Re: LsaRemoveAccountRights

From: Amit Rahul [MS] (arahul_at_online.microsoft.com)
Date: 04/17/04


Date: Fri, 16 Apr 2004 23:17:03 -0700

One addendum to the example below, it should be
lpright = SE_INTERACTIVE_LOGON_NAME to be used with LsaRemoveAccountRights
rather than SE_DENY_INTERACTIVE_LOGON_NAME. It was a typo. :-(

-- 
Thanks,
Amit Rahul [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Amit Rahul [MS]" <arahul@online.microsoft.com> wrote in message
news:%23jVeMIEJEHA.3436@tk2msftngp13.phx.gbl...
> You are going the right way by using LsaRemoveAccountRights for disabling
> interactive logon privilege. You can call LsaEnumerateUserRights to verify
> all the rights the user had before calling remove rights. Also did you make sure
> that you got the policy handle correctly (LsaOpenPolicy?).
>
> A typical example to do this would be
>
> LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
> LSA_HANDLE hLsa;
> NTSTATUS Status = LsaOpenPolicy(NULL, &ObjectAttributes,
>                                 POLICY_ALL_ACCESS | POLICY_LOOKUP_NAMES, &hLsa);
> DWORD dwLength = (DWORD) wcslen(lpRight); // where lpRight = SE_DENY_INTERACTIVE_LOGON_NAME
>
> LSA_UNICODE_STRING UserRight;
> UserRight.Buffer = lpRight;
> UserRight.Length = (USHORT) (dwLength * sizeof(WCHAR));             // bytes, without the terminator
> UserRight.MaximumLength = (USHORT) ((dwLength + 1) * sizeof(WCHAR)); // bytes, including the terminator
>
> Status = LsaRemoveAccountRights( hLsa, pSid, FALSE, &UserRight, 1 );
>
>
> -- 
> Thanks,
> Amit Rahul [MS]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "John Burkhardt" <jbx1138@yahoo.com> wrote in message
> news:%23piWD8YIEHA.2300@tk2msftngp13.phx.gbl...
> > Hi Windows Security API gurus:
> >
> > I'm trying to use the method LsaRemoveAccountRights to disable the ability
> > for a user to logon interactively.  I'm using AtlSecurity APIs to get the
> > SID for a user, but I've also tried obtaining this SID with LsaLookupNames.
> > When I pass the SID to this method I get 0xC0000034, which is
> > STATUS_OBJECT_NAME_NOT_FOUND.  I'm assuming that this is referring to the
> > account SID that I'm passing in, because if it's the privilege name I would
> > assume that to be STATUS_NO_SUCH_PRIVILEGE.
> >
> > Here is basically what I'm doing:
> >
> > Open the policy handle with GENERIC_READ | GENERIC_EXECUTE |
> > POLICY_LOOKUP_NAMES
> >
> > CSid sid("MyAccount"); // (note: this account is created on the local
> > machine not the domain)
> > CA2W SeInteractiveLogonName(SE_INTERACTIVE_LOGON_NAME);
> > CLSAUnicodeString accountRightName(
> >     SeInteractiveLogonName
> > );
> > NTSTATUS ntsResult = LsaRemoveAccountRights(
> >    hPolicy,
> >    const_cast<SID*>(sid.GetPSID()),
> >    FALSE,
> >    &accountRightName,
> >    1
> > );
> >
> > Note: CLSAUnicodeString is just a little wrapper around LSA_UNICODE_STRING
> > that sets up the buffer and length parameters.
> > Note: The account was just created with NetUserAdd.
> > Note: LsaLookupNames succeeds with the account name and returns the same SID
> > (I've printed them out to compare them).
> >
> > And yet, I get STATUS_OBJECT_NAME_NOT_FOUND no matter what I've tried.
> >
> > Any insight would be much appreciated.
> >
> > Here is a high level description of the problem I'm trying to solve so maybe
> > there is an easier way?  After creating a user account I want to disable
> > interactive login rights for the account so that it doesn't show up in the
> > list of accounts that can log into a machine on XP Home (for example).
> >
> > Thanks,
> >
> > John
> >
> >
>
>
>
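
An added example, not code from either poster: it builds the LSA_UNICODE_STRING the way Amit's snippet does but checks that the byte counts fit the USHORT fields, and wraps the LsaRemoveAccountRights call with the least policy access it needs. The non-Windows stand-in for LSA_UNICODE_STRING is an assumption so the length logic can be compiled and tested anywhere; the real API for listing an account's current rights is LsaEnumerateAccountRights.

```c
#include <limits.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* LSA_UNICODE_STRING, LsaOpenPolicy, LsaRemoveAccountRights */
#else
/* Assumed stand-in so the length bookkeeping compiles and can be tested off Windows. */
typedef unsigned short USHORT;
typedef wchar_t WCHAR, *PWSTR;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING;
#endif

/* Describe a NUL-terminated wide string as LSA expects: Length is the byte count
 * WITHOUT the terminator, MaximumLength WITH it. Both are USHORT, so refuse overflow. */
static int init_lsa_string(LSA_UNICODE_STRING *out, PWSTR s) {
    size_t chars = wcslen(s);
    if ((chars + 1) * sizeof(WCHAR) > USHRT_MAX) return 0;
    out->Buffer = s;
    out->Length = (USHORT)(chars * sizeof(WCHAR));
    out->MaximumLength = (USHORT)((chars + 1) * sizeof(WCHAR));
    return 1;
}

/* Returns 1 if the bookkeeping above matches the LSA_UNICODE_STRING rules. */
static int lsa_string_selfcheck(void) {
    static wchar_t huge[70000];                   /* more bytes than a USHORT holds */
    wchar_t name[] = L"SeInteractiveLogonRight";  /* text of SE_INTERACTIVE_LOGON_NAME */
    LSA_UNICODE_STRING s;
    if (!init_lsa_string(&s, name) || s.Buffer != name) return 0;
    if (s.Length != 23 * sizeof(WCHAR)) return 0;              /* 23 chars, no NUL */
    if (s.MaximumLength != s.Length + sizeof(WCHAR)) return 0; /* plus the NUL */
    wmemset(huge, L'x', 69999); huge[69999] = L'\0';
    return init_lsa_string(&s, huge) == 0;                     /* must be refused */
}

#ifdef _WIN32
/* Remove SeInteractiveLogonRight from pSid as the thread describes, opening the policy
 * with only POLICY_LOOKUP_NAMES. STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034) here means LSA
 * has no account object for this SID (nothing was ever assigned to it directly); rights
 * the account gets through groups such as Users are untouched by this call. */
static NTSTATUS remove_interactive_logon(PSID pSid) {
    LSA_OBJECT_ATTRIBUTES oa = { 0 };
    LSA_HANDLE hLsa; LSA_UNICODE_STRING right;
    wchar_t name[] = L"SeInteractiveLogonRight";
    NTSTATUS st = LsaOpenPolicy(NULL, &oa, POLICY_LOOKUP_NAMES, &hLsa);
    if (st != 0) return st;                            /* 0 == STATUS_SUCCESS */
    init_lsa_string(&right, name);
    st = LsaRemoveAccountRights(hLsa, pSid, FALSE, &right, 1);
    LsaClose(hLsa);
    return st;
}
#endif
```

On Windows the LSA functions live in Advapi32.lib; off Windows only the string helper and its self-check are compiled.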

