Exemplo n.º 1
0
        /// <summary>
        /// Removes the given security identifier (SID) from the local Administrators group.
        /// </summary>
        /// <param name="userSid">
        /// The security identifier (SID) to be removed from the local Administrators group.
        /// </param>
        /// <param name="reason">
        /// The reason for the removal.
        /// </param>
        public static void RemoveUser(SecurityIdentifier userSid, RemovalReason reason)
        {
            // TODO: Only do this if the user is a member of the group?

            if ((LocalAdminGroup != null) && (userSid != null))
            {
                SecurityIdentifier[] localAdminSids = GetLocalGroupMembers(LocalAdminGroup.SamAccountName);

                foreach (SecurityIdentifier sid in localAdminSids)
                {
                    if (sid == userSid)
                    {
                        string accountName = GetAccountNameFromSID(userSid);
                        int    result      = RemoveLocalGroupMembers(LocalAdminGroup.SamAccountName, userSid);
                        if (result == 0)
                        {
                            EncryptedSettings encryptedSettings = new EncryptedSettings(EncryptedSettings.SettingsFilePath);
                            encryptedSettings.RemoveUser(userSid);

                            string reasonString = Properties.Resources.RemovalReasonUnknown;
                            switch (reason)
                            {
                            case RemovalReason.ServiceStopped:
                                reasonString = Properties.Resources.RemovalReasonServiceStopped;
                                break;

                            case RemovalReason.Timeout:
                                reasonString = Properties.Resources.RemovalReasonTimeout;
                                break;

                            case RemovalReason.UserLogoff:
                                reasonString = Properties.Resources.RemovalReasonUserLogoff;
                                break;

                            case RemovalReason.UserRequest:
                                reasonString = Properties.Resources.RemovalReasonUserRequest;
                                break;
                            }
                            string message = string.Format(Properties.Resources.UserRemoved, userSid, accountName, reasonString);
                            ApplicationLog.WriteEvent(message, EventID.UserRemovedFromAdminsSuccess, System.Diagnostics.EventLogEntryType.Information);
                        }
                        else
                        {
                            ApplicationLog.WriteEvent(string.Format(Properties.Resources.RemovingUserReturnedError, userSid, accountName, result), EventID.UserRemovedFromAdminsFailure, System.Diagnostics.EventLogEntryType.Warning);
                        }
                    }
                }
            }
        }
Exemplo n.º 2
0
        /// <summary>
        /// Validates that all of the users stored in the on-disk user list
        /// are in the local Adminstrators group if they're supposed to be, and vice-vera.
        /// </summary>
        public static void ValidateAllAddedUsers()
        {
            // Get a list of the users stored in the on-disk list.
            EncryptedSettings encryptedSettings = new EncryptedSettings(EncryptedSettings.SettingsFilePath);

            SecurityIdentifier[] addedUserList = encryptedSettings.AddedUserSIDs;

            // Get a list of the current members of the Administrators group.
            SecurityIdentifier[] localAdminSids = null;
            if ((addedUserList.Length > 0) && (LocalAdminGroup != null))
            {
                localAdminSids = GetLocalGroupMembers(LocalAdminGroup.SamAccountName);
            }

            for (int i = 0; i < addedUserList.Length; i++)
            {
                bool sidFoundInAdminsGroup = false;
                if ((addedUserList[i] != null) && (localAdminSids != null))
                {
                    foreach (SecurityIdentifier sid in localAdminSids)
                    {
                        if (sid == addedUserList[i])
                        {
                            sidFoundInAdminsGroup = true;
                            break;
                        }
                    }

                    AdminGroupManipulator adminGroup = new AdminGroupManipulator();

                    if (sidFoundInAdminsGroup)
                    {  // User's SID was found in the local administrators group.
                        DateTime?expirationTime = encryptedSettings.GetExpirationTime(addedUserList[i]);

                        if (expirationTime.HasValue)
                        {     // The user's rights expire at some point.
                            if (expirationTime.Value > DateTime.Now)
                            { // The user's administrator rights expire in the future.
                              // Nothing to do here, since the user is already in the administrators group.
                            }
                            else
                            { // The user's administrator rights have expired.
                                LocalAdministratorGroup.RemoveUser(addedUserList[i], RemovalReason.Timeout);
                            }
                        }

