Re: CreateProcessAsUser Doubt
From: Jordi Gou (jgou_at_ntr.es)
Date: 07/22/04
- Next message: Jordi Gou: "Re: CreateProcessAsUser error "the client does not have the required priviledges""
- Previous message: Dmitriy Golubev: "Re: Questions about GINA & Kerberos interoperability"
- In reply to: Joe Richards [MVP]: "Re: CreateProcessAsUser Doubt"
- Next in thread: Joe Richards [MVP]: "Re: CreateProcessAsUser Doubt"
- Reply: Joe Richards [MVP]: "Re: CreateProcessAsUser Doubt"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Jul 2004 10:41:47 +0200
How can I log off and log on? Could you show me the code to do this?
However, I have a problem with Windows 2000. I log in as an unprivileged user
and I use the lsaprivs sample that we can find in the SDK platform samples, and
it produces error 5 "access denied" on the OpenPolicy method. If I log in as an
administrator the program works well.
I need to execute this program to give the SE_TCB_NAME privilege in order to execute
LogonUser and become an administrator user. So, how can I become an
administrator on W2K if I can't use LogonUser because I can't get the
SE_TCB_NAME privilege?
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OsTLfoAbEHA.1656@TK2MSFTNGP09.phx.gbl...
> You can not modify a user's privilege set on the fly, for instance if you add
> "Act as part of the operating system" to a user, the user must log off and log
> on to get that to work as it isn't in their token until you do so.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> Jordi Gou wrote:
> > What exactly are you saying when you say that you have to log off after
> > setting privileges?
> >
> >
> >
> > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > news:ejedZFKYEHA.3716@TK2MSFTNGP10.phx.gbl...
> >
> >>Did you set it on the domain or on the PC itself?
> >>
> >>Did the user logoff and logon after getting the priv?
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>
> >>Victor Pereira wrote:
> >>
> >>>Mmm.. strange, because my user has the SE_TCB_NAME priv, and it's not
> >>>working :-(
> >>>
> >>>Anyway, thanks for your help!
> >>>
> >>>VP
> >>>Joe Richards [MVP] wrote:
> >>>
> >>>
> >>>>This is why I asked what OS you are using and you responded XP.
> >>>>
> >>>>If that is the case, then you have to make sure that the userid who
> >>>>will fire the app has the SE_TCB_NAME priv before they log on and run
> >>>>your app (i.e you can't do that on the fly). No other way than to set
> >>>>up a service that proxies the calls like runas and SU (from reskit)
> >>>>does it.
> >>>>
> >>>>--
> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>www.joeware.net
> >>>>
> >>>>
> >>>>
> >>>>Victor Pereira wrote:
> >>>>
> >>>>
> >>>>>Joe, CreateProcessWithLogonW() is supported just by Windows XP, 2000
> >>>>>and 2003. Living in a third world, I must support WinNT 4 :-(
> >>>>>
> >>>>>Thanks,
> >>>>>
> >>>>>VP
> >>>>>
> >>>>>Joe Richards [MVP] wrote:
> >>>>>
> >>>>>
> >>>>>>In that case, you don't need privilege and you should probably use
> >>>>>>CreateProcessWithLogonW as it is much easier to deal with. My CPAU
> >>>>>>(located on free win32 tools page of www.joeware.net) also uses that
> >>>>>>call.
> >>>>>>
> >>>>>> joe
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>--
> >>>>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>>>www.joeware.net
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>Victor Pereira wrote:
> >>>>>>
> >>>>>>
> >>>>>>>Hi Joe, I'm using WinXP
> >>>>>>>
> >>>>>>>Thanks,
> >>>>>>>
> >>>>>>>VP
> >>>>>>>Joe Richards [MVP] wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>>1. What operating system are you working with?
> >>>>>>>>
> >>>>>>>>2. You can not add privileges to a userid on the fly, you must add
> >>>>>>>>them, then the ID must log off and log on to get them in their
> >>>>>>>>token. Then they can be enabled for use if needed. I.E. You can
> >>>>>>>>not run one program that sets the privs, then uses them. The user
> >>>>>>>>must always have those privs. This is why I ask what OS you are
> >>>>>>>>working with. XP and 2003 help.
> >>>>>>>>
> >>>>>>>>--
> >>>>>>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>>>>>www.joeware.net
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>Victor Pereira wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>Hi, I'm trying to do a RunAs program and I have some doubts:
> >>>>>>>>>
> >>>>>>>>>1 - Can I run it without a service? Just calling:
> >>>>>>>>>
> >>>>>>>>>LogonUser - to get a user token
> >>>>>>>>>DuplicateTokenEx - To duplicate my user's token and set the
> >>>>>>>>>permissions TOKEN_ADJUST_PRIVILEGES and TOKEN_QUERY
> >>>>>>>>>AdjustTokenPrivileges - To set SE_TCB_NAME privileges
> >>>>>>>>>CreateProcessAsUser - To run my process as a specific user.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Because I'm receiving an error 1300 (decimal), which means "Not
> >>>>>>>>>all privileges referenced are assigned to the caller".
> >>>>>>>>>
> >>>>>>>>>2 - Can I adjust privileges on a user's token? Or can I just
> >>>>>>>>>set privileges on a process's token?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Thanks in advance,
> >>>>>>>>>
> >>>>>>>>>Victor Pereira
> >
> >
> >
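
The error 1300 discussed in this thread can be reproduced and diagnosed from a PowerShell prompt. The following is an added example, not code from any poster in the thread; it P/Invokes the same Win32 calls and reports whether the current logon token holds a privilege. The class name `TokPriv` and method `TryEnable` are invented here for illustration.

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokPriv {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // Returns 0 if the privilege was enabled, 1300 (ERROR_NOT_ALL_ASSIGNED)
    // if the token does not hold it, or another Win32 error code.
    public static int TryEnable(string name) {
        IntPtr tok;
        // 0x28 = TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08)
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok))
            return Marshal.GetLastWin32Error();
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.Count = 1;
            tp.Attributes = 2; // SE_PRIVILEGE_ENABLED
            if (!LookupPrivilegeValue(null, name, out tp.Luid))
                return Marshal.GetLastWin32Error();
            if (!AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                return Marshal.GetLastWin32Error();
            // AdjustTokenPrivileges returns TRUE even when nothing was enabled;
            // only the last-error value separates success (0) from 1300.
            return Marshal.GetLastWin32Error();
        } finally { CloseHandle(tok); }
    }
}
'@
Add-Type -TypeDefinition $src

# SeTcbPrivilege is the string name behind SE_TCB_NAME, the privilege in this thread.
switch ([TokPriv]::TryEnable('SeTcbPrivilege')) {
    0       { 'SeTcbPrivilege is in this token and is now enabled.' }
    1300    { 'ERROR_NOT_ALL_ASSIGNED: this token does not hold SeTcbPrivilege.' }
    default { "Win32 error $_" }
}
```

Run it before and after the user right is granted: the result stays 1300 until the account logs off and on again, because the token is built at logon.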