Re: CreateProcessWithLogonW on Server 2003

From: Yu Chen [MS] (yuchen_at_online.microsoft.com)
Date: 07/13/04

    Date: Mon, 12 Jul 2004 19:14:09 -0700
    
    

    When LogonUser failed, what error code did GetLastError return? I bet it's
    ERROR_LOGON_TYPE_NOT_GRANTED. By default the SeBatchLogon right is not
    granted to any account. If you need to use the batch logon type, you have to
    grant the SeBatchLogon right to the account.

    -- 
    Yu Chen [MS]
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Vincent Finn" <1@2.com> wrote in message
    news:k6b5f0hrhc4mklv513pv4sc2gn5vusuu3c@4ax.com...
    > On Wed, 7 Jul 2004 16:46:42 -0700, "Yu Chen [MS]"
    > <yuchen@online.microsoft.com> wrote:
    >
    > >That's a known issue in Windows Server 2003 - the CreateProcessWithLogonW
    > >API is changed to better handle the new process' use of desktop by utilizing
    > >"Logon Sid" in the caller's token. However the local system token (under
    > >which your service is running) doesn't have a "Logon sid" so the API failed
    > >when caller is local system.
    > >
    > >If the caller is local system, you can use LogonUser and CreateProcessAsUser
    > >to achieve the same thing.
    >
    > That sorted it, thanks.
    >
    > LogonUser only seems to work if I use 'LOGON32_LOGON_INTERACTIVE'
    > rather than 'LOGON32_LOGON_BATCH'
    >
    > any idea why that might be?
    >
    > Vin
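
The LogonUser + CreateProcessAsUser sequence and the batch-logon failure discussed in this thread, as an added example that is not code from either poster. The names right_for_logon_type, missing_right and run_as and the command line are assumptions made for illustration; off Windows only the diagnosis helper is compiled, with the constants copied in by hand.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else /* values copied from winbase.h / winerror.h so the helper builds anywhere */
typedef unsigned long DWORD;
#define LOGON32_LOGON_INTERACTIVE 2
#define LOGON32_LOGON_BATCH 4
#define LOGON32_LOGON_SERVICE 5
#define ERROR_LOGON_TYPE_NOT_GRANTED 1385L
#endif
/* Account right LogonUser requires for each logon type (NULL: not covered here). */
static const char *right_for_logon_type(DWORD type) {
    switch (type) {
    case LOGON32_LOGON_INTERACTIVE: return "SeInteractiveLogonRight";
    case LOGON32_LOGON_BATCH:       return "SeBatchLogonRight";
    case LOGON32_LOGON_SERVICE:     return "SeServiceLogonRight";
    default:                        return NULL;
    }
}

/* Names the right to grant when the logon type was refused; NULL for other errors. */
const char *missing_right(DWORD type, DWORD err) {
    return err == ERROR_LOGON_TYPE_NOT_GRANTED ? right_for_logon_type(type) : NULL;
}
#ifdef _WIN32
/* Hypothetical helper for a LocalSystem service: log on, then start the process. */
int run_as(const wchar_t *user, const wchar_t *dom, const wchar_t *pw, DWORD type) {
    HANDLE tok = NULL;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi;
    wchar_t cmd[] = L"cmd.exe /c whoami"; /* constructed; must be a writable buffer */
    if (!LogonUserW(user, dom, pw, type, LOGON32_PROVIDER_DEFAULT, &tok)) {
        DWORD err = GetLastError();
        const char *r = missing_right(type, err);
        fprintf(stderr, "LogonUser: error %lu, grant: %s\n", err, r ? r : "n/a");
        return 1;
    }
    BOOL ok = CreateProcessAsUserW(tok, NULL, cmd, NULL, NULL, FALSE, 0,
                                   NULL, NULL, &si, &pi);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    else fprintf(stderr, "CreateProcessAsUser: error %lu\n", GetLastError());
    CloseHandle(tok);
    return ok ? 0 : 1;
}
#endif
int main(void) { /* constructed case: batch logon refused with error 1385 */
    puts(missing_right(LOGON32_LOGON_BATCH, ERROR_LOGON_TYPE_NOT_GRANTED));
    return 0;
}
```

Granting the batch right only to the specific account the service launches, rather than to a broad group, keeps the set of principals able to log on as a batch job small.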
    
