Re: Logon Broker



Hi,

I tried this and LoadUserProfile is still failing with Access Denied.

The documentation states you need the SE_RESTORE_NAME and SE_BACKUP_NAME
privileges. Do I need to enable these privileges as well, or will the API try
to enable them? Also, I saw a Microsoft article stating that you need Admin
privileges to use this API. Is that true?

Can you explain why you use the ImpersonateLoggedOnUser() API?

Thanks,
Jos.

"Kellie Fitton" <KELLIEFITTON@xxxxxxxxx> wrote in message
news:1140390808.248874.305890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

Use the following APIs to launch the process under the user's
security context privilege:

LogonUserEx()
ImpersonateLoggedOnUser()
CreateEnvironmentBlock()
GetUserProfileDirectory()
LoadUserProfile()
CreateProcessAsUser()
Then,
DestroyEnvironmentBlock()
UnloadUserProfile()
RevertToSelf()
CloseHandle()

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/logonuserex.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/impersonateloggedonuser.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/createenvironmentblock.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getuserprofiledirectory.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/loaduserprofile.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/destroyenvironmentblock.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/unloaduserprofile.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/reverttoself.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/closehandle.asp

Hope this information helps,

Kellie.


