Re: CreateProcessAsUser, error code 6

From: Tim (tchalk_at_gmail.com)
Date: 10/06/05


Date: 6 Oct 2005 10:42:43 -0700


> >Hi!
> > As long as the user I use with LogonUser is in the administrators
> > group, everything works fine. However, if I remove the user from the
> > administrators group, the exitcode that comes from GetExitCodeProcess
> > is always "6". Note, that the process I'm calling creates a logfile
> > when it starts up, and I *never* see the logfile. So it looks like
> > CreateProcessAsUser is not actually starting the process, even though
> > it returns with a success.

> The process calling LogonUser requires the SE_TCB_NAME privilege. If the
> calling process does not have this privilege, LogonUser fails and
> GetLastError returns ERROR_PRIVILEGE_NOT_HELD. Administrator has this
> privilege while other users do not have it. So whenever you remove your user
> from the administrative group it will fail, but you can give any user that right.
> For that you need to manually add this privilege using either local security
> policy or group policy.

Right, I'm familiar with the impersonation privileges. The LogonUser
call still actually succeeds in my application, and the user is logged
in. In my case, the calling process is a service running as System, so
the impersonation privilege is inherent. The user being logged in also
has to be granted the "Logon as a Service" rights, which is being done.

That's part of the weird part. The logon succeeds, but the
CreateProcessAsUser fails. Does the user being logged in typically
require the TCB_NAME privilege also for some reason?


