/*++
Copyright (c) 1996 Microsoft Corporation
Module Name:
sceutil.h
Abstract:
This module defines the data structures and function prototypes
shared by both SCE client and SCE server
Author:
Jin Huang (jinhuang) 23-Jan-1998
Revision History:
jinhuang (splitted from scep.h)
--*/
#ifndef _sceutil_
#define _sceutil_
#include <ntlsa.h>
#include <cfgmgr32.h>
typedef struct _SCE_USER_PRIV_LOOKUP {
UINT Value;
PWSTR Name;
}SCE_USER_PRIV_LOOKUP;
static SCE_USER_PRIV_LOOKUP SCE_Privileges[] = {
{0, (PWSTR)SE_NETWORK_LOGON_NAME},
// Access the computer from network
{SE_TCB_PRIVILEGE, (PWSTR)SE_TCB_NAME},
// Act as part of the operating System
{SE_MACHINE_ACCOUNT_PRIVILEGE, (PWSTR)SE_MACHINE_ACCOUNT_NAME},
// Add workstations to the domain
{SE_BACKUP_PRIVILEGE, (PWSTR)SE_BACKUP_NAME},
// Back up files and directories
{SE_CHANGE_NOTIFY_PRIVILEGE, (PWSTR)SE_CHANGE_NOTIFY_NAME},
// Bypass traverse checking
{SE_SYSTEMTIME_PRIVILEGE, (PWSTR)SE_SYSTEMTIME_NAME},
// Change the system time
{SE_CREATE_PAGEFILE_PRIVILEGE, (PWSTR)SE_CREATE_PAGEFILE_NAME},
// Create a pagefile
{SE_CREATE_TOKEN_PRIVILEGE, (PWSTR)SE_CREATE_TOKEN_NAME},
// Create a token object
{SE_CREATE_PERMANENT_PRIVILEGE, (PWSTR)SE_CREATE_PERMANENT_NAME},
// Create permanent shared objects
{SE_DEBUG_PRIVILEGE, (PWSTR)SE_DEBUG_NAME},
// Debug programs
{SE_REMOTE_SHUTDOWN_PRIVILEGE, (PWSTR)SE_REMOTE_SHUTDOWN_NAME},
// Force shutdown from a remote system
{SE_AUDIT_PRIVILEGE, (PWSTR)SE_AUDIT_NAME},
// Generate security audits
{SE_INCREASE_QUOTA_PRIVILEGE, (PWSTR)SE_INCREASE_QUOTA_NAME},
// Increase quotas
{SE_INC_BASE_PRIORITY_PRIVILEGE,(PWSTR)SE_INC_BASE_PRIORITY_NAME},
// Increase scheduling priority
{SE_LOAD_DRIVER_PRIVILEGE, (PWSTR)SE_LOAD_DRIVER_NAME},
// Load and unload device drivers
{SE_LOCK_MEMORY_PRIVILEGE, (PWSTR)SE_LOCK_MEMORY_NAME},
// Lock pages in memory
{0, (PWSTR)SE_BATCH_LOGON_NAME},
// Logon as a batch job
{0, (PWSTR)SE_SERVICE_LOGON_NAME},
// Logon as a service
{0, (PWSTR)SE_INTERACTIVE_LOGON_NAME},
// Logon locally
{SE_SECURITY_PRIVILEGE, (PWSTR)SE_SECURITY_NAME},
// Manage auditing and security log
{SE_SYSTEM_ENVIRONMENT_PRIVILEGE, (PWSTR)SE_SYSTEM_ENVIRONMENT_NAME},
// Modify firmware environment variables
{SE_PROF_SINGLE_PROCESS_PRIVILEGE,(PWSTR)SE_PROF_SINGLE_PROCESS_NAME},
// Profile single process
{SE_SYSTEM_PROFILE_PRIVILEGE, (PWSTR)SE_SYSTEM_PROFILE_NAME},
// Profile system performance
{SE_ASSIGNPRIMARYTOKEN_PRIVILEGE, (PWSTR)SE_ASSIGNPRIMARYTOKEN_NAME},
// Replace a process-level token
{SE_RESTORE_PRIVILEGE, (PWSTR)SE_RESTORE_NAME},
// Restore files and directories
{SE_SHUTDOWN_PRIVILEGE, (PWSTR)SE_SHUTDOWN_NAME},
// Shut down the system
{SE_TAKE_OWNERSHIP_PRIVILEGE, (PWSTR)SE_TAKE_OWNERSHIP_NAME},
// Take ownership of files or other objects
// {SE_UNSOLICITED_INPUT_PRIVILEGE,(PWSTR)SE_UNSOLICITED_INPUT_NAME},
// Unsolicited Input is obsolete and unused
{0, (PWSTR)SE_DENY_NETWORK_LOGON_NAME},
// Deny access the computer from network
{0, (PWSTR)SE_DENY_BATCH_LOGON_NAME},
// Deny Logon as a batch job
{0, (PWSTR)SE_DENY_SERVICE_LOGON_NAME},
// Deny Logon as a service
{0, (PWSTR)SE_DENY_INTERACTIVE_LOGON_NAME},
// Deny logon locally
{SE_UNDOCK_PRIVILEGE, (PWSTR)SE_UNDOCK_NAME},
// Undock privilege
{SE_SYNC_AGENT_PRIVILEGE, (PWSTR)SE_SYNC_AGENT_NAME},
// Sync agent privilege
{SE_ENABLE_DELEGATION_PRIVILEGE,(PWSTR)SE_ENABLE_DELEGATION_NAME},
// enable delegation privilege
{SE_MANAGE_VOLUME_PRIVILEGE, (PWSTR)SE_MANAGE_VOLUME_NAME},
// (NTFS) Manage volume privilege
{0, (PWSTR)SE_REMOTE_INTERACTIVE_LOGON_NAME},
// (TS) logon locally from a TS session
{0, (PWSTR)SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME}
// (TS) deny logon locally from a TS session
};
typedef struct _SCE_TEMP_NODE_ {
PWSTR Name;
DWORD Len;
BOOL bFree;
} SCE_TEMP_NODE, *PSCE_TEMP_NODE;
//
// This structure is used to find well known name locally for performance.
