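/// <summary>
/// Reconciles the list of principals that Make Me Admin is tracking against the actual
/// membership of the local Administrators group.
/// </summary>
/// <remarks>
/// For every tracked SID that has an expiration time, one of four situations applies:
/// <list type="bullet">
/// <item>In the group and the expiration is still in the future: nothing to do.</item>
/// <item>In the group and the expiration has passed: the principal is removed from the group
/// with <c>RemovalReason.Timeout</c>.</item>
/// <item>Not in the group and the expiration is still in the future: an outside process removed
/// the principal. Depending on <c>Settings.OverrideRemovalByOutsideProcess</c> it is either added
/// back to the group or dropped from the tracked list.</item>
/// <item>Not in the group and the expiration has passed: the principal is dropped from the tracked list.</item>
/// </list>
/// A tracked principal with no expiration time is left untouched in every case (see the TODO in the body).
/// If the local Administrators group cannot be resolved (<c>LocalAdminGroup</c> is null) or its
/// membership cannot be read, no reconciliation is performed at all.
/// </remarks>
public static void ValidateAllAddedPrincipals()
{
    SecurityIdentifier[] addedSids = PrincipalList.GetSIDs();

    SecurityIdentifier[] localAdminSids = null;
    if ((addedSids.Length > 0) && (LocalAdminGroup != null))
    {
        localAdminSids = GetLocalGroupMembers(null, LocalAdminGroup.SamAccountName);
    }

    // Without a readable group membership there is nothing to compare against, so every SID is skipped.
    if (localAdminSids == null)
    {
        return;
    }

    for (int i = 0; i < addedSids.Length; i++)
    {
        SecurityIdentifier trackedSid = addedSids[i];
        if (trackedSid == null)
        {
            continue;
        }

        // Look the expiration up once per SID rather than once per comparison.
        DateTime? expiration = PrincipalList.GetExpirationTime(trackedSid);
        if (!expiration.HasValue)
        {
            // TODO: A tracked principal with no expiration time is left alone whether or not it is
            // still in the group. The intent was to treat "in the group with no expiration" as an
            // anomaly and remove the principal, but that must first account for principals that are
            // legitimately added without an expiration time.
            continue;
        }

        // NOTE(review): the comparison is done in local time (DateTime.Now); whether the stored
        // expiration values are local or UTC is not visible from this method — confirm in PrincipalList.
        bool rightsStillValid = expiration.Value > DateTime.Now;
        bool inAdminsGroup = Array.IndexOf(localAdminSids, trackedSid) >= 0;

        if (inAdminsGroup)
        {
            if (!rightsStillValid)
            {
                // The principal's administrator rights have expired while it is still a group member.
#if DEBUG
                string accountName = GetAccountNameFromSID(trackedSid);
                ApplicationLog.WriteInformationEvent(string.Format("Principal {0} ({1}) has timed out. Removing the principal from the Administrators group.", trackedSid, string.IsNullOrEmpty(accountName) ? "unknown account" : accountName), EventID.DebugMessage);
#endif
                LocalAdministratorGroup.RemovePrincipal(trackedSid, RemovalReason.Timeout);
            }
            // Otherwise the rights expire in the future and the principal is already in the group: nothing to do.
        }
        else if (rightsStillValid)
        {
            // The principal's rights are still valid, so something outside Make Me Admin removed it from the group.
            string accountName = GetAccountNameFromSID(trackedSid);
            string displayName = string.IsNullOrEmpty(accountName) ? "unknown account" : accountName;

            if (Settings.OverrideRemovalByOutsideProcess)
            {
                // TODO: i18n.
                ApplicationLog.WriteInformationEvent(string.Format("Principal {0} ({1}) has been removed from the Administrators group by an outside process. Adding the principal back to the Administrators group.", trackedSid, displayName), EventID.PrincipalRemovedByExternalProcess);
                AddPrincipalToAdministrators(trackedSid, null);
            }
            else
            {
                // TODO: i18n.
                ApplicationLog.WriteInformationEvent(string.Format("Principal {0} ({1}) has been removed from the Administrators group by an outside process. Removing the principal from Make Me Admin's list.", trackedSid, displayName), EventID.PrincipalRemovedByExternalProcess);
                RemoveSidFromTrackedList(trackedSid);
            }
        }
        else
        {
            // Expired and already absent from the group: only the tracked list needs updating.
#if DEBUG
            ApplicationLog.WriteInformationEvent(string.Format("Removing SID \"{0}\" from the principal list.", trackedSid), EventID.DebugMessage);
#endif
            RemoveSidFromTrackedList(trackedSid);
        }
    }
}

/// <summary>
/// Drops a SID from the tracked principal list and writes the remaining SIDs back to <c>Settings.SIDs</c>.
/// </summary>
/// <param name="sid">The SID to stop tracking.</param>
private static void RemoveSidFromTrackedList(SecurityIdentifier sid)
{
    PrincipalList.RemoveSID(sid);
    Settings.SIDs = PrincipalList.GetSIDs().Select(p => p.Value).ToArray<string>();
}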
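/// <summary>
/// Reacts to session logon and logoff notifications from the Service Control Manager.
/// </summary>
/// <param name="changeDescription">The session change, including its reason and session ID.</param>
/// <remarks>
/// On <see cref="SessionChangeReason.SessionLogoff"/>, every tracked principal that no longer owns
/// any logon session is removed from the Administrators group (subject to the rules documented on
/// <c>RemoveRightsForLoggedOffPrincipals</c>). The whole set of logon sessions is consulted rather than
/// only <see cref="SessionChangeDescription.SessionId"/>, because the per-session lookup was found not to
/// work at logoff time (per the original author's note).
/// On <see cref="SessionChangeReason.SessionLogon"/>, the logging-on user is granted administrator rights
/// when <c>Settings.AutomaticAddAllowed</c> is configured and authorizes that user.
/// Remote connect/disconnect and lock/unlock notifications are not handled.
/// </remarks>
protected override void OnSessionChange(SessionChangeDescription changeDescription)
{
    switch (changeDescription.Reason)
    {
        // The user has logged off from a session, either locally or remotely.
        case SessionChangeReason.SessionLogoff:
#if DEBUG
            ApplicationLog.WriteInformationEvent(string.Format("Session {0} has logged off.", changeDescription.SessionId), EventID.DebugMessage);
#endif
            RemoveRightsForLoggedOffPrincipals();
            break;

        // The user has logged on to a session, either locally or remotely.
        case SessionChangeReason.SessionLogon:
#if DEBUG
            // TODO: i18n.
            ApplicationLog.WriteInformationEvent(string.Format("Session logon. Session ID: {0}", changeDescription.SessionId), EventID.SessionChangeEvent);
#endif
            AutomaticallyAddLoggedOnUser(changeDescription.SessionId);
            break;
    }

    base.OnSessionChange(changeDescription);
}

/// <summary>
/// Removes administrator rights from every tracked principal that no longer owns a logon session.
/// </summary>
/// <remarks>
/// The candidate set starts as all tracked SIDs; each SID that still owns a logon session is dropped
/// from it. A remaining principal is removed from the group only if it is not tracked as a remote
/// addition (<c>PrincipalList.IsRemote</c>), and only when <c>Settings.RemoveAdminRightsOnLogout</c>
/// is enabled or the principal has no expiration time.
/// </remarks>
private static void RemoveRightsForLoggedOffPrincipals()
{
    var sidsToRemove = new System.Collections.Generic.List<SecurityIdentifier>(PrincipalList.GetSIDs());

    // Anyone who still has a logon session keeps their rights for now.
    int[] sessionIds = LsaLogonSessions.LogonSessions.GetLoggedOnUserSessionIds();
    foreach (int sessionId in sessionIds)
    {
        SecurityIdentifier activeSid = LsaLogonSessions.LogonSessions.GetSidForSessionId(sessionId);
        if (activeSid != null)
        {
            // List<T>.Remove is a no-op when the item is absent, so no Contains() pre-check is needed.
            sidsToRemove.Remove(activeSid);
        }
    }

    // sidsToRemove is a private copy, so removing principals while iterating it is safe.
    foreach (SecurityIdentifier sid in sidsToRemove)
    {
        bool addedRemotely = PrincipalList.ContainsSID(sid) && PrincipalList.IsRemote(sid);
        bool removeOnLogoff = Settings.RemoveAdminRightsOnLogout || !PrincipalList.GetExpirationTime(sid).HasValue;
        if (!addedRemotely && removeOnLogoff)
        {
            LocalAdministratorGroup.RemovePrincipal(sid, RemovalReason.UserLogoff);
        }
    }
}

/// <summary>
/// Grants administrator rights to the user who just logged on, if automatic adding is configured
/// and the user passes the allow/deny check.
/// </summary>
/// <param name="sessionId">The ID of the session that logged on.</param>
private static void AutomaticallyAddLoggedOnUser(int sessionId)
{
    WindowsIdentity userIdentity = LsaLogonSessions.LogonSessions.GetWindowsIdentityForSessionId(sessionId);
    if (userIdentity == null)
    {
        // TODO: i18n.
        ApplicationLog.WriteWarningEvent("User identity is null.", EventID.DebugMessage);
        return;
    }

    // An empty or missing allow list disables automatic adding entirely; the deny list is only
    // consulted once an allow list exists.
    bool automaticAddConfigured = (Settings.AutomaticAddAllowed != null) && (Settings.AutomaticAddAllowed.Length > 0);
    if (automaticAddConfigured && Shared.UserIsAuthorized(userIdentity, Settings.AutomaticAddAllowed, Settings.AutomaticAddDenied))
    {
#if DEBUG
        ApplicationLog.WriteInformationEvent("User is allowed to be automatically added!", EventID.DebugMessage);
#endif
        LocalAdministratorGroup.AddPrincipal(userIdentity, null, null);
    }
}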