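def removeUserFromLocalGroup(group, username, domain=None):
    """Remove an account from a local group on this machine.

    Nothing is done when the group does not exist or when no matching
    account is found, so the call is safe to repeat.

    Args:
        group: Name of the local group to modify.
        username: Account name without any domain prefix.
        domain: Optional domain. When it is given and the domain account
            exists, the member is addressed by its domain-qualified name.
    """
    if not localGroupExists(group):
        return

    if domain and userExists(username, domain):
        # Domain and account are joined by exactly one backslash. The earlier
        # raw literal r'%s\\%s' kept both backslashes, so the name handed to
        # the API never matched a real group member.
        member = '%s\\%s' % (domain, username)
    elif userExists(username):
        # NOTE(review): this branch is also taken when a domain was supplied
        # but the domain account was not found, so a same-named local account
        # is removed instead. Confirm callers expect that fallback.
        member = username
    else:
        return

    win32net.NetLocalGroupDelMembers(None, group, [member])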
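def LocalGroup(uname=None):
    """Create a local group, add a member, remove the members, delete the group.

    This is a self-cleaning demonstration: the group 'python_test_group' is
    created on ``server`` (a module-level name not defined in this block) and
    is always deleted again in the ``finally`` clause.

    Args:
        uname: Account to add. Defaults to the current user; a name without
            a backslash is prefixed with the current domain name.
    """
    level = 3  # info level whose entries carry a 'domainandname' key
    if uname is None:
        uname = win32api.GetUserName()
    if uname.find("\\") < 0:
        uname = win32api.GetDomainName() + "\\" + uname
    group = 'python_test_group'

    # Delete the group if it already exists. This is destructive for any
    # pre-existing group of that name, hence the warning.
    try:
        win32net.NetLocalGroupDel(server, group)
        # The group name is now interpolated; the message used to print a
        # literal '%s' because the format argument was missing.
        print("WARNING: existing local group '%s' has been deleted." % group)
    except win32net.error:
        # Expected when the group was not there to begin with.
        pass

    group_data = {'name': group}
    win32net.NetLocalGroupAdd(server, 1, group_data)
    try:
        u = {'domainandname': uname}
        win32net.NetLocalGroupAddMembers(server, group, level, [u])
        mem, tot, res = win32net.NetLocalGroupGetMembers(server, group, level)
        # Single-argument print calls behave the same on Python 2 and 3.
        print("members are %s" % (mem,))
        if mem[0]['domainandname'] != uname:
            print("ERROR: LocalGroup just added %s, but members are %r" % (
                uname, mem))
        # Convert the list of dicts to a list of strings.
        win32net.NetLocalGroupDelMembers(
            server, group, [m['domainandname'] for m in mem])
    finally:
        # Always remove the test group, even if a step above failed.
        win32net.NetLocalGroupDel(server, group)
    print("Created a local group, added and removed members, then deleted the group")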
def onLogout(self, userName) -> None:
    """Drop the tracked user from a local Windows group when a logout occurs.

    The group name is resolved from ``REMOTE_USERS_SID`` (defined outside this
    block; the error message below refers to it as Remote Desktop Users).
    The account removed is ``self._user``; ``userName`` is only logged.
    Failures are logged and never raised.
    """
    logger.debug('Windows onLogout invoked: {}, {}'.format(userName, self._user))

    # Resolve the group by SID so the lookup does not depend on a localized name.
    try:
        group_sid = win32security.GetBinarySid(REMOTE_USERS_SID)
        account = win32security.LookupAccountSid(None, group_sid)
        groupName = account[0]
    except Exception:
        logger.error('Exception getting Windows Group')
        return

    if not self._user:
        return

    # NOTE(review): if this call fails the user keeps the group membership and
    # the only trace is the log line below; worth alerting on.
    try:
        win32net.NetLocalGroupDelMembers(None, groupName, [self._user])
    except Exception as err:
        logger.error('Exception removing user from Remote Desktop Users: {}'.format(err))
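def createOpsiSetupUser(self, admin=True, delete_existing=False):  # pylint: disable=no-self-use,too-many-branches
    """Create or refresh the local opsi setup account and return its details.

    The account gets a freshly generated password, is hidden from the logon
    screen, receives ACL entries on the program, log and temp directories,
    and is added to or removed from the local Administrators group.

    Args:
        admin: When true the account is added to the group with SID
            S-1-5-32-544 (local Administrators); otherwise it is removed.
        delete_existing: When true an existing account's SID is not kept, so
            the creation path runs. ``cleanup_opsi_setup_user`` is defined
            elsewhere; presumably it removes the old account. TODO confirm.

    Returns:
        The level-4 ``NetUserGetInfo`` dict of the account with the new
        clear-text password stored under ``"password"``. Callers must not
        log or persist this value.
    """
    # https://bugs.python.org/file46988/issue.py

    # SystemRandom draws from the operating system's CSPRNG. The module-level
    # random.choice is a seeded Mersenne Twister whose output is predictable,
    # which is unsuitable for the password of a potentially administrative
    # account.
    # NOTE(review): eight random characters is short for such an account;
    # consider a longer secret if every consumer of the password allows it.
    rng = random.SystemRandom()
    alphabet = string.ascii_letters + string.digits
    password = "/" + "".join(rng.choice(alphabet) for _ in range(8)) + "?"

    user_info = {
        "name": OPSI_SETUP_USER_NAME,
        "full_name": "opsi setup user",
        "comment": "auto created by opsi",
        "password": password,
        "priv": win32netcon.USER_PRIV_USER,
        "flags": win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT | win32netcon.UF_DONT_EXPIRE_PASSWD
    }

    # Test if user exists
    user_sid = None
    try:
        win32net.NetUserGetInfo(None, user_info["name"], 1)
        user_sid = win32security.ConvertSidToStringSid(
            win32security.LookupAccountName(None, user_info["name"])[0])
        logger.info("User '%s' exists, sid is '%s'", user_info["name"], user_sid)
    except Exception as err:  # pylint: disable=broad-except
        logger.info(err)

    self.cleanup_opsi_setup_user(
        keep_sid=None if delete_existing else user_sid)
    if delete_existing:
        user_sid = None

    # Hide user from login
    special_accounts = r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts'
    user_list = special_accounts + r'\UserList'
    for key_path in (special_accounts, user_list):
        try:
            # Close the handle right away; it was previously left open until
            # garbage collection.
            winreg.CreateKeyEx(
                winreg.HKEY_LOCAL_MACHINE,
                key_path,
                0,
                winreg.KEY_WOW64_64KEY | winreg.KEY_ALL_ACCESS  # sysnative
            ).Close()
        except WindowsError:  # pylint: disable=undefined-variable
            pass

    with winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        user_list,
        0,
        winreg.KEY_SET_VALUE | winreg.KEY_WOW64_64KEY  # sysnative
    ) as reg_key:
        # A DWORD of 0 under UserList keeps the account off the logon screen.
        winreg.SetValueEx(reg_key, user_info["name"], 0, winreg.REG_DWORD, 0)

    if user_sid:
        logger.info("Updating password of user '%s'", user_info["name"])
        user_info_update = win32net.NetUserGetInfo(None, user_info["name"], 1)
        user_info_update["password"] = user_info["password"]
        win32net.NetUserSetInfo(None, user_info["name"], 1, user_info_update)
    else:
        logger.info("Creating user '%s'", user_info["name"])
        win32net.NetUserAdd(None, 1, user_info)

    user_sid = win32security.ConvertSidToStringSid(
        win32security.LookupAccountName(None, user_info["name"])[0])

    # Grant by SID ("*S-1-...") so the ACL entry does not depend on name
    # resolution.
    # NOTE(review): check=False means a failed grant goes unnoticed, and
    # "icacls" is resolved through PATH; an absolute path to the system
    # binary and a logged return code would be more robust.
    subprocess.run([
        "icacls",
        os.path.dirname(sys.argv[0]),
        "/grant:r",
        f"*{user_sid}:(OI)(CI)RX"
    ], check=False)
    subprocess.run([
        "icacls",
        os.path.dirname(config.get("global", "log_file")),
        "/grant:r",
        f"*{user_sid}:(OI)(CI)F"
    ], check=False)
    subprocess.run([
        "icacls",
        os.path.dirname(config.get("global", "tmp_dir")),
        "/grant:r",
        f"*{user_sid}:(OI)(CI)F"
    ], check=False)

    # Resolve the Administrators group by its well-known SID because the
    # display name differs between Windows language versions.
    local_admin_group_sid = win32security.ConvertStringSidToSid(
        "S-1-5-32-544")
    local_admin_group_name = win32security.LookupAccountSid(
        None, local_admin_group_sid)[0]
    try:
        if admin:
            logger.info("Adding user '%s' to admin group", user_info["name"])
            win32net.NetLocalGroupAddMembers(
                None, local_admin_group_name, 3, [{
                    "domainandname": user_info["name"]
                }])
        else:
            logger.info("Removing user '%s' from admin group", user_info["name"])
            win32net.NetLocalGroupDelMembers(
                None, local_admin_group_name, [user_info["name"]])
    except pywintypes.error as err:
        # 1377 - ERROR_MEMBER_NOT_IN_ALIAS
        #  The specified account name is not a member of the group.
        # 1378 - ERROR_MEMBER_IN_ALIAS
        #  The specified account name is already a member of the group.
        if err.winerror not in (1377, 1378):
            raise

    user_info_4 = win32net.NetUserGetInfo(None, user_info["name"], 4)
    user_info_4["password"] = user_info["password"]
    return user_info_4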