/// <summary>
/// Determine if a principal should be processed.
/// Just a wrapper around Cmdlet.ShouldProcess, with localized string
/// formatting.
/// </summary>
/// <param name="principal">Name of the principal to be removed.</param>
/// <param name="groupName">
/// Name of the group from which the members will be removed.
/// </param>
/// <returns>
/// True if the principal should be processed, false otherwise.
/// </returns>
private bool CheckShouldProcess(LocalPrincipal principal, string groupName)
{
if (principal == null)
{
return(false);
}
string msg = StringUtil.Format(Strings.ActionRemoveGroupMember, principal.ToString());
return(ShouldProcess(groupName, msg));
}
/// <summary>
/// Remove members from a group specified by SID.
/// </summary>
/// <param name="groupSid">
/// A <see cref="SecurityIdentifier"/> object identifying the group
/// from which the members will be removed.
/// </param>
private void ProcessSid(SecurityIdentifier groupSid)
{
foreach (var member in this.Member)
{
LocalPrincipal principal = MakePrincipal(groupSid.ToString(), member);
if (principal != null)
{
var ex = sam.RemoveLocalGroupMember(groupSid, principal);
if (ex != null)
{
WriteError(ex.MakeErrorRecord());
}
}
}
}
/// <summary>
/// Remove members from a group.
/// </summary>
/// <param name="group">
/// A <see cref="LocalGroup"/> object representing the group from which
/// the members will be removed.
/// </param>
private void ProcessGroup(LocalGroup group)
{
string groupId = group.Name ?? group.SID.ToString();
foreach (var member in this.Member)
{
LocalPrincipal principal = MakePrincipal(groupId, member);
if (principal != null)
{
var ex = sam.RemoveLocalGroupMember(group, principal);
if (ex != null)
{
WriteError(ex.MakeErrorRecord());
}
}
}
}
/// <summary>
/// Creates a list of <see cref="LocalPrincipal"/> objects
/// ready to be processed by the cmdlet.
/// </summary>
/// <param name="groupId">
/// Name or SID (as a string) of the group we'll be removing from.
/// This string is used primarily for specifying the target
/// in WhatIf scenarios.
/// </param>
/// <param name="member">
/// LocalPrincipal object to be processed
/// </param>
/// <returns>
/// LocalPrincipal object processed and ready to be removed
/// </returns>
/// <remarks>
/// <para>
/// LocalPrincipal object in the Member parameter may not be complete,
/// particularly those created from a name or a SID string given to the
/// Member cmdlet parameter. The object returned from this method contains at the very least, contain a valid SID.
/// </para>
/// <para>
/// Any Member object provided by name or SID string will be looked up
/// to ensure that such an object exists. If an object is not found,
/// an error message is displayed by PowerShell and null will be returned from this method
/// </para>
/// <para>
/// This method also handles the WhatIf scenario. If the Cmdlet's
/// <b>ShouldProcess</b> method returns false on any Member object
/// </para>
/// </remarks>
private LocalPrincipal MakePrincipal(string groupId, LocalPrincipal member)
{
LocalPrincipal principal = null;
// if the member has a SID, we can use it directly
if (member.SID != null)
{
principal = member;
}
else // otherwise it must have been constructed by name
{
SecurityIdentifier sid = this.TrySid(member.Name);
if (sid != null)
{
member.SID = sid;
principal = member;
}
else
{
try
{
principal = sam.LookupAccount(member.Name);
}
catch (Exception ex)
{
WriteError(ex.MakeErrorRecord());
}
}
}
if (CheckShouldProcess(principal, groupId))
{
return(principal);
}
return(null);
}
/// <summary>
/// Creates a list of <see cref="LocalPrincipal"/> objects
/// ready to be processed by the cmdlet.
/// </summary>
/// <param name="groupId">
/// Name or SID (as a string) of the group we'll be removing from.
/// This string is used primarily for specifying the target
/// in WhatIf scenarios.
