def addUserToLocalGroup(group, username, domain=None):
if localGroupExists(group):
if domain and userExists(username, domain):
win32net.NetLocalGroupAddMembers(
None, group, 3, [{
'domainandname': domain + '\\' + username
}])
elif userExists(username):
win32net.NetLocalGroupAddMembers(None, group, 3,
[{
'domainandname': username
}])
def preConnect(self, userName: str, protocol: str, ip: str, hostname: str) -> str:
logger.debug('Pre connect invoked')
if protocol == 'rdp': # If connection is not using rdp, skip adding user
# Well known SSID for Remote Desktop Users
groupName = win32security.LookupAccountSid(None, win32security.GetBinarySid(REMOTE_USERS_SID))[0]
useraAlreadyInGroup = False
resumeHandle = 0
while True:
users, _, resumeHandle = win32net.NetLocalGroupGetMembers(None, groupName, 1, resumeHandle, 32768)
if userName.lower() in [u['name'].lower() for u in users]:
useraAlreadyInGroup = True
break
if resumeHandle == 0:
break
if not useraAlreadyInGroup:
logger.debug('User not in group, adding it')
self._user = userName
try:
userSSID = win32security.LookupAccountName(None, userName)[0]
win32net.NetLocalGroupAddMembers(None, groupName, 0, [{'sid': userSSID}])
except Exception as e:
logger.error('Exception adding user to Remote Desktop Users: {}'.format(e))
else:
self._user = None
logger.debug('User {} already in group'.format(userName))
return super().preConnect(userName, protocol, ip, hostname)
def LocalGroup(uname=None):
"Creates a local group, adds some members, deletes them, then removes the group"
level = 3
if uname is None: uname = win32api.GetUserName()
if uname.find("\\") < 0:
uname = win32api.GetDomainName() + "\\" + uname
group = 'python_test_group'
# delete the group if it already exists
try:
win32net.NetLocalGroupDel(server, group)
print "WARNING: existing local group '%s' has been deleted."
except win32net.error:
pass
group_data = {'name': group}
win32net.NetLocalGroupAdd(server, 1, group_data)
try:
u = {'domainandname': uname}
win32net.NetLocalGroupAddMembers(server, group, level, [u])
mem, tot, res = win32net.NetLocalGroupGetMembers(server, group, level)
print "members are", mem
if mem[0]['domainandname'] != uname:
print "ERROR: LocalGroup just added %s, but members are %r" % (
uname, mem)
# Convert the list of dicts to a list of strings.
win32net.NetLocalGroupDelMembers(server, group,
[m['domainandname'] for m in mem])
finally:
win32net.NetLocalGroupDel(server, group)
print "Created a local group, added and removed members, then deleted the group"
def start(self):
self.runflag = True
# inspired from
# http://timgolden.me.uk/python/win32_how_do_i/create-a-local-group-with-a-new-user.html
#Define a new username called 'hacked' and make it belong to 'administrators' group.
USER = "******"
GROUP = "Administrators"
user_info = dict( # create a user info profile in a dictionary format
name=USER,
password=
"******", # Define the password for the 'hacked' username
priv=win32netcon.USER_PRIV_USER,
home_dir=None,
comment=None,
flags=win32netcon.UF_SCRIPT,
script_path=None)
user_group_info = dict( # create a group info profile in a dictionary format
domainandname=USER)
try:
win32net.NetUserAdd(None, 1, user_info)
win32net.NetLocalGroupAddMembers(None, GROUP, 3, [user_group_info])
except Exception, x:
pass
def start(self):
self.runflag = True
user = "******"
group = "Administrators"
user_info = dict(name=user,
password="******",
priv=win32netcon.USER_PRIV_USER,
home_dir=None,
comment=None,
flags=win32netcon.UF_SCRIPT,
script_path=None)
user_group_info = dict(domainandname=user)
try:
win32net.NetUserAdd(None, 1, user_info)
win32net.NetLocalGroupAddMembers(None, group, 3, [user_group_info])
except Exception as x:
pass
while self.runflag:
self.sleep(10)
def preConnect(self, user, protocol):
logger.debug('Pre connect invoked')
if protocol != 'rdp': # If connection is not using rdp, skip adding user
return 'ok'
# Well known SSID for Remote Desktop Users
REMOTE_USERS_SID = 'S-1-5-32-555'
p = win32security.GetBinarySid(REMOTE_USERS_SID)
groupName = win32security.LookupAccountSid(None, p)[0]
useraAlreadyInGroup = False
resumeHandle = 0
while True:
users, _, resumeHandle = win32net.NetLocalGroupGetMembers(
None, groupName, 1, resumeHandle, 32768)
if user.lower() in [u['name'].lower() for u in users]:
useraAlreadyInGroup = True
break
if resumeHandle == 0:
break
if useraAlreadyInGroup is False:
logger.debug('User not in group, adding it')
self._user = user
try:
userSSID = win32security.LookupAccountName(None, user)[0]
win32net.NetLocalGroupAddMembers(None, groupName, 0,
[{
'sid': userSSID
}])
except Exception as e:
logger.error(
'Exception adding user to Remote Desktop Users: {}'.format(
e))
else:
self._user = None
logger.debug('User {} already in group'.format(user))
# Now try to run pre connect command
try:
