def removeUserFromLocalGroup(group, username, domain=None):
if localGroupExists(group):
if domain and userExists(username, domain):
win32net.NetLocalGroupDelMembers(None, group,
[r'%s\\%s' % (domain, username)])
elif userExists(username):
win32net.NetLocalGroupDelMembers(None, group, [r"%s" % username])
def LocalGroup(uname=None):
"Creates a local group, adds some members, deletes them, then removes the group"
level = 3
if uname is None: uname = win32api.GetUserName()
if uname.find("\\") < 0:
uname = win32api.GetDomainName() + "\\" + uname
group = 'python_test_group'
# delete the group if it already exists
try:
win32net.NetLocalGroupDel(server, group)
print "WARNING: existing local group '%s' has been deleted."
except win32net.error:
pass
group_data = {'name': group}
win32net.NetLocalGroupAdd(server, 1, group_data)
try:
u = {'domainandname': uname}
win32net.NetLocalGroupAddMembers(server, group, level, [u])
mem, tot, res = win32net.NetLocalGroupGetMembers(server, group, level)
print "members are", mem
if mem[0]['domainandname'] != uname:
print "ERROR: LocalGroup just added %s, but members are %r" % (
uname, mem)
# Convert the list of dicts to a list of strings.
win32net.NetLocalGroupDelMembers(server, group,
[m['domainandname'] for m in mem])
finally:
win32net.NetLocalGroupDel(server, group)
print "Created a local group, added and removed members, then deleted the group"
def onLogout(self, userName) -> None:
logger.debug('Windows onLogout invoked: {}, {}'.format(userName, self._user))
try:
p = win32security.GetBinarySid(REMOTE_USERS_SID)
groupName = win32security.LookupAccountSid(None, p)[0]
except Exception:
logger.error('Exception getting Windows Group')
return
if self._user:
try:
win32net.NetLocalGroupDelMembers(None, groupName, [self._user])
except Exception as e:
logger.error('Exception removing user from Remote Desktop Users: {}'.format(e))
def createOpsiSetupUser(self, admin=True, delete_existing=False): # pylint: disable=no-self-use,too-many-branches
# https://bugs.python.org/file46988/issue.py
user_info = {
"name":
OPSI_SETUP_USER_NAME,
"full_name":
"opsi setup user",
"comment":
"auto created by opsi",
"password":
f"/{''.join((random.choice(string.ascii_letters + string.digits) for i in range(8)))}?",
"priv":
win32netcon.USER_PRIV_USER,
"flags":
win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
| win32netcon.UF_DONT_EXPIRE_PASSWD
}
# Test if user exists
user_sid = None
try:
win32net.NetUserGetInfo(None, user_info["name"], 1)
user_sid = win32security.ConvertSidToStringSid(
win32security.LookupAccountName(None, user_info["name"])[0])
logger.info("User '%s' exists, sid is '%s'", user_info["name"],
user_sid)
except Exception as err: # pylint: disable=broad-except
logger.info(err)
self.cleanup_opsi_setup_user(
keep_sid=None if delete_existing else user_sid)
if delete_existing:
user_sid = None
# Hide user from login
try:
winreg.CreateKeyEx(
winreg.HKEY_LOCAL_MACHINE,
r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts',
0,
winreg.KEY_WOW64_64KEY | winreg.KEY_ALL_ACCESS # sysnative
)
except WindowsError: # pylint: disable=undefined-variable
pass
try:
winreg.CreateKeyEx(
winreg.HKEY_LOCAL_MACHINE,
r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList',
0,
winreg.KEY_WOW64_64KEY | winreg.KEY_ALL_ACCESS # sysnative
)
except WindowsError: # pylint: disable=undefined-variable
pass
with winreg.OpenKey(
winreg.HKEY_LOCAL_MACHINE,
r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList',
0,
winreg.KEY_SET_VALUE | winreg.KEY_WOW64_64KEY # sysnative
) as reg_key:
winreg.SetValueEx(reg_key, user_info["name"], 0, winreg.REG_DWORD,
0)
if user_sid:
logger.info("Updating password of user '%s'", user_info["name"])
user_info_update = win32net.NetUserGetInfo(None, user_info["name"],
1)
user_info_update["password"] = user_info["password"]
win32net.NetUserSetInfo(None, user_info["name"], 1,
user_info_update)
else:
logger.info("Creating user '%s'", user_info["name"])
win32net.NetUserAdd(None, 1, user_info)
user_sid = win32security.ConvertSidToStringSid(
win32security.LookupAccountName(None, user_info["name"])[0])
subprocess.run([
"icacls",
os.path.dirname(sys.argv[0]), "/grant:r", f"*{user_sid}:(OI)(CI)RX"
],
check=False)
subprocess.run([
"icacls",
os.path.dirname(config.get("global", "log_file")), "/grant:r",
f"*{user_sid}:(OI)(CI)F"
],
check=False)
subprocess.run([
"icacls",
os.path.dirname(config.get("global", "tmp_dir")), "/grant:r",
f"*{user_sid}:(OI)(CI)F"
],
check=False)
local_admin_group_sid = win32security.ConvertStringSidToSid(
"S-1-5-32-544")
local_admin_group_name = win32security.LookupAccountSid(
None, local_admin_group_sid)[0]
try:
if admin:
logger.info("Adding user '%s' to admin group",
user_info["name"])
win32net.NetLocalGroupAddMembers(
None, local_admin_group_name, 3,
[{
"domainandname": user_info["name"]
}])
else:
logger.info("Removing user '%s' from admin group",
user_info["name"])
win32net.NetLocalGroupDelMembers(None, local_admin_group_name,
[user_info["name"]])
except pywintypes.error as err:
# 1377 - ERROR_MEMBER_NOT_IN_ALIAS
# The specified account name is not a member of the group.
# 1378 # ERROR_MEMBER_IN_ALIAS
# The specified account name is already a member of the group.
if err.winerror not in (1377, 1378):
raise
user_info_4 = win32net.NetUserGetInfo(None, user_info["name"], 4)
user_info_4["password"] = user_info["password"]
return user_info_4