/// </param>
/// <param name="member">
/// LocalPrincipal object to be processed
/// </param>
/// <returns>
/// LocalPrincipal object processed and ready to be removed
/// </returns>
/// <remarks>
/// <para>
/// LocalPrincipal object in the Member parameter may not be complete,
/// particularly those created from a name or a SID string given to the
/// Member cmdlet parameter. The object returned from this method contains at the very least, contain a valid SID.
/// </para>
/// <para>
/// Any Member object provided by name or SID string will be looked up
/// to ensure that such an object exists. If an object is not found,
/// an error message is displayed by PowerShell and null will be returned from this method
/// </para>
/// <para>
/// This method also handles the WhatIf scenario. If the Cmdlet's
/// <b>ShouldProcess</b> method returns false on any Member object
/// </para>
/// </remarks>
private LocalPrincipal MakePrincipal(string groupId, LocalPrincipal member)
{
LocalPrincipal principal = null;
// if the member has a SID, we can use it directly
if (member.SID != null)
{
principal = member;
}
else // otherwise it must have been constructed by name
{
SecurityIdentifier sid = this.TrySid(member.Name);
if (sid != null)
{
member.SID = sid;
principal = member;
}
else
{
try
{
principal = sam.LookupAccount(member.Name);
}
catch (Exception ex)
{
WriteError(ex.MakeErrorRecord());
}
}
}
if (CheckShouldProcess(principal, groupId))
return principal;
return null;
}
/// <summary>
/// Determine if a principal should be processed.
/// Just a wrapper around Cmdlet.ShouldProcess, with localized string
/// formatting.
/// </summary>
/// <param name="principal">Name of the principal to be removed.</param>
/// <param name="groupName">
/// Name of the group from which the members will be removed.
/// </param>
/// <returns>
/// True if the principal should be processed, false otherwise.
/// </returns>
private bool CheckShouldProcess(LocalPrincipal principal, string groupName)
{
if (principal == null)
return false;
string msg = StringUtil.Format(Strings.ActionRemoveGroupMember, principal.ToString());
return ShouldProcess(groupName, msg);
}
/// <summary>
/// Remove members from a local group.
/// </summary>
/// <param name="groupSid">
/// A <see cref="SecurityIdentifier"/> object identifying the group from
/// which to remove members
/// </param>
/// <param name="member">
/// An Object of type <see cref="LocalPrincipal"/> identifying
/// the member to be removed.
/// </param>
/// <returns>
/// An Exception object indicating any errors encountered.
/// </returns>
/// <exception cref="GroupNotFoundException">
/// Thrown if the group could not be found.
/// </exception>
internal Exception RemoveLocalGroupMember(SecurityIdentifier groupSid, LocalPrincipal member)
{
context = new Context(ContextOperation.RemoveMember, ContextObjectType.Group, groupSid.ToString(), groupSid);
return RemoveGroupMember(groupSid, member);
}
/// <summary>
/// Remove members from a local group.
/// </summary>
/// <param name="group">
/// A <see cref="LocalGroup"/> object identifying the group from
/// which to remove members
/// </param>
/// <param name="member">
/// An object of type <see cref="LocalPrincipal"/> identifying
/// the member to be removed.
/// </param>
/// <returns>
/// An Exception object indicating any errors encountered.
/// </returns>
/// <exception cref="GroupNotFoundException">
/// Thrown if the group could not be found.
/// </exception>
internal Exception RemoveLocalGroupMember(LocalGroup group, LocalPrincipal member)
{
context = new Context(ContextOperation.RemoveMember, ContextObjectType.Group, group.Name, group);
if (group.SID == null)
context.target = group = GetLocalGroup(group.Name);
return RemoveGroupMember(group.SID, member);
}
/// <summary>
/// Create a <see cref="LocalPrincipal"/> object from information in
/// an AccountInfo object.
/// </summary>
/// <param name="info">
/// An AccountInfo object containing information about the account
/// for which the LocalPrincipal object is being created. This parameter
/// may be null, in which case this method returns null.
/// </param>
/// <returns>
/// A new LocalPrincipal object representing the account, or null if the
/// <paramref name="info"/> parameter is null.