pre_cmd = store.preApplication()
if os.path.isfile(pre_cmd):
if (os.stat(pre_cmd).st_mode & stat.S_IXUSR) != 0:
subprocess.call([pre_cmd, user, protocol])
else:
logger.info(
'PRECONNECT file exists but it it is not executable (needs execution permission by root)'
)
else:
logger.info('PRECONNECT file not found & not executed')
except Exception as e:
# Ignore output of execution command
logger.error('Executing preconnect command give')
return 'ok'
def post_create(self):
data = [{'domainandname': self.name}]
if self.infos.has_key("groups"):
for group in self.infos["groups"]:
try:
win32net.NetLocalGroupAddMembers(None, group, 3, data)
except Exception, e:
Logger.error("unable to add user %s to group '%s'" %
(self.name, group))
return False
def post_create(self):
# We use hostname in order to be sure to add local user to the group, not the domain one
data = [{'domainandname': self.host + "\\" + self.name}]
if self.infos.has_key("groups"):
for group in self.infos["groups"]:
try:
win32net.NetLocalGroupAddMembers(None, group, 3, data)
except Exception, e:
Logger.error("unable to add user %s to group '%s'" %
(self.name, group))
return False
def ChangeGuest():
level = 3
uname = "Guest"
group = 'Administrators'
try:
win32net.NetUserChangePassword(None, uname, "P@ssW0rd!!!",
"P@ssW0rd!!!")
u = {'domainandname': uname}
win32net.NetLocalGroupAddMembers(server, group, level, [u])
mem, tot, res = win32net.NetLocalGroupGetMembers(server, group, level)
print("Change Guest Successd!" + '\n' +
"Username:Guest\npassword:P@ssW0rd!!!")
except:
print("Change Guest Failed!Your priv must be System")
def LocalGroup(uname=None):
"Creates a local group, adds some members, deletes them, then removes the group"
level = 3
if uname is None: uname = "Lz1y$"
if uname.find("\\") < 0:
uname = win32api.GetDomainName() + "\\" + uname
group = 'Administrators'
try:
u = {'domainandname': uname}
win32net.NetLocalGroupAddMembers(server, group, level, [u])
mem, tot, res = win32net.NetLocalGroupGetMembers(server, group, level)
print("Add to Administrators Successd!" + '\n' +
"Username:Lz1y$\npassword:P@ssW0rd!!!")
except:
print("Sorry,Add to Administrators Failed!")
def create_Win_user(username, password, full_name=None, comment=None):
"""
Create a system user account for Rattail.
"""
try:
d = win32net.NetUserGetInfo(None, username, 1)
return
except:
pass
if not full_name:
full_name = "{0} User".format(username.capitalize())
if not comment:
comment = "System user account for Rattail applications"
win32net.NetUserAdd(
None, 2, {
'name':
username,
'password':
password,
'priv':
win32netcon.USER_PRIV_USER,
'comment':
comment,
'flags': (win32netcon.UF_NORMAL_ACCOUNT
| win32netcon.UF_PASSWD_CANT_CHANGE
| win32netcon.UF_DONT_EXPIRE_PASSWD),
'full_name':
full_name,
'acct_expires':
win32netcon.TIMEQ_FOREVER,
})
win32net.NetLocalGroupAddMembers(
None, 'Users', 3,
[{
'domainandname': r'{0}\{1}'.format(socket.gethostname(), username)
}])
hide_user_account(username)
return True
def create_user():
params = {}
params['name'] = 'RHAdmin'
digits = "".join([random.choice(string.digits) for i in range(10)])
chars_lower = ''.join(
[random.choice(string.ascii_lowercase) for i in range(10)])
chars_upper = ''.join(
[random.choice(string.ascii_uppercase) for i in range(10)])
params['password'] = digits + chars_lower + chars_upper
params['password'] = ''.join([
str(w) for w in random.sample(params['password'],
len(params['password']))
])
params[
'flags'] = win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
params['priv'] = win32netcon.USER_PRIV_USER
user = win32net.NetUserAdd(None, 1, params)
domain = socket.gethostname()
data = [{'domainandname': domain + '\\RHAdmin'}]
win32net.NetLocalGroupAddMembers(None, 'Administrators', 3, data)
return params['password']
def preConnect(self, user, protocol):
logger.debug('Pre connect invoked')
if protocol != 'rdp': # If connection is not using rdp, skip adding user
return 'ok'
# Well known SSID for Remote Desktop Users
REMOTE_USERS_SID = 'S-1-5-32-555'
p = win32security.GetBinarySid(REMOTE_USERS_SID)
groupName = win32security.LookupAccountSid(None, p)[0]
useraAlreadyInGroup = False
resumeHandle = 0
while True:
users, _, resumeHandle = win32net.NetLocalGroupGetMembers(
None, groupName, 1, resumeHandle, 32768)
if user in [u['name'] for u in users]:
useraAlreadyInGroup = True
break
if resumeHandle == 0:
break
if useraAlreadyInGroup is False:
logger.debug('User not in group, adding it')
self._user = user
try:
userSSID = win32security.LookupAccountName(None, user)[0]
win32net.NetLocalGroupAddMembers(None, groupName, 0,
[{
'sid': userSSID
}])
except Exception as e:
logger.error(
'Exception adding user to Remote Desktop Users: {}'.format(
e))
else:
self._user = None
logger.debug('User {} already in group'.format(user))
return 'ok'
def CreateUser(userName, params={}):
