Re: CreateProcessAsUser Doubt

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/02/04

    Date: Thu, 01 Jul 2004 18:15:51 -0400
    
    

    This is why I asked what OS you are using and you responded XP.

    If that is the case, then you have to make sure that the userid who will fire
    the app has the SE_TCB_NAME priv before they log on and run your app (i.e. you
    can't do that on the fly). No other way than to set up a service that proxies
    the calls like runas and SU (from reskit) does it.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net

    Victor Pereira wrote:
    > Joe, CreateProcessWithLogonW() is supported just by Windows XP, 2000 and 
    > 2003. Living in a third world, I must support WinNT 4 :-(
    > 
    > Thanks,
    > 
    > VP
    > 
    > Joe Richards [MVP] wrote:
    > 
    >> In that case, you don't need privilege and you should probably use 
    >> CreateProcessWithLogonW as it is much easier to deal with. My CPAU 
    >> (located on free win32 tools page of www.joeware.net) also uses that 
    >> call.
    >>
    >>   joe
    >>
    >>
    >>
    >> -- 
    >> Joe Richards Microsoft MVP Windows Server Directory Services
    >> www.joeware.net
    >>
    >>
    >>
    >> Victor Pereira wrote:
    >>
    >>> Hi Joe, I'm using WinXP
    >>>
    >>> Thanks,
    >>>
    >>> VP
    >>>
    >>> Joe Richards [MVP] wrote:
    >>>
    >>>> 1. What operating system are you working with?
    >>>>
    >>>> 2. You can not add privileges to a userid on the fly, you must add 
    >>>> them, then the ID must log off and log on to get them in their 
    >>>> token. Then they can be enabled for use if needed. I.E. You can not 
    >>>> run one program that sets the privs, then uses them. The user must 
    >>>> always have those privs. This is why I ask what OS you are working 
    >>>> with. XP and 2003 help.
    >>>>
    >>>> -- 
    >>>> Joe Richards Microsoft MVP Windows Server Directory Services
    >>>> www.joeware.net
    >>>>
    >>>>
    >>>>
    >>>> Victor Pereira wrote:
    >>>>
    >>>>> Hi, I'm trying to do a RunAs program and I have some doubts:
    >>>>>
    >>>>> 1 - Can I run it without a service? Just calling:
    >>>>>
    >>>>> LogonUser - To get a user token
    >>>>> DuplicateTokenEx - To duplicate my user's token and set the 
    >>>>> permissions TOKEN_ADJUST_PRIVILEGES and TOKEN_QUERY
    >>>>> AdjustTokenPrivileges - To set SE_TCB_NAME privileges
    >>>>> CreateProcessAsUser - To run my process as a specific user.
    >>>>>
    >>>>>
    >>>>> Because I'm receiving an error 1300 (decimal), which means "Not 
    >>>>> all privileges referenced are assigned to the caller".
    >>>>>
    >>>>> 2 - Can I adjust privileges on a user's token? Or can I just set 
    >>>>> privileges on a process's token?
    >>>>>
    >>>>>
    >>>>> Thanks in advance,
    >>>>>
    >>>>> Victor Pereira
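
The behaviour discussed in this thread, as an added example that is not part of the original messages: AdjustTokenPrivileges can only enable a privilege that is already in the token, and it reports a missing one through GetLastError() returning 1300 (ERROR_NOT_ALL_ASSIGNED) even though the call itself returns nonzero. The names classify_adjust, enable_privilege and priv_result are hypothetical, and the non-Windows typedefs are constructed stand-ins so the decision logic builds on any platform.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else /* constructed stand-ins so the decision logic also builds off Windows */
typedef int BOOL; typedef unsigned long DWORD;
#define ERROR_SUCCESS 0UL
#define ERROR_NOT_ALL_ASSIGNED 1300UL
#endif
typedef enum { PRIV_ENABLED, PRIV_NOT_IN_TOKEN, PRIV_CALL_FAILED } priv_result;

/* AdjustTokenPrivileges returns nonzero even when it enabled nothing; the
   verdict is the GetLastError() value read immediately after the call. */
priv_result classify_adjust(BOOL ok, DWORD last_error) {
    if (!ok) return PRIV_CALL_FAILED;
    if (last_error == ERROR_NOT_ALL_ASSIGNED) return PRIV_NOT_IN_TOKEN;
    return last_error == ERROR_SUCCESS ? PRIV_ENABLED : PRIV_CALL_FAILED;
}

#ifdef _WIN32
/* Try to enable `name` (e.g. SE_TCB_NAME) in the current process token. */
priv_result enable_privilege(LPCTSTR name) {
    HANDLE tok; TOKEN_PRIVILEGES tp; BOOL ok; DWORD err;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return PRIV_CALL_FAILED;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(NULL, name, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return PRIV_CALL_FAILED;
    }
    ok = AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL);
    err = GetLastError(); /* read before any other API call resets it */
    CloseHandle(tok);
    return classify_adjust(ok, err);
}
#endif

int main(void) {
#ifdef _WIN32
    priv_result r = enable_privilege(SE_TCB_NAME);
#else
    priv_result r = classify_adjust(1, ERROR_NOT_ALL_ASSIGNED); /* constructed */
#endif
    if (r == PRIV_ENABLED) puts("privilege enabled");
    else if (r == PRIV_NOT_IN_TOKEN) puts("1300: privilege is not in this token");
    else puts("API call failed");
    return 0;
}
```

A PRIV_NOT_IN_TOKEN result means the account has to be granted the privilege and then log off and on again before the call can succeed.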
    