                        else
                        { // The user's rights never expire.
                            // Get a WindowsIdentity object for the user matching the added user SID.
                            WindowsIdentity sessionIdentity    = null;
                            WindowsIdentity userIdentity       = null;
                            int[]           loggedOnSessionIDs = LsaLogonSessions.LogonSessions.GetLoggedOnUserSessionIds();
                            foreach (int sessionId in loggedOnSessionIDs)
                            {
                                sessionIdentity = LsaLogonSessions.LogonSessions.GetWindowsIdentityForSessionId(sessionId);
                                if ((sessionIdentity != null) && (sessionIdentity.User == addedUserList[i]))
                                {
                                    userIdentity = sessionIdentity;
                                    break;
                                }
                            }

                            if (
                                (Settings.AutomaticAddAllowed != null) &&
                                (Settings.AutomaticAddAllowed.Length > 0) &&
                                (adminGroup.UserIsAuthorized(Settings.AutomaticAddAllowed, Settings.AutomaticAddDenied))
                                )
                            { // The user is an automatically-added user.
                              // Nothing to do here. The user is an automatically-added one, and their rights don't expire.
                            }
                            else
                            { // The user is not an automatically-added user.
                                // Users who are not automatically added should not have non-expiring rights. Remove this user.
                                LocalAdministratorGroup.RemoveUser(addedUserList[i], RemovalReason.Timeout);
                            }
                        }
                    }
                    else
                    { // User's SID was not found in the local administrators group.
                        DateTime?expirationTime = encryptedSettings.GetExpirationTime(addedUserList[i]);

                        if (expirationTime.HasValue)
                        {     // The user's rights expire at some point.
                            if (expirationTime.Value > DateTime.Now)
                            { // The user's administrator rights expire in the future.
                                string accountName = GetAccountNameFromSID(addedUserList[i]);
                                if (Settings.OverrideRemovalByOutsideProcess)
                                {
                                    ApplicationLog.WriteEvent(string.Format(Properties.Resources.UserRemovedByOutsideProcess + " " + Properties.Resources.AddingUserBackToAdministrators, addedUserList[i], string.IsNullOrEmpty(accountName) ? Properties.Resources.UnknownAccount : accountName), EventID.UserRemovedByExternalProcess, System.Diagnostics.EventLogEntryType.Information);
                                    AddUserToAdministrators(addedUserList[i]);
                                }
                                else
                                {
                                    ApplicationLog.WriteEvent(string.Format(Properties.Resources.UserRemovedByOutsideProcess + " " + Properties.Resources.RemovingUserFromList, addedUserList[i], string.IsNullOrEmpty(accountName) ? Properties.Resources.UnknownAccount : accountName), EventID.UserRemovedByExternalProcess, System.Diagnostics.EventLogEntryType.Information);
                                    encryptedSettings.RemoveUser(addedUserList[i]);
                                }
                            }
                            else
                            { // The user's administrator rights have expired.
                              // No need to remove from the administrators group, as we already know the SID
                              // is not present in the group.

                                encryptedSettings.RemoveUser(addedUserList[i]);
                            }
                        }
                        else
                        { // The user's rights never expire.
                            // Get a WindowsIdentity object for the user matching the added user SID.
                            WindowsIdentity sessionIdentity    = null;
                            WindowsIdentity userIdentity       = null;
                            int[]           loggedOnSessionIDs = LsaLogonSessions.LogonSessions.GetLoggedOnUserSessionIds();
                            foreach (int sessionId in loggedOnSessionIDs)
                            {
                                sessionIdentity = LsaLogonSessions.LogonSessions.GetWindowsIdentityForSessionId(sessionId);
                                if ((sessionIdentity != null) && (sessionIdentity.User == addedUserList[i]))
                                {
                                    userIdentity = sessionIdentity;
                                    break;
                                }
                            }

                            if (
                                (Settings.AutomaticAddAllowed != null) &&
                                (Settings.AutomaticAddAllowed.Length > 0) &&
                                (adminGroup.UserIsAuthorized(Settings.AutomaticAddAllowed, Settings.AutomaticAddDenied))
                                )
                            { // The user is an automatically-added user.
                              // The users rights do not expire, but they are an automatically-added user and are missing
                              // from the Administrators group. Add the user back in.

                                AddUserToAdministrators(addedUserList[i]);
                            }
                            else
                            { // The user is not an automatically-added user.
                                // The user is not in the Administrators group now, but they are
                                // listed as having non-expiring rights, even though they are not
                                // automatically added. This should never really happen, but
                                // just in case, we'll remove them from the on-disk user list.
                                encryptedSettings.RemoveUser(addedUserList[i]);
                            }
                        }
                    }
                }
            }
        }