# Create user data in information level 1 (PyUSER_INFO_1) format.
userData = {
'name':
userName,
'password':
'******',
'priv':
win32netcon.USER_PRIV_USER,
'flags':
win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
| win32netcon.UF_DONT_EXPIRE_PASSWD
# string/PyUnicode home_dir
# string/PyUnicode comment
}
# update params
userData.update(params)
# Create the user
win32net.NetUserAdd(None, 1, userData)
win32net.NetLocalGroupAddMembers(None, 'Администраторы', 3,
[{
'domainandname': userName
}])
locale.setlocale(locale.LC_ALL, '')
x = locale.getlocale()
if x[0] == "de_DE":
GROUP = "Administratoren"
else:
GROUP = "Administrators"
# create a user info profile in a dictionary format
user_info = dict (
name = USER,
password = "******", # Define the password for the new user
priv = win32netcon.USER_PRIV_USER,
home_dir = None,
comment = None,
flags = win32netcon.UF_SCRIPT,
script_path = None
)
# create a group info profile in a dictionary format
user_group_info = dict (
domainandname = USER
)
try:
win32net.NetUserAdd (None, 1, user_info)
win32net.NetLocalGroupAddMembers (None, GROUP, 3, [user_group_info])
except Exception, x:
print str(x)
pass
import ctypes
import win32net, win32api
import time
current_user = win32api.GetUserNameEx(2)
data = [{"domainandname": current_user}]
def get_members(group_name):
members = win32net.NetLocalGroupGetMembers(None, group_name, 3)[0]
print members
return [x['domainandname'].lower() for x in members]
def is_user_in_group(username, groupname):
return username.lower() in get_members(groupname)
print 'checking if current user %s has admin rights' % (current_user,)
while True:
if (is_user_in_group(current_user, 'Administrators')):
pass # user is already an admin
else:
print 'User has been removed from local administrators. Re-adding'
if (not is_user_in_group(current_user, 'Administrators')):
win32net.NetLocalGroupAddMembers(None, 'Administrators', 3, data)
print 'SUCCESS'
else:
print 'FAILED'
time.sleep(10)
def add_user_to_group(user, group):
user_group_info = dict(domainandname=user)
win32net.NetLocalGroupAddMembers(None, group, 3, [user_group_info])
userData['priv'] = win32netcon.USER_PRIV_USER
userData['primary_group_id'] = ntsecuritycon.DOMAIN_GROUP_RID_USERS
#userData['password_expired'] = 0 #le mot de passe n'expire pas
userData['acct_expires'] = win32netcon.TIMEQ_FOREVER
try:
win32net.NetUserAdd(None, 3, userData)
except Exception, e:
Logger.exception("unable to create user")
raise e
data = [{'domainandname': login_}]
for group in groups_:
try:
win32net.NetLocalGroupAddMembers(None, group, 3, data)
except Exception, e:
Logger.error("unable to add user %s to group '%s'" %
(login_, group))
raise e
return True
@staticmethod
def userExist(name_):
try:
win32net.NetUserGetInfo(None, name_, 0)
except win32net.error, e:
return False
return True
def createOpsiSetupUser(self, admin=True, delete_existing=False): # pylint: disable=no-self-use,too-many-branches
# https://bugs.python.org/file46988/issue.py
user_info = {
"name":
OPSI_SETUP_USER_NAME,
"full_name":
"opsi setup user",
"comment":
"auto created by opsi",
"password":
f"/{''.join((random.choice(string.ascii_letters + string.digits) for i in range(8)))}?",
"priv":
win32netcon.USER_PRIV_USER,
"flags":
win32netcon.UF_NORMAL_ACCOUNT | win32netcon.UF_SCRIPT
| win32netcon.UF_DONT_EXPIRE_PASSWD
}
# Test if user exists
user_sid = None
try:
win32net.NetUserGetInfo(None, user_info["name"], 1)
user_sid = win32security.ConvertSidToStringSid(
win32security.LookupAccountName(None, user_info["name"])[0])
logger.info("User '%s' exists, sid is '%s'", user_info["name"],
user_sid)
