: %s\n", dos_errstr(werr));
115 d_printf("finished\n");
117 if (c->opt_verbose) {
119 d_printf("* dumping GPO list\n");
121 for (gpo = gpo_list; gpo; gpo = gpo->next) {
123 dump_gpo(ads, mem_ctx, gpo, 0);
125 char *server, *share, *nt_path, *unix_path;
127 d_printf("--------------------------------------\n");
128 d_printf("Name:\t\t\t%s\n", gpo->display_name);
129 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
131 GPO_VERSION_USER(gpo->version),
132 GPO_VERSION_MACHINE(gpo->version));
134 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
135 &server, &share, &nt_path,
137 if (!NT_STATUS_IS_OK(result)) {
138 d_printf("got: %s\n", nt_errstr(result));
141 d_printf("GPO stored on server: %s, share: %s\n", server, share);
142 d_printf("\tremote path:\t%s\n", nt_path);
143 d_printf("\tlocal path:\t%s\n", unix_path);
148 d_printf("* re-reading GPO list from registry ");
151 WERROR werr = gp_reg_state_read(mem_ctx, flags,
152 &token->user_sids[0],
154 if (!W_ERROR_IS_OK(werr)) {
155 d_printf("failed: %s\n", dos_errstr(werr));
160 d_printf("finished\n");
162 if (c->opt_verbose) {
164 d_printf("* dumping GPO list from registry\n");
166 for (gpo = read_list; gpo; gpo = gpo->next) {
168 dump_gpo(ads, mem_ctx, gpo, 0);
171 char *server, *share, *nt_path, *unix_path;
173 d_printf("--------------------------------------\n");
174 d_printf("Name:\t\t\t%s\n", gpo->display_name);
175 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
177 GPO_VERSION_USER(gpo->version),
178 GPO_VERSION_MACHINE(gpo->version));
180 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
181 &server, &share, &nt_path,
183 if (!NT_STATUS_IS_OK(result)) {
184 d_printf("got: %s\n", nt_errstr(result));
187 d_printf("GPO stored on server: %s, share: %s\n", server, share);
188 d_printf("\tremote path:\t%s\n", nt_path);
189 d_printf("\tlocal path:\t%s\n", unix_path);
196 talloc_destroy(mem_ctx);
200 static int net_ads_gpo_list_all(struct net_context *c, int argc, const char **argv)
204 LDAPMessage *res = NULL;
206 LDAPMessage *msg = NULL;
207 struct GROUP_POLICY_OBJECT gpo;
210 const char *attrs[] = {
216 "gPCMachineExtensionNames",
217 "gPCUserExtensionNames",
218 "ntSecurityDescriptor",
222 if (c->display_usage) {
224 "net ads gpo listall\n"
225 " List all GPOs on the DC\n");
229 mem_ctx = talloc_init("net_ads_gpo_list_all");
230 if (mem_ctx == NULL) {
234 status = ads_startup(c, false, &ads);
235 if (!ADS_ERR_OK(status)) {
239 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
241 "(objectclass=groupPolicyContainer)",
243 DACL_SECURITY_INFORMATION,
246 if (!ADS_ERR_OK(status)) {
247 d_printf("search failed: %s\n", ads_errstr(status));
251 num_reply = ads_count_replies(ads, res);
253 d_printf("Got %d replies\n\n", num_reply);
255 /* dump the results */
256 for (msg = ads_first_entry(ads, res);
258 msg = ads_next_entry(ads, msg)) {
260 if ((dn = ads_get_dn(ads, msg)) == NULL) {
264 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
266 if (!ADS_ERR_OK(status)) {
267 d_printf("ads_parse_gpo failed: %s\n",
269 ads_memfree(ads, dn);
273 dump_gpo(ads, mem_ctx, &gpo, 0);
274 ads_memfree(ads, dn);
278 ads_msgfree(ads, res);
280 talloc_destroy(mem_ctx);
286 static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv)
290 LDAPMessage *res = NULL;
292 const char *dn = NULL;
295 struct GROUP_POLICY_OBJECT *gpo_list;
296 struct nt_user_token *token = NULL;
298 if (argc < 1 || c->display_usage) {
300 "net ads gpo list <username|machinename>\n"
301 " Lists all GPOs for machine/user\n"
302 " username\tUser to list GPOs for\n"
303 " machinename\tMachine to list GPOs for\n");
307 mem_ctx = talloc_init("net_ads_gpo_list");
308 if (mem_ctx == NULL) {
312 status = ads_startup(c, false, &ads);
313 if (!ADS_ERR_OK(status)) {
317 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
318 if (!ADS_ERR_OK(status)) {
322 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
323 flags |= GPO_LIST_FLAG_MACHINE;
326 d_printf("%s: '%s' has dn: '%s'\n",
327 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
330 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
331 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
333 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
336 if (!ADS_ERR_OK(status)) {
340 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
341 if (!ADS_ERR_OK(status)) {
345 dump_gpo_list(ads, mem_ctx, gpo_list, 0);
348 ads_msgfree(ads, res);
350 talloc_destroy(mem_ctx);
357 static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv)
362 const char *dn = NULL;
363 struct GROUP_POLICY_OBJECT *gpo_list;
366 struct nt_user_token *token = NULL;
367 const char *filter = NULL;
369 if (argc < 1 || c->display_usage) {
371 "net ads gpo apply <username|machinename>\n"
372 " Apply GPOs for machine/user\n"
373 " username\tUsername to apply GPOs for\n"
374 " machinename\tMachine to apply GPOs for\n");
