A
Anthony Hunter
What API's would I use to check to see if the currently logged in user
is part of a specific policy?
Thanks,
Anthony
is part of a specific policy?
Thanks,
Anthony
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
C
Christopher Maloney
Go to a command prompt on the computer that the user is logged in on and
type "gpresult"(without quotes). This will list all settings applied by
each group policy.
type "gpresult"(without quotes). This will list all settings applied by
each group policy.
A
Anthony Hunter
I've found the GetGPOList() API, but I'm not quite sure how to use it. I
can't find any detailed examples.
Anthony
can't find any detailed examples.
Anthony
D
Darren Mar-Elia
If you're really talking APIs, then you can call RSoPCreateSession to
generate WMI RSoP logging data yourself, and then you can get at the RSoP
data that way. If you just want to get the list of GPOs processed by a user,
you can query the registry for that information. Let me know if you want
details on the keys to look at.
generate WMI RSoP logging data yourself, and then you can get at the RSoP
data that way. If you just want to get the list of GPOs processed by a user,
you can query the registry for that information. Let me know if you want
details on the keys to look at.
D
Darren Mar-Elia
GetGPOList() is typically used if you're writing your own Client Side
Extension. I suppose you could call it on its own, but its probably easier
to use one of the other methods mentioned in my previous post.
Extension. I suppose you could call it on its own, but its probably easier
to use one of the other methods mentioned in my previous post.
A
Anthony Hunter
You wouldn't happen to know where I could find some C++ examples of what
I want to do?
Thanks,
Anthony
I want to do?
Thanks,
Anthony
A
Anthony Hunter
I need code that will work on Win2000 and higher. I looked up the
RSoPCreateSession() and it only works onWinXP and higher.
Anthony
RSoPCreateSession() and it only works onWinXP and higher.
Anthony
D
Darren Mar-Elia
Well, if you just want to get a list of the GPOs that are applying to a
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History using standard C++ registry APIs. Of course, this has to run
in the context of the currently logged on user. Under the History key, you
get a set of keys organized by Client Side Extension that enumerate the GPOs
that have run for each CSE for that user.
Also, you could try calling GetAppliedGPOList(). I've not used it before but
I suppose that its as good as any other mechanism. Its documented here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.asp
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History using standard C++ registry APIs. Of course, this has to run
in the context of the currently logged on user. Under the History key, you
get a set of keys organized by Client Side Extension that enumerate the GPOs
that have run for each CSE for that user.
Also, you could try calling GetAppliedGPOList(). I've not used it before but
I suppose that its as good as any other mechanism. Its documented here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.asp
A
Anthony Hunter
I'm going to try and use the GetAppliedGPOList(), but I'm not sure how
to set the GUID. I've seen in other postings about get the correct guid from
the registry, but how do I set the variable? It's probably fairly simple,
just something I've never had to do before.
Thanks,
Anthony
to set the GUID. I've seen in other postings about get the correct guid from
the registry, but how do I set the variable? It's probably fairly simple,
just something I've never had to do before.
Thanks,
Anthony
D
Darren Mar-Elia
This GUID variable is referring to the client side extension you want to
return information on. For example, if you want to find out what Software
Installation policy was applied, you would pass the GUID of the Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K and above
box under:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
return information on. For example, if you want to find out what Software
Installation policy was applied, you would pass the GUID of the Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K and above
box under:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
A
Anthony Hunter
Ok, I think I have it coded, but I not sure if it is working right. The
GROUP_POLICY_OBJECT, doesn't seem to contain any details, but it returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size, domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL, pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
GROUP_POLICY_OBJECT, doesn't seem to contain any details, but it returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size, domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL, pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
D
Darren Mar-Elia
So do you get back any kind of GPO struct or just nothing? In other words,
you should get a bunch of structs which are the individual GPOs that apply.
In the code below you're asking for any security policy that applies to a
particular domain user, however most security policy (except for stuff like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
you should get a bunch of structs which are the individual GPOs that apply.
In the code below you're asking for any security policy that applies to a
particular domain user, however most security policy (except for stuff like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:Ok, I think I have it coded, but I not sure if it is working right. The
GROUP_POLICY_OBJECT, doesn't seem to contain any details, but it returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size,
domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL, pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
Darren Mar-Elia said:This GUID variable is referring to the client side extension you want to
return information on. For example, if you want to find out what Software
Installation policy was applied, you would pass the GUID of the Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K and
above
box under:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
A
Anthony Hunter
pSid = <void> yet LookupAccountName() returns success, and pGPOList =
null. Something is definately wrong, just not sure what.