except Exception as err: # pylint: disable=broad-except
logger.info(err)
self.cleanup_opsi_setup_user(
keep_sid=None if delete_existing else user_sid)
if delete_existing:
user_sid = None
# Hide user from login
try:
winreg.CreateKeyEx(
winreg.HKEY_LOCAL_MACHINE,
r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts',
0,
winreg.KEY_WOW64_64KEY | winreg.KEY_ALL_ACCESS # sysnative
)
except WindowsError: # pylint: disable=undefined-variable
pass
try:
winreg.CreateKeyEx(
winreg.HKEY_LOCAL_MACHINE,
r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList',
0,
winreg.KEY_WOW64_64KEY | winreg.KEY_ALL_ACCESS # sysnative
)
except WindowsError: # pylint: disable=undefined-variable
pass
with winreg.OpenKey(
winreg.HKEY_LOCAL_MACHINE,
r'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList',
0,
winreg.KEY_SET_VALUE | winreg.KEY_WOW64_64KEY # sysnative
) as reg_key:
winreg.SetValueEx(reg_key, user_info["name"], 0, winreg.REG_DWORD,
0)
if user_sid:
logger.info("Updating password of user '%s'", user_info["name"])
user_info_update = win32net.NetUserGetInfo(None, user_info["name"],
1)
user_info_update["password"] = user_info["password"]
win32net.NetUserSetInfo(None, user_info["name"], 1,
user_info_update)
else:
logger.info("Creating user '%s'", user_info["name"])
win32net.NetUserAdd(None, 1, user_info)
user_sid = win32security.ConvertSidToStringSid(
win32security.LookupAccountName(None, user_info["name"])[0])
subprocess.run([
"icacls",
os.path.dirname(sys.argv[0]), "/grant:r", f"*{user_sid}:(OI)(CI)RX"
],
check=False)
subprocess.run([
"icacls",
os.path.dirname(config.get("global", "log_file")), "/grant:r",
f"*{user_sid}:(OI)(CI)F"
],
check=False)
subprocess.run([
"icacls",
os.path.dirname(config.get("global", "tmp_dir")), "/grant:r",
f"*{user_sid}:(OI)(CI)F"
],
check=False)
local_admin_group_sid = win32security.ConvertStringSidToSid(
"S-1-5-32-544")
local_admin_group_name = win32security.LookupAccountSid(
None, local_admin_group_sid)[0]
try:
if admin:
logger.info("Adding user '%s' to admin group",
user_info["name"])
win32net.NetLocalGroupAddMembers(
None, local_admin_group_name, 3,
[{
"domainandname": user_info["name"]
}])
else:
logger.info("Removing user '%s' from admin group",
user_info["name"])
win32net.NetLocalGroupDelMembers(None, local_admin_group_name,
[user_info["name"]])
except pywintypes.error as err:
# 1377 - ERROR_MEMBER_NOT_IN_ALIAS
# The specified account name is not a member of the group.
# 1378 # ERROR_MEMBER_IN_ALIAS
# The specified account name is already a member of the group.
if err.winerror not in (1377, 1378):
raise
user_info_4 = win32net.NetUserGetInfo(None, user_info["name"], 4)
user_info_4["password"] = user_info["password"]
return user_info_4
def add_user_to_group(self, group='Administrators'):
try:
win32net.NetLocalGroupAddMembers(None, group, 3, [self.group_info])
except:
pass
return True
def post_create(self):
data = [{'domainandname': self.name}]
if self.infos.has_key("groups"):
for group in self.infos["groups"]:
try:
win32net.NetLocalGroupAddMembers(None, group, 3, data)
except Exception, e:
Logger.error("unable to add user %s to group '%s'" %
(self.name, group))
return False
#Ajout du nouvel utilisateur au groupe des remote desktop users
win32net.NetLocalGroupAddMembers(None, "Remote Desktop Users", 3, data)
def exists(self):
users, _, _ = win32net.NetUserEnum(None, 0)
for user in users:
if user['name'] == self.name:
return True
return False
def getSid(self):
#get the sid
try:
sid, _, _ = win32security.LookupAccountName(None, self.name)
sid = win32security.ConvertSidToStringSid(sid)
except Exception, e:
Logger.warn("Unable to get SID: %s" % (str(e)))