378 mem_ctx = talloc_init("net_ads_gpo_apply");
379 if (mem_ctx == NULL) {
384 filter = cse_gpo_name_to_guid_string(argv[1]);
387 status = ads_startup(c, false, &ads);
388 if (!ADS_ERR_OK(status)) {
389 d_printf("got: %s\n", ads_errstr(status));
393 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
394 if (!ADS_ERR_OK(status)) {
395 d_printf("failed to find samaccount for %s: %s\n",
396 argv[0], ads_errstr(status));
400 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
401 flags |= GPO_LIST_FLAG_MACHINE;
405 flags |= GPO_INFO_FLAG_VERBOSE;
408 d_printf("%s: '%s' has dn: '%s'\n",
409 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
412 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
413 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
415 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
418 if (!ADS_ERR_OK(status)) {
422 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
423 if (!ADS_ERR_OK(status)) {
427 status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list,
429 if (!ADS_ERR_OK(status)) {
430 d_printf("failed to process gpo list: %s\n",
437 talloc_destroy(mem_ctx);
442 static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv)
447 struct GP_LINK gp_link;
449 if (argc < 1 || c->display_usage) {
451 "net ads gpo linkget <container>\n"
452 " Lists gPLink of a containter\n"
453 " container\tContainer to get link for\n");
457 mem_ctx = talloc_init("add_gpo_link");
458 if (mem_ctx == NULL) {
462 status = ads_startup(c, false, &ads);
463 if (!ADS_ERR_OK(status)) {
467 status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
468 if (!ADS_ERR_OK(status)) {
469 d_printf("get link for %s failed: %s\n", argv[0],
474 dump_gplink(ads, mem_ctx, &gp_link);
477 talloc_destroy(mem_ctx);
483 static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv)
490 if (argc < 2 || c->display_usage) {
492 "net ads gpo linkadd <linkdn> <gpodn> [options]\n"
493 " Link a container to a GPO\n"
494 " linkdn\tContainer to link to a GPO\n"
495 " gpodn\tGPO to link container to\n");
496 d_printf("note: DNs must be provided properly escaped.\n");
497 d_printf("See RFC 4514 for details\n");
501 mem_ctx = talloc_init("add_gpo_link");
502 if (mem_ctx == NULL) {
507 gpo_opt = atoi(argv[2]);
510 status = ads_startup(c, false, &ads);
511 if (!ADS_ERR_OK(status)) {
515 status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
516 if (!ADS_ERR_OK(status)) {
517 d_printf("link add failed: %s\n", ads_errstr(status));
522 talloc_destroy(mem_ctx);
530 static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv)
536 if (argc < 2 || c->display_usage) {
538 "net ads gpo linkdelete <linkdn> <gpodn>\n"
539 " Delete a GPO link\n"
540 " <linkdn>\tContainer to delete GPO from\n"
541 " <gpodn>\tGPO to delete from container\n");
545 mem_ctx = talloc_init("delete_gpo_link");
546 if (mem_ctx == NULL) {
550 status = ads_startup(c, false, &ads);
551 if (!ADS_ERR_OK(status)) {
555 status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
556 if (!ADS_ERR_OK(status)) {
557 d_printf("delete link failed: %s\n", ads_errstr(status));
562 talloc_destroy(mem_ctx);
570 static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv)
575 struct GROUP_POLICY_OBJECT gpo;
577 if (argc < 1 || c->display_usage) {
579 "net ads gpo getgpo <gpo>\n"
580 " List speciefied GPO\n"
581 " gpo\t\tGPO to list\n");
585 mem_ctx = talloc_init("ads_gpo_get_gpo");
586 if (mem_ctx == NULL) {
590 status = ads_startup(c, false, &ads);
591 if (!ADS_ERR_OK(status)) {
595 if (strnequal(argv[0], "CN={", strlen("CN={"))) {
596 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
598 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
601 if (!ADS_ERR_OK(status)) {
602 d_printf("get gpo for [%s] failed: %s\n", argv[0],
607 dump_gpo(ads, mem_ctx, &gpo, 1);
610 talloc_destroy(mem_ctx);
616 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
618 struct functable func[] = {
624 "Apply GPO to container",
625 "net ads gpo apply\n"
626 " Apply GPO to container"
633 "List specified GPO",
634 "net ads gpo getgpo\n"
635 " List specified GPO"
639 net_ads_gpo_link_add,
641 "Link a container to a GPO",
642 "net ads gpo linkadd\n"
643 " Link a container to a GPO"
648 net_ads_gpo_link_delete,
650 "Delete GPO link from a container",
651 "net ads gpo linkdelete\n"
652 " Delete GPO link from a container"
657 net_ads_gpo_link_get,
659 "Lists gPLink of containter",
660 "net ads gpo linkget\n"
661 " Lists gPLink of containter"
667 "Lists all GPOs for machine/user",
669 " Lists all GPOs for machine/user"
673 net_ads_gpo_list_all,
675 "Lists all GPOs on a DC",
676 "net ads gpo listall\n"
677 " Lists all GPOs on a DC"
683 "Lists all GPOs assigned to an account and downloads "
685 "net ads gpo refresh\n"
686 " Lists all GPOs assigned to an account and "
689 {NULL, NULL, 0, NULL, NULL}
692 return net_run_function(c, argc, argv, "net ads gpo", func);
695 #endif /* HAVE_ADS */