2 Samba Unix/Linux SMB client library
3 net ads commands for Group Policy
4 Copyright (C) 2005 Guenther Deschner (gd@samba.org)
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "utils/net.h"
26 static int net_ads_gpo_usage(int argc, const char **argv)
29 "net ads gpo <COMMAND>\n"\
30 "<COMMAND> can be either:\n"\
31 " ADDLINK Link a container to a GPO\n"\
32 " APPLY Apply all GPOs\n"\
33 " DELETELINK Delete a gPLink from a container\n"\
34 " EFFECTIVE Lists all GPOs assigned to a machine\n"\
35 " GETGPO Lists specified GPO\n"\
36 " GETLINK Lists gPLink of a containter\n"\
37 " HELP Prints this help message\n"\
38 " LIST Lists all GPOs\n"\
44 static int net_ads_gpo_effective(int argc, const char **argv)
49 const char *attrs[] = {"distinguishedName", "userAccountControl", NULL};
50 LDAPMessage *res = NULL;
53 struct GROUP_POLICY_OBJECT *gpo_list;
61 mem_ctx = talloc_init("net_ads_gpo_effective");
62 if (mem_ctx == NULL) {
66 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
71 status = ads_startup(False, &ads);
72 if (!ADS_ERR_OK(status)) {
76 status = ads_do_search_all(ads, ads->config.bind_path,
80 if (!ADS_ERR_OK(status)) {
84 if (ads_count_replies(ads, res) != 1) {
85 printf("no result\n");
89 dn = ads_get_dn(ads, res);
94 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
98 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
99 flags |= GPO_LIST_FLAG_MACHINE;
102 printf("%s: '%s' has dn: '%s'\n",
103 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
106 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
107 if (!ADS_ERR_OK(status)) {
111 printf("unsorted full dump of all GPOs for this machine:\n");
114 struct GROUP_POLICY_OBJECT *gpo = gpo_list;
116 for (gpo = gpo_list; gpo; gpo = gpo->next) {
117 dump_gpo(mem_ctx, gpo);
121 printf("sorted full dump of all GPOs valid for this machine:\n");
124 ads_memfree(ads, dn);
125 ads_msgfree(ads, res);
128 talloc_destroy(mem_ctx);
132 static int net_ads_gpo_list(int argc, const char **argv)
136 LDAPMessage *res = NULL;
138 LDAPMessage *msg = NULL;
139 struct GROUP_POLICY_OBJECT gpo;
142 const char *attrs[] = {
148 "gPCMachineExtensionNames",
149 "gPCUserExtensionNames",
153 mem_ctx = talloc_init("net_ads_gpo_list");
154 if (mem_ctx == NULL) {
158 status = ads_startup(False, &ads);
159 if (!ADS_ERR_OK(status)) {
163 status = ads_do_search_all(ads, ads->config.bind_path,
165 "(objectclass=groupPolicyContainer)", attrs, &res);
166 if (!ADS_ERR_OK(status)) {
167 d_printf("search failed: %s\n", ads_errstr(status));
171 num_reply = ads_count_replies(ads, res);
173 d_printf("Got %d replies\n\n", num_reply);
175 /* dump the results */
176 for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
178 if ((dn = ads_get_dn(ads, msg)) == NULL) {
182 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
184 if (!ADS_ERR_OK(status)) {
185 d_printf("parse failed: %s\n", ads_errstr(status));
186 ads_memfree(ads, dn);
190 dump_gpo(mem_ctx, &gpo);
191 ads_memfree(ads, dn);
195 ads_msgfree(ads, res);
197 talloc_destroy(mem_ctx);
203 static int net_ads_gpo_apply(int argc, const char **argv)
208 const char *attrs[] = {"distinguishedName", "userAccountControl", NULL};
209 LDAPMessage *res = NULL;
212 struct GROUP_POLICY_OBJECT *gpo_list;
220 mem_ctx = talloc_init("net_ads_gpo_apply");
221 if (mem_ctx == NULL) {
225 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
226 if (filter == NULL) {
230 status = ads_startup(False, &ads);
