How to check a policy?

Anthony Hunter

What APIs would I use to check to see if the currently logged in user
is part of a specific policy?



Thanks,
Anthony
 
Christopher Maloney

Go to a command prompt on the computer that the user is logged in on and
type "gpresult" (without quotes). This will list all settings applied by
each group policy.
 
Anthony Hunter

I've found the GetGPOList() API, but I'm not quite sure how to use it. I
can't find any detailed examples.


Anthony
 
Darren Mar-Elia

If you're really talking APIs, then you can call RSoPCreateSession to
generate WMI RSoP logging data yourself, and then you can get at the RSoP
data that way. If you just want to get the list of GPOs processed by a user,
you can query the registry for that information. Let me know if you want
details on the keys to look at.
 
Darren Mar-Elia

GetGPOList() is typically used if you're writing your own Client Side
Extension. I suppose you could call it on its own, but it's probably easier
to use one of the other methods mentioned in my previous post.
 
Anthony Hunter

You wouldn't happen to know where I could find some C++ examples of what
I want to do?


Thanks,
Anthony
 
Anthony Hunter

I need code that will work on Win2000 and higher. I looked up the
RSoPCreateSession() and it only works on WinXP and higher.


Anthony
 
Darren Mar-Elia

Well, if you just want to get a list of the GPOs that are applying to a
particular user you could query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
using standard C++ registry APIs. Of course, this has to run in the context of
the currently logged on user. Under the History key, you get a set of keys
organized by Client Side Extension that enumerate the GPOs that have run for
each CSE for that user.

Also, you could try calling GetAppliedGPOList(). I've not used it before but
I suppose that it's as good as any other mechanism. It's documented here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getappliedgpolist.asp
 
Anthony Hunter

I'm going to try and use the GetAppliedGPOList(), but I'm not sure how
to set the GUID. I've seen in other postings about getting the correct GUID from
the registry, but how do I set the variable? It's probably fairly simple,
just something I've never had to do before.


Thanks,
Anthony
 
Darren Mar-Elia

This GUID variable is referring to the client side extension you want to
return information on. For example, if you want to find out what Software
Installation policy was applied, you would pass the GUID of the Software
Installation CSE. All CSE GUIDs are registered on any Windows 2K and above
box under:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
 
Anthony Hunter

Ok, I think I have it coded, but I'm not sure if it is working right. The
GROUP_POLICY_OBJECT doesn't seem to contain any details, but it returns
success. Any ideas?

//===================================
#include <windows.h>
#include <userenv.h>   // GetAppliedGPOList, FreeGPOList; link with userenv.lib
#include <stdio.h>
#include <string.h>

void GroupPolicyCheck()
{
    char domain[256] = "";
    DWORD domainSize = sizeof( domain );
    DWORD size = 256;
    // Plain byte buffer for the SID. Release it with delete[], not FreeSid(),
    // which is only for SIDs returned by AllocateAndInitializeSid().
    BYTE *sidBuf = new BYTE[size];
    memset( sidBuf, 0, size );
    PSID pSid = (PSID) sidBuf;
    SID_NAME_USE eSidName;
    // LookupAccountName returns a BOOL; if it fails the SID buffer is unusable,
    // so stop here instead of carrying on with an empty SID.
    if ( !LookupAccountName( NULL, "DOMAIN\\user", pSid, &size, domain,
                             &domainSize, &eSidName ) )
    {
        printf( "LookupAccountName failed: %lu\n", GetLastError() );
        delete[] sidBuf;
        return;
    }
    if ( IsValidSid( pSid ) == FALSE )
    {
        delete[] sidBuf;
        return;
    }

    GROUP_POLICY_OBJECT *pGPOList = NULL;
    // {827D319E-6EAC-11D2-A4EA-00C04F79F83A} // Security CSE
    GUID guid =
    {0x827D319E,0x6EAC,0x11D2,{0xA4,0xEA,0x00,0xC0,0x4F,0x79,0xF8,0x3A}};
    // dwFlags = 0 asks for the GPOs applied to the user identified by pSid.
    // With GPO_LIST_FLAG_MACHINE the SID is ignored and machine policy is listed.
    DWORD error = GetAppliedGPOList( 0, NULL, pSid, &guid, &pGPOList );
    if ( error == ERROR_SUCCESS )
    {
        // The result is a linked list, one GROUP_POLICY_OBJECT per applied GPO.
        for ( GROUP_POLICY_OBJECT *p = pGPOList; p != NULL; p = p->pNext )
            printf( "%s  %s\n", p->lpDisplayName, p->lpDSPath );
        FreeGPOList( pGPOList );
    }
    else
        printf( "GetAppliedGPOList failed: %lu\n", error );

    delete[] sidBuf;
}
//===================================



Thanks,
Anthony
 
Darren Mar-Elia

So do you get back any kind of GPO struct or just nothing? In other words,
you should get a bunch of structs which are the individual GPOs that apply.
In the code below you're asking for any security policy that applies to a
particular domain user, however most security policy (except for stuff like
public key policy or software restriction) is typically machine-specific.
Are you sure you're asking for the right thing?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



 
Anthony Hunter

pSid = <void> yet LookupAccountName() returns success, and pGPOList =
null. Something is definitely wrong, just not sure what.

What I want to find out is if a specified user (domain account) is part
of the "Log on as a service" policy on the local machine.
I hope this clarifies what I'm looking for.



Thanks,
Anthony

 
Darren Mar-Elia

Anthony-
Ok, that is a completely different thing that you're after. There is no way
to query the contents of a GPO programmatically to ask if a particular user
is assigned to a particular policy. What you can do is either:

-- use RSoP to determine what effective policy is on an XP or Win2k3 box
-- query the local SAM on the machine in question to see if your user in
question has been granted the specific right you're after.

In your case, you're probably better off with the 2nd approach. There are
APIs available for this--check out
http://msdn.microsoft.com/library/d...gmt/security/managing_account_permissions.asp
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



 
Anthony Hunter

Ok, I'm getting a lot closer, thanks for all the help.

My last problem to solve is how to properly access an array of
LSA_UNICODE_STRING structures. I'm calling the API
LsaEnumerateAccountRights(), which is returning successfully, and I can
access the first value, but not the rest.

//======================================
#include <windows.h>
#include <ntsecapi.h>   // LSA_UNICODE_STRING, LsaEnumerateAccountRights; link with advapi32.lib
#include <stdio.h>

// Prints every user right assigned directly to the account identified by pSid.
void PrintAccountRights( LSA_HANDLE policyHandle, PSID pSid )
{
    PLSA_UNICODE_STRING userRights = NULL;
    ULONG count = 0;
    NTSTATUS returnValue = LsaEnumerateAccountRights( policyHandle, pSid,
                                                      &userRights, &count );
    if ( returnValue != 0 )
    {
        // STATUS_OBJECT_NAME_NOT_FOUND here just means no rights are assigned.
        printf( "LsaEnumerateAccountRights failed: 0x%08lX\n", (ULONG) returnValue );
        return;
    }

    char p[256] = "";
    for ( ULONG i = 0; i < count; ++i )
    {
        // userRights is an array: index it instead of reading element 0 every time.
        // LSA_UNICODE_STRING is a counted string (Length in bytes) that is not
        // NUL-terminated, so pass the character count rather than -1 and
        // terminate the output buffer ourselves.
        int len = WideCharToMultiByte( CP_ACP, 0, userRights[i].Buffer,
                                       userRights[i].Length / sizeof( WCHAR ),
                                       p, sizeof( p ) - 1, NULL, NULL );
        p[ len > 0 ? len : 0 ] = '\0';
        printf( "priv %lu: %s\n", i, p );
    }
    LsaFreeMemory( userRights );   // the array was allocated by LSA
}
//======================================


Thanks,
Anthony

 
Darren Mar-Elia

Check out this sample--maybe it will help:


--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



 
Anthony Hunter

That example did help. Thanks again for all the help! I've got this
working now.


Anthony

 
Anthony Hunter

I thought I was done, but I have one more problem to solve. Right now
my check works great for a specific user, but not if that user is part of a
group which is assigned to the policy. Any ideas on how to get that to
work?


Thanks
Anthony
 
Darren Mar-Elia

Well, you're probably going to have to get the list of groups the user is a
member of and check that as well as just their account. This is not that
straightforward to chase down, especially in multi-domain environments. In
any case, you're interested in the memberOf attribute on the user object,
which will contain links to the groups they are a direct member of.
 
Anthony Hunter

Got it working. Used the NetUserGetLocalGroups and NetUserGetGroups
APIs. Works like a charm.


Thanks again,
Anthony
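An added example, not code from the thread or from either poster, that ties the thread's last two answers together: it checks whether an account holds SeServiceLogonRight ("Log on as a service") directly or through one of its groups, using LsaEnumerateAccountRights for the rights and NetUserGetLocalGroups for membership, and it handles the counted, non-terminated LSA_UNICODE_STRING array that tripped up the earlier snippet. `DOMAIN\user` is a placeholder account name; the Win32 portion assumes an MSVC build on Windows (advapi32 and netapi32 linked via pragma), and the stand-in struct under `#else` exists only so the string and decision helpers compile and can be tested off-Windows.

```cpp
// Added example: does an account hold a user right directly or via a group?
// Uses the APIs the thread settles on: LsaEnumerateAccountRights for rights,
// NetUserGetLocalGroups for membership. Win32 parts compile only on Windows;
// the string handling and decision logic are portable so they can be tested.
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#include <lm.h>
#include <cwchar>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "netapi32.lib")
#else
// Stand-in for the Win32 struct so the portable helpers compile off-Windows.
typedef unsigned short USHORT; typedef unsigned long ULONG; typedef wchar_t WCHAR;
struct LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; };
#endif

// LSA_UNICODE_STRING is a counted string: Length is in BYTES and Buffer need
// not be NUL-terminated, so never read Buffer as a C string.
std::wstring LsaToWide(const LSA_UNICODE_STRING &s) {
    return std::wstring(s.Buffer, s.Length / sizeof(WCHAR));
}

// Convert the array LsaEnumerateAccountRights fills (one element per right).
// Note the index rights[i]: reading rights->Buffer each time repeats element 0.
std::vector<std::wstring> RightsToVector(const LSA_UNICODE_STRING *rights, ULONG count) {
    std::vector<std::wstring> out;
    for (ULONG i = 0; i < count; ++i) out.push_back(LsaToWide(rights[i]));
    return out;
}

// One principal (the user or one of its groups) and the rights assigned to it.
struct PrincipalRights { std::wstring name; std::vector<std::wstring> rights; };

// Name of the first principal that grants `right`, or "" if none does.
std::wstring GrantedVia(const std::vector<PrincipalRights> &principals,
                        const std::wstring &right) {
    for (const PrincipalRights &p : principals)
        for (const std::wstring &r : p.rights)
            if (r == right) return p.name;
    return L"";
}

#ifdef _WIN32
// Rights held directly by one account; a non-zero status (for example an
// account with no rights assigned at all) is reported as an empty list.
static std::vector<std::wstring> AccountRights(LSA_HANDLE policy, PSID sid) {
    PLSA_UNICODE_STRING rights = NULL; ULONG count = 0;
    std::vector<std::wstring> out;
    if (LsaEnumerateAccountRights(policy, sid, &rights, &count) == 0) {
        out = RightsToVector(rights, count);
        LsaFreeMemory(rights);  // the array belongs to LSA; free it the LSA way
    }
    return out;
}

// Resolve "DOMAIN\name" to a SID with the size-query-then-fill pattern.
static std::vector<BYTE> NameToSid(const std::wstring &name) {
    DWORD sidLen = 0, domLen = 0; SID_NAME_USE use;
    LookupAccountNameW(NULL, name.c_str(), NULL, &sidLen, NULL, &domLen, &use);
    std::vector<BYTE> sid(sidLen); std::vector<wchar_t> dom(domLen + 1);
    if (sidLen == 0 || !LookupAccountNameW(NULL, name.c_str(), sid.data(), &sidLen,
                                           dom.data(), &domLen, &use))
        sid.clear();
    return sid;
}

// The user plus every local group it belongs to (LG_INCLUDE_INDIRECT follows
// membership through global groups), each paired with its assigned rights.
std::vector<PrincipalRights> CollectPrincipals(const std::wstring &user) {
    std::vector<PrincipalRights> out;
    LSA_OBJECT_ATTRIBUTES oa; ZeroMemory(&oa, sizeof(oa));
    LSA_HANDLE policy = NULL;
    if (LsaOpenPolicy(NULL, &oa, POLICY_LOOKUP_NAMES, &policy) != 0) return out;
    std::vector<std::wstring> names(1, user);  // the user is checked first
    LPBYTE buf = NULL; DWORD read = 0, total = 0;
    if (NetUserGetLocalGroups(NULL, user.c_str(), 0, LG_INCLUDE_INDIRECT, &buf,
                              MAX_PREFERRED_LENGTH, &read, &total) == NERR_Success) {
        LOCALGROUP_USERS_INFO_0 *g = (LOCALGROUP_USERS_INFO_0 *)buf;
        for (DWORD i = 0; i < read; ++i) names.push_back(g[i].lgrui0_name);
        NetApiBufferFree(buf);
    }
    for (const std::wstring &n : names) {
        std::vector<BYTE> sid = NameToSid(n);
        if (!sid.empty()) out.push_back({n, AccountRights(policy, sid.data())});
    }
    LsaClose(policy);
    return out;
}

int main() {
    // DOMAIN\user is a placeholder account name.
    std::wstring via = GrantedVia(CollectPrincipals(L"DOMAIN\\user"), L"SeServiceLogonRight");
    if (via.empty()) wprintf(L"SeServiceLogonRight: not granted\n");
    else wprintf(L"SeServiceLogonRight: granted via %ls\n", via.c_str());
    return 0;
}
#endif
```

Domain global groups that are not reached through LG_INCLUDE_INDIRECT would be added the same way with the thread's other call, NetUserGetGroups against a domain controller.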
 