What I want to find out is if a specified user (domain account) is part
of the "Log on as a service" policy on the local machine.
I hope this clarifies what I'm looking for.
Thanks,
Anthony
null. Something is definately wrong, just not sure what.
What I want to find out is if a specified user (domain account) is part
of the "Log on as a service" policy on the local machine.
I hope this clarifies what I'm looking for.
Thanks,
Anthony
Darren Mar-Elia said:So do you get back any kind of GPO struct or just nothing? In other words,
you should get a bunch of structs which are the individual GPOs that apply.
In the code below you're asking for any security policy that applies to a
particular domain user, however most security policy (except for stuff like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:Ok, I think I have it coded, but I not sure if it is working right. The
GROUP_POLICY_OBJECT, doesn't seem to contain any details, but it returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size,
domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL, pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.aspThis GUID variable is referring to the client side extension you want to
return information on. For example, if you want to find out what Software
Installation policy was applied, you would pass the GUID of the Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K and
above
box under:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
I'm going to try and use the GetAppliedGPOList(), but I'm not sure how
to set the GUID. I've seen in other postings about get the correct guid
from
the registry, but how do I set the variable? It's probably fairly simple,
just something I've never had to do before.
Thanks,
Anthony
Well, if you just want to get a list of the GPOs that are applying to
a
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History using standard C++ registry APIs. Of course, this has
to
run
in the context of the currently logged on user. Under the History key,
you
get a set of keys organized by Client Side Extension that enumerate
the
GPOs
that have run for each CSE for that user.
Also, you could try calling GetAppliedGPOList(). I've not used it before
but
I suppose that its as good as any other mechanism. Its documented
here:at--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
I need code that will work on Win2000 and higher. I looked up the
RSoPCreateSession() and it only works onWinXP and higher.
Anthony
message
You wouldn't happen to know where I could find some C++
examples
of
what
I want to do?
Thanks,
Anthony
message
If you're really talking APIs, then you can call
RSoPCreateSession
to
generate WMI RSoP logging data yourself, and then you can get
theprocessedRSoP
data that way. If you just want to get the list of GPOs
byloggeda
user,
you can query the registry for that information. Let me know if you
want
details on the keys to look at.
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Go to a command prompt on the computer that the user is
inon
and
type "gpresult"(without quotes). This will list all settings
applied
by
each group policy.
in
message
What API's would I use to check to see if the currently
logged
in
user
is part of a specific policy?
Thanks,
Anthony
D
Darren Mar-Elia
Anthony-
Ok, that is a completely different thing that you're after. There is no way
to query the contents of a GPO programmatically to ask if a particular user
is assigned to a particular policy. What you can do is either:
-- use RSoP to determine what effective policy is on a XP or Win2k3 box
-- query the local SAM on the machine in question to see if your user in
question has been granted the specific right you're after.
In your case, you're probably better off with the 2nd approach. There are
APIs available for this--check out
http://msdn.microsoft.com/library/d...gmt/security/managing_account_permissions.asp
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Ok, that is a completely different thing that you're after. There is no way
to query the contents of a GPO programmatically to ask if a particular user
is assigned to a particular policy. What you can do is either:
-- use RSoP to determine what effective policy is on a XP or Win2k3 box
-- query the local SAM on the machine in question to see if your user in
question has been granted the specific right you're after.
In your case, you're probably better off with the 2nd approach. There are
APIs available for this--check out
http://msdn.microsoft.com/library/d...gmt/security/managing_account_permissions.asp
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:pSid = <void> yet LookupAccountName() returns success, and pGPOList =
null. Something is definately wrong, just not sure what.
What I want to find out is if a specified user (domain account) is part
of the "Log on as a service" policy on the local machine.
I hope this clarifies what I'm looking for.
Thanks,
Anthony
Darren Mar-Elia said:So do you get back any kind of GPO struct or just nothing? In other
words,
you should get a bunch of structs which are the individual GPOs that apply.
