Re: CreateProcessAsUser Doubt
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/28/04
- Previous message: Sandip: "Access token lifetime"
- In reply to: Jordi Gou: "Re: CreateProcessAsUser Doubt"
Date: Wed, 28 Jul 2004 17:28:49 -0400
You can not do this on the fly. The user must be configured with the right PRIOR
to them logging on.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Jordi Gou wrote:
> How can I log off and log on? Could you show me the code to do this?
> However, I have a problem with windows 2000. I log in with unprivileged user
> and I use the sample lsaprivs that we can find on SDK platform samples and
> it produces error 5 "access denied" on OpenPolicy method. If I log in as an
> administrator the program does well.
>
> I need to execute this program to give SE_TCB_NAME privilege to execute
> LogonUser and become administrator user. So, how can I become an
> administrator on W2K if I can't use LogonUser because I can't get
> SE_TCB_NAME privilege?
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:OsTLfoAbEHA.1656@TK2MSFTNGP09.phx.gbl...
>
>>You can not modify a user's privilege set on the fly, for instance if you add
>>"Act as part of the operating system" to a user, the user must log off and log
>>on to get that to work as it isn't in their token until you do so.
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>Jordi Gou wrote:
>>
>>>What are you exactly saying when say that you have to log off after put
>>>privileges?
>>>
>>>"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
>>>news:ejedZFKYEHA.3716@TK2MSFTNGP10.phx.gbl...
>>>
>>>>Did you set it on the domain or on the PC itself?
>>>>
>>>>Did the user logoff and logon after getting the priv?
>>>>
>>>>--
>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>www.joeware.net
>>>>
>>>>Victor Pereira wrote:
>>>>
>>>>>Mmm.. strange, because my user has the SE_TCB_NAME priv, and it's not
>>>>>working :-(
>>>>>
>>>>>Anyway, thanks for your help!
>>>>>
>>>>>VP
>>>>>Joe Richards [MVP] wrote:
>>>>>
>>>>>>This is why I asked what OS you are using and you responded XP.
>>>>>>
>>>>>>If that is the case, then you have to make sure that the userid who
>>>>>>will fire the app has the SE_TCB_NAME priv before they log on and run
>>>>>>your app (i.e you can't do that on the fly). No other way than to set
>>>>>>up a service that proxies the calls like runas and SU (from reskit)
>>>>>>does it.
>>>>>>
>>>>>>--
>>>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>>>www.joeware.net
>>>>>>
>>>>>>Victor Pereira wrote:
>>>>>>
>>>>>>>Joe CreateProcessWithLogonW() is supported just by windows xp,2000
>>>>>>>and 2003.Living in a third world, i must support winnt 4 :-(
>>>>>>>
>>>>>>>Thanks,
>>>>>>>
>>>>>>>VP
>>>>>>>
>>>>>>>Joe Richards [MVP] wrote:
>>>>>>>
>>>>>>>>In that case, you don't need privilege and you should probably use
>>>>>>>>CreateProcessWithLogonW as it is much easier to deal with. My CPAU
>>>>>>>>(located on free win32 tools page of www.joeware.net) also uses that
>>>>>>>>call.
>>>>>>>>
>>>>>>>>  joe
>>>>>>>>
>>>>>>>>--
>>>>>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>>>>>www.joeware.net
>>>>>>>>
>>>>>>>>Victor Pereira wrote:
>>>>>>>>
>>>>>>>>>Hi joe, I'm using WinXP
>>>>>>>>>
>>>>>>>>>Thanks,
>>>>>>>>>
>>>>>>>>>VP
>>>>>>>>>Joe Richards [MVP] wrote:
>>>>>>>>>
>>>>>>>>>>1. What operating system are you working with?
>>>>>>>>>>
>>>>>>>>>>2. You can not add privileges to a userid on the fly, you must add
>>>>>>>>>>them, then the ID must log off and log on to get them in their
>>>>>>>>>>token. Then they can be enabled for use if needed. I.E. You can
>>>>>>>>>>not run one program that sets the privs, then uses them. The user
>>>>>>>>>>must always have those privs. This is why I ask what OS you are
>>>>>>>>>>working with. XP and 2003 help.
>>>>>>>>>>
>>>>>>>>>>--
>>>>>>>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>>>>>>>www.joeware.net
>>>>>>>>>>
>>>>>>>>>>Victor Pereira wrote:
>>>>>>>>>>
>>>>>>>>>>>Hi I'm trying to do a RunAs program and I have some doubts:
>>>>>>>>>>>
>>>>>>>>>>>1 - Can I run it without a service ? Just calling :
>>>>>>>>>>>
>>>>>>>>>>>LogonUser - to get a user token
>>>>>>>>>>>DuplicateTokenEx - To duplicate my user's token and set the
>>>>>>>>>>>permissions TOKEN_ADJUST_PRIVILEGES and TOKEN_QUERY
>>>>>>>>>>>AdjustTokenPrivileges - To set SE_TCB_NAME privileges
>>>>>>>>>>>CreateProcessAsUser - To run my process as a specific user.
>>>>>>>>>>>
>>>>>>>>>>>Because I'm receiving an error 1300 (decimal), which means "Not
>>>>>>>>>>>all privileges referenced are assigned to the caller".
>>>>>>>>>>>
>>>>>>>>>>>2 - Can I adjust privileges on an user's token ? or I just can
>>>>>>>>>>>set privileges on a process's token ?
>>>>>>>>>>>
>>>>>>>>>>>Thanks in advance,
>>>>>>>>>>>
>>>>>>>>>>>Victor Pereira
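
The behaviour discussed in this thread, as an added C example that is not code from any poster or from joeware.net: AdjustTokenPrivileges can only enable a privilege the token already carries, and it reports a missing one as error 1300 while still returning success, so both values have to be checked. The names classify_adjust, enable_privilege and priv_result are hypothetical; the Win32 part compiles only on Windows.

```c
#include <stdio.h>

#define NOT_ALL_ASSIGNED 1300UL  /* ERROR_NOT_ALL_ASSIGNED, the "error 1300" above */

typedef enum { PRIV_ENABLED, PRIV_NOT_IN_TOKEN, PRIV_API_FAILED } priv_result;

/* AdjustTokenPrivileges returns nonzero even when it enabled nothing, so the
   last-error value must be examined as well as the return value. */
priv_result classify_adjust(int api_ok, unsigned long last_error)
{
    if (!api_ok) return PRIV_API_FAILED;
    if (last_error == NOT_ALL_ASSIGNED) return PRIV_NOT_IN_TOKEN;
    return PRIV_ENABLED;
}

#ifdef _WIN32
#include <windows.h>

/* Try to enable one privilege in the current process token. A privilege that
   was granted after logon is not in the token and cannot be enabled here. */
priv_result enable_privilege(const char *name)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    BOOL ok;
    DWORD err;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return PRIV_API_FAILED;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueA(NULL, name, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return PRIV_API_FAILED;
    }
    ok = AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL);
    err = GetLastError();           /* read before any other API call */
    CloseHandle(tok);
    return classify_adjust(ok, err);
}

int main(void)
{
    static const char *msg[] = { "enabled",
        "not in token (grant the right, then log off and on)", "API call failed" };
    printf("SeTcbPrivilege: %s\n", msg[enable_privilege("SeTcbPrivilege")]);
    return 0;
}
#endif
```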