Re: LogonUser

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 09/20/05


Date: Tue, 20 Sep 2005 12:50:54 -0500

Are you on Windows 2000? Under Win2K, LogonUser requires the caller to have
the TCB privilege (act as part of the operating system) which is only
granted to the SYSTEM account by default.

Switching to Windows Server 2003 is a great solution to this problem, but
you might have to give the TCB privilege to the account in question if that
is not an option. Unfortunately, this weakens the security of your app as
this is a dangerous privilege to give out. Factoring this specific call
into a COM object registered under COM+ with a special identity is one way
to help mitigate that problem.

Joe K.

"***" <Richard.Giles@nospam.nospam> wrote in message
news:2EA28A4D-4319-4F46-B071-0D4503F902BA@microsoft.com...
> I'm trying to use the LogonUser function from "advapi32.dll" as described in
> the KB article "How to validate Windows user rights in a Visual Basic .NET
> application" but the function returns the error message "A required privilege
> is not held by the client.". Please can you explain what this means and what
> I need to do to get around it. Many thanks.