In the code below you're asking for any security policy that applies to a
particular domain user, however most security policy (except for stuff like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:Ok, I think I have it coded, but I not sure if it is working right. The
GROUP_POLICY_OBJECT, doesn't seem to contain any details, but it
returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size,
domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL, pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
This GUID variable is referring to the client side extension you want to
return information on. For example, if you want to find out what Software
Installation policy was applied, you would pass the GUID of the Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K and
above
box under:
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
I'm going to try and use the GetAppliedGPOList(), but I'm not
sure
how
to set the GUID. I've seen in other postings about get the correct guid
from
the registry, but how do I set the variable? It's probably fairly
simple,
just something I've never had to do before.
Thanks,
Anthony
message
Well, if you just want to get a list of the GPOs that are applying to
a
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History using standard C++ registry APIs. Of course, this
has
to
run
in the context of the currently logged on user. Under the History key,
you
get a set of keys organized by Client Side Extension that enumerate
the
GPOs
that have run for each CSE for that user.
Also, you could try calling GetAppliedGPOList(). I've not used it
before
but
I suppose that its as good as any other mechanism. Its documented
here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.asp
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
message
I need code that will work on Win2000 and higher. I looked up the
RSoPCreateSession() and it only works onWinXP and higher.
Anthony
message
You wouldn't happen to know where I could find some C++
examples
of
what
I want to do?
Thanks,
Anthony
message
If you're really talking APIs, then you can call
RSoPCreateSession
to
generate WMI RSoP logging data yourself, and then you can get at
the
RSoP
data that way. If you just want to get the list of GPOs processed
by
a
user,
you can query the registry for that information. Let me know
if
you
want
details on the keys to look at.
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Go to a command prompt on the computer that the user is logged
in
on
and
type "gpresult"(without quotes). This will list all
settings
applied
by
each group policy.
"Anthony Hunter" <anthony.hunter@_NOSPAM_.invensys.com>
wrote
in
message
What API's would I use to check to see if the currently
logged
in
user
is part of a specific policy?
Thanks,
Anthony
A
Anthony Hunter
Ok, I'm getting a lot closer, thanks for all the help.
My last problem to solve, is how you properly access an array of
LSA_UNICODE_STRING structures. I'm calling the api
LsaEnumerateAccountRights(), which is returning successfully, and I can
access the first value, but not the rest.
//======================================
PLSA_UNICODE_STRING userRights;
userRights = NULL;
ULONG count = 0;
returnValue = LsaEnumerateAccountRights( policyHandle, pSid, &userRights,
&count );
if ( returnValue != 0 )
{
return;
}
DWORD i;
char p[256] = "";
for ( i = 0; i < count; ++ i )
{
wchar_t *pPolicy = userRights->Buffer;
WideCharToMultiByte( CP_ACP, 0, pPolicy, -1, p, sizeof( p ), NULL,
NULL );
printf( "priv %u: %s\n", i, p );
}
//======================================
Thanks,
Anthony
My last problem to solve, is how you properly access an array of
LSA_UNICODE_STRING structures. I'm calling the api
LsaEnumerateAccountRights(), which is returning successfully, and I can
access the first value, but not the rest.
//======================================
PLSA_UNICODE_STRING userRights;
userRights = NULL;
ULONG count = 0;
returnValue = LsaEnumerateAccountRights( policyHandle, pSid, &userRights,
&count );
if ( returnValue != 0 )
{
return;
}
DWORD i;
char p[256] = "";
for ( i = 0; i < count; ++ i )
{
wchar_t *pPolicy = userRights->Buffer;
WideCharToMultiByte( CP_ACP, 0, pPolicy, -1, p, sizeof( p ), NULL,
NULL );
printf( "priv %u: %s\n", i, p );
}
//======================================
Thanks,
Anthony
Darren Mar-Elia said:Anthony-
Ok, that is a completely different thing that you're after. There is no way
to query the contents of a GPO programmatically to ask if a particular user
is assigned to a particular policy. What you can do is either:
-- use RSoP to determine what effective policy is on a XP or Win2k3 box
-- query the local SAM on the machine in question to see if your user in
question has been granted the specific right you're after.
In your case, you're probably better off with the 2nd approach. There are
APIs available for this--check out
http://msdn.microsoft.com/library/d...gmt/security/managing_account_permissions.asp
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:pSid = <void> yet LookupAccountName() returns success, and pGPOList =
null. Something is definately wrong, just not sure what.
