RE: Local security getting overwritten



I found the NetServerEnum() API function and have it working to get me the
primary domain controller name ...
Then I got the call to LsaOpenPolicy() coded in VB, but am having trouble
with the
LsaAddAccountRights call because I need the Sid of the user account as a
long? Not sure how to do that?

Anyone ever call these routines from VB6? Everything I've found uses C/C++
which is what I'd normally prefer, but I'm stuck with VB6 on this one.

Scott

"Scott S." wrote:

Jeffrey,

That hits the root of my question as to whether it would work to set the
global policy instead of just that system's local policy. Thank you!

Now, since the config app is written in VB6 I've got a bit of work to do
since the samples are in C. I think I've found the proper declarations for
the Lsa* calls I need.

The piece I'm still missing is the DC name. In our test domain we have
Win2003 servers using AD so I know I can check the environment variables for
the "LOGONSERVER" to get one of the DCs. But many of our customers still run
Win2000 servers ... those could be setup as NT, mixed, or AD domain. For the
NT and mixed wouldn't I want to find the PDC?

I've been hunting for a solution online, but obviously haven't hit the right
combination of keywords to get a relevant page ... most of the time I get
better hits using google than microsoft/msdn site's own search, but no luck
either way this morning.

So the new question is, is there a windows API call to determine the PDC or
list of DCs, or to determine which DC would be used to update local security
from when the system reboots?

Barring that I guess I can use any DC and just hope that replication has
occured before the reboot occurs.

Thanks,
Scott

""Jeffrey Tan[MSFT]"" wrote:

Hi Scott,

Thanks for your defailed feedback!

Yes, I understand your concern. The reason I asked you for more information
is that knowing more background information I can understand your real need
better and may provide a better solution in the scenario. Thanks for your
understanding.

Based on my understanding, you will sale your application to other company,
whose domain policy may overwrite the right you needed. So your
configuration tool wanted to take charge of the automation actions and
change the customer's domain policy automatically without their domain
admins' work. If I have misunderstood you, please feel free to tell me.

To automate the domain policy programmatically, you may programmatically
change the LSA setting on the DC. The first reply I provided to you
contains the articles shows how to add the account right programmatically
with LSA APIs. More specificly, you should use LsaAddAccountRights to add
SE_BATCH_LOGON_NAME to the account your application wanted to run.

There are several issues you should take care of:
1. The first parameter of LsaOpenPolicy "SystemName" should point to the DC
machine's name.
2. The configuration tool requires Domain Admin to run it, so that the code
has the enough right to operate the DC LSA.

If you have anything unclear, please feel free to tell me, thanks!

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


.