Adjusted /RemoveOrphan,/MigrateDomain Messages

Functions.h

@@ -7,8 +7,8 @@
 // helper functions
 VOID EnablePrivs();
 const PSID GetSidFromName(std::wstring & sAccountName);
-std::wstring GetNameFromSid(const PSID tSid, bool * bMarkAsOrphan);
-std::wstring GetNameFromSidEx(const PSID tSid);
+std::wstring GetNameFromSid(const PSID tSid, bool * bMarkAsOrphan = nullptr);
+std::wstring GetNameFromSidEx(const PSID tSid, bool * bMarkAsOrphan = nullptr);
 std::wstring GenerateAccessMask(DWORD iCurrentMask);
 std::wstring GenerateInheritanceFlags(DWORD iCurrentFlags);
 HANDLE RegisterFileHandle(HANDLE hFile, std::wstring sOperation);

Helpers.cpp

@@ -150,7 +150,7 @@ std::wstring GetNameFromSid(const PSID tSid, bool * bMarkAsOrphan)
 	return sFullName;
 }
 
-std::wstring GetNameFromSidEx(const PSID tSid)
+std::wstring GetNameFromSidEx(const PSID tSid, bool * bMarkAsOrphan)
 {
 	// if sid is resolvable then return the account name
 	std::wstring sName = GetNameFromSid(tSid, NULL);

OperationHelp.cpp

@@ -12,7 +12,7 @@ ClassFactory<OperationHelp> * OperationHelp::RegisteredFactoryAltTwo =
 OperationHelp::OperationHelp(std::queue<std::wstring> & oArgList) : Operation(oArgList)
 {
 	std::wcout <<
-LR"(
+		LR"(
 repacls.exe /Path <Absolute Path> ... other options ....
 
 Repacls was developed to address large scale migrations, transitions, health 
@@ -52,6 +52,14 @@ or end of your command as to not confuse them with ordered parameters.
    computer name.  To include hidden, non-administrative shares, append 
    :IncludeHidden to the computer name.
 
+/DomainPaths <DomainName>[:AdminOnly|IncludeHidden|StopOnError]
+   Specifies a domain to scan for member servers that should be processed.  
+   For each server that is found, a /SharePaths command is processed
+   for that particular server.  This takes the same extra parameters as
+   /SharePaths including another option StopOnError to stop processing if 
+   the shares of any particular computer can not be read; if not specified
+   an error will be shown on the screen but processing will continue.
+
 /Quiet
    Hides all non-error output. This option will greatly enhance performance if
    a large number of changes are being processed.  Alternatively, it is 
@@ -165,7 +173,10 @@ Commands That Can Alter Security (When /WhatIf Is Not Present)
 
 /ReplaceAccount <SearchAccount> <ReplaceAccount>
    Search for an account and replace it with another account.
+)";
 
+std::wcout <<
+LR"(
 /Report <FileName> <RegularExpression>
    This command will write a comma separated value file with the fields of
    filename, security descriptor part (e.g., DACL), account name, permissions,
@@ -175,10 +186,7 @@ Commands That Can Alter Security (When /WhatIf Is Not Present)
    An optional qualifier after regular expression can be specified after the
    regular expression to refine what part of the security descriptor to scan.
    See Other Notes & Limitations section for more information.
-)";
 
-std::wcout <<
-LR"(
 /SetOwner <Name|Sid>
    Will set the owner of the file to the name specified.
 

OperationMigrateDomain.cpp

@@ -63,6 +63,9 @@ SidActionResult OperationMigrateDomain::DetermineSid(WCHAR * const sSdPart, Obje
 	std::wstring sTargetAccountName = sTargetDomain + (wcsstr(sSourceAccountName.c_str(), L"\\") + 1);
 	PSID tTargetAccountSid = GetSidFromName(sTargetAccountName);
 
+	// exit if no match was found
+	if (tTargetAccountSid == nullptr) return SidActionResult::Nothing;
+
 	// do a reverse lookup to see if this might be a sid history item
 	if (GetNameFromSidEx(tTargetAccountSid) == sSourceAccountName) return SidActionResult::Nothing;
 

OperationRemoveOrphan.cpp

@@ -23,6 +23,7 @@ OperationRemoveOrphan::OperationRemoveOrphan(std::queue<std::wstring> & oArgList
 
 	// do a reverse lookup of the name for reporting
 	sDomainName = GetNameFromSidEx(tDomainSid);
+	sDomainName = sDomainName.substr(0, sDomainName.find(L"\\"));
 
 	// flag this as being an ace-level action
 	AppliesToDacl = true;
@@ -51,11 +52,11 @@ SidActionResult OperationRemoveOrphan::DetermineSid(WCHAR * const sSdPart, Objec
 
 	// see if the sid is unresolvable; if it is then this is not an orphan
 	bool bIsOrphan = false;
-	GetNameFromSid(tCurrentSid, &bIsOrphan);
+	std::wstring sSid = GetNameFromSidEx(tCurrentSid, &bIsOrphan);
 	if (!bIsOrphan) return SidActionResult::Nothing;
 
 	// update the sid in the ace
-	InputOutput::AddInfo(L"Removing orphan of security identifier or domain '" + sDomainName + L"'", sSdPart);
+	InputOutput::AddInfo(L"Removing orphan of security identifier '" + sSid + L"' from domain '" + sDomainName + L"'", sSdPart);
 	tResultantSid = NULL;
 	return SidActionResult::Remove;
 }

repacls.vcxproj

@@ -139,13 +139,15 @@
       <FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <DisableSpecificWarnings>4100</DisableSpecificWarnings>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
       <Profile>true</Profile>
+      <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -168,7 +170,7 @@
       <SubSystem>Console</SubSystem>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
       <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
       <Profile>true</Profile>
     </Link>