Documentation
Overview
Package windowsuser offers an interface over user management on Windows
Index
- Constants
- Variables
- func AgentUserPasswordPresent() (bool, error)
- func GetAgentUserFromService() (string, error)
- func GetAgentUserNameFromRegistry() (string, error)
- func GetComputerName() (string, error)
- func GetWindowsAccountDomainSid(sid *windows.SID) (*windows.SID, error)
- func IsLocalAccount(sid *windows.SID) (bool, error)
- func IsServiceAccount(sid *windows.SID) (bool, error)
- func IsSupportedWellKnownAccount(sid *windows.SID) bool
- func NetIsServiceAccount(username string) (bool, error)
- func ValidateAgentUserRemoteUpdatePrerequisites(userName string) error
- type MSA_INFO_STATE
Constants

const (
	MsaInfoNotExist      = 1
	MsaInfoNotService    = 2
	MsaInfoCannotInstall = 3
	MsaInfoCanInstall    = 4
	MsaInfoInstalled     = 5
)

MSA_INFO_STATE
https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/ne-lmaccess-msa_info_state

const (
	STATUS_OBJECT_NAME_NOT_FOUND = windows.NTStatus(0xC0000034)
)

Windows status codes
Variables

var ErrPrivateDataNotFound = errors.New("private data not found")

ErrPrivateDataNotFound is returned when LSARetrievePrivateData returns STATUS_OBJECT_NAME_NOT_FOUND.
Functions

func AgentUserPasswordPresent

func AgentUserPasswordPresent() (bool, error)
AgentUserPasswordPresent returns true if the Agent user password is present in LSA.
Returns false if the password is not present or is empty.
func GetAgentUserFromService added in v0.70.0

func GetAgentUserFromService() (string, error)

GetAgentUserFromService returns the fully qualified username for the Agent service user.
The service configuration stores the service account name in custom formats, e.g. LocalSystem or .\username, which are not supported by the Windows security subsystem. This function therefore resolves the fully qualified username in two steps:
- service username -> SID
- SID -> fully qualified username
func GetAgentUserNameFromRegistry

func GetAgentUserNameFromRegistry() (string, error)

GetAgentUserNameFromRegistry returns the user name for the Agent, as stored in the registry by the Agent MSI.
func GetComputerName

func GetComputerName() (string, error)
GetComputerName returns the NetBIOS name of the local computer.
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getcomputernamew
func GetWindowsAccountDomainSid

func GetWindowsAccountDomainSid(sid *windows.SID) (*windows.SID, error)

GetWindowsAccountDomainSid returns a SID representing the domain of the given account SID.
For example:
- for local accounts, it returns the local machine SID (the SID that LookupAccountName(hostname) resolves to)
- for domain accounts, it returns the domain SID
For special SIDs, such as container users and LocalSystem, it returns ERROR_NON_ACCOUNT_SID.
func IsLocalAccount

func IsLocalAccount(sid *windows.SID) (bool, error)

IsLocalAccount returns true if the account is a local account. This function compares the domain part of the account SID to the computer SID.
https://learn.microsoft.com/en-us/archive/blogs/aaron_margosis/machine-sids-and-domain-sids
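As an added illustration (not this package's code, which works on *windows.SID through the Windows APIs), the logic behind GetWindowsAccountDomainSid and IsLocalAccount carried out on textual SIDs so that it runs on any OS: the domain part is the S-1-5-21-A-B-C prefix, the machine SID is simply that prefix for a local account, and well-known SIDs yield the non-account error. The SID layout rule is an assumption stated in the comments, and the sample SIDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrNonAccountSID stands in for Windows ERROR_NON_ACCOUNT_SID (well-known SIDs have no domain part).
var ErrNonAccountSID = errors.New("ERROR_NON_ACCOUNT_SID")

// AccountDomainSID returns the domain (or machine) SID of an account SID, i.e. its
// S-1-5-21-A-B-C prefix, as GetWindowsAccountDomainSid does. Assumption: a domain account
// SID is NT authority (5), sub-authority 21, three domain identifiers, then the account RID.
func AccountDomainSID(sid string) (string, error) {
	parts := strings.Split(sid, "-")
	if len(parts) < 3 || parts[0] != "S" || parts[1] != "1" {
		return "", fmt.Errorf("malformed SID %q", sid)
	}
	var nums []uint64 // identifier authority followed by the sub-authorities
	for _, p := range parts[2:] {
		n, err := strconv.ParseUint(p, 10, 64)
		if err != nil {
			return "", fmt.Errorf("malformed SID %q: %w", sid, err)
		}
		nums = append(nums, n)
	}
	if nums[0] != 5 || len(nums) < 5 || nums[1] != 21 {
		return "", ErrNonAccountSID // LocalSystem S-1-5-18, container users, etc.
	}
	return strings.Join(parts[:7], "-"), nil // keep S-1-5-21 plus the three domain identifiers
}

// IsLocalAccount reports whether the account's domain SID equals the machine SID
// (a domain user's prefix is the domain's SID instead, so it compares unequal).
func IsLocalAccount(accountSID, machineSID string) (bool, error) {
	domain, err := AccountDomainSID(accountSID)
	if err != nil {
		return false, err
	}
	return domain == machineSID, nil
}

func main() {
	// Constructed sample SIDs, not real machine or domain identifiers.
	const machine = "S-1-5-21-1111111111-2222222222-3333333333"
	fmt.Println(IsLocalAccount(machine+"-1001", machine)) // true <nil>
	fmt.Println(IsLocalAccount("S-1-5-18", machine))      // false ERROR_NON_ACCOUNT_SID
}
```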
func IsServiceAccount

func IsServiceAccount(sid *windows.SID) (bool, error)

IsServiceAccount returns true if the account is a service account.
This function checks whether the account is a well-known account or a gMSA account.
For implementation details and usage restrictions, see NetIsServiceAccount.
func IsSupportedWellKnownAccount

func IsSupportedWellKnownAccount(sid *windows.SID) bool

IsSupportedWellKnownAccount returns true if the account is a well-known account under which we support running the Agent.
Current list: LocalSystem, LocalService, NetworkService
func NetIsServiceAccount

func NetIsServiceAccount(username string) (bool, error)

NetIsServiceAccount returns true if the account is an sMSA or gMSA.
This function connects over RPC to the local Netlogon service, which only runs on domain-joined machines. On standalone machines, an error is returned.
If the account is not found in the local Netlogon store, the function may try to contact a domain controller, which requires network credentials. Some environments, such as WinRM, Ansible, and SSH key authentication, do not have network credentials, and this call then fails with STATUS_OPEN_FAILED (decimal -1073741514 / hex 0xc0000136). For more information, see the "double hop problem". Interestingly, this issue does not occur when this code runs as SYSTEM, because the computer credentials are accepted. This can be a valid workaround in Ansible.
This function returns an error for accounts with non-domain prefixes like NT AUTHORITY\SYSTEM.
NetIsServiceAccount returns true if NetQueryServiceAccount returns MsaInfoInstalled; this is the same behavior as the Test-ADServiceAccount cmdlet in PowerShell.
https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netisserviceaccount
func ValidateAgentUserRemoteUpdatePrerequisites

func ValidateAgentUserRemoteUpdatePrerequisites(userName string) error

ValidateAgentUserRemoteUpdatePrerequisites validates the prerequisites for remote updates with the Agent user.
NOTE: This function must not be used to validate the Agent user prior to initial installation. That requires additional processing of the account name to handle names that do not yet exist. Validation for initial installation is left to the MSI; we forward any MSI errors to the user.
NOTE: This function is intended to be run only by the daemon service and its subprocesses running as LocalSystem. This assumption is checked in validateProcessContext. If this assumption changes, we must change how we validate gMSA accounts. See the NetIsServiceAccount docs for details.
Keep loosely in sync with the MSI ProcessUserCustomActions conditions, noting the difference between fresh installs and remote updates described above.
Types

type MSA_INFO_STATE
type MSA_INFO_STATE int
MSA_INFO_STATE enum
https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/ne-lmaccess-msa_info_state
func NetQueryServiceAccount

func NetQueryServiceAccount(username string) (MSA_INFO_STATE, error)

NetQueryServiceAccount returns the service account type of the account.
See NetIsServiceAccount for important usage details.
https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netqueryserviceaccount
func (MSA_INFO_STATE) String
func (m MSA_INFO_STATE) String() string