Re: LsaRemoveAccountRights

From: Amit Rahul [MS] (arahul_at_online.microsoft.com)
Date: 04/17/04


Date: Fri, 16 Apr 2004 23:17:03 -0700

One addendum to the example below, it should be
lpright = SE_INTERACTIVE_LOGON_NAME to be used with LsaRemoveAccountRights
rather than SE_DENY_INTERACTIVE_LOGON_NAME. It was a typo. :-(

-- 
Thanks,
Amit Rahul [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Amit Rahul [MS]" <arahul@online.microsoft.com> wrote in message
news:%23jVeMIEJEHA.3436@tk2msftngp13.phx.gbl...
> You are going the right way by using LsaRemoveAccountRights for disabling
> interactive logon privilege. You can call LsaEnumerateUserRights to verify
> all the rights user had before calling remove rights. Also did you make sure
> that you got the policy handle correctly (LsaOpenPolicy?).
>
> A typical example to do this would be
>
> NTSTATUS Status = LsaOpenPolicy(NULL, &ObjectAttributes,
>                                 POLICY_ALL_ACCESS | POLICY_LOOKUP_NAMES, &hLsa);
> DWORD dwLength = wcslen(lpRight); // where lpRight = SE_DENY_INTERACTIVE_LOGON_NAME
>
> LSA_UNICODE_STRING UserRight;
> UserRight.Buffer = lpRight;
> // Length and MaximumLength are byte counts; cast the product, not the operand
> UserRight.Length = (USHORT)(dwLength * sizeof(WCHAR));
> UserRight.MaximumLength = (USHORT)((dwLength + 1) * sizeof(WCHAR));
>
> Status = LsaRemoveAccountRights(hLsa, pSid, FALSE, &UserRight, 1);
>
>
> -- 
> Thanks,
> Amit Rahul [MS]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "John Burkhardt" <jbx1138@yahoo.com> wrote in message
> news:%23piWD8YIEHA.2300@tk2msftngp13.phx.gbl...
> > Hi Windows Security API gurus:
> >
> > I'm trying to use the method LsaRemoveAccountRights to disable the ability
> > for a user to logon interactively.  I'm using AtlSecurity APIs to get the
> > SID for a user, but I've also tried obtaining this SID with LsaLookupNames.
> > When I pass the SID to this method I get 0xC0000034, which is
> > STATUS_OBJECT_NAME_NOT_FOUND.  I'm assuming that this is referring to the
> > account SID that I'm passing in, because if it's the privilege name I would
> > assume that to be STATUS_NO_SUCH_PRIVILEGE.
> >
> > Here is basically what I'm doing:
> >
> > Open the policy handle with GENERIC_READ | GENERIC_EXECUTE |
> > POLICY_LOOKUP_NAMES
> >
> > CSid sid("MyAccount"); // (note: this account is created on the local
> > machine not the domain)
> > CA2W SeInteractiveLogonName(SE_INTERACTIVE_LOGON_NAME);
> > CLSAUnicodeString accountRightName(
> >     SeInteractiveLogonName
> > );
> > NTSTATUS ntsResult = LsaRemoveAccountRights(
> >    hPolicy,
> >    const_cast<SID*>(sid.GetPSID()),
> >    FALSE,
> >    &accountRightName,
> >    1
> > );
> >
> > Note: CLSAUnicodeString is just a little wrapper around LSA_UNICODE_STRING
> > that sets up the buffer and length parameters.
> > Note: The account was just created with NetUserAdd.
> > Note: LsaLookupNames succeeds with the account name and returns the same SID
> > (I've printed them out to compare them).
> >
> > And yet, I get STATUS_OBJECT_NAME_NOT_FOUND no matter what I've tried.
> >
> > Any insight would be much appreciated.
> >
> > Here is a high level description of the problem I'm trying to solve so maybe
> > there is an easier way?  After creating a user account I want to disable
> > interactive login rights for the account so that it doesn't show up in the
> > list of accounts that can log into a machine on XP Home (for example).
> >
> > Thanks,
> >
> > John
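As an added example, not code from this thread: the LSA_UNICODE_STRING setup that John's wrapper and Amit's snippet both do by hand, plus the enumerate-before-remove check Amit suggests, written in plain C. It assumes the caller already has the account's SID (from LsaLookupNames, as in the thread); the non-Windows typedefs are stand-ins so the string helpers build and can be tested off Windows.

```c
#include <stdbool.h>
#include <string.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else /* stand-ins so the string helpers build and can be tested off Windows */
typedef unsigned short USHORT;
typedef wchar_t WCHAR, *PWSTR;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING;
#define SE_INTERACTIVE_LOGON_NAME L"SeInteractiveLogonRight"
#endif
/* Fill an LSA_UNICODE_STRING from a NUL-terminated wide string. Length and
 * MaximumLength are BYTE counts: Length excludes the terminator, MaximumLength
 * includes it. Both are USHORT, so input that would not fit is rejected. */
bool InitLsaString(LSA_UNICODE_STRING *out, PWSTR s)
{
    size_t bytes = wcslen(s) * sizeof(WCHAR);
    out->Buffer = NULL; out->Length = out->MaximumLength = 0;
    if (bytes + sizeof(WCHAR) > 0xFFFF) return false;
    out->Buffer = s; out->Length = (USHORT)bytes;
    out->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
    return true;
}
/* LSA strings need not be NUL-terminated: compare by Length, never with wcscmp. */
bool LsaStringEquals(const LSA_UNICODE_STRING *a, const LSA_UNICODE_STRING *b)
{
    return a->Length == b->Length && memcmp(a->Buffer, b->Buffer, a->Length) == 0;
}
#ifdef _WIN32
/* Enumerate the account's rights first (the check the reply recommends) and call
 * LsaRemoveAccountRights only for a right the account actually holds.
 * Returns a Win32 error code; *removed reports whether a removal happened. */
DWORD RemoveAccountRightIfHeld(PSID pSid, PWSTR right, bool *removed)
{
    LSA_OBJECT_ATTRIBUTES oa = {0}; LSA_HANDLE hLsa = NULL;
    PLSA_UNICODE_STRING held = NULL; ULONG count = 0; LSA_UNICODE_STRING want;
    *removed = false;
    if (!InitLsaString(&want, right)) return ERROR_INVALID_PARAMETER;
    NTSTATUS st = LsaOpenPolicy(NULL, &oa, POLICY_ALL_ACCESS, &hLsa); /* mask as in the reply */
    if (st != 0) return LsaNtStatusToWinError(st);
    st = LsaEnumerateAccountRights(hLsa, pSid, &held, &count); /* nothing to remove if this fails */
    for (ULONG i = 0; st == 0 && i < count; i++) {
        if (!LsaStringEquals(&held[i], &want)) continue;
        st = LsaRemoveAccountRights(hLsa, pSid, FALSE, &want, 1);
        *removed = (st == 0);
        break;
    }
    if (held) LsaFreeMemory(held);
    LsaClose(hLsa);
    return LsaNtStatusToWinError(st);
}
#endif
```

On Windows, link against advapi32 and call RemoveAccountRightIfHeld(pSid, SE_INTERACTIVE_LOGON_NAME, &removed), i.e. the right name from the addendum rather than the deny variant.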