From b4b7785b455bd78db9db5e5852e2df34231b9362 Mon Sep 17 00:00:00 2001 From: Bryan Berns Date: Fri, 12 Aug 2016 20:00:08 -0400 Subject: [PATCH] Adjusted /RemoveOrphan,/MigrateDomain Messages --- Functions.h | 4 ++-- Helpers.cpp | 2 +- OperationHelp.cpp | 16 ++++++++++++---- OperationMigrateDomain.cpp | 3 +++ OperationRemoveOrphan.cpp | 5 +++-- repacls.vcxproj | 6 ++++-- 6 files changed, 25 insertions(+), 11 deletions(-) diff --git a/Functions.h b/Functions.h index 1616ece..d82979d 100644 --- a/Functions.h +++ b/Functions.h @@ -7,8 +7,8 @@ // helper functions VOID EnablePrivs(); const PSID GetSidFromName(std::wstring & sAccountName); -std::wstring GetNameFromSid(const PSID tSid, bool * bMarkAsOrphan); -std::wstring GetNameFromSidEx(const PSID tSid); +std::wstring GetNameFromSid(const PSID tSid, bool * bMarkAsOrphan = nullptr); +std::wstring GetNameFromSidEx(const PSID tSid, bool * bMarkAsOrphan = nullptr); std::wstring GenerateAccessMask(DWORD iCurrentMask); std::wstring GenerateInheritanceFlags(DWORD iCurrentFlags); HANDLE RegisterFileHandle(HANDLE hFile, std::wstring sOperation); diff --git a/Helpers.cpp b/Helpers.cpp index de78c9e..7c7951d 100644 --- a/Helpers.cpp +++ b/Helpers.cpp @@ -150,7 +150,7 @@ std::wstring GetNameFromSid(const PSID tSid, bool * bMarkAsOrphan) return sFullName; } -std::wstring GetNameFromSidEx(const PSID tSid) +std::wstring GetNameFromSidEx(const PSID tSid, bool * bMarkAsOrphan) { // if sid is resolvable then return the account name std::wstring sName = GetNameFromSid(tSid, NULL); diff --git a/OperationHelp.cpp b/OperationHelp.cpp index 0d743d6..4ad5114 100644 --- a/OperationHelp.cpp +++ b/OperationHelp.cpp @@ -12,7 +12,7 @@ ClassFactory * OperationHelp::RegisteredFactoryAltTwo = OperationHelp::OperationHelp(std::queue & oArgList) : Operation(oArgList) { std::wcout << -LR"( + LR"( repacls.exe /Path ... other options .... Repacls was developed to address large scale migrations, transitions, health 
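Review bot: In the Helpers.cpp hunk, GetNameFromSidEx gains the `bMarkAsOrphan` parameter but its visible first statement still calls `GetNameFromSid(tSid, NULL)`, and the diffstat shows only this one line changed in Helpers.cpp, so the new out-parameter is apparently never written. The second OperationRemoveOrphan.cpp hunk now depends on it: `bIsOrphan` starts as false, is passed to `GetNameFromSidEx`, and the function returns `SidActionResult::Nothing` while it is still false, so /RemoveOrphan would leave every orphaned SID in place while appearing to run cleanly. Forward the pointer with `std::wstring sName = GetNameFromSid(tSid, bMarkAsOrphan);`, which also avoids mixing `NULL` with the `nullptr` defaults added in Functions.h. The rest of GetNameFromSidEx lies outside the hunk, so confirm that no later path needs to set the flag as well.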
@@ -52,6 +52,14 @@ or end of your command as to not confuse them with ordered parameters. computer name. To include hidden, non-administrative shares, append :IncludeHidden to the computer name. +/DomainPaths [:AdminOnly|IncludeHidden|StopOnError] + Specifies a domain to scan for member servers that should be processed. + For each server that is found, a /SharePaths command is processed + for that particular server. This takes the same extra parameters as + /SharePaths including another option StopOnError to stop processing if + the shares of any particular computer can not be read; if not specified + an error will be shown on the screen but processing will continue. + /Quiet Hides all non-error output. This option will greatly enhance performance if a large number of changes are being processed. Alternatively, it is @@ -165,7 +173,10 @@ Commands That Can Alter Security (When /WhatIf Is Not Present) /ReplaceAccount Search for an account and replace it with another account. +)"; +std::wcout << +LR"( /Report This command will write a comma separated value file with the fields of filename, security descriptor part (e.g., DACL), account name, permissions, @@ -175,10 +186,7 @@ Commands That Can Alter Security (When /WhatIf Is Not Present) An optional qualifier after regular expression can be specified after the regular expression to refine what part of the security descriptor to scan. See Other Notes & Limitations section for more information. -)"; -std::wcout << -LR"( /SetOwner Will set the owner of the file to the name specified. diff --git a/OperationMigrateDomain.cpp b/OperationMigrateDomain.cpp index f41abb0..16a4cc3 100644 --- a/OperationMigrateDomain.cpp +++ b/OperationMigrateDomain.cpp 
@@ -63,6 +63,9 @@ SidActionResult OperationMigrateDomain::DetermineSid(WCHAR * const sSdPart, Obje std::wstring sTargetAccountName = sTargetDomain + (wcsstr(sSourceAccountName.c_str(), L"\\") + 1); PSID tTargetAccountSid = GetSidFromName(sTargetAccountName); + // exit if no match was found + if (tTargetAccountSid == nullptr) return SidActionResult::Nothing; + // do a reverse lookup to see if this might be a sid history item if (GetNameFromSidEx(tTargetAccountSid) == sSourceAccountName) return SidActionResult::Nothing; diff --git a/OperationRemoveOrphan.cpp b/OperationRemoveOrphan.cpp index 131536a..527727c 100644 --- a/OperationRemoveOrphan.cpp +++ b/OperationRemoveOrphan.cpp @@ -23,6 +23,7 @@ OperationRemoveOrphan::OperationRemoveOrphan(std::queue & oArgList // do a reverse lookup of the name for reporting sDomainName = GetNameFromSidEx(tDomainSid); + sDomainName = sDomainName.substr(0, sDomainName.find(L"\\")); // flag this as being an ace-level action AppliesToDacl = true; @@ -51,11 +52,11 @@ SidActionResult OperationRemoveOrphan::DetermineSid(WCHAR * const sSdPart, Objec // see if the sid is unresolvable; if it is then this is not an orphan bool bIsOrphan = false; - GetNameFromSid(tCurrentSid, &bIsOrphan); + std::wstring sSid = GetNameFromSidEx(tCurrentSid, &bIsOrphan); if (!bIsOrphan) return SidActionResult::Nothing; // update the sid in the ace - InputOutput::AddInfo(L"Removing orphan of security identifier or domain '" + sDomainName + L"'", sSdPart); + InputOutput::AddInfo(L"Removing orphan of security identifier '" + sSid + L"' from domain '" + sDomainName + L"'", sSdPart); tResultantSid = NULL; return SidActionResult::Remove; } diff --git a/repacls.vcxproj b/repacls.vcxproj index e11adb6..9450d2e 100644 --- a/repacls.vcxproj +++ b/repacls.vcxproj @@ -139,13 +139,15 @@ Speed MultiThreaded 4100 + false Console true true - true + false true + RequireAdministrator @@ -168,7 +170,7 @@ Console true true - true + false RequireAdministrator true
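Review bot: In the OperationMigrateDomain.cpp hunk, the new null check covers `GetSidFromName`, but the line above it still evaluates `wcsstr(sSourceAccountName.c_str(), L"\\") + 1` without checking the result, so a source name with no backslash would make the `std::wstring` concatenation read from an invalid pointer. Whether an earlier check guarantees a `DOMAIN\name` form cannot be seen here, because DetermineSid starts outside the hunk. If it does not, guard it with `const WCHAR * sSep = wcschr(sSourceAccountName.c_str(), L'\\');` followed by `if (sSep == nullptr) return SidActionResult::Nothing;`. The added early return is also silent, so an account with no counterpart in the target domain keeps its source-domain entry with no record; an `InputOutput::AddInfo` message at that point would give the operator something to audit.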