public static void TreatErrorMessage(DirectoryServicesCOMException e)
{
/** http://www-01.ibm.com/support/docview.wss?uid=swg21290631
* 525 - user not found
* 52e - invalid credentials
* 530 - not permitted to logon at this time
* 531 - not permitted to logon at this workstation
* 532 - password expired
* 533 - account disabled
* 534 - The user has not been granted the requested logon type at this machine
* 701 - account expired
* 773 - user must reset password
* 775 - user account locked */
string msg = e.ExtendedErrorMessage ?? "";
if (msg.Contains("525"))
{
throw new AdException(AdError.UserNotFound, "User Not found (525)", e);
}
if (msg.Contains("52e"))
{
throw new AdException(AdError.IncorrectPassword, "Invalid Credentials (52e)", e);
}
if (msg.Contains("530"))
{
throw new AdException(AdError.NotPermittedToLogonAtThisTime, "Not permitted to logon at this time (530)", e);
}
if (msg.Contains("531"))
{
throw new AdException(AdError.NotPermittedToLogonAtThisWorkstation, "Not permitted to logon at this workstation (531)", e);
}
if (msg.Contains("532"))
{
throw new AdException(AdError.ExpiredPassword, "Expired Password (532)", e);
}
if (msg.Contains("533"))
{
throw new AdException(AdError.AccountDisabled, "Account Disabled (533)", e);
}
if (msg.Contains("534"))
{
throw new AdException(AdError.UserNotGrantedRequestedLogonType, "User has not been granted the requested logon type at this machine (534)", e);
}
if (msg.Contains("701"))
{
throw new AdException(AdError.AccountExpired, "Account Expired (701)", e);
}
if (msg.Contains("773"))
{
throw new AdException(AdError.UserMustResetPassword, "User must Reset Password (733)", e);
}
if (msg.Contains("775"))
{
throw new AdException(AdError.AccountLocked, "User Account Locked (775)", e);
}
throw new AdException("Unkown Error", e);
}
/// <summary>
/// Converts a DirectoryServicesCOMException into more meaningful ICF exception (e.g. AlreadyExistsException).
/// </summary>
///
/// Actually, it is questionable if the exception mapping can be done in a universal way like this,
/// or whether it has to be specific for individual operations (search, create, update, ...). We
/// will see.
public static Exception ComToIcfException(DirectoryServicesCOMException originalException, String message)
{
LOGGER.TraceEvent(TraceEventType.Information, CAT_DEFAULT, "ErrorCode = {0}, ExtendedError = {1}, ExtendedErrorMessage = {2}",
originalException.ErrorCode, originalException.ExtendedError, originalException.ExtendedErrorMessage);
if (originalException.ErrorCode == -2147463168 || // ADS_BAD_PATHNAME
originalException.ErrorCode == -2147016656) // LDAP_NO_SUCH_OBJECT
{
return(new NoSuchAdObjectException(originalException.Message + ": " + message, originalException));
// not sure if the exception is related to the object as a whole, or to some of its attributes
// therefore we don't return UnknownUidException directly
}
else if (originalException.ErrorCode == -2147217911) // ADO_PERMISSION_DENIED
{
return(new PermissionDeniedException(originalException.Message + ": " + message, originalException));
}
else if (originalException.ErrorCode == -2147024891) // ADS_INSUFFICIENT_RIGHTS
{
return(new PermissionDeniedException(originalException.Message + ": " + message, originalException));
}
else if (originalException.ErrorCode == -2147023570) // LDAP_INVALID_CREDENTIALS
{
return(new InvalidCredentialException(originalException.Message + ": " + message, originalException));
}
else if (originalException.ErrorCode == -2147019886) // LDAP_ALREADY_EXISTS
{
return(new AlreadyExistsException(originalException.Message + ": " + message, originalException));
}
else if (originalException.ErrorCode == -2147016691) // LDAP_ATTRIBUTE_OR_VALUE_EXISTS This error occurs primarily when you try to add members to groups that have been members of this group beforehand.
