Re: INTERACTIVE group missing after SSPI auth

From: Sami J. Lehtinen (sjl_at_newsgroups.nospam)
Date: 11/23/05


Date: Wed, 23 Nov 2005 14:23:14 +0200

Rhett Gong [MSFT] wrote:
> Hello Sami, What error does CreateProcessAsUser report in this case?

Actually, we first execute a helper shell-program for the user with
CreateProcessAsUser(), and in this helper program use CreateProcess() to
start "cmd.exe". When using LogonUser(), an access token generated with
S4U or a custom authentication package with LsaLogonUser(), or SSPI on
platforms other than Windows 2003 Server, this works fine. However, on
Windows 2003 Server with SSPI, trying to execute "cmd.exe" results in
error code 5 (reported by GetLastError()), which I believe is
ERROR_ACCESS_DENIED.

There is quite a strong case that this is because BUILTIN\Users doesn't
have execution rights for cmd.exe in Windows 2003 Server.

Instead, they are:

C:\WINDOWS\system32\cmd.exe NT AUTHORITY\INTERACTIVE:R
                             NT AUTHORITY\SERVICE:R
                             BUILTIN\Administrators:F
                             NT AUTHORITY\SYSTEM:F
                             BUILTIN\Administrators:F
                             SJLVPCWS2003\TelnetClients:R

and a regular user, logging in with SSPI, isn't assigned to that group.
This is what I was asking in my original question, in the message that
started this thread <#mELBBR6FHA.3120@tk2msftngp13.phx.gbl>.

> And could you just add this user to "Allow log on
> locally" to see if the user can launch cmd.exe correctly?

The user does have that privilege, and doesn't have the "Deny login
locally" "right".

-- 
sjl@ssh.com
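A diagnostic for the situation Sami describes, added here as an example and not part of the original thread or of SSH's code: run inside the process whose token is in question (for instance from the helper started with CreateProcessAsUser()), it lists the group SIDs in the current token, reports whether NT AUTHORITY\INTERACTIVE (well-known SID S-1-5-4) is among them, and compares that against the DACL on cmd.exe. It assumes PowerShell with .NET is available on the box and that cmd.exe lives under %SystemRoot%\system32; on a plain Windows 2003 box, `whoami /groups` gives the token half of the same picture.

```powershell
# Added diagnostic (not from the thread). Assumption: run under the token that
# fails to launch cmd.exe, e.g. inside the CreateProcessAsUser() helper.
$interactiveSid = 'S-1-5-4'   # well-known SID for NT AUTHORITY\INTERACTIVE

function Convert-SidToName([System.Security.Principal.SecurityIdentifier]$sid) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $null }   # SIDs of a domain that cannot be resolved here
}

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Token user : $($id.Name)"
Write-Host "Groups in this token:"
foreach ($g in $id.Groups) {
    $name = Convert-SidToName $g
    if (-not $name) { $name = '<unresolved>' }
    Write-Host ("  {0,-45} {1}" -f $name, $g.Value)
}

$hasInteractive = @($id.Groups | ForEach-Object { $_.Value }) -contains $interactiveSid
Write-Host ("INTERACTIVE (S-1-5-4) present in token: {0}" -f $hasInteractive)

# Now the file side: which ACEs on cmd.exe grant anything, and to whom.
$cmd = Join-Path $env:SystemRoot 'system32\cmd.exe'
$acl = Get-Acl -Path $cmd
Write-Host "ACEs on ${cmd}:"
foreach ($ace in $acl.Access) {
    Write-Host ("  {0,-35} {1,-6} {2}" -f $ace.IdentityReference.Value,
                $ace.AccessControlType, $ace.FileSystemRights)
}

# Principals this token can match an ACE with: the user itself plus every group.
$principals = @($id.Name) + @($id.Groups | ForEach-Object { Convert-SidToName $_ }) |
              Where-Object { $_ }

# Allow ACEs that carry ExecuteFile for one of those principals.
$execFlag = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$grants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($principals -contains $_.IdentityReference.Value) -and
    (($_.FileSystemRights -band $execFlag) -ne 0)
}

if ($grants) {
    $via = ($grants | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
    Write-Host "ExecuteFile on cmd.exe is granted to this token via: $via"
} else {
    Write-Host "No Allow ACE grants ExecuteFile to this token's user or groups;"
    Write-Host "CreateProcess() on cmd.exe will fail with ERROR_ACCESS_DENIED (5)."
}
```

The comparison is deliberately simple: it only looks for an Allow ACE naming the user or one of the token's groups and ignores Deny ACEs, inheritance order and the token's integrity or restricted-SID state, so it explains the "access denied" case in the thread (no INTERACTIVE, no SERVICE, no TelnetClients in the token, hence nothing on the cmd.exe DACL matches) rather than replacing a full AccessCheck(). When the INTERACTIVE line is missing, the thing to look at is the logon type the authentication path produced, not the ACL on the file.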