RE: Local security getting overwritten

Jeffrey,

That hits the root of my question as to whether it would work to set the
global policy instead of just that system's local policy. Thank you!

Now, since the config app is written in VB6 I've got a bit of work to do
since the samples are in C. I think I've found the proper declarations for
the Lsa* calls I need.

The piece I'm still missing is the DC name. In our test domain we have
Win2003 servers using AD, so I know I can check the environment variable
"LOGONSERVER" to get one of the DCs. But many of our customers still run
Win2000 servers ... those could be set up as NT, mixed, or AD domains. For the
NT and mixed cases wouldn't I want to find the PDC?

I've been hunting for a solution online, but obviously haven't hit the right
combination of keywords to get a relevant page ... most of the time I get
better hits using Google than the Microsoft/MSDN site's own search, but no luck
either way this morning.

So the new question is: is there a Windows API call to determine the PDC or
the list of DCs, or to determine which DC the system would pull local security
updates from when it reboots?

Barring that, I guess I can use any DC and just hope that replication has
occurred before the reboot happens.

Thanks,
Scott

"Jeffrey Tan[MSFT]" wrote:

Hi Scott,

Thanks for your detailed feedback!

Yes, I understand your concern. The reason I asked you for more information
is that knowing more background information I can understand your real need
better and may provide a better solution in the scenario. Thanks for your
understanding.

Based on my understanding, you will sell your application to other companies,
whose domain policy may overwrite the right you need. So your
configuration tool wants to take charge of the automation actions and
change the customer's domain policy automatically without their domain
admins' work. If I have misunderstood you, please feel free to tell me.

To automate the domain policy programmatically, you may programmatically
change the LSA setting on the DC. The first reply I provided to you
contains articles showing how to add an account right programmatically
with the LSA APIs. More specifically, you should use LsaAddAccountRights to add
SE_BATCH_LOGON_NAME to the account your application is to run as.

There are several issues you should take care of:
1. The first parameter of LsaOpenPolicy "SystemName" should point to the DC
machine's name.
2. The configuration tool requires a Domain Admin to run it, so that the code
has enough rights to operate on the DC's LSA.

If you have anything unclear, please feel free to tell me, thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
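
Putting Jeffrey's two points together (SystemName must be the DC, and the caller must be a Domain Admin) with the PDC lookup Scott is asking about, as an added example that is not code from either poster or from Microsoft's samples: DsGetDcName with DS_PDC_REQUIRED returns the PDC (the PDC emulator in a native AD domain), and that name is fed to LsaOpenPolicy before LsaAddAccountRights grants the batch logon right. The account name 'CONTOSO\svc_batch' is a constructed placeholder; the script must run as a Domain Admin on a domain-joined Windows machine.

```powershell
# Added example, not code from the thread. Finds the PDC with DsGetDcName, opens the LSA
# policy on that DC (LsaOpenPolicy's SystemName) and grants SeBatchLogonRight, the string
# behind SE_BATCH_LOGON_NAME. Assumes Domain Admin; 'CONTOSO\svc_batch' is a placeholder.
Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices;
public static class LsaNative {
  [StructLayout(LayoutKind.Sequential)] public struct LSA_UNICODE_STRING {
    public ushort Length; public ushort MaximumLength;   // both counted in bytes, not characters
    [MarshalAs(UnmanagedType.LPWStr)] public string Buffer; }
  [StructLayout(LayoutKind.Sequential)] public struct LSA_OBJECT_ATTRIBUTES {
    public int Length; public IntPtr RootDirectory, ObjectName; public uint Attributes;
    public IntPtr SecurityDescriptor, SecurityQualityOfService; }
  [DllImport("netapi32.dll", CharSet = CharSet.Unicode)] public static extern int DsGetDcName(
    string computer, string domain, IntPtr guid, string site, uint flags, out IntPtr info);
  [DllImport("netapi32.dll")] public static extern int NetApiBufferFree(IntPtr buf);
  [DllImport("advapi32.dll")] public static extern uint LsaOpenPolicy(ref LSA_UNICODE_STRING system,
    ref LSA_OBJECT_ATTRIBUTES attrs, uint access, out IntPtr handle);
  [DllImport("advapi32.dll")] public static extern uint LsaAddAccountRights(IntPtr handle, byte[] sid,
    LSA_UNICODE_STRING[] rights, uint count);
  [DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr handle);
  [DllImport("advapi32.dll")] public static extern int LsaNtStatusToWinError(uint status);
}
"@
function New-LsaString([string]$s) {
  $u = New-Object LsaNative+LSA_UNICODE_STRING
  $u.Buffer = $s; $u.Length = [uint16]($s.Length * 2); $u.MaximumLength = [uint16]($u.Length + 2)
  return $u
}
# 1. Locate the PDC (DS_PDC_REQUIRED = 0x1): the only writable DC in an NT4 or mixed-mode
#    domain, and the PDC emulator in a native AD domain.
$infoPtr = [IntPtr]::Zero
$rc = [LsaNative]::DsGetDcName($null, $null, [IntPtr]::Zero, $null, 0x1, [ref]$infoPtr)
if ($rc -ne 0) { throw "DsGetDcName failed with Win32 error $rc" }
# DomainControllerName is the first member of DOMAIN_CONTROLLER_INFO and comes back as \\NAME.
$pdc = [Runtime.InteropServices.Marshal]::PtrToStringUni(
         [Runtime.InteropServices.Marshal]::ReadIntPtr($infoPtr)).TrimStart('\')
[void][LsaNative]::NetApiBufferFree($infoPtr)
# 2. Open the LSA policy on the PDC, not on the local machine (SystemName = DC name).
$attrs = New-Object LsaNative+LSA_OBJECT_ATTRIBUTES
$sys = New-LsaString $pdc; $h = [IntPtr]::Zero
$access = 0x10 -bor 0x800   # POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, as LsaAddAccountRights requires
$st = [LsaNative]::LsaOpenPolicy([ref]$sys, [ref]$attrs, $access, [ref]$h)
if ($st -ne 0) { throw "LsaOpenPolicy($pdc) failed: " + [LsaNative]::LsaNtStatusToWinError($st) }
# 3. Grant the right to the account's SID, then close the policy handle.
$sid = ([Security.Principal.NTAccount]'CONTOSO\svc_batch').Translate([Security.Principal.SecurityIdentifier])
$sidBytes = New-Object byte[] $sid.BinaryLength; $sid.GetBinaryForm($sidBytes, 0)
$rights = [LsaNative+LSA_UNICODE_STRING[]]@(New-LsaString 'SeBatchLogonRight')
$st = [LsaNative]::LsaAddAccountRights($h, $sidBytes, $rights, 1)
[void][LsaNative]::LsaClose($h)
if ($st -ne 0) { throw "LsaAddAccountRights failed: " + [LsaNative]::LsaNtStatusToWinError($st) }
```

The right is written on the PDC and reaches member servers on their next policy refresh, so the replication wait Scott mentions still applies between the PDC and other DCs.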