Re: CreateProcessAsUser Doubt

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/17/04 

Date: Sat, 17 Jul 2004 10:22:12 -0400

You can not modify a user's privilege set on the fly, for instance if you add
"Act as part of the operating system" to a user, the user must log off and log
on to get that to work as it isn't in their token until you do so. 

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Jordi Gou wrote:
> What are you exactly saying when say that you have to log off after put
> privileges?
> 
> 
> 
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:ejedZFKYEHA.3716@TK2MSFTNGP10.phx.gbl...
> 
>>Did you set it on the domain or on the PC itself?
>>
>>Did the user logoff and logon after getting the priv?
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>
>>Victor Pereira wrote:
>>
>>>Mmm.. stange, because my user has the SE_TCB_NAME priv, and itīs not
>>>working :-(
>>>
>>>Anyway, thanks for your help!
>>>
>>>VP
>>>Joe Richards [MVP] wrote:
>>>
>>>
>>>>This is why I asked what OS you are using and you responded XP.
>>>>
>>>>If that is the case, then you have to make sure that the userid who
>>>>will fire the app has the SE_TCB_NAME priv before they log on and run
>>>>your app (i.e you can't do that on the fly). No other way than to set
>>>>up a service that proxies the calls like runas and SU (from reskit)
>>>>does it.
>>>>
>>>>-- 
>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>www.joeware.net
>>>>
>>>>
>>>>
>>>>Victor Pereira wrote:
>>>>
>>>>
>>>>>Joe CreateProcessWithLogonW() is supported just by windows xp,2000
>>>>>and 2003.Living in a third world, i  must support winnt 4 :-(
>>>>>
>>>>>Thanks,
>>>>>
>>>>>VP
>>>>>
>>>>>Joe Richards [MVP] wrote:
>>>>>
>>>>>
>>>>>>In that case, you don't need privilege and you should probably use
>>>>>>CreateProcessWithLogonW as it is much easier to deal with. My CPAU
>>>>>>(located on free win32 tools page of www.joeware.net) also uses that
>>>>>>call.
>>>>>>
>>>>>>  joe
>>>>>>
>>>>>>
>>>>>>
>>>>>>-- 
>>>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>>>www.joeware.net
>>>>>>
>>>>>>
>>>>>>
>>>>>>Victor Pereira wrote:
>>>>>>
>>>>>>
>>>>>>>Hi joe, iīm using WinXP
>>>>>>>
>>>>>>>Thanks,
>>>>>>>
>>>>>>>VP
>>>>>>>oe Richards [MVP] wrote:
>>>>>>>
>>>>>>>
>>>>>>>>1. What operating system are you working with?
>>>>>>>>
>>>>>>>>2. You can not add privileges to a userid on the fly, you must add
>>>>>>>>them, then the ID must log off and log on to get them in their
>>>>>>>>token. Then they can be enabled for use if needed. I.E. You can
>>>>>>>>not run one program that sets the privs, then uses them. The user
>>>>>>>>must always have those privs. This is why I ask what OS you are
>>>>>>>>working with. XP and 2003 help.
>>>>>>>>
>>>>>>>>-- 
>>>>>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>>>>>www.joeware.net
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>Victor Pereira wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>>Hi i'm trying to do a RunAs program and i have some doubts:
>>>>>>>>>
>>>>>>>>>1 - Can i run it without a service ? Just calling :
>>>>>>>>>
>>>>>>>>>LogonUser - to get a user token
>>>>>>>>>DuplicateTokenEx - To duplicate my userīs token and set the
>>>>>>>>>permissions TOKEN_ADJUST_PRIVILEGIES and TOKEN_QUERY
>>>>>>>>>AdjustTokenPrivilegies - To set SE_TCB_NAME privilegies
>>>>>>>>>CreateProcessAsUser - To run my process as a specifc user.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>Because iīm receiving an error 1300 (decimail), which means "Not
>>>>>>>>>all privileges referenced are assigned to the caller".
>>>>>>>>>
>>>>>>>>>2 - Can i adjust privilegies on an userīs token ? or i just can
>>>>>>>>>set privilegies on a processīs token ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>Thanks in advance,
>>>>>>>>>
>>>>>>>>>Victor Pereira
> 
> 
>

Relevant Pages