bug#865: 23.0.60; The directory is unsafe today

[Francis Litterio]

Lennart Borgman (gmail) wrote:

> Francis Litterio wrote:
>> Eli Zaretskii wrote:
>>
>>> Thanks.  Do you know which API can be used to find out
>>> programmatically whether this setting is one or the other?
>> 
>> You had to ask. :) Some hours of Googling and reading bad MS
>> documentation reveals that Windows sets the following registry value to
>> 0 or 1 to reflect that particular policy:
>> 
>>   Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
>>   Value: NoDefaultAdminOwner
>> 
>> If it is 0, then new files created by members of Local Administrators
>> are owned by the group, otherwise they are owned by the user.
>
> Is this the recommended way to check it? Quite often I have seen people
> on Internet claiming that you should look for a registry value when the
> documentation from MS clearly say you should use an API instead.

The documentation from MS on how to query policy settings is poorly
organized.  There is a function named GetGPOList() documented at:

  http://msdn.microsoft.com/en-us/library/aa373520(VS.85).aspx

but it isn't clear to me how one extracts a specific policy setting from
the returned GPO list.  There's a structure named GROUP_POLICY_OBJECT
documented at:

  http://msdn.microsoft.com/en-us/library/aa374173(VS.85).aspx

but it's not clear to me how that structure represents policy settings.

There is a different (newer?) API called RSOP (Resulting Set of
Policies) that's part of the WMI (Windows Management Infrastructure)
API, but it doesn't appear to be directly callable from C code.  It's
documented at:

  http://msdn.microsoft.com/en-us/library/aa375082(VS.85).aspx

The overall Group Policy architecture is documented at:

  http://msdn.microsoft.com/en-us/library/aa373783(VS.85).aspx

where it is implied that group policies only exist on a domain, which
leads me to wonder if any of the above APIs work on non-domain
machines.

Confusing.
--
Fran