What I want to find out is if a specified user (domain account) is part
of the "Log on as a service" policy on the local machine.
I hope this clarifies what I'm looking for.
Thanks,
Anthony
right.So do you get back any kind of GPO struct or just nothing? In other
words,
you should get a bunch of structs which are the individual GPOs that apply.
In the code below you're asking for any security policy that applies to a
particular domain user, however most security policy (except for stuff like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Ok, I think I have it coded, but I not sure if it is working
ThewantGROUP_POLICY_OBJECT, doesn't seem to contain any details, but it
returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size,
domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL, pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
This GUID variable is referring to the client side extension you
toapplyingreturn information on. For example, if you want to find out what Software
Installation policy was applied, you would pass the GUID of the Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K and
above
box under:
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
I'm going to try and use the GetAppliedGPOList(), but I'm not
sure
how
to set the GUID. I've seen in other postings about get the correct guid
from
the registry, but how do I set the variable? It's probably fairly
simple,
just something I've never had to do before.
Thanks,
Anthony
message
Well, if you just want to get a list of the GPOs that are
tohttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.aspa
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History using standard C++ registry APIs. Of course, this
has
to
run
in the context of the currently logged on user. Under the History key,
you
get a set of keys organized by Client Side Extension that enumerate
the
GPOs
that have run for each CSE for that user.
Also, you could try calling GetAppliedGPOList(). I've not used it
before
but
I suppose that its as good as any other mechanism. Its documented
here:wrote--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
message
I need code that will work on Win2000 and higher. I looked up the
RSoPCreateSession() and it only works onWinXP and higher.
Anthony
message
You wouldn't happen to know where I could find some C++
examples
of
what
I want to do?
Thanks,
Anthony
"Darren Mar-Elia" <[email protected]>
ingetmessage
If you're really talking APIs, then you can call
RSoPCreateSession
to
generate WMI RSoP logging data yourself, and then you can
atthe
RSoP
data that way. If you just want to get the list of GPOs processed
by
a
user,
you can query the registry for that information. Let me know
if
you
want
details on the keys to look at.
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Go to a command prompt on the computer that the user is logged
in
on
and
type "gpresult"(without quotes). This will list all
settings
applied
by
each group policy.
"Anthony Hunter" <anthony.hunter@_NOSPAM_.invensys.com>
wrote
in
message
What API's would I use to check to see if the currently
logged
in
user
is part of a specific policy?
Thanks,
Anthony
D
Darren Mar-Elia
Check out this sample--maybe it will help:
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:Ok, I'm getting a lot closer, thanks for all the help.
My last problem to solve, is how you properly access an array of
LSA_UNICODE_STRING structures. I'm calling the api
LsaEnumerateAccountRights(), which is returning successfully, and I can
access the first value, but not the rest.
//======================================
PLSA_UNICODE_STRING userRights;
userRights = NULL;
ULONG count = 0;
returnValue = LsaEnumerateAccountRights( policyHandle, pSid, &userRights,
&count );
if ( returnValue != 0 )
{
return;
}
DWORD i;
char p[256] = "";
for ( i = 0; i < count; ++ i )
{
wchar_t *pPolicy = userRights->Buffer;
WideCharToMultiByte( CP_ACP, 0, pPolicy, -1, p, sizeof( p ), NULL,
NULL );
printf( "priv %u: %s\n", i, p );
}
//======================================
Thanks,
Anthony
Darren Mar-Elia said:Anthony-
Ok, that is a completely different thing that you're after. There is no way
to query the contents of a GPO programmatically to ask if a particular user
is assigned to a particular policy. What you can do is either:
-- use RSoP to determine what effective policy is on a XP or Win2k3 box
-- query the local SAM on the machine in question to see if your user in
question has been granted the specific right you're after.
In your case, you're probably better off with the 2nd approach. There are
APIs available for this--check out
http://msdn.microsoft.com/library/d...gmt/security/managing_account_permissions.asp
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:pSid = <void> yet LookupAccountName() returns success, and pGPOList =
null. Something is definately wrong, just not sure what.
What I want to find out is if a specified user (domain account) is part
of the "Log on as a service" policy on the local machine.
I hope this clarifies what I'm looking for.
