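Permissions and privileges are a very large topic, so I have only picked out the parts I actually needed.
Everything is well documented on MSDN, but most of the functions take WCHAR arguments, so this is simply
a thin wrapper around them. ^^;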
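1. User area
-> create user, delete user, list users, change password, list the groups a user belongs to, user information, etc.
2. Group area
-> create group, delete group, list groups, add a user to a group, remove a user from a group, etc.
3. Privilege area
-> get a user's SID, convert a SID to a string, get the current user's privileges,
enable/disable a privilege, list the privileges held by a process, elevate privileges,
get the owner of a process, and so on...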
// Policy.h: interface for the CPolicy class.
//
//////////////////////////////////////////////////////////////////////
#if !defined(AFX_POLICY_H__8DE86AF1_C525_4546_A661_0FC4D12902EF__INCLUDED_)
#define AFX_POLICY_H__8DE86AF1_C525_4546_A661_0FC4D12902EF__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
#define RTN_OK 0
#define RTN_USAGE 1
#define RTN_ERROR 13
#include <windows.h> // must come before ntsecapi.h and lm.h
#include <ntsecapi.h>
#include <vector>
#include <comutil.h>
#include <lm.h>
#include <sddl.h>
namespace CLM // Control Local Machine
{
LPCTSTR GetLogonUser();
LPCTSTR GetHostName();
LPCTSTR GetDomainName();
LPWCH MBtoWC(LPCTSTR src, PWCHAR dst, int dstlen);
LPTSTR WCtoMB(LPCWCH src, LPTSTR dst, int dstlen);
void InitLsaString(PLSA_UNICODE_STRING LsaString, LPWSTR String);
NTSTATUS OpenPolicy(
LPCTSTR ServerName, // machine to open policy
DWORD DesiredAccess, // desired access to policy
PLSA_HANDLE PolicyHandle); // resultant policy handle; release with LsaClose(PolicyHandle)
NTSTATUS OpenPolicy(
PLSA_HANDLE PolicyHandle); // resultant policy handle; release with LsaClose(PolicyHandle)
BOOL GetUserSid(
LPCTSTR servername, // where to lookup account
LPCTSTR username, // account of interest
PSID *Sid); // resultant buffer containing SID; free with HeapFree(GetProcessHeap(), 0, pSid)
BOOL GetCurrentUserSid(
PSID *pSid); // resultant buffer containing SID; free with HeapFree(GetProcessHeap(), 0, pSid)
BOOL GetSIDToString(PSID sid, LPTSTR& strstring);
namespace USER
{
/* Declared in Lmaccess.h; include Lm.h. Use Netapi32.lib.
NetUserAdd Adds a user account and assigns a password and privilege level.
NetUserChangePassword Changes a user's password for a specified network server or domain.
NetUserDel Deletes a user account from the server.
NetUserEnum Lists all user accounts on a server.
NetUserGetGroups Returns a list of global group names to which a user belongs.
NetUserGetInfo Returns information about a particular user account on a server.
NetUserGetLocalGroups Returns a list of local group names to which a user belongs.
NetUserSetGroups Sets global group memberships for a specified user account.
NetUserSetInfo Sets the password and other elements of a user account.
*/
NET_API_STATUS NetUserAdd(
LPCTSTR servername, // NULL is localcomputer
LPCTSTR username, // Not NULL
LPCTSTR password, // allow NULL
LPCTSTR comment, // allow NULL
DWORD privilege, // USER_PRIV_GUEST, USER_PRIV_USER, USER_PRIV_ADMIN
DWORD flags); // account restrictions: UF_SCRIPT | UF_DONT_EXPIRE_PASSWD, etc.
NET_API_STATUS NetUserChangePassword(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR username, // NULL is current logon user
LPCTSTR oldpassword, // current password, Not NULL
LPCTSTR newpassword); // new password, Not NULL
NET_API_STATUS NetUserDel(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR username); // Not NULL
NET_API_STATUS NetUserEnum(
LPCTSTR domainname, // NULL is localcomputer
LPDWORD dwCount, // user count
LPUSER_INFO_20& userinfos); // user info array; free with NetApiBufferFree(userinfos)
NET_API_STATUS NetUserGetGroups(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR username, // NULL is current user
std::vector<_bstr_t>& parray); // global group name array
NET_API_STATUS NetUserGetInfo(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR username, // NULL is current user
LPUSER_INFO_20& userinfos); // user info; free with NetApiBufferFree(userinfos)
NET_API_STATUS NetUserGetLocalGroups(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR username, // NULL is current user
std::vector<_bstr_t>& parray); // local group name array
NET_API_STATUS NetUserSetGroups(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR username, // NULL is current user
LPCTSTR groupname); // Not NULL, global groupname
}
namespace GROUP
{
/* Declared in Lmaccess.h; include Lm.h. Use Netapi32.lib.
NetLocalGroupAdd Creates a local group.
NetLocalGroupAddMembers Adds one or more users or global groups to an existing local group.
NetLocalGroupDel Deletes a local group, removing all existing members from the group.
NetLocalGroupDelMembers Removes one or more members from an existing local group.
NetLocalGroupEnum Returns information about each local group account on a server.
NetLocalGroupGetInfo Returns information about a particular local group account on a server.
NetLocalGroupGetMembers Lists all members of a specified local group.
NetLocalGroupSetInfo Sets general information about a local group.
NetLocalGroupSetMembers Assigns members to a local group.
*/
NET_API_STATUS NetLocalGroupAdd(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR groupname, // Not NULL, groupname
LPCTSTR comment); // Allow NULL
NET_API_STATUS NetLocalGroupAddMembers(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR groupname, // Not NULL, groupname
LPCTSTR username); // Not NULL, username
NET_API_STATUS NetLocalGroupDel(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR groupname); // Not NULL, groupname
NET_API_STATUS NetLocalGroupDelMembers(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR groupname, // Not NULL, groupname
LPCTSTR username); // Not NULL, username
NET_API_STATUS NetLocalGroupEnum(
LPCTSTR domainname, // NULL is localcomputer
LPDWORD dwCount, // group count
PLOCALGROUP_INFO_1& groupinfo); // group info array; free with NetApiBufferFree(groupinfo)
NET_API_STATUS NetLocalGroupGetInfo(
LPCTSTR domainname, // NULL is localcomputer
LPCTSTR groupname, // Not NULL, groupname
PLOCALGROUP_INFO_1& groupinfo); // group info; free with NetApiBufferFree(groupinfo)
};
namespace PRIVILEGE
{
// Enables/disables the given privilege on the current process.
BOOL SetProcessPrivilege(
LPCTSTR lpszPrivilege, // privilege to enable or disable
BOOL bEnablePrivilege); // TRUE to enable, FALSE to disable
// Adds a specific privilege to a user account.
NTSTATUS SetPrivilegeOnAccount(
LSA_HANDLE PolicyHandle, // open policy handle
PSID AccountSid, // SID to grant privilege to
LPWSTR PrivilegeName, // privilege to grant (Unicode)
BOOL bEnable); // enable or disable
// Retrieves the additional privileges assigned to the given user.
// To get the user's ordinary privileges, take a process started by that user
// and call GetPrivilegeFromProcessHandle below.
NTSTATUS EnumPrivilegeOnAccount(
LSA_HANDLE PolicyHandle, // open policy handle
PSID AccountSid, // SID whose privileges are enumerated
std::vector<_bstr_t>& parray); // privileges array
// Gets the user name from a process handle.
BOOL GetUserFromProcessHandle(
LPTSTR AccountName, // account of interest
DWORD* cbName, // string buffer length
HANDLE hProcess = NULL); // process handle, NULL is owner process
// Gets the user name from a process ID.
BOOL GetUserFromProcessID(
LPTSTR AccountName, // account of interest
DWORD* cbName, // string buffer length
DWORD nProcessID = 0xFFFFFFFF); // process id, 0xFFFFFFFF is owner process
// Gets the list of privileges set on a process, using its process handle.
BOOL GetPrivilegeFromProcessHandle(
std::vector<_bstr_t>& parray, // privileges array
HANDLE hProcess = NULL); // process handle, NULL is owner process
// Gets the list of privileges set on a process, using its process ID.
BOOL GetPrivilegeFromProcessID(
std::vector<_bstr_t>& parray, // privileges array
DWORD nProcessID = 0xFFFFFFFF); // process id, 0xFFFFFFFF is owner process
};
};
#endif // !defined(AFX_POLICY_H__8DE86AF1_C525_4546_A661_0FC4D12902EF__INCLUDED_)
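
The header only declares GetSIDToString and its implementation is not shown, so as an added illustration (not the author's code) here is a portable parser for the binary SID layout that produces the S-1-... string such a conversion has to return. The name SidBytesToString and the sample bytes are made up for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Binary SID layout (MS-DTYP): byte 0 revision (1), byte 1 sub-authority count
// (max 15), bytes 2..7 identifier authority (48-bit big-endian), followed by
// count x 32-bit little-endian sub-authorities.
// Hypothetical helper: returns "" for malformed input, never reads past len.
std::string SidBytesToString(const uint8_t* p, size_t len)
{
    const size_t kHeader = 8, kMaxSubAuth = 15;
    if (p == nullptr || len < kHeader) return "";
    if (p[0] != 1) return "";                        // unknown revision
    const size_t count = p[1];
    if (count > kMaxSubAuth) return "";
    if (len < kHeader + 4 * count) return "";        // truncated SID

    uint64_t authority = 0;
    for (size_t i = 2; i < 8; ++i) authority = (authority << 8) | p[i];

    std::string out = "S-1-";
    if (authority < (1ULL << 32)) {
        out += std::to_string(authority);
    } else {
        // authorities of 2^32 and above are written as 0x + 12 hex digits
        static const char hex[] = "0123456789ABCDEF";
        out += "0x";
        for (int shift = 44; shift >= 0; shift -= 4)
            out += hex[(authority >> shift) & 0xF];
    }
    for (size_t i = 0; i < count; ++i) {
        const uint8_t* s = p + kHeader + 4 * i;
        uint32_t sub = uint32_t(s[0]) | uint32_t(s[1]) << 8 |
                       uint32_t(s[2]) << 16 | uint32_t(s[3]) << 24;
        out += "-" + std::to_string(sub);
    }
    return out;
}

// Constructed sample: well-known BUILTIN\Administrators, S-1-5-32-544
static const uint8_t kAdminsSid[] = {
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,   // rev, count, authority 5
    0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 }; // 32, 544

int main()
{
    std::puts(SidBytesToString(kAdminsSid, sizeof kAdminsSid).c_str());
    return 0;
}
```

The length and count checks matter when the bytes come from an untrusted source such as a parsed security descriptor or an event record rather than from the local API.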