//
typedef struct _WELL_KNOWN_NAME_LOOKUP {
PWSTR StrSid;
WCHAR Name[36];
} WELL_KNOWN_NAME_LOOKUP, *PWELL_KNOWN_NAME_LOOKUP;
#define TABLE_SIZE 33
static WELL_KNOWN_NAME_LOOKUP NameTable[] = {
//Universal well-known
{ L"S-1-1-0", L'\0' }, //Everyone
//{ L"S-1-2-0", L'\0' }, //Local
{ L"S-1-3-0", L'\0' }, //Creator Owner
{ L"S-1-3-1", L'\0' }, //Creator Group
{ L"S-1-3-2", L'\0' }, //Creator Owner Server
{ L"S-1-3-3", L'\0' }, //Creator Group Server
//NT well-known
//{ L"S-1-5", L'\0' }, //NT Pseudo Domain
{ L"S-1-5-1", L'\0' }, //Dialup
{ L"S-1-5-2", L'\0' }, //Network
{ L"S-1-5-3", L'\0' }, //Batch
{ L"S-1-5-4", L'\0' }, //Interactive
{ L"S-1-5-6", L'\0' }, //Service
{ L"S-1-5-7", L'\0' }, //Anonymous Logon
{ L"S-1-5-8", L'\0' }, //Proxy
{ L"S-1-5-9", L'\0' }, //Enterprise Domain Controllers
{ L"S-1-5-10", L'\0' }, //Self
{ L"S-1-5-11", L'\0' }, //Authenticated Users
{ L"S-1-5-12", L'\0' }, //Restricted
{ L"S-1-5-13", L'\0' }, //Terminal Server User
{ L"S-1-5-18", L'\0' }, //Local system
{ L"S-1-5-19", L'\0' }, //Local Service
{ L"S-1-5-20", L'\0' }, //Network Service
//Builtin
{ L"S-1-5-32-544", L'\0' }, //Administrtors
{ L"S-1-5-32-545", L'\0' }, //Users
{ L"S-1-5-32-546", L'\0' }, //Guests
{ L"S-1-5-32-547", L'\0' }, //Power Users
{ L"S-1-5-32-548", L'\0' }, //Account Operators
{ L"S-1-5-32-549", L'\0' }, //Server Operators
{ L"S-1-5-32-550", L'\0' }, //Print Operators
{ L"S-1-5-32-551", L'\0' }, //Backup Operators
{ L"S-1-5-32-552", L'\0' }, //Replicator
{ L"S-1-5-32-553", L'\0' }, //Ras Servers
{ L"S-1-5-32-554", L'\0' }, //PREW2KCOMPACCESS
{ L"S-1-5-32-555", L'\0' }, //Remote desktop users
{ L"S-1-5-32-556", L'\0' } // network configuraiton operators
};
//
// Bit masks encoding rsop area information
//
#define SCE_RSOP_PASSWORD_INFO (0x1)
#define SCE_RSOP_LOCKOUT_INFO (0x1 << 1)
#define SCE_RSOP_LOGOFF_INFO (0x1 << 2)
#define SCE_RSOP_ADMIN_INFO (0x1 << 3)
#define SCE_RSOP_GUEST_INFO (0x1 << 4)
#define SCE_RSOP_GROUP_INFO (0x1 << 5)
#define SCE_RSOP_PRIVILEGE_INFO (0x1 << 6)
#define SCE_RSOP_FILE_SECURITY_INFO (0x1 << 7)
#define SCE_RSOP_REGISTRY_SECURITY_INFO (0x1 << 8)
#define SCE_RSOP_AUDIT_LOG_MAXSIZE_INFO (0x1 << 9)
#define SCE_RSOP_AUDIT_LOG_RETENTION_INFO (0x1 << 10)
#define SCE_RSOP_AUDIT_LOG_GUEST_INFO (0x1 << 11)
#define SCE_RSOP_AUDIT_EVENT_INFO (0x1 << 12)
#define SCE_RSOP_KERBEROS_INFO (0x1 << 13)
#define SCE_RSOP_REGISTRY_VALUE_INFO (0x1 << 14)
#define SCE_RSOP_SERVICES_INFO (0x1 << 15)
#define SCE_RSOP_FILE_SECURITY_INFO_CHILD (0x1 << 16)