/// </returns>
private LocalPrincipal MakeLocalPrincipalObject(AccountInfo info)
{
if (info == null)
return null; // this is a legitimate case
var rv = new LocalPrincipal(info.ToString());
rv.SID = info.Sid;
rv.PrincipalSource = GetPrincipalSource(info);
switch (info.Use)
{
case SID_NAME_USE.SidTypeAlias: //TODO: is this the right thing to do???
case SID_NAME_USE.SidTypeGroup:
case SID_NAME_USE.SidTypeWellKnownGroup:
rv.ObjectClass = Strings.ObjectClassGroup;
break;
case SID_NAME_USE.SidTypeUser:
rv.ObjectClass = Strings.ObjectClassUser;
break;
default:
rv.ObjectClass = Strings.ObjectClassOther;
break;
}
return rv;
}
/// <summary>
/// Remove members from a group.
/// </summary>
/// <param name="groupSid">
/// A <see cref="SecurityIdentifier"/> object identifying the group from
/// which to remove members
/// </param>
/// <param name="member">
/// An object of type <see cref="LocalPrincipal"/> identifying
/// the member to be removed.
/// </param>
/// <returns>
/// An IEnumerable of Exception objects indicating any errors encountered.
/// </returns>
/// <exception cref="GroupNotFoundException">
/// Thrown if the group could not be found.
/// </exception>
private Exception RemoveGroupMember(SecurityIdentifier groupSid, LocalPrincipal member)
{
var sre = GetGroupSre(groupSid); // We'll let this throw if necessary
IntPtr aliasHandle = IntPtr.Zero;
UInt32 status = SamApi.SamOpenAlias(sre.domainHandle,
Win32.MAXIMUM_ALLOWED,
sre.RelativeId,
out aliasHandle);
ThrowOnFailure(status);
// Now we're processing each member, so any further exceptions will
// be stored in the collection and returned later.
var rv = new List<Exception>();
Exception ex = null;
try
{
var sid = member.SID;
var binarySid = new byte[sid.BinaryLength];
sid.GetBinaryForm(binarySid, 0);
status = SamApi.SamRemoveMemberFromAlias(aliasHandle, binarySid);
ex = MakeException(status,
new Context {
memberId = member.ToString(),
objectId = context.objectId,
operation = context.operation,
target = context.target,
type = context.type
}
);
}
finally
{
if (aliasHandle != IntPtr.Zero)
status = SamApi.SamCloseHandle(aliasHandle);
}
return ex;
}
/// <summary>
/// Add members to a group.
/// </summary>
/// <param name="groupSid">
/// A <see cref="SecurityIdentifier"/> object identifying the group to
/// which to add members.
/// </param>
/// <param name="member">
/// An object of type <see cref="LocalPrincipal"/>identifying
/// the member to be added.
/// </param>
/// <returns>
/// An Exception object indicating any errors encountered.
/// </returns>
/// <exception cref="GroupNotFoundException">
/// Thrown if the group could not be found.
/// </exception>
private Exception AddGroupMember(SecurityIdentifier groupSid, LocalPrincipal member)
{
var sre = GetGroupSre(groupSid); // We'll let this throw if necessary
IntPtr aliasHandle = IntPtr.Zero;
UInt32 status = SamApi.SamOpenAlias(sre.domainHandle,
Win32.MAXIMUM_ALLOWED,
sre.RelativeId,
out aliasHandle);
ThrowOnFailure(status);
Exception ex = null;
try
{
var sid = member.SID;
var binarySid = new byte[sid.BinaryLength];
sid.GetBinaryForm(binarySid, 0);
status = SamApi.SamAddMemberToAlias(aliasHandle, binarySid);
ex = MakeException(status,
new Context
{
memberId = member.ToString(),
objectId = context.objectId,
operation = context.operation,
target = context.target,
type = context.type
}
);
}
finally
{
if (aliasHandle != IntPtr.Zero)
status = SamApi.SamCloseHandle(aliasHandle);
}
return ex;
}