231 if (!ADS_ERR_OK(status)) {
235 status = ads_do_search_all(ads, ads->config.bind_path,
237 filter, attrs, &res);
239 if (!ADS_ERR_OK(status)) {
243 if (ads_count_replies(ads, res) != 1) {
244 printf("no result\n");
248 dn = ads_get_dn(ads, res);
253 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
257 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
258 flags |= GPO_LIST_FLAG_MACHINE;
261 printf("%s: '%s' has dn: '%s'\n",
262 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
265 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
266 if (!ADS_ERR_OK(status)) {
270 /* FIXME: allow to process just a single extension */
271 status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, NULL, flags);
272 if (!ADS_ERR_OK(status)) {
277 ads_memfree(ads, dn);
278 ads_msgfree(ads, res);
281 talloc_destroy(mem_ctx);
286 static int net_ads_gpo_get_link(int argc, const char **argv)
291 struct GP_LINK gp_link;
297 mem_ctx = talloc_init("add_gpo_link");
298 if (mem_ctx == NULL) {
302 status = ads_startup(False, &ads);
303 if (!ADS_ERR_OK(status)) {
307 status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
308 if (!ADS_ERR_OK(status)) {
309 d_printf("get link for %s failed: %s\n", argv[0], ads_errstr(status));
313 dump_gplink(ads, mem_ctx, &gp_link);
316 talloc_destroy(mem_ctx);
322 static int net_ads_gpo_add_link(int argc, const char **argv)
333 mem_ctx = talloc_init("add_gpo_link");
334 if (mem_ctx == NULL) {
339 gpo_opt = atoi(argv[2]);
342 status = ads_startup(False, &ads);
343 if (!ADS_ERR_OK(status)) {
347 status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
348 if (!ADS_ERR_OK(status)) {
349 d_printf("add link failed: %s\n", ads_errstr(status));
354 talloc_destroy(mem_ctx);
360 static int net_ads_gpo_delete_link(int argc, const char **argv)
370 mem_ctx = talloc_init("delete_gpo_link");
371 if (mem_ctx == NULL) {
375 status = ads_startup(False, &ads);
376 if (!ADS_ERR_OK(status)) {
380 status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
381 if (!ADS_ERR_OK(status)) {
382 d_printf("delete link failed: %s\n", ads_errstr(status));
387 talloc_destroy(mem_ctx);
393 static int net_ads_gpo_get_gpo(int argc, const char **argv)
398 struct GROUP_POLICY_OBJECT gpo;
399 uint32 sysvol_gpt_version;
405 mem_ctx = talloc_init("add_gpo_get_gpo");
406 if (mem_ctx == NULL) {
410 status = ads_startup(False, &ads);
411 if (!ADS_ERR_OK(status)) {
415 if (strnequal(argv[0], "CN={", strlen("CN={"))) {
416 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
418 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
421 if (!ADS_ERR_OK(status)) {
422 d_printf("get gpo for [%s] failed: %s\n", argv[0], ads_errstr(status));
426 dump_gpo(mem_ctx, &gpo);
428 status = ADS_ERROR_NT(ads_gpo_get_sysvol_gpt_version(ads, mem_ctx, gpo.file_sys_path, &sysvol_gpt_version));
429 if (!ADS_ERR_OK(status)) {
433 printf("sysvol GPT version: %d\n", sysvol_gpt_version);
436 talloc_destroy(mem_ctx);
442 int net_ads_gpo(int argc, const char **argv)
444 struct functable func[] = {
445 {"LIST", net_ads_gpo_list},
446 {"EFFECTIVE", net_ads_gpo_effective},
447 {"ADDLINK", net_ads_gpo_add_link},
448 {"DELETELINK", net_ads_gpo_delete_link},
449 {"GETLINK", net_ads_gpo_get_link},
450 {"GETGPO", net_ads_gpo_get_gpo},
451 {"HELP", net_ads_gpo_usage},
452 {"APPLY", net_ads_gpo_apply},
456 return net_run_function(argc, argv, func, net_ads_gpo_usage);
459 #endif /* HAVE_ADS */