#define SCE_RSOP_REGISTRY_SECURITY_INFO_CHILD (0x1 << 17)
#define SCE_RSOP_LSA_POLICY_INFO (0x1 << 18)
#define SCE_RSOP_DISABLE_ADMIN_INFO (0x1 << 19)
#define SCE_RSOP_DISABLE_GUEST_INFO (0x1 << 20)
BOOL
ScepInitNameTable();
BOOL
ScepLookupNameTable(
IN PWSTR Name,
OUT PWSTR *StrSid
);
INT
ScepLookupPrivByName(
IN PCWSTR Right
);
INT
ScepLookupPrivByValue(
IN DWORD Priv
);
SCESTATUS
ScepGetProductType(
OUT PSCE_SERVER_TYPE srvProduct
);
SCESTATUS
ScepConvertMultiSzToDelim(
IN PWSTR pValue,
IN DWORD Len,
IN WCHAR DelimFrom,
IN WCHAR Delim
);
DWORD
ScepAddTwoNamesToNameList(
OUT PSCE_NAME_LIST *pNameList,
IN BOOL bAddSeparator,
IN PWSTR Name1,
IN ULONG Length1,
IN PWSTR Name2,
IN ULONG Length2
);
NTSTATUS
ScepDomainIdToSid(
IN PSID DomainId,
IN ULONG RelativeId,
OUT PSID *Sid
);
DWORD
ScepConvertSidToPrefixStringSid(
IN PSID pSid,
OUT PWSTR *StringSid
);
NTSTATUS
ScepConvertSidToName(
IN LSA_HANDLE LsaPolicy,
IN PSID AccountSid,
IN BOOL bFromDomain,
OUT PWSTR *AccountName,
OUT DWORD *Length OPTIONAL
);
NTSTATUS
ScepConvertNameToSid(
IN LSA_HANDLE LsaPolicy,
IN PWSTR AccountName,
OUT PSID *AccountSid
);
SCESTATUS
ScepConvertNameToSidString(
IN LSA_HANDLE LsaHandle,
IN PWSTR Name,
IN BOOL bAccountDomainOnly,
OUT PWSTR *SidString,
OUT DWORD *SidStrLen
);
SCESTATUS
ScepLookupSidStringAndAddToNameList(
IN LSA_HANDLE LsaHandle,
IN OUT PSCE_NAME_LIST *pNameList,
IN PWSTR LookupString,
IN ULONG Len
);
SCESTATUS
ScepLookupNameAndAddToSidStringList(
IN LSA_HANDLE LsaHandle,
IN OUT PSCE_NAME_LIST *pNameList,
IN PWSTR LookupString,
IN ULONG Len
);
NTSTATUS
ScepOpenLsaPolicy(
IN ACCESS_MASK access,
OUT PLSA_HANDLE pPolicyHandle,
IN BOOL bDoNotNotify
);
BOOL
ScepIsSidFromAccountDomain(
IN PSID pSid
);
BOOL
SetupINFAsUCS2(
IN LPCTSTR szName
);
WCHAR *
ScepStripPrefix(
IN LPTSTR pwszPath
);
DWORD
ScepGenerateGuid(
OUT PWSTR *ppwszGuid
);
SCESTATUS
SceInfpGetPrivileges(
IN HINF hInf,
IN BOOL bLookupAccount,
OUT PSCE_PRIVILEGE_ASSIGNMENT *pPrivileges,
OUT PSCE_ERROR_LOG_INFO *Errlog OPTIONAL
);
DWORD
ScepQueryAndAddService(
IN SC_HANDLE hScManager,
IN LPWSTR lpServiceName,
IN LPWSTR lpDisplayName,
OUT PSCE_SERVICES *pServiceList
);
NTSTATUS
ScepIsSystemContext(
IN HANDLE hUserToken,
OUT BOOL *pbSystem
);
BOOL
IsNT5();
DWORD
ScepVerifyTemplateName(
IN PWSTR InfTemplateName,
OUT PSCE_ERROR_LOG_INFO *pErrlog OPTIONAL
);
NTSTATUS
ScepLsaLookupNames2(
IN LSA_HANDLE PolicyHandle,
IN ULONG Flags,
IN PWSTR pszAccountName,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_SID2 *Sids
);
#endif