{
return(originalException); // if we returned AlreadyExistsException here the caller might be confused WHAT does 'already exist'
}
else if (originalException.ErrorCode == -2147016657) // LDAP_CONSTRAINT_VIOLATION
{
if (originalException.ExtendedError == 8648)
{
// userPrincipalName already exists; see https://technet.microsoft.com/en-us/library/dn535779.aspx
return(new AlreadyExistsException("UserPrincipalName already exists: " + originalException.Message + ": " + originalException.ExtendedErrorMessage + ": " + message, originalException));
}
else
{
return(originalException); // here will be something like SchemaException when it will be available
}
}
else
{
return(originalException);
}
}
public static string TreatErrorMessage(DirectoryServicesCOMException e, bool isAdmin)
{
/** http://www-01.ibm.com/support/docview.wss?uid=swg21290631
* 525 - user not found
* 52e - invalid credentials
* 530 - not permitted to logon at this time
* 531 - not permitted to logon at this workstation
* 532 - password expired
* 533 - account disabled
* 534 - The user has not been granted the requested logon type at this machine
* 701 - account expired
* 773 - user must reset password
* 775 - user account locked */
string msg = e.ExtendedErrorMessage ?? "";
if (msg.Contains("525"))
{
return(isAdmin? "AdminUserNotFound": "UserNotFound");
}
if (msg.Contains("52e"))
{
return(isAdmin ? "AdminUserPwdError":"UserPwdError");
}
if (msg.Contains("532"))
{
return(isAdmin ? "AdminPwdExpired":"PwdExpired");
}
if (msg.Contains("533"))
{
return(isAdmin ? "AdminActDisabled": "ActDisabled");
}
if (msg.Contains("701"))
{
return(isAdmin ? "AdminActExpired":"ActExpired");
}
if (msg.Contains("775"))
{
return(isAdmin ? "AdminMaxFailedLoginAttempts":"MaxFailedLoginAttempts");
}
return(e.Message);
}
internal static void ResetMachineAccountPassword(string domain, string localMachineName, string server, PSCredential credential, PSCmdlet cmdlet)
{
SAMAPI.LSA_UNICODE_STRING structure;
string userName;
string stringFromSecureString;
string cannotFindMachineAccountFromServer;
DirectoryEntry directoryEntry = null;
DirectoryEntry directoryEntry1 = null;
DirectorySearcher directorySearcher = null;
string randomPassword = null;
string str = server;
string str1 = str;
if (str == null)
{
str1 = domain;
}
string str2 = str1;
try
{
try
{
if (credential != null)
{
userName = credential.UserName;
}
else
{
userName = null;
}
string str3 = userName;
if (credential != null)
{
stringFromSecureString = Utils.GetStringFromSecureString(credential.Password);
}
else
{
stringFromSecureString = null;
}
string str4 = stringFromSecureString;
directoryEntry = new DirectoryEntry(string.Concat("LDAP://", str2), str3, str4, AuthenticationTypes.Secure);
directorySearcher = new DirectorySearcher(directoryEntry);
string[] strArrays = new string[5];
strArrays[0] = "(&(objectClass=computer)(|(cn=";
strArrays[1] = localMachineName;
strArrays[2] = ")(dn=";
strArrays[3] = localMachineName;
strArrays[4] = ")))";
directorySearcher.Filter = string.Concat(strArrays);
SearchResult searchResult = directorySearcher.FindOne();
if (searchResult != null)
{
directoryEntry1 = searchResult.GetDirectoryEntry();
randomPassword = ComputerWMIHelper.GetRandomPassword(120);
object[] objArray = new object[1];
objArray[0] = randomPassword;
directoryEntry1.Invoke("SetPassword", objArray);
directoryEntry1.Properties["LockOutTime"].Value = 0;
}
else
{
if (server != null)
{
cannotFindMachineAccountFromServer = ComputerResources.CannotFindMachineAccountFromServer;
}
else
{
cannotFindMachineAccountFromServer = ComputerResources.CannotFindMachineAccountFromDomain;
}
string str5 = cannotFindMachineAccountFromServer;
string str6 = StringUtil.Format(str5, str2);
ErrorRecord errorRecord = new ErrorRecord(new InvalidOperationException(str6), "CannotFindMachineAccount", ErrorCategory.OperationStopped, localMachineName);
cmdlet.ThrowTerminatingError(errorRecord);
}
}
#if !MONO
catch (DirectoryServicesCOMException directoryServicesCOMException1)
{
DirectoryServicesCOMException directoryServicesCOMException = directoryServicesCOMException1;