Thanks,
Anthony
So do you get back any kind of GPO struct or just nothing? In other
words,
you should get a bunch of structs which are the individual GPOs that
apply.
In the code below you're asking for any security policy that applies
to a
particular domain user, however most security policy (except for stuff
like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Ok, I think I have it coded, but I not sure if it is working right.
The
GROUP_POLICY_OBJECT, doesn't seem to contain any details, but it
returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size,
domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL,
pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
message
This GUID variable is referring to the client side extension you want
to
return information on. For example, if you want to find out what
Software
Installation policy was applied, you would pass the GUID of the
Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K
and
above
box under:
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
message
I'm going to try and use the GetAppliedGPOList(), but I'm not
sure
how
to set the GUID. I've seen in other postings about get the
correct
guid
from
the registry, but how do I set the variable? It's probably
fairly
simple,
just something I've never had to do before.
Thanks,
Anthony
in
message
Well, if you just want to get a list of the GPOs that are applying
to
a
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History using standard C++ registry APIs. Of course, this
has
to
run
in the context of the currently logged on user. Under the
History
key,
you
get a set of keys organized by Client Side Extension that enumerate
the
GPOs
that have run for each CSE for that user.
Also, you could try calling GetAppliedGPOList(). I've not used
it
before
but
I suppose that its as good as any other mechanism. Its
documented
here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.asp
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
message
I need code that will work on Win2000 and higher. I looked up the
RSoPCreateSession() and it only works onWinXP and higher.
Anthony
message
You wouldn't happen to know where I could find some C++
examples
of
what
I want to do?
Thanks,
Anthony
in
message
If you're really talking APIs, then you can call
RSoPCreateSession
to
generate WMI RSoP logging data yourself, and then you can get
at
the
RSoP
data that way. If you just want to get the list of GPOs
processed
by
a
user,
you can query the registry for that information. Let me
know
if
you
want
details on the keys to look at.
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Go to a command prompt on the computer that the user is
logged
in
on
and
type "gpresult"(without quotes). This will list all
settings
applied
by
each group policy.
"Anthony Hunter" <anthony.hunter@_NOSPAM_.invensys.com>
wrote
in
message
What API's would I use to check to see if the currently
logged
in
user
is part of a specific policy?
Thanks,
Anthony
A
Anthony Hunter
That example did help. Thanks again for all the help! I've got this
working now.
Anthony
working now.
Anthony
Darren Mar-Elia said:Check out this sample--maybe it will help:
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Anthony Hunter said:Ok, I'm getting a lot closer, thanks for all the help.
My last problem to solve, is how you properly access an array of
LSA_UNICODE_STRING structures. I'm calling the api
LsaEnumerateAccountRights(), which is returning successfully, and I can
access the first value, but not the rest.
//======================================
PLSA_UNICODE_STRING userRights;
userRights = NULL;
ULONG count = 0;
returnValue = LsaEnumerateAccountRights( policyHandle, pSid, &userRights,
&count );
if ( returnValue != 0 )
{
return;
}
DWORD i;
char p[256] = "";
for ( i = 0; i < count; ++ i )
{
wchar_t *pPolicy = userRights->Buffer;
WideCharToMultiByte( CP_ACP, 0, pPolicy, -1, p, sizeof( p ), NULL,
NULL );
printf( "priv %u: %s\n", i, p );
}
//======================================
Thanks,
Anthony
http://msdn.microsoft.com/library/d...gmt/security/managing_account_permissions.aspAnthony-
Ok, that is a completely different thing that you're after. There is no way
to query the contents of a GPO programmatically to ask if a particular user
is assigned to a particular policy. What you can do is either:
-- use RSoP to determine what effective policy is on a XP or Win2k3 box
-- query the local SAM on the machine in question to see if your user in
question has been granted the specific right you're after.
In your case, you're probably better off with the 2nd approach. There are
APIs available for this--check outpGPOList--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
pSid = <void> yet LookupAccountName() returns success, and
=http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.aspnull. Something is definately wrong, just not sure what.
What I want to find out is if a specified user (domain account) is part
of the "Log on as a service" policy on the local machine.
I hope this clarifies what I'm looking for.
Thanks,
Anthony
So do you get back any kind of GPO struct or just nothing? In other
words,
you should get a bunch of structs which are the individual GPOs that
apply.
