ImpersonateLoggedOnUser and SetFileAttributes


I'm having some trouble with impersonating and SetFileAttributes. I'm
getting access, but I shouldn't!

I have created a file with only one ACE defined, granting r/w access to a
normal user (i.e. non-admin).

The local administrator is correctly denied access if he tries to change
file attributes from explorer. If he calls SetFileAttributes he's also
denied access.

If I try SetFileAttributes with LocalSystem, I get access denied.

But if LocalSystem impersonates local administrator and calls
SetFileAttributes, access is granted (which it shouldn't be!) and
SetFileAttributes is successful.

The code looks like this (error checking and cleanup omitted for brevity):


LogonUserW(L"administrator", NULL, L"password",


SetFileAttributes(fileName, FILE_ATTRIBUTE_READONLY);


This happens on both XP and Win2K.

What am I missing??

Sebastian Bargmann