Read and set Group Policy settings from C++ program - c++

I have a standalone Windows-NT based machine (not connected to any network) and I want to be able to read and later set the Group Policy settings via a C++ program.
Here's what I would do manually. Run gpedit.msc as administrator, then say I want to prevent users from accessing the registry. So in the "Local Group Policy Editor" I'll go to
User Configuration -> Administrative Templates -> System -> "Prevent access to registry editing tools"
and set it to Enabled.
Is there any way to do the same from a C++ program? Any code samples would be greatly appreciated!

You can use the Group Policy API.

Related

Sitecore SIM Installation permission error

I am trying to install SIM version 13 rev 1404021 using Administrative privileges
When I click on the Grant button it gives me an error that " you dont have neccessary permission set".
Also I have given full permission to Network Service, IUSR, IIS_USR and network to the folder
C:\Inetpub\wwwroot
Kindly let me know what other permissions need to be given in order to run Sitecore Instance Manager successfully.
It may be caused by bug in SIM that doesn't get actual SQL Server user account (LocalService or custom) and thinks that it is always NetworkService. So work around is to switch your SQL Server service from using LocalService or custom account to NetworkService.
Same context as Alen's answer, but in Windows 10.
Use 'Local System account' and tick the 'Allow service to interact with desktop'.
Then, restart the service.
At this point, you don't need to reopen the SIM installation window. You can just click the Grant button and it would work.
Well, for me the issue was that the database user didn't have the dbcreator role so the wizard couldn't create databases in SQL Server.
Open SQL Server Management Studio
Expand Security > Logins
Double-click on the user to open the properties dialog
In Server Roles, check the dbcreator role
Press OK and enjoy
Source: http://sitecoreblog.patrickperrone.com/2015/04/a-simple-error.html
When you downloaded the SIM zip file from Marketplace, did you click "Properties" on the zip file and click the "Unblock" button before unzipping and running it?
I've found in the past that forgetting this step can be the cause of odd security related errors with applications.
I ran across a similar issue, but for me the root issue was that the wwwroot folder was on a VM/Parallels and that folder was marked "compress" and "archive".
Unset that for wwwroot and child items, and then SIM proceeded correctly.

How to get a list of Group Policy Objects applied to local workstation

My Windows service application runs on workstations belonging to the Active Directory domain. Once in a while I get user questions about some features of my program not working. Upon further investigation it usually turns out that certain Group Policy Object (GPO) settings are to blame.
So I was thinking, is there a way to list all GPOs applied to a local/member workstation? (I can then store them in the log file and quickly refer to it later if the problem comes up.)
The main problem is that "group policy" is just a good name... it consists of many individual registry entries... the only way to see this is to dump all these individual registry entries...
A starting point might be:
Group Policy Registry Table
Group Policy Registry Key Entries for Windows 7/Vista/XP and Server
Alternatively you can use the GPO API (which might be a better starting point):
GetAppliedGPOList
You can check it with the simple Windows command "gpresult".
Just open console and type gpresult /r /scope computer and you can get your result.
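
For the logging use case in the question, the applied-GPO names can be pulled out of captured gpresult /r /scope computer text. This is an added example, not code from any of the posts; the function names and the sample report are constructed, and it assumes English-language gpresult output.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Strip surrounding whitespace, including the CR of CRLF line endings.
static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Names listed under "Applied Group Policy Objects" in captured
// `gpresult /r /scope computer` text. Assumes English output: the heading is
// localized elsewhere, so an empty result may mean "heading not found".
std::vector<std::string> appliedGpos(const std::string& report) {
    std::vector<std::string> gpos;
    std::istringstream in(report);
    std::string line;
    enum { Seek, Underline, List } state = Seek;
    while (std::getline(in, line)) {
        const std::string t = trim(line);
        if (state == Seek) {
            if (t == "Applied Group Policy Objects") state = Underline;
        } else if (state == Underline) {
            // The heading must be followed by a row of dashes.
            bool dashes = !t.empty() && t.find_first_not_of('-') == std::string::npos;
            state = dashes ? List : Seek;
        } else {
            if (t.empty()) break;               // blank line ends the list
            if (t != "N/A") gpos.push_back(t);  // "N/A" means nothing applied
        }
    }
    return gpos;
}

// Constructed sample shaped like gpresult output; not from a real host.
const char* kSampleReport = "COMPUTER SETTINGS\r\n------------------\r\n"
    "    Applied Group Policy Objects\r\n"
    "    -----------------------------\r\n"
    "        Default Domain Policy\r\n"
    "        Workstation Lockdown\r\n\r\n"
    "    The following GPOs were not applied because they were filtered out\r\n"
    "    -------------------------------------------------------------------\r\n"
    "        Local Group Policy\r\n";

int main() {
    for (const auto& name : appliedGpos(kSampleReport))
        std::cout << "applied GPO: " << name << '\n';
}
```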

Disable Fast user switching in vista and 7 without admin rights?

I'm writing a security program for Vista and 7 (right now the main OS I'm using is 08 server, which I'm testing it on as well) and I would like to block the fast user switching option from within Windows. The problem is that I can't edit the registry under a normal user as it's under HKLM, and I need to be able to edit the key to block it or find another way to accomplish this.
I tried running it as admin and that hasn't worked. With wxDev C++ I tried the manifest option and I still can't get it to work. If the program runs under an admin account though it does.
Would anyone happen to know how to do this? I've been looking on Google all day today and all I keep finding is how to edit the registry or group policy to turn it off, but I need a way to do it through C++.
Again thank you
The registry key that controls fast user switching is in key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
it is a DWORD value named AllowMultipleTSSessions.
Set it to 0 to disable fast user switching. Windows uses terminal services to implement multiple desktops.
To write to the HKEY_LOCAL_MACHINE hive, the process must be running with administrator privileges.
The manifest needed to make your process automatically prompt for administrator privileges is:
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

Release writing permission in Windows 7

I am trying to release a C++ .Net application and am getting very frustrated with Windows UAC. I do not have much experience with this, as I have always been writing for XP.
The program needs to update some properties that are stored in two XML files and every time it tries it gets access denied if it is not running with an Administrator account.
I have followed the recommendations from Microsoft and am writing all the files that need to be modified to the CSIDL_COMMON_APPDATA folder. The installer has an action that creates the [Organization][Program] structure within the latter and adds the security group Everyone with full control privilege because, by default, that directory is read only.
I have verified that the created directory [Organization][Program] does actually contain the group and the privilege assigned after installing.
Also, the application has a manifest with a requestedExecutionLevel, for which I have tried asInvoker and highestAvailable.
The application is still not capable of writing to the directory unless the user is not logged in as Administrator...
The machines are in a domain controlled by a Server 2003, but the clients are a mix of XP, Vista and 7.
Please, could someone with more experience in this than I enlighten me?
Should I use some other folder? The problem is that different users might log into the computer and those settings are common, therefore the obvious User folder is not an option.
I also cannot add the user to the security of the folders with the installer because I don't know which user from the domain will use the program, and I cannot do it from the program when starting because if the user does not have administrator rights the program will just be blocked.
Please, any advice or indication about what I am missing here?
This may discuss your problem. See especially
Your application's installer needs to set ACLs on your subdirectory of CSIDL_COMMON_APPDATA to allow users to access that directory as required by your application

Local Security policy using WMI

I need to retrieve the list of users/groups who have access to perform volume maintenance tasks using WMI objects on a remote machine.
What I can do explicitly is
On the Start menu, click Run. In the Open box, type secpol.msc.
Expand Local Policies.
Select the User Rights Assignment folder. The policies will be displayed in the details pane.
In the pane, double-click Perform Volume Maintenance Tasks.
In properties window, I can see user/group list who have access.
I need to get this exact list using WMI call in my C# application.
In order to get or modify the values of the Windows security policy you must access the Windows registry. Now, to find the exact key which stores the values you are looking for, you must check the Group Policy Settings Reference for Windows and Windows Server, which contains an Excel file with all the group policy settings and the location in the Windows registry.
Password policy and account lockout policies are a part of secured registry settings. They cannot be read remotely until explicit permissions are given.
FYI that document doesn't actually work fully. Manually editing the values does not actually change the GP setting (it still shows not set in gpedit), yet it does restrict the process you are setting. Also, if you manually set the value with gpedit while running procmon, the key it is hitting is not as listed in the document.