In the code below you're asking for any security policy that applies
to a
particular domain user, however most security policy (except for stuff
like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Ok, I think I have it coded, but I not sure if it is working right.
The
GROUP_POLICY_OBJECT, doesn't seem to contain any details, but it
returns
success. And ideas?
//===================================
void GroupPolicyCheck()
{
char domain[256] = "";
DWORD domainSize = sizeof( domain );
DWORD size = 256;
PSID pSid;
pSid = (PSID) new BYTE[size];
if ( pSid == NULL)
return;
memset(pSid, 0, size);
SID_NAME_USE eSidName;
DWORD err = LookupAccountName( NULL, "DOMAIN\\user", pSid, &size,
domain,
&domainSize, &eSidName );
if ( err == 0 )
err = GetLastError();
if ( IsValidSid( pSid ) == FALSE )
return;
GROUP_POLICY_OBJECT *pGPOList;
// {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security
//{0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}
GUID guid =
{0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
DWORD error = GetAppliedGPOList( GPO_LIST_FLAG_MACHINE, NULL,
pSid,
&guid, &pGPOList );
if ( error == ERROR_SUCCESS )
{
FreeGPOList( pGPOList );
}
FreeSid( pSid );
}
//===================================
Thanks,
Anthony
message
This GUID variable is referring to the client side extension you want
to
return information on. For example, if you want to find out what
Software
Installation policy was applied, you would pass the GUID of the
Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K
and
above
box under:
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
message
I'm going to try and use the GetAppliedGPOList(), but I'm not
sure
how
to set the GUID. I've seen in other postings about get the
correct
guid
from
the registry, but how do I set the variable? It's probably
fairly
simple,
just something I've never had to do before.
Thanks,
Anthony
in
message
Well, if you just want to get a list of the GPOs that are applying
to
a
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History using standard C++ registry APIs. Of course, this
has
to
run
in the context of the currently logged on user. Under the
History
key,
you
get a set of keys organized by Client Side Extension that enumerate
the
GPOs
that have run for each CSE for that user.
Also, you could try calling GetAppliedGPOList(). I've not used
it
before
but
I suppose that its as good as any other mechanism. Its
documented
here:up--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
message
I need code that will work on Win2000 and higher. I looked
thewroteRSoPCreateSession() and it only works onWinXP and higher.
Anthony
"Anthony Hunter" <anthony.hunter@_NOSPAM_.invensys.com>
inmessage
You wouldn't happen to know where I could find some C++
examples
of
what
I want to do?
Thanks,
Anthony
in
message
If you're really talking APIs, then you can call
RSoPCreateSession
to
generate WMI RSoP logging data yourself, and then you can get
at
the
RSoP
data that way. If you just want to get the list of GPOs
processed
by
a
user,
you can query the registry for that information. Let me
know
if
you
want
details on the keys to look at.
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
Go to a command prompt on the computer that the user is
logged
in
on
and
type "gpresult"(without quotes). This will list all
settings
applied
by
each group policy.
"Anthony Hunter" <anthony.hunter@_NOSPAM_.invensys.com>
wrote
in
message
What API's would I use to check to see if the currently
logged
in
user
is part of a specific policy?
Thanks,
Anthony
A
Anthony Hunter
I thought I was done, but I have one more problem to solve. Right now
my check works great for a specific user, but not if that user is part of a
group which is assigned to the policy. Any ideas on how to get that to
work?
Thanks
Anthony
my check works great for a specific user, but not if that user is part of a
group which is assigned to the policy. Any ideas on how to get that to
work?
Thanks
Anthony
D
Darren Mar-Elia
Well, you're probably going to have to get the list of groups the user is a
member of and check that as well as just their account. This is not that
straightforward to chase down, especially in multi-domain environments. In
any case, you're interested in the memberOf attribute on the user object,
which will contain links to the groups they are a direct member of.
member of and check that as well as just their account. This is not that
straightforward to chase down, especially in multi-domain environments. In
any case, you're interested in the memberOf attribute on the user object,
which will contain links to the groups they are a direct member of.
A
Anthony Hunter
Got it working. Used the NetUserGetLocalGroups and NetUserGetGroups
API's. Works like a charm.
Thanks again,
Anthony
API's. Works like a charm.
Thanks again,
Anthony