string str7 = StringUtil.Format(ComputerResources.FailToResetPasswordOnDomain, directoryServicesCOMException.Message);
ErrorRecord errorRecord1 = new ErrorRecord(new InvalidOperationException(str7), "FailToResetPasswordOnDomain", ErrorCategory.OperationStopped, localMachineName);
cmdlet.ThrowTerminatingError(errorRecord1);
}
#endif
catch (TargetInvocationException targetInvocationException1)
{
TargetInvocationException targetInvocationException = targetInvocationException1;
string str8 = StringUtil.Format(ComputerResources.FailToResetPasswordOnDomain, targetInvocationException.InnerException.Message);
ErrorRecord errorRecord2 = new ErrorRecord(new InvalidOperationException(str8), "FailToResetPasswordOnDomain", ErrorCategory.OperationStopped, localMachineName);
cmdlet.ThrowTerminatingError(errorRecord2);
}
catch (COMException cOMException1)
{
COMException cOMException = cOMException1;
string str9 = StringUtil.Format(ComputerResources.FailToResetPasswordOnDomain, cOMException.Message);
ErrorRecord errorRecord3 = new ErrorRecord(new InvalidOperationException(str9), "FailToResetPasswordOnDomain", ErrorCategory.OperationStopped, localMachineName);
cmdlet.ThrowTerminatingError(errorRecord3);
}
}
finally
{
if (directoryEntry != null)
{
directoryEntry.Close();
directoryEntry.Dispose();
}
if (directorySearcher != null)
{
directorySearcher.Dispose();
}
if (directoryEntry1 != null)
{
directoryEntry1.Close();
directoryEntry1.Dispose();
}
}
SAMAPI.LSA_OBJECT_ATTRIBUTES zero = new SAMAPI.LSA_OBJECT_ATTRIBUTES();
zero.RootDirectory = IntPtr.Zero;
zero.ObjectName = IntPtr.Zero;
zero.Attributes = 0;
zero.SecurityDescriptor = IntPtr.Zero;
zero.SecurityQualityOfService = IntPtr.Zero;
zero.Length = Marshal.SizeOf(typeof(SAMAPI.LSA_OBJECT_ATTRIBUTES));
IntPtr intPtr = IntPtr.Zero;
IntPtr zero1 = IntPtr.Zero;
IntPtr intPtr1 = IntPtr.Zero;
SAMAPI.LSA_UNICODE_STRING lSAUNICODESTRING = new SAMAPI.LSA_UNICODE_STRING();
lSAUNICODESTRING.Buffer = IntPtr.Zero;
SAMAPI.LSA_UNICODE_STRING lSAUNICODESTRING1 = lSAUNICODESTRING;
SAMAPI.LSA_UNICODE_STRING zero2 = new SAMAPI.LSA_UNICODE_STRING();
zero2.Buffer = IntPtr.Zero;
SAMAPI.LSA_UNICODE_STRING lSAUNICODESTRING2 = zero2;
SAMAPI.LSA_UNICODE_STRING zero3 = new SAMAPI.LSA_UNICODE_STRING();
zero3.Buffer = IntPtr.Zero;
zero3.Length = 0;
zero3.MaximumLength = 0;
try
{
uint num = SAMAPI.LsaOpenPolicy(ref zero3, ref zero, 0xf0fff, out intPtr);
if (num == -1073741790)
{
string needAdminPrivilegeToResetPassword = ComputerResources.NeedAdminPrivilegeToResetPassword;
ErrorRecord errorRecord4 = new ErrorRecord(new InvalidOperationException(needAdminPrivilegeToResetPassword), "UnauthorizedAccessException", ErrorCategory.InvalidOperation, localMachineName);
cmdlet.ThrowTerminatingError(errorRecord4);
}
if (num != 0)
{
ResetComputerMachinePasswordCommand.ThrowOutLsaError(num, cmdlet);
}
SAMAPI.InitLsaString("$MACHINE.ACC", ref lSAUNICODESTRING1);
SAMAPI.InitLsaString(randomPassword, ref lSAUNICODESTRING2);
bool flag = false;
num = SAMAPI.LsaOpenSecret(intPtr, ref lSAUNICODESTRING1, 3, out zero1);
if (num == -1073741772)
{
num = SAMAPI.LsaCreateSecret(intPtr, ref lSAUNICODESTRING1, 1, out zero1);
flag = true;
}
if (num != 0)
{
ResetComputerMachinePasswordCommand.ThrowOutLsaError(num, cmdlet);
}
if (!flag)
{
num = SAMAPI.LsaQuerySecret(zero1, out intPtr1, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
if (num != 0)
{
ResetComputerMachinePasswordCommand.ThrowOutLsaError(num, cmdlet);
}
structure = (SAMAPI.LSA_UNICODE_STRING)Marshal.PtrToStructure(intPtr1, typeof(SAMAPI.LSA_UNICODE_STRING));
}
else
{
structure = lSAUNICODESTRING2;
}
num = SAMAPI.LsaSetSecret(zero1, ref lSAUNICODESTRING2, ref structure);
if (num != 0)
{
ResetComputerMachinePasswordCommand.ThrowOutLsaError(num, cmdlet);
}
}
finally
{
if (intPtr1 != IntPtr.Zero)
{
SAMAPI.LsaFreeMemory(intPtr1);
}
if (intPtr != IntPtr.Zero)
{
SAMAPI.LsaClose(intPtr);
}
if (zero1 != IntPtr.Zero)
{
SAMAPI.LsaClose(zero1);
}
SAMAPI.FreeLsaString(ref lSAUNICODESTRING1);
SAMAPI.FreeLsaString(ref lSAUNICODESTRING2);
}
}
